A billion dollars for local-government cybersecurity—Will they ever see it?

Remember the fanfare upon learning of the passage of the bipartisan Infrastructure Investment and Jobs Act (IIJA) signed into law in November 2021? One billion dollars targeted state, local, tribal and territorial (SLTT) with a cyber grant program within the Cybersecurity and Infrastructure Security Agency (CISA) over four years. After the bill’s passage came the “great wait” and it wasn’t until 10 months later in September 2022, when CISA issued its 96+ page rules for implementation. During this time, it appeared that the rules were being drafted without any input from those representing state and local governments. Sadly, the final result tends to prove this.

Sifting through the main and supporting documents reveals a brilliant set of requirements that when taken together present the very best in cybersecurity planning and best practices. At the same time the rules’ complexity and built-in roadblocks lead one to conclude that it is highly unlikely small and medium-sized local government will ever see a penny, despite their well-documented needs. In other words, the rules’ brilliance in substance is offset by its seemingly complete lack of understanding of the overall targeted audience. To make matters worse, CISA has tasked FEMA, an agency with little to no on-going relationships with local government tech folks, to be the administrative body everyone is supposed to interact with.

So now we are at the beginning of 2023 as cyber threats are only increasing, each state is to develop its own plan. This is just the first hurdle, and not an unreasonable one. But why did everyone have to wait nearly a year only to learn that there needed to be detailed plans? Entities are required to show in their applications that they will implement projects that will further a list of core objectives. Each project must include a project schedule with clearly defined milestones that also clearly aligns with each entity’s Cybersecurity Plan. The four core objectives are: Cyber Incident Response, Testing and Evaluation, Cyber Risk Protections, and Workforce Initiatives. Next there are 15 required elements that each applicant must address. And finally, there are seven tactical areas that need to be addressed in each local government application:

• Implement multi-factor authentication capabilities
• Implement enhanced logging capabilities
• Data encryption for data at rest and in transit
• End the use of unsupported/end-of-life hardware and software
• Prohibit the use of known/fixed/default passwords and credentials
• Ensure the ability to reconstitute systems through backups
• Complete migration to the .gov internet domain

Very few small to medium-sized local governments have the staff capacity to even apply for any such grant, let alone implement and pay for it. Yes, there is a matching funds requirement, too.

Many senior local government tech managers have dismissed the program outright due to its complexity, available capacity, short- and long-term funding considerations, and the accompanying red tape reporting requirements.

To read the complete article, visit American City & County.