While the National Association of State Chief Information Officers entered 2022 with some of its longstanding federal priorities finally starting to be realized, like a cybersecurity grant program, the organization is now looking to Washington to refine and clarify how that new program will actually work.
The $1.2 trillion Infrastructure Investment and Jobs Act, which President Joe Biden signed last November, included $1 billion to cover four years of cybersecurity grants for state and local governments. And while that checked off one of NASCIO’s signature agenda items, the tricky part now is figuring out how the Department of Homeland Security will award the money to states and how state CIOs will in turn distribute shares to their local communities, NASCIO Executive Director Doug Robinson said Wednesday.
“It’s been authorized and appropriated, now we’re figuring out the ground rules,” he told StateScoop about the grant program, a version of which the association has pushed for since 2008. “We’ve been at this a long time. The conditions have changed a bit, but most importantly we have a four-year run.”
Working out how the grant program will function was one of four key federal advocacy goals NASCIO listed Wednesday, along with expanding broadband deployment and reforming the FCC’s mapping methodology, continued adoption of the .gov top-level domain and the ever-present push to harmonize the cybersecurity regulations that disparate federal agencies impose on states.
The cyber grant program, as structured in the infrastructure law, requires states to put up a cash match covering 10% of what they intend to spend their awards on. It also requires states to redistribute about 80% of what they receive from DHS to their local subdivisions. These conditions, Robinson said, create “a lot of logistical issues” that need to be hammered out with the federal government.
‘Forming and storming’
One of the biggest issues to resolve is how the money will flow from state coffers to local accounts. The federal government will send grants first to state CIOs’ offices, but those entities are not set up to run grant programs of their own, Robinson said. He said NASCIO and its members will need to spend time negotiating with the DHS units involved in the grant program, including the Federal Emergency Management Agency, which will administer it, and the Cybersecurity and Infrastructure Security Agency, which has a major advisory role.
Robinson said he also hopes states don’t get skittish about participating because the program requires them to put up a “hard-dollar match.”
“I think that would be short-sighted,” he said.
Timing is also an issue. The infrastructure law calls for the first $200 million to be shipped out by the end of the current fiscal year, Sept. 30, though the number of issues that need to be worked out could mean grants don’t start flowing until summer, Robinson said.
“The first year is a lot of forming and storming,” he said. Still, the passage of the grant program is “real progress. Went from aspirational to implementational language.”
Elsewhere, NASCIO plans to continue pushing the federal government to do more to encourage state, and especially local, governments to get on the .gov domain. Robinson said that while adoption has increased in the first year since CISA took over management from the General Services Administration and dropped the $400 registration fees, still fewer than 10% of all local governments have moved over.
Robinson chalked that partly up to CISA not ramping up its education and marketing efforts and government agencies worrying about migration and rebranding costs. He said he expects moving every state and local agency onto .gov to be a “10-year journey.”
Looking for a sit-down
There’s been less progress on achieving the regulatory harmonization NASCIO has long sought from federal agencies, Robinson said. While the General Accountability Office, Congress’ investigatory branch, broadly affirmed state CIOs’ complaints that the varying rules imposed by agencies make compliance with data and cybersecurity standards difficult, the GAO report’s May 2020 publication was swept away by the early months of the pandemic.
Robinson said he does see an opening for improvement in continued conversations with Federal CIO Clare Martorana and Federal CISO Chris DeRusha, who was formerly the top cybersecurity official in Michigan and who may be more aware of the burdens states face.
“The most positive aspect is that we have someone at the federal CISO role who understands this from the state perspective,” Robinson said.
Regulatory harmony remains a long process, and Robinson said NASCIO is counting on the White House Office of Management and Budget to lead federal agencies in smoothing out their differences.
“There needs to be some type of collaboration with these agencies internally. It would be ideal if they’d sit down,” he said.
But overall, Robinson sounded a positive note on NASCIO’s federal agenda.
“Coming out of 2021, I was very pleased because we’ve been at some of this stuff for a long time,” he said. “Even though it’s not all of what we requested, I’m good with making progress.”