Full Report
The U.S. House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection reviewed the State and Local Cybersecurity Grant... The post US House Subcommittee reviews State and Local Cybersecurity Grant Program, considers adjustments for impact appeared first on Industrial Cyber.
Analysis Summary
# Regulation/Compliance: State and Local Cybersecurity Grant Program (SLCGP) Reauthorization Assessment
## Overview
This summary focuses on the Congressional review and assessment of the State and Local Cybersecurity Grant Program (SLCGP), which provides federal funding to state, local, and territorial governments to address cybersecurity risks and threats to their information systems. The primary context is the program's upcoming expiration and the push to reauthorize it, incorporating feedback from cybersecurity experts and government officials regarding its effectiveness, administrative burdens, and future direction.
## Key Details
- Issuing Authority: U.S. Congress (Managed operationally by CISA and FEMA)
- Effective Date: Program established in 2021. Current fate pending September reauthorization.
- Jurisdiction: State, local, and territorial governments within the United States.
- Status: Program funding is set to expire in September; currently under review for reauthorization.
## Requirements
### Mandatory Requirements
*Note: As this is a grant program review, mandatory items apply to entities *receiving* funding, not all state/local governments universally.*
1. **Risk Mitigation:** Recipients must utilize funds to address cybersecurity risks and threats to information systems owned or operated by, or on behalf of, state, local, and territorial governments.
2. **Intergovernmental Information Sharing (Implied/Recommended by Congress):** State and local governments are urged to continue sharing cybersecurity threat information and disseminating best practices.
3. **Administrative Compliance (Implied):** Grant recipients must meet administrative requirements necessary to demonstrate adherence to grant usage rules (which may need streamlining based on feedback).
### Recommended Practices
1. **Adopt Shared Services:** States are encouraged to utilize funding flexibility to establish statewide shared solutions (like a statewide Security Operation Center - SOC) which can be offered as a default option for municipal governments to opt into, improving efficiency and reducing costs for smaller entities.
2. **Focus on Resilience:** Efforts should center on enhancing cyber preparedness and resilience against sophisticated threats, particularly state-sponsored actors.
3. **Streamline Bureaucracy:** Administrative processes related to demonstrating compliance and fund distribution, particularly concerning shared solutions across jurisdictions (e.g., counties), should be reduced where possible.
## Affected Organizations
- Industries: All sectors relying on state and local government information systems (which includes essential critical infrastructure managed at these levels).
- Organization Size: Smaller communities and local governments that typically lack resources and qualified cyber talent benefit most directly.
- Geographic Scope: State, local, and territorial governments across the United States.
## Compliance Timeline
- **2021:** SLCGP established by Congress.
- **Current (Impending):** Program funding authority is set to **expire this September**.
- **Future:** Full continuation of federal funding is contingent upon Congress reauthorizing the program before the expiration date.
## Implementation Guidance
### Assessment Phase
- **Evaluate Efficacy:** State and local partners, in collaboration with CISA/FEMA, should provide data assessing the program’s effectiveness and identifying administrative barriers encountered during the initial funding period.
- **Threat Landscape Review:** Assess current threat exposure, particularly concerning state-sponsored actors (e.g., APT groups like Volt Typhoon/Salt Typhoon), to target grant application and spending priorities.
### Implementation Phase
- **Prioritize Shared Solutions:** Where feasible, leverage state capacity to develop shared cybersecurity services (SOCs, monitoring) that can serve smaller, resource-constrained localities.
- **Focus on Foundational Defenses:** Continue building on the foundation established by the initial grant funding to expand national cybersecurity defenses.
### Validation Phase
- **Auditing Grant Use:** Grant recipients must continue to demonstrate proper allocation of the $838 million distributed thus far toward mitigating identified cybersecurity risks.
- **Feedback Mechanism:** Utilizing structured feedback processes, as highlighted in the Congressional hearings, to ensure modifications to the program address usability and effectiveness barriers for local recipients.
## Technical Requirements
The article does not specify technical compliance baselines (like specific NIST CSF tiers), but the goal is to secure information systems against sophisticated threats, emphasizing preparedness and resilience against state-sponsored actors targeting IT/OT assets, referencing the ongoing threat posed by groups like Volt Typhoon.
## Penalties & Enforcement
- Fines: Not specified, as this is a grant program review. Penalties for misuse of federal grant funds would typically be governed by existing federal grant regulations.
- Other Consequences: **Total Loss of Funding:** If reauthorization fails by the September deadline, the program will cease to receive federal funding, eliminating a critical resource for local cybersecurity improvements.
- Enforcement: Historically managed through CISA and FEMA grant oversight mechanisms.
## Related Standards
- **NIST CSF and Best Practices:** Cybersecurity experts emphasize disseminating best practices, suggesting alignment with established federal frameworks like the NIST Cybersecurity Framework (CSF) for maturing cybersecurity programs.
## Resources
- Official Documentation: Congressional records related to the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection hearings regarding SLCGP reauthorization.
- Guidance Documents: Testimony from officials like Alan Fuller (Utah CIO) and Mark Raymond (CT CIO) provides practical guidance on necessary program improvements.
- Tools: The program supports the acquisition or development of necessary technology services (e.g., Security Operation Centers).
## Practical Recommendations
1. **Advocacy for Reauthorization:** State and local CIOs should actively advocate for the swift reauthorization of the SLCGP to ensure continued federal support, given the rising threat level.
2. **Assess Shared Service Benefits:** Organizations should evaluate the feasibility and administrative simplification achieved through statewide shared service models discussed by witnesses (e.g., statewide SOCs).
3. **Prepare for Increased Burden:** Given the federal government's intent to increase the responsibility of state/local entities in responding to cyberattacks, organizations must use current/future funding to meet this heightened burden while simultaneously pushing for reduced administrative overhead on compliance tracking.