Funds from the Department of Homeland Security’s new state and local cybersecurity grant program have started making their way into state coffers, two officials from the Cybersecurity and Infrastructure Security agency told StateScoop on Friday.
Those funds, the first drops of a four -year, $1 billion program created in the 2021 infrastructure law, are mostly being used to help states finesse the plans for how they’ll commit the required 80% of any funds they receive to local governments.
“As the plans are approved, it’ll start rolling out. So it’s already moving,” said Alaina Clark, CISA’s assistant director for stakeholder engagement, whose been one of states’ main contacts regarding the grant program.
Clark spoke with StateScoop on the sidelines of the National Association of Counties’ meeting in Washington, where earlier she’d briefed a roomful of county CIOs from around the country on the status of the grant program.
Two states pass
Since DHS kicked off the cyber grants with a notice of funding opportunity last Sept. 16, all but two of the 56 states and territories eligible for the program have applied — only Florida and South Dakota are sitting out. Any money that might’ve gone to those states, she said, will be redistributed evenly across the states and territories that are participating.
“They have the option to choose to accept the funds or not, and Florida and South Dakota chose not to accept the funds, and they can address cyber in the state as they wish,” Clark said.
Still, it’ll be a while before all of the $185 million in the grant program’s first year — which counts for the federal government’s fiscal 2022 — makes its way to the participating states. Many states are still assembling their required cybersecurity planning committees and drafting formal plans for how they’ll share the money with counties and other localities — either in the form of shared services or direct funding.
Bess Mitchell, the head of CISA’s grant operations branch, said that of the 54 states and territories that applied, just 11 have submitted their written plans, while the other 43 have until Sept. 30 to get theirs in. By then, CISA will have put the finishing touches on its funding document for the grant program’s second year, covering fiscal 2023. The agency is also still developing the funding notice for the grant money reserved for tribal governments.
“The plans are being reviewed and approved and then FEMA” — a DHS branch with a long history of issuing grants — “is approving their budgets,” Clark said.
Clark said the process has improved CISA’s ties to state and local governments.
“I think it increases the collaboration,” she said. “We have phenomenal state cyber coordinators. This is a new grant so there are a lot of questions just to make sure [states] understand the application of it.”
The view from NASCIO
Rita Reynolds, NACo’s chief information officer, said the grant experience so far has been “a good start.”
But DHS grants are not counties’ only source of much-needed cybersecurity funding. During the Friday morning session for county IT leaders, Doug Robinson, the executive director of the National Association of State CIOs, pointed to several state governments that’ve increased their aid to local governments. He named Massachusetts, which on Thursday picked 177 cities, towns and school districts for a cyber hygiene training program, and New York, where Gov. Kathy Hochul is looking to increase the state cybersecurity budget by $35 million, with a focus on protecting local governments and critical infrastructure.
In Florida, one of the two states skipping the federal grant program, a proposed budget includes $128 million allocated toward cybersecurity, including a technical assistance grant program for local governments.
“That’s what states need to do,” Robinson said. “I think we’re going to see more commitments. We can definitely achieve economies of scale.”