State officials said this week that they are balancing centralized and decentralized distribution approaches as they try to put money from the Federal government’s State and Local Cybersecurity Grant Program (SLCGP) to work for them.
During a GovExec event on Aug. 20, state officials said that those varying approaches to using funding provided by the SLCGP has benefitted otherwise under-resourced local governments as they try to improve cybersecurity.
Established as a part of the Infrastructure Investment and Jobs Act of 2021, SLCGP provides $1 billion in funding over four years. Of that total, at least 80 percent must be provided to local governments in the form of cash and shared services. The grant program aims to achieve a “whole-of-state cybersecurity approach.”
The program also requires that a certain percentage of funding be allocated to rural communities. Brian Gardner, the interim chief information officer (CIO) for the city of Dallas, Texas, said that’s an important step to ensure that communities with less resources are also made more secure so that larger security breaches can be prevented.
“Dallas itself is just a small piece of [the Dallas Fort Worth area],” he said, “and making sure that as a big entity that we’re all covered, because if one is compromised, they all can be compromised,” explained Gardner.
Referring to a 2019 ransomware attack on nearly two dozen Texas municipalities, Gardner said, “we saw this with the 22 entities that were compromised in Texas. So really partnering with the smaller entities and making sure that they’re aware and helping them with their programs and making sure they understand this grant can really impact their services is significant.”
Building on centralized services and making local entities aware of resources also has been helpful, said Alyssa Zeutzius, the state of New York’s deputy chief cyber officer for policy.
New York has used the Federal grant program to help build upon a smaller cybersecurity grant program offered by the state for county governments, and she said that New York has leveraged “internal communications and our collaboration that we’ve done on some of our shared services programs” as part of the planning process for SLCGP.
Common cybersecurity funding requests received from local governments include network monitoring, hardware updates, mobile device monitoring, and management, said Zack Hudgins, the state of Washington’s privacy manager. He said the state decided to provide funding to local governments directly instead of investing in services, which has resulted in a “real oversubscription” of funding requests versus the total funding available.
“I think the most valuable piece of that whole [planning] process was the assessment, because it gave us a real sort of first view, in many ways, of how many jurisdictions were in the National Cybersecurity Review, how many folks knew about the CISA [Cybersecurity and Infrastructure Security Agency] tools and were using them,” said Hudgins.
“So just that first glance of an assessment process was probably the most valuable for our planning committee, because then they could target resources,” he said. “So, it was very thorough. It was a lot, but it was all worthwhile.”
Hudgins said that ongoing planning efforts include monitoring which projects are doing well, dealing with staffing issues and vendor timelines out of the 252 programs that have received SLCGP funding, and building centralized services.
Other states, like Texas, have provided local governments with centralized services instead of direct funding.
“The state of Texas didn’t allocate money to the local municipalities, and that was okay by us, they took the approach of offering services for municipalities to sign up for, and that all worked well, and we didn’t take advantage of it,” said Gardner. He explained that Dallas had a “mature” cybersecurity program in place and that governments with less resources benefitted from the services provided through the SLCGP grants.
Other initial planning efforts that the speakers shared included organizing committees with representatives from local governments of all sizes and informing governments about the grant program and its requirements.
Looking to the future, speakers said that they are focused on sustainability beyond the SLCGP grant funding including spending on one-time investments instead of recurring costs; leveraging state-level resources and services through centralized training, certifications, and shared services; and securing ongoing budget support from city councils and leadership to prioritize cybersecurity funding in regular budgets.