But with the year halfway over, state and local governments are still wondering when they’ll see the money, what they’ll have to do to get it and how far it’ll actually go.
“We know the big question that everybody has is when is the Notice of Funding Opportunity (NOFO) coming out. We do hope it will be out in the coming months. There are just some additional complexities with standing up a new grant program,” said Alaina Clark, assistant director for stakeholder engagement at the Cybersecurity and Infrastructure Security Agency (CISA), the federal agency charged with administering the grants.
The agency will aim to time the notice of funding to be sensitive to states’ different fiscal cycles, Clark said during a June 6 RSA Conference panel.
CISA has been considering feedback from state and local partners as it gets closer to finalizing the details of the program, and various questions remain unaddressed. Still, municipalities can — and should — act now, Clark said. States must provide CISA with cybersecurity spending plans before receiving grants, and then will disburse monies out to localities. Clark said localities should act now to ensure they’re part of states’ planning processes to ensure their needs are heard.
“Make sure you know how your state planning committee is being set up, and that you have a voice at that table,” Clark said.
HANGING QUESTIONS: METRICS AND SHARED SERVICES
CISA has yet to fully determine how it will assess the grant program’s success. Clark said it likely will be adding a few additional considerations beyond those already outlined in the legislation behind the grants.
Monsurat Ottun, associate city solicitor and chief information security, data privacy and risk management strategist for Providence, R.I., suggested that holding municipalities to hitting the same strict metrics may not be appropriate, because municipalities all come from different starting points and contexts. She suggested instead seeking to have municipalities clear a certain bar.
“It’s really difficult to use a standard and metric for every single municipality,” Ottun said. “I would say that having something that is more like a baseline, rather than something that’s stringent.”
Well-intentioned efforts to ensure all localities get a slice of the grant money could also backfire if they result in the funding being divided up among so many parties that each receive a share too small to use effectively, said Massachusetts’ Stephanie Helm. Helm is director of the MassCyberCenter, an organization established by Massachusetts’ governor to help develop the commonwealth’s cybersecurity ecosystem and support its cybersecurity resiliency and outreach.
“We have to look at how we can maximize the resources because if we salami slice everything for 351 municipalities [in Massachusetts], we’re not going to be able to make any difference,” Helm said.
That’s a common concern, and Clark said both state and local partners have asked CISA to permit states to invest grant monies in managed services that can be shared across localities, rather than handing all of the local funding allotments directly to municipalities.
There’s no verdict on it yet: Clark said CISA is considering the suggestion and will clearly detail acceptable uses of the grants when it releases the final notice.
START HERE: PLANNING COMMITTEES
Some states are already planning how they might use the forthcoming grants, while others may have yet to begin.
Clark said some states likely will be forming new planning committees designed around utilizing the cybersecurity monies, while others might tweak existing grant management bodies to meet these particular requirements — the grant program stipulates, for example, that at least 50 percent of state planning committee members bring cyber or IT backgrounds.
Whether the committees are already formed, just emerging or to be made, local governments need to be sure they understand how their state will handle it and that they’re part of these groups or at least have their ear. Clark noted that states will be allowed to use grants to support creating these committees.
“Do not wait for the Notice of Funding Opportunity to come out to start asking some of those questions of the state,” Clark said.
Ottun spoke similarly, “It’s really important for us to be at the table as they’re making decisions [at the state level] about disseminating the funds, so that they’re not allocating in areas that we don’t need.”
Massachusetts is among those who’ve already been working to identify prospective grant funding areas. The state is waiting to see the notice until it forms a committee, but looking at the legislation behind the grant has given state officials a rough understanding of the kinds of activities that will be supported and allowed them to tentatively plan.
The commonwealth has an existing program for providing supports and advice to localities to help them meet a certain cybersecurity baseline. Officials have been considering how funding infusions in the anticipated cybersecurity categories could further support these goals and allow them to expand the program’s scope.
“Once we get the planning guidance in place from the NOFO, we’ve got at least a draft of where we are and where we might potentially go,” Helm said.