Full Report
The program faces a number of challenges before it is set to expire, during a time when state and local governments face a bevy of cyber risks and changes. (Source: CyberScoop, "Renew — but improve — billion-dollar cyber grant program to states and locals, House witnesses say".)
Analysis Summary
# Regulation/Compliance: State and Local Cybersecurity Grant Program Renewal (CISA-FEMA Program)
## Overview
This summary pertains to the ongoing discussion and congressional hearing regarding the renewal and potential improvement of the expiring $1 billion federal cybersecurity grant program designed to enhance the cybersecurity posture of state and local governments. The program is vital for combating modern cyber threats like ransomware and nation-state attacks, although witnesses suggest modifications are needed for sustained effectiveness and accessibility.
## Key Details
- Issuing Authority: Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA) (Joint Administration). Congress is responsible for renewal.
- Effective Date: The primary program is due to expire soon (implied timeframe based on hearing).
- Jurisdiction: State and local governments within the United States.
- Status: Under review for renewal and potential modification by Congress.
## Requirements
### Mandatory Requirements (Current Program or Suggested for Renewal)
1. **Cybersecurity Posture Improvement:** Funds must be used to establish or improve the cybersecurity capabilities of states and localities.
2. **Joint Administration:** The program is currently jointly administered by CISA and FEMA.
3. **Matching Requirements (Suggested Standardization):** Witnesses suggested standardizing the annual matching percentage requirements, rather than allowing them to increase over time, implying existing grants may have variable matching requirements.
### Recommended Practices (Suggested Improvements for Renewal)
1. **Alignment with NIST Framework:** The program should align its requirements or guidance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
2. **Simplified Application Process:** The application process should be simplified to make it more accessible to non-technical government employees.
3. **Dedicated Funding for Large Municipalities:** Create a separate funding stream allowing large municipalities to apply directly to the federal entities rather than solely through state channels.
4. **Consistent Funding Mechanisms:** Ensure consistent year-to-year funding to allow recipients to commit to long-term cybersecurity programs without fear of imminent cuts.
## Affected Organizations
- Industries: State and local governments (including municipalities).
- Organization Size: Affects all local governments, with specific recommendations noted for large municipalities.
- Geographic Scope: United States.
## Compliance Timeline
- **September (Implied Expiration):** The current four-year cyber grant program is due to expire.
- **Current Congressional Activity:** Hearings are underway, indicating Congress aims to reauthorize and fix the program.
- **Final deadline:** Full compliance with new grant terms once reauthorized.
## Implementation Guidance
### Assessment Phase
- **Current Posture Review:** Organizations should assess their current cybersecurity posture against established standards (e.g., NIST CSF) to identify gaps the grant funding should target.
### Implementation Phase
- **Program Commitment:** Organizations must factor in the potential risk of funding fluctuation when launching new programs, although renewal aims for greater consistency.
- **Application Strategy:** Municipalities should consider whether applying directly (if the proposed change passes) or through the state is strategically better.
### Validation Phase
- **Attack Success Tracking:** Documenting the success rate of blocking cyberattacks (as noted by Utah CIO) serves as an informal validation metric for the utility of the grant funding.
## Technical Requirements
No specific technical controls were mandated in the discussion, but the central theme implies requirements would focus on hardening infrastructure against specific threats like ransomware and nation-state actors. **Alignment with NIST CSF** suggests adopting standards-based controls.
## Penalties & Enforcement
The article focuses on the continuation and structure of the **grant program**, not direct regulatory penalties for non-compliance with an underlying federal law.
- **Enforcement Focus:** Enforcement concern centers on whether previous policies (like threatened federal support cutbacks) diminish state/local ability to respond to threats.
- **Consequences of Non-Renewal:** Loss of vital federal funding ($1 billion) for state/local cybersecurity efforts, resulting in diminished capacity to handle sophisticated threats.
## Related Standards
- **NIST Cybersecurity Framework (CSF):** Explicitly recommended as a standard the grant program should align with.
- **CISA Guidance:** Because CISA co-administers the program, adherence to CISA-issued best practices is implied by, and may be required under, the grant terms.
## Resources
- Official Documentation: Congressional hearing transcripts and CISA/FEMA grant documentation (not provided).
- Guidance Documents: Any forthcoming reauthorization legislation specifying new requirements.
- Tools: Tools that map implemented controls to the NIST CSF would support the implied alignment requirement and make its benefit easier to demonstrate.
## Practical Recommendations
1. **Advocate for Renewal:** State and local entities must continue to advocate for the renewal of the grant program.
2. **Prepare for NIST Alignment:** Begin structuring current or future cybersecurity plans around the NIST CSF to align with likely renewal mandates.
3. **Streamline Internal Processes:** Identify internal administrative bottlenecks (especially application processes) that hinder access to federal aid, preparing for future simplifications.
4. **Secure Local Buy-in:** Address skepticism regarding federal spending noted by some lawmakers by clearly demonstrating the return on investment (e.g., attacks successfully blocked) to ensure continued bipartisan support for reauthorization.