$1B for state and local cyber grants in Senate infrastructure deal

A $1.2 trillion federal infrastructure package negotiated between the White House and a bipartisan group of U.S. senators includes $1 billion to create a new grant program to improve the cybersecurity of state, local, tribal and territorial governments, according to a summary of the spending plan released Thursday.

The grant funding, which would be doled out by the Department of Homeland Security over a four-year period beginning in the 2022 fiscal year, would make good on a longstanding priority of the National Association of State Chief Information Officers, which has been one of several organizations pushing the federal government to establish such a program.

According to the summary, which was first reported by CNN, there would be $200 million available in the first year of the program, $400 million in 2023, $300 million in 2024 and $100 million in 2025. While the funds would be administered by the Federal Emergency Management Agency — which runs DHS’s existing grant programs — the Cybersecurity and Infrastructure Security Agency would serve as a subject matter expert for awarding this new money.

The summary states that Sen. Maggie Hassan, D-N.H., a member of the 20-senator group that negotiated the infrastructure deal, has received tentative approval from both FEMA and CISA on the new grant program, along with the support of Senate Homeland Security Committee Chairman Gary Peters, D-Mich., and the committee’s top Republican, Rob Portman of Ohio.

While FEMA’s existing Homeland Security Grant program has long included some cybersecurity funding — including a small increase ordered in February by DHS Secretary Alejandro Mayorkas — those grants also fund state and local entities’ natural-disaster and counterterrorism activities.

“The current grant programs to provide cybersecurity assistance to SLTT entities has inherent flaws that this program will address,” the infrastructure summary reads. Hassan also told StateScoop last month that she did not want cybersecurity grants “to cannibalize other security needs.”

NASCIO and other groups representing state and local officials, like the National Governors Association, have for several years been raising the alarm about their need for more robust and consistent cybersecurity funding, especially as threats like ransomware become more frequent and dangerous to public services and critical infrastructure. In a letter to congressional leaders earlier this month, NASCIO, the NGA and seven other organizations asked Congress to “authorize and fully fund” a cyber grant program.

While the money outlined Thursday would be the single biggest federal investment in state and local cybersecurity, it is less than what was outlined in a bill the House approved last week that called for $500 million in grants annually. The grants created in that bill, which enjoyed broad bipartisan support, would’ve been overseen by CISA and required states to put up matching funds. Money in the Senate’s proposal would be available “until expended.”

In a statement to StateScoop, Rep. Yvette Clarke, D-N.Y., who chairs the House Homeland Security Committee’s cybersecurity panel and was a lead sponsor of the House’s grant bill, applauded the Senate but said more could be done.

“I recognize the urgent need to help state and local governments defend their networks, and appreciate the efforts of my colleagues in the Senate to provide the funding I have long advocated for,” she said. “Of course, I will support efforts to get much-needed funding out the door quickly so state and local governments can get to work on better securing their networks against cyberattacks.  At the same time, I believe there may be more need than what the Senate package provides and will seek opportunities to provide additional support to state and local governments.”

The grant proposal is also the largest of several cybersecurity proposals in the infrastructure outline, which also includes a response and recovery fund at CISA, research and development at DHS’s Science and Technology Directorate and funding for the new Office of the National Cyber Director.

While the Senate infrastructure plan passed an initial procedural vote Wednesday, legislative text has yet to be written, and Hassan’s office has not yet responded to questions on how the grants will be structured. House Speaker Nancy Pelosi, D-Calif., has also said her chamber will not consider the infrastructure package until the Senate begins deliberations on a $3.5 trillion budget resolution.

In an email, a NASCIO spokesperson told StateScoop the $1 billion in grants outlined Thursday is a good start: “We are pleased with where things stand now but know there’s still a lot of work yet to do.”