State CISOs to Feds: Show Us the Money
States are waiting for $1 billion in federal cybersecurity grants. Here’s what they need to know now to move fast when those infrastructure funds become available.
Ryan Murray loves it when a plan comes together.
As deputy chief information security officer (CISO) for the state of Arizona, Murray has had his hands full attempting to safeguard the mostly rural communities across the state against cybersecurity challenges.
So, three years ago, his department set out to help upgrade largely antiquated, and in some cases nonexistent, local IT cybersecurity systems using a combination of federal grant money and state contributions. Meeting with county, city, and tribal leaders, his team identified needs and pain points to understand where improvements were most critical. Then, as grants came along from agencies like the Department of Homeland Security (DHS), Murray’s office was ready to pursue them more quickly and efficiently.
At the same time, his team was able to use what they’d heard from local officials to purchase modern cybersecurity tools and services at a discount (under some vendor master service agreements and state contracts) and then provide those solutions to cash-strapped local governments—for free.
Murray says this model puts Arizona in good shape to capture a chunk of the $1 billion in cybersecurity funding that is baked into the bipartisan infrastructure bill President Biden signed into law in November.
“We have removed complexity from these processes, which will be important considering we don’t yet know when the funds will be made available or what the requirements will be,” says Murray.
Fighting cybersecurity ambiguity
State and local officials who are mulling going after their share of the cybersecurity funds in the infrastructure law would be advised to follow Arizona’s lead and do some advance legwork—now.
That’s because, while everyone knows the money is coming, there will not be much time to chase it. The funds will be allocated over four years, with $200 million available in 2022, $400 million in 2023, $300 million in 2024, and $100 million in 2025.
The Cybersecurity and Infrastructure Security Agency (CISA) had been expected to issue its Notice of Funding Opportunity (NOFO) for the first funding installment in early summer, but it appears that could slip to late summer. This means state and local governments could have a month or less to complete and submit applications, since the 2022 disbursement is supposed to go out by the end of the federal government’s fiscal year on Sept. 30.
Filling out government applications is rarely easy. Indeed, there are numerous hurdles.
For instance, the rules dictate that 80% of grant money must flow to localities, which means the states need mechanisms for making that happen. They must also be ready to match the grant funds with their own money, beginning at 10% in 2022 and increasing 10 percentage points each year until 2025. And they need to present cybersecurity plans that lay out how the funds will be disseminated and used.
Considering CISA has yet to publicly define how the funds could be spent—and by whom—this is admittedly a tall order. But many progressive state CIOs and CISOs are moving forward anyway.
“The No. 1 thing the states need right now is guidance from CISA on how they can spend the money,” says Alex Whitaker, director of government affairs for the National Association of State Chief Information Officers (NASCIO). “But they are not sitting on their hands. Those who are interested are working on their cybersecurity plans and trying to get locals into the room to identify their needs.”
Federal cybersecurity funding is worth the hassle
Not every state is going to be interested in pursuing infrastructure funding, Whitaker says. At the end of the day, there will be only $1 billion to split among 50 states over four years. And since the states must chip in millions of dollars in matching funds during that time, some may conclude “This isn’t really worth it for us—that it’s just too much hassle,” he says.
At the same time, Whitaker notes, there is a “tremendous need” in state and local governments to upgrade IT security systems. Many local governments, in particular, still run aging hardware and software whose security features are long outdated, he says. Others do not regularly update or patch key systems, making them more vulnerable to ransomware and other attacks. Still others rely on a hodgepodge of siloed tools to see and understand where data lies and who is accessing it. And many lack current identity and access controls, such as multifactor authentication (MFA), which can help offset username and password weaknesses.
Jennifer Pittman-Leeper, customer engagement manager for Tanium, says most state and local CIOs and CISOs know their IT security systems aren’t up to snuff: “If today’s tools and technology were really working for the states and localities, they wouldn’t need this money,” she says. “It’s not working, and they know it.”
As such, those turning away from funding opportunities like the cybersecurity grants in the new infrastructure law need to take a harder look.
“They have to make the investment to upgrade their technologies,” she says. “This federal money can help states take things to the next level, which for some is just a fundamental level. They should not look a gift horse in the mouth.”
Pulling the cybersecurity Band-Aid off
State agencies need to “pull the Band-Aid off,” says Pittman-Leeper, and secure funding wherever possible to better understand their complex environments and begin to get them under control.
It’s not a magic wand. But it’s a beginning, and you must start somewhere.
For those CIOs and CISOs who are behind in preparing but are interested in pursuing this infrastructure law funding—a few rapid-fire approaches:
- Dust off that cybersecurity plan: Make sure the plan includes a strategy and specific tactics, tied to concrete milestones, that cover the whole four-year funding time frame.
- Talk to locals: The cybersecurity plan should clearly define how the state will support local cybersecurity efforts. This cannot happen without actively discussing county, city, and tribal priorities and challenges. For instance, even if a state provides modern tools, a locality may not have the wherewithal to implement them. This might suggest they need more training, support, or help from a third-party managed security services provider (MSSP).
- Educate and evangelize the need: Most CIOs and CISOs know this, but they cannot be successful in a vacuum. When going after federal funding, it’s critical to educate politicians on the reasons for it. Pittman-Leeper notes they must understand the need for more budget and incremental funding, so that if grant applications are successful, they do not pull budget.
  - It also sells government officials on the importance of funding cybersecurity upgrades for legacy state and local IT systems.
  - In Arizona, Murray notes, with the support of Gov. Doug Ducey, the state’s budget earmarks $10 million to help local governments and K-12 school districts up-level their security postures.
- Think broadly: Tear a page from Arizona’s book and recognize that grants don’t have to be one-off efforts. With a sustainable model in place, it’s possible to go after all sorts of federal funding opportunities. For example, DHS recently announced $1.6 billion in preparedness grants to fight terrorism. Part of that funding can be applied to cybersecurity efforts. Not surprisingly, Murray’s team has coordinated with local governments to apply for that funding, too.
- Partner with other states: The amount of time, energy, and investment involved in pursuing infrastructure cybersecurity funding might still seem daunting. But Arizona’s Murray says his team is chatting with counterparts in other states, including Texas and New Mexico, on ways to pool funds to meet their common needs. True, it’s possible CISA’s guidelines may shoot down that approach (again, this is yet to be determined). But thinking out of the box could open doors for numerous possibilities after funding occurs.
Pittman-Leeper says that no matter how state CIOs and CISOs feel about federal cybersecurity grants, they are probably going to have to take advantage of them sooner or later.
“Cybersecurity has been an underfunded problem for some time, and the problem isn’t getting any smaller,” she says. “State CIOs and CISOs who are pursuing this kind of funding are realistic enough to know it’s not a magic wand. But it’s a beginning, and you must