Considerations for Developing a Compliant Cybersecurity Plan (BIL 2022)
The Bipartisan Infrastructure Law includes funding for activities that will guard the nation’s critical infrastructure from cyberattacks. One large new program is the State and Local Cybersecurity Grant Program. This grant program will provide total funding of $1 billion, spread over FY 2022 through FY 2025, for state governments to develop, revise, and implement Cybersecurity Plans or to address imminent cybersecurity threats.
State governments can be soft targets for malicious adversaries due to aging systems and a lack of necessary security safeguards and skilled cybersecurity resources. Many state governments operate on a variety of different technology platforms, use both modern and legacy information systems, and struggle to find the necessary funding to address their critical priorities. The funding included in the Infrastructure Bill for Cybersecurity Plans will allow state governments to develop and implement comprehensive cybersecurity plans and mitigate security risks.
State governments must consult with and receive feedback from local governments within their jurisdictions to align the state’s Cybersecurity Plan with the needs of local governments. It also appears that the State and Local Cybersecurity Grant Program intends for states to pass some of the funding, in the form of grants, to local governments within their jurisdictions. This would help local governments implement their own cybersecurity initiatives and adopt best practices and methodologies to enhance their security measures. Details on the methodologies and requirements for this distribution are not available in the current legislation.
Required Cybersecurity Plans
The State and Local Cybersecurity Grant Program requires states to develop comprehensive cybersecurity plans. These plans must describe the steps the government will take to implement a process of continuous cybersecurity vulnerability assessments and threat mitigation.
Essential Plan Components
Cybersecurity Plans must describe how the state will address 16 different elements of cybersecurity. These elements include:
Development of Cybersecurity Plans will provide state governments with the long-needed framework to comprehensively assess and address the realities of their current security position, identify a target future state, and design a prioritized roadmap to “level up” their existing security posture.
Full Inventory and Assessment
States should begin developing their cybersecurity plans by creating an inventory of the people, processes, and technology assets (systems, applications, and tools) that make up their technology footprint. This process is as much about business as technology—cybersecurity risks come not just from the key government information systems used daily, but also from legacy and less-used systems that may hold highly sensitive data yet fall under the radar when only critical IT systems are considered. The asset discovery process gives the state crucial data on which technologies and applications are in use, what interdependencies exist between these assets, and how these technologies fit into broader business processes. The resulting current-state assessment is a full inventory of assets, a map linking business functions to technology applications and systems, and the dependencies and criticalities of each.
Once a full view of the applications, their business roles, and their sensitive data is available, states should identify and prioritize the risks associated with these systems. By analyzing the inventory of assets, dependencies, and business processes, the state can identify where unnecessary systems increase data risk, where critical legacy systems can be kept on their current technologies with improved security controls, and where system upgrades need to be made.
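The inventory-and-prioritization step described above is easier to reason about with data in hand. The following is an added example, not part of the original document or of any Guidehouse methodology: it takes a constructed (hypothetical) asset inventory and business-function map, propagates each business function's criticality through the dependency chain so that shared back-end systems inherit the criticality of what relies on them, and then flags the legacy systems holding highly sensitive data that a critical-systems-only review would miss. All asset names, owners, and the scoring formula are assumptions made for illustration.

```python
"""Asset inventory triage: link systems to business functions, propagate
criticality through dependencies, and surface sensitive legacy systems.

Added example; not from the original document. All names and scores below
are constructed sample data (hypothetical), not a real state's inventory.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Asset:
    name: str
    owner: str                 # business unit accountable for the asset
    legacy: bool               # runs on unsupported / end-of-life technology
    sensitivity: int           # 0 (public) .. 3 (highly sensitive data)
    depends_on: List[str] = field(default_factory=list)


# Constructed sample inventory (hypothetical asset names).
INVENTORY: Dict[str, Asset] = {a.name: a for a in [
    Asset("benefits-portal", "Health Services", False, 3, ["eligibility-db", "identity-svc"]),
    Asset("eligibility-db", "Health Services", True, 3, ["mainframe-batch"]),
    Asset("identity-svc", "Central IT", False, 2, []),
    Asset("mainframe-batch", "Central IT", True, 3, []),
    Asset("parks-reservations", "Parks", False, 1, ["identity-svc"]),
    Asset("hr-archive", "Human Resources", True, 3, []),   # rarely used, very sensitive
]}

# Business functions mapped to the systems that deliver them, with the
# criticality the business assigns (1 low .. 3 mission critical).
BUSINESS_FUNCTIONS: Dict[str, Tuple[int, List[str]]] = {
    "Pay health benefits": (3, ["benefits-portal"]),
    "Reserve park facilities": (1, ["parks-reservations"]),
    "Respond to HR records requests": (1, ["hr-archive"]),
}


def transitive_dependencies(inventory: Dict[str, Asset], root: str) -> Set[str]:
    """All assets `root` relies on, directly or indirectly (cycle-safe)."""
    seen: Set[str] = set()
    stack = list(inventory[root].depends_on)
    while stack:
        name = stack.pop()
        if name in seen or name not in inventory:
            continue
        seen.add(name)
        stack.extend(inventory[name].depends_on)
    return seen


def effective_criticality(inventory, functions) -> Dict[str, int]:
    """Criticality each asset inherits: the highest criticality of any business
    function that depends on it, directly or through other assets."""
    crit = {name: 0 for name in inventory}
    for _, (level, systems) in functions.items():
        for root in systems:
            for name in {root} | transitive_dependencies(inventory, root):
                crit[name] = max(crit[name], level)
    return crit


def flag_under_the_radar(inventory, crit, min_sensitivity: int = 3) -> List[str]:
    """Legacy systems holding highly sensitive data whose inherited criticality
    is low: the assets a review limited to critical IT systems would skip."""
    return sorted(
        name for name, a in inventory.items()
        if a.legacy and a.sensitivity >= min_sensitivity and crit[name] <= 1
    )


def prioritize(inventory, crit) -> List[Tuple[int, str]]:
    """Rank assets by a simple risk score (assumed formula): sensitivity times
    inherited criticality, plus an uplift for legacy technology."""
    scored = [
        (a.sensitivity * max(crit[name], 1) + (2 if a.legacy else 0), name)
        for name, a in inventory.items()
    ]
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    crit = effective_criticality(INVENTORY, BUSINESS_FUNCTIONS)
    print("Inherited criticality:", crit)
    print("Under-the-radar sensitive legacy systems:", flag_under_the_radar(INVENTORY, crit))
    for score, name in prioritize(INVENTORY, crit):
        print(f"{score:>3}  {name}")
```

Two things the sample data brings out: the mainframe batch system appears in no business function's list, yet inherits mission-critical status because the benefits portal depends on it through the eligibility database; and the HR archive, which no critical process touches, is exactly the sensitive legacy system that falls under the radar unless sensitivity is assessed independently of criticality.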
Aligning Systems and Best Practices
Knowing current systems, integrations, and criticalities allows states to identify and apply the leading practices in cybersecurity to prevent, monitor, and detect threats. Whether the threat is a ransomware attack, data breach, or any one of the numerous other potentially devastating attacks, states can identify an appropriate future state by adopting leading cybersecurity practices. Some standards that states should incorporate into their cybersecurity planning include National Institute of Standards and Technology (NIST) SP 800-34, Revision 1 – Contingency Planning Guide for Federal Information Systems, ISO 22301: Business Continuity Management, as well as best practices and methodologies from other NIST standards, such as the Risk Management Framework, Cyber Supply Chain Risk Management, and National Initiative for Cybersecurity Education Workforce Framework.
The State and Local Cybersecurity Grant Program provides an opportunity for states to approach their cybersecurity posture holistically and proactively. What has often been a piecemeal approach for many states—upgrading security for new systems without considering the security of the legacy systems the new system integrates with—can now be done enterprise-wide. The required Cybersecurity Plan presents significant data-gathering and assessment challenges to state IT agencies, but it also presents a rare opportunity to create and execute a strategy with substantial, dedicated federal funds.
Guidehouse Cybersecurity Expertise
The Guidehouse State and Local Government Cybersecurity practice has the experience and expertise to help states take full advantage of the opportunities presented by the State and Local Cybersecurity Grant Program. Our capabilities include the full suite of services necessary to develop a Cybersecurity Plan, including: