On September 16, 2022, the Department of Homeland Security (DHS), via the Cybersecurity and Infrastructure Security Agency (CISA), announced the State and Local Cybersecurity Grant Program (SLCGP) in the Fiscal Year 2022 (FY22) Notice of Funding Opportunity (NOFO). This program, which is part of the Infrastructure Investment and Jobs Act (IIJA), is targeted toward state, local, and territorial governments and provides a total of $1 billion in funding, with $185 million appropriated for FY22. The funding is distributed among states and territories, which must pass through at least 80 percent of it to local units of government.
With FY22 SLCGP funding now available, state, local, and territorial governments should consider how they will use this funding to enhance their cybersecurity. CISA identifies three priority areas for the first year of the program:
- Establish a Cybersecurity Planning Committee that can lead entity-wide efforts;
- Develop a Cybersecurity Plan that addresses the entire jurisdiction and incorporates cybersecurity best practices; and
- Conduct assessments and evaluations to identify gaps that can be mitigated by individual projects throughout the life of the grant program.
Using these priority areas as a foundation, Hagerty offers the following recommendations for starting strong with the SLCGP and setting your organization up for success in cyber resilience.
(Image: State and Local Cybersecurity Program. Source: CISA)
Launch Robust Stakeholder Engagement
The SLCGP requires applicant entities to establish a Cybersecurity Planning Committee to direct funding investments, project prioritization, and funding strategy. This group must include representatives from the applicant entity, the Chief Information Officer, local government, public education and health institutions, and rural, suburban, and high-population jurisdictions. In addition to these required participants, Hagerty recommends engaging cyber response partners, such as private sector information technology (IT) firms, regional governing bodies, military and law enforcement representatives, and critical infrastructure representatives.
While the grant requires a Cybersecurity Planning Committee at the state or territory level, local jurisdictions should also consider their own stakeholder engagement needs to support grant execution. Local jurisdictions can form their own planning teams or response groups to organize and coordinate grant-funded activities. Local jurisdictions should seek to engage a diverse set of cyber response partners, including local governmental agencies and elected officials.
Grant recipients at all levels can use robust stakeholder engagement to support successful grant implementation. By connecting key players, organizations can create avenues for information sharing and collaboration. State, territorial, and local governments should consider setting expectations and rules of engagement for their stakeholder groups early in the process to foster mutual understanding of goals, responsibilities, and procedures for the group. This may include establishing regular steady-state meetings, creating a standing meeting agenda, and setting up a digital document-sharing repository.
Establish and Expand Cyber Plans
An approved Cybersecurity Plan is one of the requirements of the SLCGP. However, applicants that do not already have one in place may use FY22 funding to develop it. A well-developed cybersecurity strategic plan helps ensure that grant funding is spent where it has the greatest effect. These Cybersecurity Plans must include the 16 required elements outlined in the NOFO and should include investment justifications for all grant-funded projects. State and territorial governments without an actionable cybersecurity strategic plan should take advantage of this opportunity to develop one. Strategic planning provides a unique opportunity to establish a desired end state for cybersecurity and identify concrete action steps to make progress toward that end state.
If your organization already has a strategic plan in place, you may consider expanding your current plans or developing new plans to support cyber preparedness, response, and recovery using best practices. This may include cyber continuity of operations plans and plans for specific types of cyber events, such as ransomware or a data breach. By starting with planning, organizations can help ensure they get the most value from their grant funding and develop planning products that reflect current best practices.
Conduct Assessments to Kickstart a Path Forward
Once organizations have their stakeholder groups and planning frameworks in place, they should consider conducting assessments and evaluations. Assessments are a key component of cybersecurity strategic plans, and it is likely that other work steps and projects will be dependent on the results of these assessments. By starting efforts with assessments and evaluations, organizations will receive critical data and insights into next steps, gaps, and capabilities that can inform activities for the remainder of the period of performance.
In addition to traditional vulnerability assessments, organizations should consider a broad range of assessment types to gather a comprehensive view of their capabilities and needs. This should include both technical and non-technical assessments, such as organizational capacity assessments, general cybersecurity preparedness assessments, and policy and governance assessments. By prioritizing these assessment processes, organizations can help ensure their grant-funded activities are backed by data from their own environment, and that projects provide the most value for the grant funding.
Hagerty Can Help
Hagerty’s team of professionals has experience managing and coordinating federal grant programs, as well as coast-to-coast experience in state and local cybersecurity. The Hagerty team is available to support state, territorial, and local governments with SLCGP-funded projects, including stakeholder engagement, cybersecurity planning, and cybersecurity assessments.
_________________________________________________________________________________________
Erin Bajema is an emergency management professional with experience supporting several areas of emergency preparedness as an analyst, planner, evaluator, and instructional systems designer. Ms. Bajema has served on projects in a diverse range of subjects, including disaster recovery planning, housing, continuity of operations, active threat, energy resilience, and cybersecurity.