A billion dollars for local government cybersecurity—Will they ever see it?
Remember the fanfare upon learning of the passage of the bipartisan Infrastructure Investment and Jobs Act (IIJA), signed into law in November 2021? One billion dollars targeted state, local, tribal and territorial (SLTT) governments through a cyber grant program within the Cybersecurity and Infrastructure Security Agency (CISA) over four years. After the bill’s passage came the “great wait,” and it wasn’t until 10 months later, in September 2022, that CISA issued its 96+ page rules for implementation. During this time, it appeared that the rules were being drafted without any input from those representing state and local governments. Sadly, the final result tends to prove this.
Sifting through the main and supporting documents reveals a brilliant set of requirements that, when taken together, present the very best in cybersecurity planning and best practices. At the same time, the rules’ complexity and built-in roadblocks lead one to conclude that it is highly unlikely small and medium-sized local governments will ever see a penny, despite their well-documented needs. In other words, the rules’ brilliance in substance is offset by their seemingly complete lack of understanding of the overall targeted audience. To make matters worse, CISA has tasked FEMA, an agency with little to no ongoing relationships with local government tech folks, to be the administrative body everyone is supposed to interact with.
So now, at the beginning of 2023, with cyber threats only increasing, each state is to develop its own plan. This is just the first hurdle, and not an unreasonable one. But why did everyone have to wait nearly a year only to learn that there needed to be detailed plans? Entities are required to show in their applications that they will implement projects that further a list of core objectives. Each project must include a project schedule with clearly defined milestones that also clearly aligns with each entity’s Cybersecurity Plan. The four core objectives are: Cyber Incident Response, Testing and Evaluation, Cyber Risk Protections, and Workforce Initiatives. Next, there are 15 required elements that each applicant must address. And finally, there are seven tactical areas that need to be addressed in each local government application:
• Implement multi-factor authentication capabilities
• Implement enhanced logging capabilities
• Data encryption for data at rest and in transit
• End the use of unsupported/end-of-life hardware and software
• Prohibit the use of known/fixed/default passwords and credentials
• Ensure the ability to reconstitute systems through backups
• Complete migration to the .gov internet domain
Very few small to medium-sized local governments have the staff capacity to even apply for any such grant, let alone implement and pay for it. Yes, there is a matching funds requirement, too.
Many senior local government tech managers have dismissed the program outright due to its complexity, available capacity, short- and long-term funding considerations, and the accompanying red tape reporting requirements.
Despite this rather early and gloomy assessment, there will (or can) be much good that comes out of all this. The cybersecurity program is both timely and historic, as this is the first federal initiative aimed exclusively at local governments. One can only hope that this is simply the beginning and that we will learn from any shortcomings and build towards a more experience-based program. Having the federal government recognize the critical importance of helping local governments is a big start in the right direction. Those who advocate in this space, including me, believe there needs to be a “whole of government approach” towards cybersecurity in the public sector. Missing in the initial rules governing the current program is the human factor and enhanced cyber governance.
Enhanced governance is as important as any financial investment in and support of our nation’s localities. Many, like myself, fear that money—no matter how many billions—will not reach its intended goals without a massive change in state and local cyber governance. Each state operates separately, which means we have 50 ways of doing things when it comes to policies and leadership. Historically, most local government tech managers have minimal to no relationship with state government tech leaders. This gap has always existed, but with the growing cyber threats there needs to be renewed efforts and governance schemes to address the lack of ongoing communications.
State-wide cyber plans, as called for in the current rules, need to address more than checking off boxes of compliance and should seek ways to keep localities and the state fully interconnected in real time. Perhaps each state could develop a plan that divides the state into distinct regions. These regions would be managed by a city, county or nonprofit that has or is given the resources to help coordinate activities, training, and the sharing of resources and information. History has shown that plans, no matter how good they may appear in print, become meaningless if not practiced. The proposed regional centers could also provide training and cyber awareness resources.
At the state level, each state should develop and designate a high-level cybersecurity coordination office whose main mission is to work with local governments across the state through the proposed regions. State CIOs sympathetic towards local governments have always lacked the resources to systematically reach out, as they are challenged by identifying exactly who oversees IT and cybersecurity in each location. It should also be pointed out that state CIOs and CISOs operate to support the executive branch, and it is often said that they lack a local government assistance mandate other than perhaps providing state-wide IT purchasing agreements. Finally, the current federal rules do not even directly involve the state CIO or CISO, to the detriment of having any state-wide coordinated cybersecurity approach, and instead designate a FEMA official to lead each state’s cyber effort. Having a new entrant in the local government cybersecurity space may make sense from a top-down administrative perspective—but it negatively adds another layer of well-intentioned bureaucrats who are thrown into a mix of unproven and nonexistent relationships.
Acknowledging that the current program has some serious structural problems, we remain hopeful that we will see a renewed, if not an amended, effort to bring the right folks together in a formalized network of the willing. Only once governance structures are created to establish a sustainable whole-of-government effort can we begin to see the initial bipartisan Congressional vision become a meaningful reality.
Until such a reckoning, most funds will likely be used to assist local governments with programs aimed at helping them—but very little, if any, money will go directly to them where it is most needed.
Dr. Alan R. Shark has been the vice president of public sector engagement and executive director of the CompTIA Public Technology Institute (PTI) in Washington, D.C., since 2004. He is a fellow of the National Academy for Public Administration and co-chair of the Standing Panel on Technology Leadership. He is an associate professor at the Schar School of Policy and Government, George Mason University. He is also the host of the popular bi-monthly podcast, Comptia Sharkbytes. Dr. Shark’s thought leadership activities include keynote speaking and blogging. He is also the author or co-author of more than 12 books, including the nationally recognized textbook “Technology and Public Management,” now in its second edition, as well as “CIO Leadership for Cities and Counties.”