On September 16, the U.S. Department of Homeland Security (DHS) and Federal Emergency Management Agency (FEMA) announced the a Notice of Funding Opportunity (NOFO) for the State and Local Cybersecurity Grant Program (SLCGP), which is funded by the Bipartisan Infrastructure Law (BIL). The SLGCP provides a total of $1 billion in funding over the next four years, with a total of $185 million available for Fiscal Year (FY) 2022, to support state and local efforts to address cyber risks to their information systems

KEY POINTS

• The funds are appropriated to FEMA, with the Cybersecurity Infrastructure and Security Agency (CISA) being identified as the subject matter expert. While FEMA will handle administration, CISA will review and approve state submitted plans, as well as serve as a resource for answering questions and guiding states and local government through the process
• The funding that will be available to each state is determined by using a baseline allocation plus a population-based allocation formula. Specific state allocations were updated with minor changes on Oct 7 and can be found here
• 80% must be passed through to local entities within 45 days of a state’s receipt of funds
• 25% of a state’s total allocation must go to rural communities
• Each year will require a cost share or match, of which soft or in-kind expenses are eligible

WHAT CAN THE FUNDING BE USED FOR

The goal of the grant is to assist SLTT governments with managing and reducing systemic cyber risk. At a high level, funding requests can fall under four objectives. Specific eligible cyber areas are referenced in more detail under the plan requirements listed in the next section.

• Objective 1 - Governance & Planning – projects such as the development of the statewide plan
• Objective 2 - Assessment & Evaluation – projects such as cyber security assessments
• Objective 3 - Mitigation – projects such as MFA implementation, enhanced logging, enhancing end user protections, monitoring tools and training and education, elimination of unsupported/end of life software and hardware that are accessible from the internet, migrating to the .gov domain.
• Objective 4 - Workforce Development – identifying and mitigating gaps in the cybersecurity workforce, enhancing recruitment and retention efforts, and bolstering the knowledge, skills, and abilities of personnel

WHAT IS THE ELIGIBLE ENTITY ROLE (STATE ROLE)

To be awarded the funding, each State’s identified State Administrative Agency (SAA) will need to apply for the assistance funds. The state is also required to create a cyber security planning committee consisting of the following membership: the eligible entity, State CIO/CISO or equivalent, Local/counties (if eligible entity is a state), Representatives from varying densities, public education, and public health. 50% of members must have professional experience relating to cybersecurity or information technology. A full list of SAAs and their main contacts can be found here.

The planning committee will be responsible for creating the statewide cybersecurity plan, which must provide an assessment of 16 cyber-specific required and a list of projects being submitted for approval. The 16 required elements focus on a number of areas. Of particular note for county IT leaders are the following best practices and methodologies:

• Implement multi-factor authentication
• Implement enhanced logging
• Implement data encryption for data at rest and in transit
• End use of unsupported/end of life software and hardware that are accessible from the Internet
• Prohibit use of known/fixed/default passwords and credentials
• Ensure the ability to reconstitute systems (backups)
• Migrate to the .gov internet domain

WHAT IS THE COUNTY ROLE

While funding will come to the state and then be distributed to localities based on approved projects, counties represent an integral component. Counties should be assessing and developing strategies for improving cyber defenses. To that end, cross-boundary relationships are critical to the successful implementation of this funding.

• Contact your state association to share your priorities and encourage the state association to strengthen the relationship with the state CIO and CISO and even serve as the local county representative on the planning committee
• Contact your state CISO directly to offer to assistance in providing input to the statewide cyber security plan
• Develop your strategy and project list of cyber priorities. Your county specific plan should be forward thinking and strategically planned over the next four years
• Join, if you are not already, a member of the NACo Tech Xchange. This network of over 900 county IT Leaders serves as an interactive community where NACo posts relevant alerts and resources for counties and where counties share best practices and knowledge on technology topics including cyber

RESOURCES

• Grant Announcement (includes funding allocations by state)
• To contact CISA: SLCGPinfo@cisa.dhs.gov
• To contact FEMA: ASKCSID@fema.dhs.gov
• To contact NACo resources: Rita Reynolds rreynolds@naco.org
• Upcoming FEMA/CISA Outreach Calls to hear updates and ask questions. To register:
  • Tuesday, October 18, 2022, | 3 – 4 p.m. EDT
  • Tuesday, October 25, 2022, | 3 – 4 p.m. EDT
  • Tuesday, November 1, 2022, | 3 – 4 p.m. EDT
  • Tuesday, November 8, 2022, |3 – 4 p.m. EST