As the wait continues for the Department of Homeland Security to publish guidance on the cybersecurity grants contained in last year’s infrastructure law, National Association of State Chief Information Officers Executive Director Doug Robinson said Thursday that state governments will likely need an extension to take advantage of the first year of the four-year, $1 billion program.
Near the end of an hourlong discussion on recent trends in state and local IT, Robinson and Alan Shark, director of CompTIA’s Public Technology Institute, noted that the Sept. 30 end of the federal fiscal year is looming, even as their members wait for a planning document known as a notice of funding opportunity.
“I use my Magic 8 Ball for all my decisions and it’s not giving me positive signals,” Robinson told Shark.
The inclusion of the cyber grants in the Infrastructure Investment and Jobs Act satisfied one of NASCIO’s long-running legislative priorities, one that had grown in urgency after several years of escalating threats from ransomware syndicates and other malicious actors. But that accomplishment was immediately followed on NASCIO’s agenda by the need for clear ground rules on the grant program, even if $1 billion over four years isn’t considered to be a huge amount.
The Cybersecurity and Infrastructure Security Agency, which is responsible for drafting the rules of the grant program, has previously told groups of state and local officials — including governors, mayors, secretaries of state and CIOs — that the guidance will be released this summer. But the outline of the grant program, as described in the infrastructure law, requires states to meet conditions, including matching 10% of any federal funds they receive and redistributing 80% of any awards to local jurisdictions.
Those requirements, Robinson said, will only add to the pressure states face when the first $200 million tranche of funding is finally released, leading him to suggest an extension is warranted.
“Clearly it’s well past the necessary timeline to meet the statutory obligations in the act,” he said. “There’s going to be some type of extension because these are current fiscal year funds. No way states can develop their plans get it approved and get it out in 60 days before Sept. 30.”
A fuzzy timeframe
As states wait for instructions on the cyber grants, other pieces of the Infrastructure Investment and Jobs Act are moving forward, including the Commerce Department’s $45 billion “Internet for All” program, which since releasing its NOFO on May 13 has garnered the interest of every state and territory. The Transportation Department has also released billions of dollars for regional roadway and port projects, airport renovations and transportation research centers.
But the documents needed to get the cybersecurity grant program flowing remain elusive.
“Maybe it’ll come out this month, maybe next month,” Ohio CIO Katrina Flory told StateScoop in a recent interview.
As they wait for DHS’s signal, state CIOs have been laying the groundwork — assembling governance boards, drafting grant-administration plans, meeting with local officials — but there’s still much left to be learned about the cyber grants program, especially at the city and county levels, Shark said during Thursday’s appearance.
“We hope the states are ready because a lot of localities are worried how this is going to be appropriated by the states,” he said.
Robinson replied that there may be “unmanaged expectations” among the local communities anticipating a piece of a $1 billion funding pool that’s meant to cover the entire nation. “Many of them might be disappointed in getting funds at all based on the distribution model,” he said.
Rather, Robinson said, DHS should give preference to “whole-of-state” strategies in which the state leads cybersecurity efforts from the top down.
“We’ve given our opinions to CISA with multiple sessions,” he said. “We want to see a whole-of-state focus for all of this, particularly for year one. $200 million is nothing, quite frankly. It’s peanuts.”