The Department of Homeland Security (DHS) on September 16, 2022 announced a first-of-its-kind cybersecurity grant program specifically for state, local, and territorial (SLT) governments across the country with funding in the amount of $200 million for Fiscal Year (FY) 2022, $400 million for FY 2023, $300 million for FY 2024, and $100 million for FY 2025.
Stated by legislation, the ultimate goal of the program will be to award grants to address cybersecurity risks and threats to information systems owned or operated by, or on behalf of, State, local, tribal, and territorial (SLTT) governments.
Cybersecurity grant program objective
The goal of the grant program is to assist SLTT governments in managing and reducing systemic cyber risks. CISA has established four discrete, but interrelated objectives to accomplish this:
- Governance and Planning: Develop and establish appropriate governance structures, as well as plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations.
- Assessment and Evaluation: Identify areas for improvement in SLTT cybersecurity posture based on continuous testing, evaluation, and structured assessments.
- Mitigation: Implement security protections commensurate with risk, using the best practices as described in element 5 of the required 16 elements of the cybersecurity plans and those further listed in the NOFO.
- Workforce Development: Ensure organization personnel are appropriately trained in cybersecurity, commensurate with their responsibilities as suggested in the National Initiative for Cybersecurity Education.
Priorities of the program in the first year
The focus in the first year is to establish a strong foundation on which to build a sustainable cybersecurity program. Initial priorities all of which are statutory conditions for receiving a grant, include the following:
- Establish a Cybersecurity Planning Committee that can lead entity-wide efforts
- Develop a Cybersecurity Plan that addresses the entire jurisdiction and incorporates cybersecurity best practices
- Conduct assessments and evaluations to identify gaps that can be mitigated by individual projects throughout the life of the grant program
16 Required Elements for Cybersecurity Plan
The Cybersecurity Plan should establish high level goals and finite objectives to reduce specific cybersecurity risks across the eligible entity. Below are the 16 required cybersecurity plan required elements:
|1. Manage, monitor, and track information systems, applications, and user accounts
|2. Monitor, audit, and track network traffic and activity
|3. Enhance the preparation, response, and resiliency of information systems, applications, and user accounts
|4. Implement a process of continuous cybersecurity risk factors and threat mitigation. practices prioritized by degree of risk
|5. Adopt and use best practices and methodologies to enhance cybersecurity (references NIST)
|6. Promote the delivery of safe, recognizable, and trustworthy online services, including using the .gov internet domain
|7. Ensure continuity of operations including by conducting exercises
|8. Identify and mitigate any gaps in the cybersecurity workforces, enhance recruitment and retention efforts, and bolster the knowledge, skills, and abilities of personnel (reference to NICE Workforce Framework for Cybersecurity)
|9. Ensure continuity of communications and data networks in the event of an incident involving communications or data networks
|10. Assess and mitigate, to the greatest degree possible, cybersecurity risks and cybersecurity threats relating to critical infrastructure and key resources, the degradation of which may impact the performance of information systems within the jurisdiction of the eligible entity
|11. Enhance capabilities to share cyber threat indicators and related information between the eligible entity and the Department
|12. Leverage cybersecurity services offered by the Department
|13. Implement an information technology and operational technology modernization cybersecurity review process that ensures alignment between information technology and operational technology cybersecurity objectives
|14. Develop and coordinate strategies to address cybersecurity risks and cybersecurity threats
|15. Ensure rural communities have adequate access to, and participation in plan activities
|16. Distribute funds, items, services, capabilities, or activities to local governments
Best Practices and Methodologies
Most SLTT governments are required to eventually adopt specific best practices and ensure it meets certain criteria. In addition to the 16 required elements, the Cybersecurity Plan must discuss the below seven best practices:
- Implementing Multi-factor authentication
- Implement Enhanced logging
- Data encryption for data at rest and in transit
- End use of unsupported/end of life software and hardware that are accessible from the Internet
- Prohibit use of known/fixed/default passwords and credentials
- The ability to reconstitute systems (backups)
- Migration to the .gov internet domain
States cannot receive funds until they have established a statewide cybersecurity plan to guide their efforts, and ensure it meets certain criteria. As part of the grant application the Cybersecurity Plans must be approved by the CIO, CISO or similar role and by a cybersecurity planning committee that have professional experience in cybersecurity or information technology. If an entity is applying for grant funds to develop a Cybersecurity Plan, the plan is not required to be submitted as part of the FY 2022 application, but must be submitted for DHS review and approval by September 30, 2023.
Implement a process of continuous cybersecurity remediation
In order to prioritize remediation efforts, develop a Cybersecurity Plan that addresses the entire jurisdiction and incorporates a hardening automation platform. CalCom Hardening Automation Suite- (CHS) ensures that your servers are constantly hardened and secured while maintaining the servers availability and saving security operations administrators a tremendous amount of time.