State and Local Cybersecurity Grant Program (Infrastructure Bill, 2021)
Considerations for Developing a Compliant Cybersecurity Plan
Authored by: Zeshta Bhat and Hillary Thompson
On August 10, 2021, the US Senate passed the $1 trillion Infrastructure Investment and Jobs Act (Infrastructure Bill). This Infrastructure Bill, currently awaiting House action, includes funding for activities that will guard the nation’s critical infrastructure from cyberattacks. One large new program is the State and Local Cybersecurity Grant Program. This grant program will provide total funding of $1 billion, spread over FY 2022 through FY 2025, for state governments to develop, revise, and implement Cybersecurity Plans or to address imminent cybersecurity threats.
State governments can be soft targets for malicious adversaries due to aging systems and a lack of necessary security safeguards and skilled cybersecurity resources. Many state governments operate on a variety of different technology platforms, use both modern and legacy information systems, and struggle to find the necessary funding to address their critical priorities. The funding included in the Infrastructure Bill for Cybersecurity Plans will allow state governments to develop and implement comprehensive cybersecurity plans and mitigate security risks.
State governments must consult with and receive feedback from local governments within their jurisdictions to align the state’s Cybersecurity Plan with the needs of local governments. It also appears that the State and Local Cybersecurity Grant Program intends that states pass some of the funding in the form of grants to local governments within their jurisdictions. This would help local governments implement their own cybersecurity initiatives and adopt best practices and methodology to enhance their security measures. Details on methodologies and requirements for this distribution are not available in the current legislation.
Required Cybersecurity Plans
The State and Local Cybersecurity Grant Program requires states to develop comprehensive cybersecurity plans. These plans must describe the steps the government will take to implement a process of continuous cybersecurity vulnerability assessments and threat mitigation.
Essential Plan Components
Cybersecurity Plans must describe how the state will address 16 different elements of cybersecurity. These elements include:
How the state will manage, monitor, and track information systems, applications, and user accounts owned or operated by the state government. This covers all state information systems, including legacy information systems and IT no longer supported by the manufacturer of the systems or technology.
How the state will monitor, audit, and track network traffic and activity traveling to or from information systems, applications, and user accounts.
How the state will enhance the preparation, response, and resiliency of information systems, applications, and user accounts against security risks and cybersecurity threats.
How the state will implement a process of continuous cybersecurity vulnerability assessments and threat mitigation practices prioritized by degree of risk, to address cybersecurity risks and cybersecurity threats on information systems, applications, and user accounts.
Development of Cybersecurity Plans will provide state governments with the long-needed framework to comprehensively assess and address the realities of their current security position, identify a target future state, and design a prioritized roadmap to “level up” their existing security posture.
Full Inventory and Assessment
States should begin development of their cybersecurity plan by creating an inventory of the people, processes, and technology assets (systems, applications, and tools) that make up their technology footprint. This process is as much about business as technology—cybersecurity risks come not just from key government information systems used daily, but also through legacy and less-used systems that may contain highly sensitive data but fly under the radar when only critical IT systems are considered. The asset discovery process provides the state with crucial data on what technologies and applications are in use, what interdependencies exist between these assets, and how these technologies fit into broader business processes. The resulting current state assessment is a full inventory of assets, a map linking business functions to technology applications and systems, and their dependencies and criticalities.
Once a full view of the applications, their business roles, and their sensitive data is available, states should identify and prioritize risks associated with these systems. By analyzing the inventory of assets, dependencies, and business processes, the state can identify where unnecessary systems increase data risk, where critical legacy systems can be maintained in their current technologies with improved security controls, and where system upgrades need to be made.
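The inventory-to-prioritization process described in the two paragraphs above can be made concrete in a small script. The following is an added illustration, not code from the original brief or from Guidehouse: it models a constructed inventory of a few state systems and business functions, propagates business criticality down the dependency chain so that an unsupported legacy database that no business owner names directly still inherits the criticality of the benefits process that silently depends on it, scores each asset on criticality, vendor support, and sensitive data, and flags assets no business function uses as decommissioning candidates. The asset names, scoring weights, and criticality scale are all assumptions chosen for the example.

```python
"""Toy asset inventory with dependency mapping and risk prioritization.

Added example; the inventory, business functions and scoring weights are
constructed for illustration and are not taken from any real state.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    owner: str                      # business unit responsible for the asset
    vendor_supported: bool          # False = end-of-life / legacy
    sensitive_data: bool            # holds PII, health, or financial data
    depends_on: list[str] = field(default_factory=list)


@dataclass
class BusinessFunction:
    name: str
    criticality: int                # assumed scale: 1 = low, 3 = mission critical
    uses: list[str]                 # assets the business owner knows about


# Constructed sample inventory. Note that the eligibility database and the
# mainframe batch job are never named by a business owner; they surface only
# through the dependency map.
INVENTORY: dict[str, Asset] = {
    "benefits_portal": Asset("benefits_portal", "Human Services", True, True,
                             ["eligibility_db", "idp"]),
    "eligibility_db": Asset("eligibility_db", "Human Services", False, True,
                            ["mainframe_batch"]),
    "mainframe_batch": Asset("mainframe_batch", "Central IT", False, True),
    "idp": Asset("idp", "Central IT", True, False),
    "legacy_survey_tool": Asset("legacy_survey_tool", "Health", False, True),
    "public_website": Asset("public_website", "Communications", True, False),
}

FUNCTIONS: list[BusinessFunction] = [
    BusinessFunction("Pay benefits", 3, ["benefits_portal"]),
    BusinessFunction("Publish public information", 1, ["public_website"]),
]


def propagate_criticality(assets: dict[str, Asset],
                          functions: list[BusinessFunction]) -> dict[str, int]:
    """Each asset inherits the highest criticality of any business function
    that relies on it, directly or transitively through depends_on."""
    crit = {name: 0 for name in assets}
    for fn in functions:
        stack, seen = list(fn.uses), set()
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            crit[name] = max(crit[name], fn.criticality)
            stack.extend(assets[name].depends_on)
    return crit


def risk_score(asset: Asset, criticality: int) -> int:
    """Assumed additive scoring: business criticality plus fixed penalties
    for lack of vendor support and for holding sensitive data."""
    score = criticality
    if not asset.vendor_supported:
        score += 2
    if asset.sensitive_data:
        score += 2
    return score


def prioritize(assets: dict[str, Asset],
               functions: list[BusinessFunction]) -> list[tuple[str, int, int]]:
    """Return (asset, inherited criticality, risk score), highest risk first."""
    crit = propagate_criticality(assets, functions)
    ranked = sorted(assets.values(),
                    key=lambda a: risk_score(a, crit[a.name]), reverse=True)
    return [(a.name, crit[a.name], risk_score(a, crit[a.name])) for a in ranked]


def orphaned_assets(assets: dict[str, Asset],
                    functions: list[BusinessFunction]) -> list[str]:
    """Assets no business function reaches: candidates for decommissioning,
    which removes their data risk entirely instead of securing them in place."""
    crit = propagate_criticality(assets, functions)
    return sorted(name for name, c in crit.items() if c == 0)


if __name__ == "__main__":
    for name, c, score in prioritize(INVENTORY, FUNCTIONS):
        print(f"{name:20s} criticality={c} risk={score}")
    print("decommission candidates:", orphaned_assets(INVENTORY, FUNCTIONS))
```

Run as written, the two unsupported systems behind the benefits portal rank above the portal itself even though no business owner listed them, and the unused survey tool holding sensitive data is reported separately as a decommissioning candidate rather than being ranked alongside systems the state actually needs.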
Aligning Systems and Best Practices
Knowing current systems, integrations, and criticalities allows states to identify and apply the leading practices in cybersecurity to prevent, monitor, and detect threats. Whether the threat is a ransomware attack, data breach, or any one of the numerous other potentially devastating attacks, states can identify an appropriate future state by adopting leading cybersecurity practices. Some standards that states should incorporate into their cybersecurity planning include National Institute of Standards and Technology (NIST) SP 800-34, Revision 1 – Contingency Planning Guide for Federal Information Systems, ISO 22301: Business Continuity Management, as well as best practices and methodologies from other NIST standards, such as the Risk Management Framework, Cyber Supply Chain Risk Management, and National Initiative for Cybersecurity Education Workforce Framework.
The State and Local Cybersecurity Grant Program provides an opportunity for states to approach their cybersecurity posture holistically and proactively. What has often been a piecemeal approach for many states—upgraded security for new systems, but without considering the security of legacy systems the new system integrates with—can now be done enterprise wide. The required Cybersecurity Plan presents significant data-gathering and assessment challenges to state IT agencies, but also presents a rare opportunity to create and execute on a strategy with substantial, dedicated federal funds.
Guidehouse Cybersecurity Expertise
The Guidehouse State and Local Government Cybersecurity practice has the experience and expertise to help states take full advantage of the opportunities presented by the State and Local Cybersecurity Grant Program. Our capabilities include the full suite of services necessary to develop a Cybersecurity Plan, including:
Developing a technology asset inventory, because systems are only as strong as their weakest link. We know how to work with business stakeholders to identify how systems and processes are operationalized.
Conducting cybersecurity risk assessments to identify and prioritize risks, their likelihood of occurring, and what damage they could do. Once prioritized, we advise our clients on mitigating threats, engaging with all stakeholders.
Implementing controls to enforce security policies, such as data encryption, zero-trust architecture (through identity and access management and privileged access management), automated security monitoring and auditing, and intrusion detection and prevention systems.
Helping clients assess, build, enhance, and maintain their data protection and privacy programs using our regulatory expertise, combined with our data protection and technical cybersecurity knowledge.
Detecting security weaknesses in high-value information and business technology assets through vulnerability testing, providing recommendations for remediation, and defining risk acceptance processes.
Assisting agencies in planning for and responding to security incidents by conducting business impact analyses, developing disaster recovery plans, and developing incident response strategies.