Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the National Cyber Director (ONCD) have... The post CISA, ONCD playbook aims to strengthen cybersecurity, resilience of grant-funded infrastructure projects appeared first on Industrial Cyber.
Analysis Summary
# Best Practices: Integrating Cybersecurity into Federal Grant Programs for Critical Infrastructure
## Overview
These best practices, derived from the CISA/ONCD guidance, focus on integrating mandatory and encouraged cybersecurity requirements throughout the lifecycle of federal grant programs, particularly those involving critical infrastructure projects. The goal is to build cyber resilience by design, ensuring projects are "shovel-ready and cyber-ready."
## Key Recommendations
### Immediate Actions (Grant Managers/Agencies)
1. **Establish Criteria for Playbook Application:** Define and document the specific criteria for which grant programs and projects must apply the cybersecurity guidance outlined in the CISA/ONCD Playbook (especially for projects impacting critical infrastructure safety or operability).
2. **Incorporate Model Language into NOFOs:** Immediately integrate the provided model language into Notices of Funding Opportunity (NOFOs) to clearly communicate baseline cybersecurity expectations to potential applicants.
3. **Direct Applicants to Baseline Resources:** Identify and share comprehensive lists of available cybersecurity resources, tools, training, and policy templates provided in the Playbook with all covered grant applicants.
### Short-term Improvements (1-3 months)
1. **Mandate Cyber Risk Assessment:** Require all covered grant recipients to develop and submit a **Project Cyber Risk Assessment** customized to the project's technology and lifecycle complexity.
2. **Develop Project Cybersecurity Plans:** Require recipients to create and adhere to a **Project Cybersecurity Plan (PCP)** based on the risk assessment, ensuring the implementation of baseline cybersecurity best practices and controls.
3. **Incorporate Security into Sub-Awards:** Ensure that cybersecurity principles, best practices, and controls are explicitly included in the terms and conditions of all sub-awards related to the grant.
### Long-term Strategy (3+ months)
1. **Encourage Mature Practices:** Where baseline requirements are met, actively encourage recipients and subrecipients to set organizational cybersecurity goals **above the specified baseline requirements**.
2. **Promote Secure by Design:** Ensure that grant programs mandate the adoption of principles like **secure by design** and **cyber-informed engineering** during the design and development phases of infrastructure projects.
3. **Continuous Risk Management:** Establish mechanisms within the grant management lifecycle (e.g., periodic reporting) to ensure recipients develop long-term strategies that continuously address **the cyber risk to asset performance** over the life of the funded asset.
4. **Periodic Review and Update:** Grant-making agencies should budget time and resources to periodically review and update the cybersecurity requirements they use, keeping them aligned with successive CISA/ONCD Playbook releases.
## Implementation Guidance
### For Small Organizations (e.g., smaller state, local, tribal, and territorial (SLTT) governments, which often receive sub-awards)
- **Focus on Baseline Controls:** Prioritize the implementation of the most foundational security controls identified in the Playbook resources, focusing on patching, access control, and basic risk identification tasks.
- **Leverage Provided Templates:** Fully utilize the provided templates for the Project Cyber Risk Assessment and Cybersecurity Plan to minimize internal overhead and ensure compliance with federal expectations.
### For Medium Organizations (e.g., Mid-sized Grant Recipients managing complex projects)
- **Develop Role-Based Security:** Assign specific personnel or teams responsible for overseeing the development, implementation, and maintenance of the Project Cybersecurity Plan.
- **Utilize CPG Organization:** Map internal security gaps to the Cybersecurity Performance Goals (CPGs) provided in the Playbook resources to structure project security investments effectively.
### For Large Enterprises (e.g., Federal Grant Awarding Agencies)
- **Integrate into Lifecycle Management:** Fully integrate the security requirements captured in the Playbook into the existing grant management lifecycle processes, from solicitation through closeout.
- **Mandate Framework Adoption:** Encourage or require organizations with mature existing practices to align their project security posture with recognized standards like the **NIST Cybersecurity Framework (CSF)** to move beyond baseline compliance.
## Configuration Examples
*The provided text focuses on policy and process rather than specific technical configurations. The closest elements involve mandated documentation:*
1. **Project Cyber Risk Assessment:** A documented inventory and analysis identifying threats, vulnerabilities, and potential impacts associated with the technology deployed under the grant.
2. **Project Cybersecurity Plan (PCP):** A documented set of agreed-upon cybersecurity controls and performance expectations that the recipient must implement during the project execution.
## Compliance Alignment
The guidance strongly encourages alignment with the following concepts and frameworks:
* **Secure by Design:** Incorporating security from the foundation and design phase.
* **Cyber-Informed Engineering (CIE):** Integrating cyber risk considerations into engineering processes.
* **NIST Cybersecurity Framework (CSF):** Recommended for organizations with mature practices seeking to strengthen controls.
* **National Cybersecurity Strategy / NSM-22:** Adherence to overarching national security objectives regarding infrastructure resilience.
## Common Pitfalls to Avoid
- **Treating Cybersecurity as an Afterthought:** Implementing security measures only after technical deployment rather than integrating them into the design phase ("Shovel-ready should mean cyber-ready").
- **Using Generic Plans:** Applying boilerplate security documentation that does not specifically address the unique risks of the critical infrastructure project funded by the grant.
- **Ignoring Sub-Award Requirements:** Failing to flow down the necessary cybersecurity requirements and accountability to subrecipients, creating weak links in the project's supply chain.
## Resources
- **CISA/ONCD Playbook:** The primary source document for incorporating requirements.
- **Cybersecurity Performance Goals (CPGs):** The structure the Playbook uses to organize the technical resources available to recipients.
- **NIST Cybersecurity Framework (CSF):** A recommended standard for implementing mature controls.