What $1B in cybersecurity funding can mean for US state, local governments

How do you best spend a cybersecurity budget you have long been hoping you’d get? That’s the question state, local, and territorial (SLT) governments are starting to ask themselves in the wake of a major September announcement from the Department of Homeland Security.

DHS will be doling out $1 billion in funding over the next four years as part of a first-of-its-kind cybersecurity grant program specifically aimed at SLT governments. The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Emergency Management Agency (FEMA) are jointly managing the grants, and CISA has laid out the overarching goals for the funding:

• Implement cyber governance and planning
• Assess and evaluate systems and capabilities
• Mitigate prioritized issues, and
• Build a cybersecurity workforce

While the designated State Administrative Agency (SAA) for each state and territory is the only entity eligible to apply for funding (this fact sheet does a great job of summarizing what you need to know), the legislation requires states to distribute at least 80% of funds to local governments, with a minimum of 25% of the allocated funds distributed to rural areas. That’s great news, because this money will have the most impact at the city and county level.

“What should I do with this money if I get it?”

IT leaders at those levels will invariably ask themselves that question.

A quick look back can help us look forward. Two big government-led fundings happened in the last 20 years or so: in 2001 and then in the wake of the Affordable Care Act passing. If you do the math, those were roughly 7 or 8 years apart, typically the age at which hardware is replaced.

A lot of the investment that was done in that second funding wave was around network infrastructure and security, such as replacing firewalls and upgrading to the latest antivirus technology. That makes sense. If we were talking about how to spend money on shoring up physical infrastructure, a city might replace a bridge—whatever is most aging and vulnerable.

The same thinking applies here. After decades of experience in IT security, networking, and compliance (I helped found the Symantec State Local and Education division), I’d say start here:

• Identify what is aging and vulnerable
• Know your gaps and design a road map around them
• Your list of potential projects is probably going to be a long one, so prioritization is key

Sometimes understanding the company you find yourself in can help. A recent Center for Digital Government survey of 103 state and local officials flagged both security and compliance challenges as the major holes, among them, “legacy, unpatched and nonsupported networks that increase their exposure” and “limited enterprise visibility around the endpoints connecting to their networks.”

That backs up the cyber posture that I commonly see among SLT government organizations. The rise in both remote/hybrid work and the number of services offered digitally has increased their exposure, and yet many organizations are using firewalls, legacy anti-virus, and VPN for office connecting. Cities and counties would be wise to look at shoring up the security of their networking infrastructure and their handling of data segmentation, as well as shift toward more modern endpoint detection and response (EDR) solutions, which continuously monitor end-user devices to both detect and respond to cyber threats like ransomware and malware.

As far as data goes, government agencies that offer digital services must generally be compliant with Criminal Justice Information Services (CJIS) and Payment Card Industry Data Security Standard (PCI DSS); county health departments must also comply with the Health Insurance Portability and Accountability Act (HIPAA).

These require that data that contains criminal, payment, or health information be segmented off from the rest of the network. Taking a zero-trust approach is the best way to accomplish this and is an investment I recommend making. Under the zero-trust model, every person and device are treated as potential threats, with access to specific resources granted only after their identity is authenticated.

One way of visualizing the security improvement: Think of walking into a room and seeing 3 doors. Prior to segmentation, piles of information would sit at tables in front of each of the three doors. After segmentation, certain information was, for instance, put behind door No. 3, and anyone who wanted to enter would need a badge. With Zero Trust, that person entering door No. 3 doesn’t even see the other two doors and may not see everything even within door three.

Knowing the best resources to turn to can help give you a solid footing, and I recommend two: a White House executive order on cybersecurity that has some great nuggets on Zero Trust, and this NIST paper on Zero Trust Architecture.

For any organizations who get this funding, I’ll sum up my hope for you: That it helps you mature your security posture and bring your security infrastructure into the modern age.