When the Biden administration’s $1.2 trillion infrastructure spending law passed in 2021, one of the top questions for state technology leaders was how they would be expected to manage funds from the four-year, $1 billion cybersecurity grant program they’d pushed hard to get in the bill.
Top among those concerns was how the at least 80% of funds that states were required to pass on to their local governments, school districts, utility systems and other political subdivisions would be configured: Would states have to set up complex, bureaucracy-heavy subgrant processes, or could they share their own information security tools — which in most cases were more mature than the locals’?
Nearly nine months after the Department of Homeland Security published its official guidance on the grant program, the answer appears overwhelmingly to be shared services, state CISOs told StateScoop recently. And with the first states whose plans have been approved by the Cybersecurity and Infrastructure Agency and Federal Emergency Management Administration — which are jointly running the program — starting to receive their first-year funds, they’re using them to extend the cyber capabilities of smaller public-sector entities.
‘Traveling clown show’
“We’re not sub-granting,” New Hampshire Chief Information Officer Denis Goulet said at a National Association of State CIOs meeting in Washington earlier this month.
Rather, New Hampshire’s plan — which received about $2.5 million from DHS for the first year of the grant program — includes the state Department of Information Technology helping local governments, school districts and others take modest steps, such as implementing multi-factor authentication, migrating their web presences to the .gov domain and training up IT workers’ cyber skills.
While those may not be the most advanced goals in cybersecurity, the real challenge in New Hampshire, where rugged individualism is baked into the state motto, is getting local governments on board. To do that, the state CISO, Ken Weeks, said he’s been leading officials around the state, making the pitch to sign up for these services.
“The way we do it is a traveling clown show that includes myself, the risk manager, the incident response lead, and we double down and bring along a couple of feds,” Weeks said at the NASCIO conference. “We bring along the CISA representative, who’s one of us. We bring along the Secret Service, the guy who’s gonna get your money back when you get ransomwared.”
Weeks’ roadshow, he said, catered to “everything from four-person water districts to our two urban areas.”
That kind of geographic diversity was also top-of-mind for Illinois CISO Adam Ford when his state’s cybersecurity planning group developed its plan for the DHS grant.
“There’s 7,000-plus units of government in Illinois,” he said in a phone interview.
While some states, like New Hampshire, focus on multi-factor authentication and .gov adoption, Illinois plans to use most of the $4.4 million it’s getting this year to provide local governments with services from the statewide security operations center, specifically an endpoint detection capability to vastly improve network visibility for counties, towns, sheriffs’ departments, 911 services and water districts.
“Our goal in year one is to get as much coverage and as much visibility for shared defense throughout the state,” Ford said.
Ford said outreach for SOC services will be an extension of a five-year-old election security program known as “cyber navigators.” That program, launched in 2018 with federal election assistance grants released after 2016 Russian hacking scares, allowed the Illinois State Board of Elections to hire cybersecurity professionals to offer voluntary training and technical assistance to county election offices up and down the state.
“Because we had the program built out for elections, we’ve had that collaborative relationship. We know the county people,” Ford said.
Reception for the EDR service so far, he said, has been promising.
“I’m surprised how many organizations are willing and ready to accept EDR so we can see [their network activity],” he said. “We had to build that partnership with local government where the state was a supplement, not a replacement. It’s not a hands-off approach, it’s a helping-hand approach.”
As the DHS grant fund continues playing out, Ford said he also plans to establish a statewide information sharing and analysis center — a localized counterpart akin to the federally funded MS-ISAC — that would be integrated with the state’s fusion center.
According to NASCIO, most of the 48 states that applied for the DHS grants are using the requirement that 80% of grant funds be redistributed as an opportunity to share their cyber services. A few are said to be considering hybrid plans that would include a small amount of pass-through funding, but sharing existing capabilities is seen as more effective and efficient.
And for some states, including New Hampshire and Illinois, 80% is the floor of what they’re sharing with their locals.
“While the state doesn’t have enough funding as we need for cyber, we’re in way better shape than municipalities,” Goulet said. “We’ve decided not to take the full 20% allowed.”
“We’re passing it all to locals,” Ford said. “To me the shared services approach makes the most sense. We’re trying to reach every unit of government, not just the units that have an IT department or grants management department.”