Cybersecurity Risk in an Interconnected World
In an interconnected world, the significance of cybersecurity in safeguarding public and private infrastructure cannot be overstated. Cyber-based disruptions, whether as a direct cause or a byproduct of emergencies, are an escalating threat. Incidents such as adversaries using phishing schemes to steal data in Chatham County, NC (2020), deploying ransomware in Atlanta, GA (2018) to disrupt the city’s operations, or attempting to poison water supplies via remote access in Oldsmar, FL (2021) highlight the need to bolster our investments in people, processes, and technology, ensuring defenders are adequately prepared.
Responding to the need to defend the increasingly interconnected, information technology-based systems within critical infrastructure across the United States, Congress established the State and Local Cybersecurity Grant Program (SLCGP) to directly “address cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, state, local, or tribal (SLT) governments.”
The goal of the SLCGP is to assist SLT governments in the management of these cyber systems and the targeted reduction of systemic cyber risks. The SLCGP is an objectives-based program to be implemented over time, funding applicants as they focus their cybersecurity plans, priorities, projects, and implementation toward addressing the SLCGP objectives. As program participants make progress and CISA confirms objective requirements have been met for each phase, the participants may move on to the next set of program objectives. Importantly, this program is intended to support not only state-level governance but local-level implementation as well, with 80% of the funding being set aside for local governments, including 25% to rural areas.
State and Local Cybersecurity Grant Program Governance Structures
During FY2022, applicants focused on developing and establishing appropriate governance structures (Objective 1). Outcomes of this work generally included gap analyses, planning documents, and other doctrine development—which, for many, was a critical foundational task. Objective 1 bolstered SLT capabilities to respond to cybersecurity incidents in a coordinated fashion and ensure continuity of operations and government.
In FY2023 and beyond, the program’s objectives are intended to support the maturation and refinement of processes, creation of training and exercise programs, and performance of iterative plan updates. Specifically, Objectives 2 through 4 cover continuous improvement, risk-informed protections, and ongoing training outcomes.
State and Local Cybersecurity Grant Program Grant Applications
In FY2023, $374.9 million is available under the SLCGP, to be shared among applicants from 56 states and territories. Applications for grant awards are due by October 6th, 2023. As part of their applications, entities need to determine how best to invest the funding as well as prioritize and plan for the related activities. Some best practices for SLT government staff to consider as they plan the implementation of their programs include:
- Comprehensive assessments of existing systems and capabilities.
- Risk-informed prioritization of areas for improvement.
- Plans for building, training, and equipping a robust cybersecurity workforce.
- Mitigation priorities for identified issues.
- Engagement strategies for community-wide stakeholders and partners.
This simple survey can help SLTs and State Administrative Agencies benchmark the status of their cybersecurity and emergency management programs against the components of the SLCGP and include some initial prioritization for addressing their most immediate needs. Witt O’Brien’s can modify it for your specific organization’s needs.
As with many of the frontiers of public and homeland security, cybersecurity is a large, complex, and dynamic challenge. The resources from the SLCGP may significantly help the cybersecurity posture in the awarded SLT jurisdictions by supporting the necessary capability and capacity of cyber programs at all levels of government. This grant program, like similar ones across the Federal government, serves to support critical aspects of emergency and incident management. It is therefore imperative to focus on governance, processes, procedures, and capabilities that address risk at all levels of government.
ITEGRITI Corporation and Witt O’Brien’s have partnered to bring both firms’ extensive cybersecurity, critical infrastructure, emergency management, and government solutions experience to bear in assisting SLT governments to make the best decisions and investments as participants in the SLCGP. By aiding SLT governments, ITEGRITI Corporation and Witt O’Brien’s are helping protect our communities and the United States as a whole.
Scott Stoermer, MPA, MS, has over 27 years of experience in disaster and all-hazards preparedness, including training and exercise programs. A retired Coast Guard Captain, he served on 3 Area Maritime Security Committees with 2 as Chair and understands the intersection between cybersecurity and operational continuity, especially in the face of disaster management.
Michael Sanchez, CEO, ITEGRITI (CISA), has over 35 years of experience in information technology, cybersecurity, physical security, risk, compliance, and audit. He currently serves on two ASIS International steering committees (Utilities Security and Critical Infrastructure) and is a member of the Forbes Technology Council.