Cyber attacks continue to escalate globally, and no organization is immune. Among the hardest hit are state and local government entities, where IT budgets are tight and valuable constituent data is plentiful. As you might expect, these organizations are especially enticing to malicious actors.
Fortunately, for state and local governments hoping to strengthen their cyber and data security capabilities -- help is on the way! The assistance comes in the form of a new State & Local Cybersecurity Grant Program (SLCGP), which is open to the 56 U.S. states and territories.
Unfortunately, the timeline for action is tight. In fact, applications for funding are due on November 15, 2022.
Here's what you need to know about the grant program and the resources available to states as they prepare to apply.
What is the State and Local Cybersecurity Grant Program (SLCGP)?
According to the Department of Homeland Security, the SLCGP is intended to "assist state, local, and territorial (SLT) governments with managing and reducing systemic cyber risk." As DHS puts it in their Notice of Funding Opportunity:
The potential consequences of cyber incidents threaten national security. Strengthening cybersecurity practices and resilience of state, local, and territorial (SLT) governments is an important homeland security mission and the primary focus of the State and Local Cybersecurity Grant Program (SLCGP). Through funding from Infrastructure Investment and Jobs Act (IIJA), also known as the Bipartisan Infrastructure Law (BIL), the SLCGP enables DHS to make targeted cybersecurity investments in SLT government agencies, thus improving the security of critical infrastructure and improving the resilience of the services SLT governments provide their community.
DHS has designated a baseline amount for each state for the 2022 fiscal year, which can be viewed on FEMA's website.
Why is the SLCGP initiative a big deal?
Cybersecurity is critical to state and local organizations because they provide essential services to the public. As we saw with the Colonial Pipeline ransomware attack in 2021, cyber attacks can have real-world consequences, especially when they directly impact systems and services that communities depend on.
This grant allocates funding to state and local organizations to build and strengthen their Cybersecurity Plans and aligned cybersecurity activities, making them more resilient to, and better protected against, cyber threats.
When is the 2022 SLCGP application deadline?
The deadline to submit an application for SLCGP grant is November 15, 2022, at 5 p.m. ET.
Who can apply for SLCGP funds?
All 56 U.S. states and territories are eligible to apply for the SLCGP funding. This includes the 50 U.S. states, District of Columbia, the Commonwealth of Puerto Rico, the U.S. Virgin Islands, Guam, American Samoa, and the Commonwealth of the Northern Mariana Islands. In each of these cases, the Governor-designated State Administrative Agency (SAA) must be the one to submit the application.
The grants will be awarded at the state level, and local entities may be sub-awarded funding by states that receive the grant.
How do states apply for the grant?
FEMA's SLCGP Fact Sheet emphasizes that states should begin the multi-step application process as soon as possible to ensure they meet the November 15 deadline. Eligible applicants must submit their initial application through the grants.gov portal. From there, eligible applicants will be notified by FEMA and asked to proceed with submitting their complete application package in the Non-Disaster (ND) Grants System.
What are the SLCGP grant requirements?
As a condition of receiving the SLCGP grant, states will need to:
- Establish a Cybersecurity Planning Committee;
- Develop a state-wide Cybersecurity Plan, unless the recipient already has a state-wide Cybersecurity Plan and uses the funds to implement or revise a state-wide Cybersecurity Plan;
- Conduct assessment and evaluations as the basis for individual projects throughout the life of the program; and
- Adopt key cybersecurity best practices.
See Section 10C of the Notice of Funding Opportunity for more details on requirements for the grant. Here are a few highlights from those requirements:
Key Requirement: Assembling a Cybersecurity Planning Committee
According to CISA, states will need at least one representative from relevant stakeholders, including:
- The eligible entity;
- If the eligible entity is a state, then representatives from counties, cities and towns within the jurisdiction of the eligible entity;
- Public education within the jurisdiction of the eligible entity;
- Public health; and
- Rural, suburban and high-population jurisdictions.
CISA also notes that "Not less than half of the representatives of the Cybersecurity Planning Committee must have professional experience relating to cybersecurity or information technology."
Key Requirement: Creating a Cybersecurity Plan
The Cybersecurity Plan is a statewide planning document that must be approved by the Cybersecurity Planning Committee and the state's CIO, CISO, or equivalent information security leader. The Plan will need to be continually updated for fiscal years 2024 and 2025.
As part of their Cybersecurity Plan, grant applicants are required to address in their applications how they will meet the following program objectives:
- Objective 1: Develop and establish appropriate governance structures, including developing, implementing, or revising cybersecurity plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations.
- Objective 2: Understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments.
- Objective 3: Implement security protections commensurate with risk.
- Objective 4: Ensure organization personnel are appropriately trained in cybersecurity, commensurate with responsibility.
Key Requirement: Implementing Cybersecurity Best Practices
The DHS highlights the importance of adopting current cybersecurity best practices to strengthen state and local security programs and advancing Zero Trust security strategies. The following components are required to be included in cybersecurity programs and individual projects:
- Implement multi-factor authentication;
- Implement enhanced logging;
- Data encryption for data at rest and in transit;
- End use of unsupported/end of life software and hardware that are accessible from the Internet;
- Prohibit use of known/fixed/default passwords and credentials;
- Ensure the ability to reconstitute systems (backups); and
- Migration to the .gov internet domain.
What can SLCGP funding be used for?
Funds from the grant can be used to develop and execute against the state's Cybersecurity Plan, which includes many facets listed above. The funding can also be allocated by states to local entities according to their Cybersecurity Plan, so not all the funding has to be used at the state level: It can and, ideally, should extend to local entities where stronger security is a priority.
Making Your Cybersecurity Plan? Start with the Data.
Creating a statewide Cybersecurity Plan is no small feat, and at Virtru, we tip our hats to the state and local government IT teams who are responsible for deploying strong security across the many pieces of the government puzzle.
We've found that, in a multilayered security landscape with hundreds of apps, thousands of endpoints, and dozens of security vendors, the best way to tackle a big problem is to start with the most essential thing you need to protect: The data.
Your constituents' private information, your state's health and human services data, your sensitive budgetary and financial records, criminal justice information regulated by CJIS — all these kinds of data, and many more, are at the heart of what you are protecting when you build your Cybersecurity Plan.
When it comes to protecting data with encryption, in transit and at rest (a required Cybersecurity Plan element), we at Virtru are experts. Our encryption solutions fit seamlessly into the apps your teams already use every day — like Google Workspace and Microsoft 365 — and our Secure Share encrypted file transfer platform can streamline and securely intake government forms.
We also understand that different organizations use different tech stacks: We prioritize interoperability across Google and Microsoft; we make it easy to securely share data internally and externally; and our data protection gateway is platform-agnostic.
Virtru is easy and affordable to deploy, helping you meet one of the key cybersecurity requirements of SLCGP — so you can quickly demonstrate performance on this essential facet of your Cybersecurity Plan. We also have a long history of equipping state and local governments with data security, from the State of Maryland to the Massachusetts Municipal Association, to school systems like Iron County Schools in Utah and Newfield Schools in New York.
As John Kindervag, the creator of Zero Trust, says: "What's the best way to protect your data? Encrypt it. How do you encrypt it? You control the keys and certificates that are the underlying technology that make encryption happen." At Virtru, we equip you to do just that.
To get started with Virtru, contact our team today. We'd love to work with you to safeguard your constituents' data and make the most of your SLCGP funding by protecting your most important asset, your data.
