Disaster Discourse: The Hagerty Blog

Five Ways to Meet the New UASI & SHSP Cyber Requirements

In May of 2018, the Homeland Security Grant Program (HSGP) announced new requirements related to cybersecurity in their Fiscal Year 2018 (FY 2018) Notification of Funding Opportunity (NOFO). These new requirements apply to the more the nearly $1 billion grant money available through the Urban Area Security Initiative (UASI) and State Homeland Security Program (SHSP). They reinforce the importance of cybersecurity and the role that emergency managers have in preparing for and responding to cyber-incidents.

The FY 2018 NOFO stipulates that all applicants must include at least one cyber project in their investment justification in order to be eligible for a UASI or SHSP grant. These projects, like all HSGP-funded projects, must support the security and functioning of critical infrastructure and core preparedness capabilities relating to terrorism.  Further, recipients of UASI and SHSP grants must include Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) in their Senior Advisory Committees and Urban Area Working Groups. This gives cybersecurity experts more say in decisions about where grant funding is allocated on the state and local levels.

Based on these new requirements and the importance of cybersecurity, it is more important than ever that emergency management and information technology communities work together to create a collaborative synergy with clearly defined roles and responsibilities. Hagerty’s Cyber Nexus Approach (CNA) advocates a collaborative, holistic methodology to cyber program management in order to meet the growing challenge that cyber threats pose.

The following are five key ways that UASI and SHSP applicants can meet the NOFO cyber requirements, no matter where your organization is in its journey toward cybersecurity.

1. Strategic Planning

Does your organization have a vision for cybersecurity? Strategic planning encourages organizations to identify priorities, visions for success, and goals to outline a clear and intentional path forward. This process incorporates multiple components from strategic visioning to benchmarking, and results in a highly tailored based on the individual strengths, needs, and vulnerabilities of each organization. Not only does this meet the UASI and SHSP grant requirement, but it also gives your organization a clear set path for the future. Strategic planning services can include strategic visioning, benchmarking, discovery change workshops, and more. Strategic planning answers the questions: Where are you? Where do you want to be? How do we get there?

2. Assessments

Do you know your weak spots? If you’ve already established a strategy for your cyber efforts, assessments may be the next step. Assessments are another way to identify strengths and gaps in your organization’s cyber capabilities and defenses. Evaluating your organization’s readiness and infrastructure before a cyber incident can help identify improvement areas without the risk of a real cyber incident. Experienced planners and subject matter experts can help inform readiness assessments and gap analyses. Readiness assessments are formal evaluations of emergency preparedness programs that provide in-depth analysis of existing capabilities and identify areas for improvement to better protect against a cyber incident. Gap analyses evaluate current program capabilities against national best practices, such as those established by the National Institute for Science and Technology (NIST) or the National Association of State Chief Information Officers (NASCIO). The output or deliverable for this process is a detailed report that can help your organization in their strategic planning processes. An in-depth assessment answers the questions: What are my strengths? Where are my greatest weaknesses? And what are the risks?

3. Operational Planning

What will you do when a cyber incident happens?  Developing cyber plans creates a common operating picture among the diverse stakeholders cyber incidents involve. By establishing a plan that designates operational procedures, a clear organizational structure, and coordination, organizations can help ensure their vision for cybersecurity is put into action. The planning process itself is also an opportunity for key stakeholders to build relationships and collaborate to identify their needs and values. There are a number of different types of operational planning that can help guide response and recovery actions during a cyber incident, including continuity of operations planning (COOP), Cyber Disruption Team planning, and cyber-incident response planning. This planning process answers the questions: What needs to be done? And who is doing it?

4. Training

Is your team ready for a cyber incident? An important step to making plans actionable is making sure cyber teams understand what they are and how to use them. Training provides stakeholders with the tools they need to understand cyber incidents and how to respond and recover from them. Engaging the team members that will be involved in cyber response and recovery can also be a way to test whether your existing plans are functional, additionally it will help identify strengths and gaps. Creating and implementing effective cyber-response training ensures that personnel are familiar with established procedures and are equipped to be able to fulfil their responsibilities in response to an incident. Effective training answers the question: What are the personnel responsibilities and resources for effectively managing and responding to an incident?

5. Exercising

Have you tested your plans? Exercising takes the lessons learned in training and brings them into the real world. Table-top, functional, and full-scale exercises such as cyber disruption exercises all provide avenues to discovering what your organization does well and where it can improve. Implementing regular exercises can be a way to identify gaps and provide stakeholders with the opportunity to “test run” a cyber incident. Cyber disruption exercises are an effective way to test an organization’s capabilities and determine how you can build better cybersecurity. Exercises answer the questions: Are my plans adequate? And do personnel have a clear understanding of responsibilities?

Hagerty is prepared to help your organization meet these requirements to enable UASI and SHSP funding, or to build cybersecurity capabilities outside the context of HSGP. Using our innovative Cyber Nexus Approach, Hagerty leverages subject matter expertise and experience planning with states across the country to bring diverse stakeholders together and build organized, effective cyber operations. To learn more about our cybersecurity services, contact Kayla Slater, lead for the cybersecurity portfolio.