Local governments may find this a prime time to get vocal about how this year’s grant monies — or the following’s — could help meet their needs.
“So far there are several [states] very close to getting the money, but the actual funding delivered to any state hasn't happened — at least as of Monday [Mar. 20],” said Rita Reynolds, CIO of the National Association of Counties (NACo), during a FedInsider webinar last Thursday. Reynolds said she’s been able to listen in on some regular calls about the grant program and process, and that a number of county CIOs are members of their state’s grant planning committees.
SLCGP planning committees include membership from local government and other stakeholders. The committees — along with the state CIOs, CISOs or another similar official — must approve the plans before submitting them for CISA and FEMA consideration.
LOCAL GOVERNMENT GRANT PRIORITIES
NACo conducted a survey and focus group sessions with its members over the past 3-4 months. The yet-unpublished results found counties highlighting several key cybersecurity goals, Reynolds said:
- Monitoring tools, for identifying potential malicious network activity
- Multifactor authentication (MFA) — especially for end-user accounts and cloud applications
- End-user education — including regular phishing exercises and follow-up trainings, plus regular all-staff emails from IT
Workforce constraints have been one barrier for counties striving to meet their cyber needs. NACo’s survey respondents said they struggle to recruit due to limited budgets (cited by 64 percent) and inability to pay competitive IT or cyber wages (cited by 72 percent). Smaller entities especially may lack a designated IT person. But grant funding could help, letting counties pay for a CISO-for-hire to assist them with implementing projects like MFA and to provide support on a longer-term basis, Reynolds said.
Entities considering how best to use the money should look to projects they can quickly complete and start using, advised Douglas Holland, senior solutions engineer at Akamai Technologies, during the webinar. Spending on partially advancing a larger project, meanwhile, runs the risk that it never gets finished or that tools purchased now — like software licenses — expire by the time the rest of the funding is available, he said.
When choosing projects, it’s helpful to consider questions like, “Do you have the other resources that you’ll need? The staff, the assistance, you're going to need to get that project going?” Holland said.
Entities can also get significant mileage out of the grants if they use them to improve their cyber postures enough to qualify for more affordable cyber insurance policies, Holland said.
GET HEARD
Even local entities that aren’t part of their state’s formal grant planning committees should advocate for their needs. Reynolds recommended reading through the SLCGP’s Notice of Funding Opportunity (NOFO) to see if any of the requirements it outlines match their goals.
“Read through those required elements, and there might be two or three that really resonate with you,” she said. “Don't hesitate to write up a quick email, or a letter on county or local government letterhead, and send it to the state CIO or to the planning committee.”
In general, counties can benefit from getting to know their state CIOs, and Reynolds advised starting to build those connections by participating in virtual state-sponsored events where the CIO might be speaking.
“I know of several states [where] this relationship building has been in the works for more than a decade,” Reynolds said. “And those are the ones that I've seen that were able to quickly put together their [grant] application and the plan and even submit some projects, because they had that type of planning committee — whether it was exactly what the NOFO was asking for or not — they had something already together where they were working closely together.”
YEAR 2 APPROACHES
State and local governments will also want to look ahead to the second round of SLCGP funding — which is quickly approaching.
The second-year NOFO is due out in late June. It is expected to closely mirror the first year’s process and NOFO, making for a faster experience, Reynolds said.
States will get somewhat more money in year two than was originally planned. That’s because South Dakota and Florida declined to participate in year one, and so the money that had been set aside for them will instead be distributed across all states’ year two allocations.
Declining to participate in year one does not bar the states from participating in year two; South Dakota and Florida may still apply.
TRACKING THE IMPACT?
The Government Accountability Office (GAO) will later evaluate the success of the SLCGP. At this early stage, the GAO is starting to design its review and will likely look at details around the application process and governments’ cybersecurity postures, said Marisol Cruz Cain, director of the GAO’s Information Technology and Cybersecurity team.
These may include:
- percentage of entities with approved cybersecurity plans
- percentage with established cybersecurity planning committees
- percentage capable of monitoring their network traffic for potential threats
- percentage implementing MFA
- percentage with .gov domains