Later this fall, officials said, a separate tribal grant program will be unveiled.
A $1 billion federal grant program is being launched to help states and local governments secure their electronic information, the White House said Friday.
The Department of Homeland Security has opened a 60-day application period for states and territories to submit their plans for the four-year initiative. Administration officials said the grants will be administered by the Cybersecurity and Infrastructure Security Agency in conjunction with the Federal Emergency Management Agency, which has long provided DHS funding to states and municipalities.
For the first year of new grants will require an extension
State chief information officers and chief information security officers have been waiting for months for instructions on the grant program. The first year of funding technically covers the federal government’s 2022 fiscal year, which ends on September 30. That wait led Doug Robinson, executive director of the National Association of State Chief Information Officers, to predict in July that an extension would be necessary for the first year of the new grants.
$185 million for FY 2022
In a press conference Thursday, Homeland Security Secretary Alejandro Mayorkas and White House Infrastructure Coordinator Mitch Landrieu said $185 million would be distributed over the next 60 days to cover fiscal 2022. States would be required to include details on how they would allocate at least 80% of the funds to their local governments in their applications for the program.
Later this fall, an administration official said, a separate grant program for tribal governments will be unveiled.
‘A huge challenge’
“Many states and localities contend with unique problems and require assistance in resisting cyber attacks, particularly against nation-state adversaries and well-financed cyber criminals,” Mayorkas said. “Threats take advantage of these limitations and vulnerabilities to attack and inflict devastating damage.”
The secretary outlined several significant ransomware incidents over the last few years, including Atlanta, Baltimore and Tulsa, Oklahoma, last week’s attack on the Los Angeles Unified School District, as well as the one on Friday.
“Effective” implementation of cybersecurity systems
To protect against cyber threats, state, local, tribal and territorial governments currently face an enormous challenge, as exemplified by Hurricane Katrina, Landrieu said. This funding will better protect the most vulnerable communities, ensuring that resource constraints do not prevent them from developing plans to safeguard their critical infrastructure.
State CIOs and CISOs, who’ve had discussions with CISA officials over the past year, should be able to draw up plans. However, states may differ greatly in the plans they develop, although a Biden administration official on the call said the federal government has a few objectives, including “effective” implementation of cybersecurity frameworks like the National Institute of Standards and Technologies. CISA will also be “reliant heavily” on its roster of state coordinators and regional advisors.
The official promised flexibility, too.
FEMA and CISA
“We worked with states, territories, and local communities to give them the right amount of flexibility,” the official said. “We think the program will fit people’s needs.”
FEMA and CISA will jointly review state applications at the end of the 60-day application window, to award funds by the end of the calendar year. But the first year of funding will take a “little different approach,” an official said.
Avery said jurisdictions should be allowed to establish cybersecurity plans before the law kicks off on Jan. 1, 2017.
The grant funds will be used to develop plans for the final three years of the program, with the expectation that states would do that in the first year, the official said.
A project seeking funding through the internet via a ‘Kickstarter’
NASCIO declined to comment on the NOFO until it has had a chance to review it.
The entire country, combined with the organization and its members, has been preparing for the grant program, which is worth $1 billion over four years, but is a “drop in the bucket” when compared to what states and localities need to defend themselves against a landscape that includes ransomware, foreign governments targeting software vulnerabilities, and critical infrastructure facility threats.
The officials said that CISA would report back to Congress on how states are using DHS grant funds and whether the grant program could continue.
“We’re going to use the implementation of these first plans to understand how we’re investing in our state and territorial partners,” the official said. “Once we notice those changes, we will be able to determine where those investments may go.”
To encourage states and local governments to prioritize cybersecurity as they plan infrastructure projects, the White House has created a grant program.
“It’s intended to help cities and small communities organize themselves,” he said. “Send a market signal from the federal government that they need to harden their assets and have an all- hazards approach.”