Experts said the $1 billion State and Local Cybersecurity Grant Program is admirable for its emphasis on planning, but it may not deliver much direct cash at the local level.
Some state and local governments could be “totally left out” of the federal government’s $1 billion cybersecurity grant program, two experts warned, adding that states need to better assess their current cyber landscapes before they start splashing the cash.
States must send at least 80% of the funding they receive to local and rural communities or provide them with comparable shared services or other items, capabilities or activities. They must also constitute a planning committee to determine how the money is spent.
Additionally, grant applicants are required to show they have considered four core cybersecurity areas, seven sub-areas and 15 other topics during their planning, a process that is “more of a focus on checking off the boxes,” said Alan Shark, vice president for public sector and executive director of the Public Technology Institute. That exercise is “divorced from how local governments actually operate,” he said during a joint webinar last week with the National Association of State Chief Information Officers (NASCIO).
He said forcing states to “go through hoops” could result in grants not being spent in the right places, as it may make it more difficult for them to get the funding they need from the federal government. And the required governance structure—where each state must form a planning committee to determine how allotted funds are spent and whether shared services should be offered in their stead—may not work in every state, Shark said.
While the planning process is a step in “the right direction,” Shark said every state should be broken into regions, with each under a coordination office that includes local government representation and is overseen by a state’s chief information officer and chief information security officer.
That structure would better account for the differences in how each state operates and “at least set up a mechanism of governance that does not formally exist today,” Shark said, while ensuring money is spent properly at all levels of government.
Shark’s warning comes as state and local cyber spending has increased but is still deemed inadequate given the threats that still exist.
“Unless we have those [governance] structures, we're going to be going back asking for more money,” Shark continued. “And I'm afraid too many are going to be totally left out.”
Others on the webinar warned that states should keep their focus on evaluating their needs and make intelligent investments when they receive grant funding. Doug Robinson, NASCIO’s executive director, said that strategy should be part of the planning process but could get forgotten once states see their coffers grow with grant funding.
“The states and the locals really need to focus on assessing their environment before they start buying bright, shiny objects,” Robinson said. “So that's my concern with the grants; [they] need an assessment program to assess the risk, do that risk assessment, document the risk and say, ‘This is how we're going to invest in the future,’ rather than simply buying technology.”
Robinson said governments are “months away from real dollars being on the streets” through this grant program and that he expects most states to use a “hybrid approach” of cash and shared services to distribute those funds.