Table of Contents
Just a couple of weeks ago, the Biden-Harris Administration announced $1 Billion (with $185 million available for FY2022) allocated to funding a first-ever state and local cybersecurity grant program. That grant program is part of the largest multi-billion dollar Zero Trust initiative that is currently underway across the US Department of Defense. This announcement comes after a few months where the government urged organizations of all sizes to strengthen their defenses against cyberattacks, and directed organizations with government funding to move to a Zero Trust strategy over the next few years.
The mandates and directives around Zero Trust and government cybersecurity strategy are urging businesses to recognize the escalating threats that are plaguing organizations of all sizes with increased frequency. The strongly worded letter implores that “to understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations.”
For the very first time, an administration is allocating specific funds to cybersecurity initiatives because of the risk that is imposed on local and state governments, and our national security at large. The goal of this new program is to help organizations be better equipped to address cybersecurity risks, strengthen the cybersecurity of their critical infrastructure, and ensure resilience against persistent cyber threats for the services state, local, and territorial governments provide their communities.
Here Is My Take on This:
- I don’t see cybersecurity as a “technology problem” when we really get into the meat of what is going awry. It is a leadership and execution problem combined with a lack of strategic focus, at least in my experience.
- State, local, and small business organizations are at a great disadvantage when it comes to the purchasing power of tools and their ability to operate cybersecurity technologies so this help is critical to be able to get them off the ground. Not every business needs to be a business that “does” cybersecurity, most of the time this should be outsourced. This is why MSPs and MSSPs are so valuable in this space.
- The supply chain is infected, period. We collectively buy electronics, software, hardware, and systems from nations and organizations that are both openly and clandestinely hostile to our national interests. But we can’t “get off” of those supply lines, at least not yet. So we must accept that and treat every asset as compromised and observe what is taking place in our systems so we can identify when threats and vulnerabilities are present.
- Other countries will (or should) follow suit on these national efforts. This is a space where a rising tide does not necessarily lift all ships. Those organizations and nations that fall behind will be the easy targets, which is not what you want to be in cybersecurity.
What You Should Do (Now) to Qualify for a Government Grant
There are two key requirements in order to receive the grant:
STEP 1: Form a Cybersecurity Committee
The Cybersecurity Planning Committee will identify and prioritize state-wide efforts to identify opportunities to consolidate projects and increase efficiencies. Each eligible entity is required to submit confirmation that the committee is composed of the required representatives. The eligible entity must also confirm that at least one-half of the representatives of the committee have professional experience relating to cybersecurity or information technology.
Who can be on your planning committee:
- The eligible entity
- If the eligible entity is a state, then representatives from counties, cities, and towns that fall within the jurisdiction of the eligible entity
- Public education institutions within the jurisdiction of the eligible entity
- Public health
- Rural, suburban, and high-population jurisdictions
STEP 2: Form a Cybersecurity Plan
The Cybersecurity Plan is a statewide planning document that must be approved by the Cybersecurity Planning Committee and the CIO/CISO equivalent. The Plan will be subsequently updated in FY24 and 25. It must contain the following components:
- Incorporate, to the extent practicable, any existing plans to protect against cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, SLTs.
- How input and feedback from local governments and associations of local governments was incorporated.
- Include all of the specific required elements (see Required Elements section of Appendix C of the Notice of Funding Opportunity)
- Describe, as appropriate and to the extent practicable, the individual responsibilities of the state and local governments within the state in implementing the Cybersecurity Plan.
- Assess each of the required elements from an entity-wide perspective.
- Outline, to the extent practicable, the necessary resources and a timeline for implementing the plan.
- Summary of associated projects.
- Metrics that the eligible entity will use to measure progress.
If you’d like additional guidance on how to apply for this benefit, be sure to contact us at [email protected].