An Introduction to the State and Local Cybersecurity Grant Program (SLCGP)

Cybersecurity funding in corporate environments has always been a source of anxiety for those who seek to keep organizations safe. When we examine the cybersecurity readiness of many state, local, and territorial governments, this funding struggle is taken to new heights of scarcity.

Fortunately, a new program has been created by the Department of Homeland Security (DHS) to improve this shortfall, and better protect municipalities in the United States. As introduced on the Cybersecurity and Infrastructure Security Agency (CISA) website:

“On September 16, 2022, the Department of Homeland Security (DHS) announced a first-of-its-kind cybersecurity grant program specifically for state, local, and territorial (SLT) governments across the country.”

“Funding from the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP) helps eligible entities address cybersecurity risks and threats to information systems owned or operated by—or on behalf of—state, local, and territorial (SLLT) governments. Through two distinct Notice of Funding Opportunities (NOFO), SLCGP and TCGP combined will distribute $1 billion over four years to support projects throughout the performance period of up to four years. This year, the TCGP will be released after SLCGP.”

The Federal Emergency Management Agency (FEMA) will be the administrative and oversight authority for the appropriated funds. The grants will be distributed to the State Administrative Agencies (SAA), which will distribute the money to the local governments. 

The primary purpose of this initiative is to be able to help those state and local governments perform cybersecurity at a level that may not have been previously possible due to budget constraints. One need not look very far to see that local governments are susceptible to many of the same threats that impact many private corporations.

Since many local governments are supported financially by the residents of those towns, they have no way to generate the finances required to implement a really super-duper, true cybersecurity program. Given the governmental structure in some states, where they function almost independently from the larger municipality, this type of funding is very critical, allowing them to qualify for funding to be able to build out their cybersecurity programs as well.

Many folks may think that local government consists of police and fire departments, but when we look at the larger picture, we have to consider that some of these small towns have their own power distribution facilities, as well as other vital services, such as water treatment plants.  On a budget sheet, these all take priority over cybersecurity. As you may recall, a small water treatment plant was the target of an attack in 2021.  According to CISA, there have been at least five attacks against the U.S. Water and Wastewater Systems (WWS) Sector facilities since 2019. The funding that we are seeing from this program will go a long way towards helping those state and local entities be able to purchase the software and the staff required to put in a meaningful cybersecurity program in these vulnerable areas.

One question that comes to mind when hearing about obtaining a grant is, where should these recipients be spending that money?

The answer, of course, would depend on the recipients’ current cybersecurity readiness, and can even stretch out to the entire infrastructure. For example, managed services are one aspect. Many municipalities may or may not have a cloud presence built out yet. If they do have a cloud presence built out, then it may make more sense to use SaaS applications or applications that are provided by a Managed Service Provider (MSP) to provide the staff as well as the software. Contrarily, you may find that many state and local government entities that are not cloud-ready yet; may still have their infrastructure on premises. Their grant award may be better invested in  vulnerability management solutions. Those vulnerability management solutions need to be able to address whether or not their vulnerabilities exist in servers or workstations that are tied to that entity's infrastructure, but also in the Internet of Things (IoT). So, Operational Technology, such as Industrial Control Systems, and IoT are big concerns to those entities.

One common problem with many legacy systems is that they may include devices that are not IP addressable. This would dictate the need for tools that have the ability to scan non-standard, non-IP- based OT gear. An example of that might be a Siemens switch that uses serial protocol technology. Anyone who works in a corporate environment may be surprised to think that such older technology still exists, but this just emphasizes the dearth of funding afforded to many local governments to fight cybercrime.  A vulnerability scanner needs to have the ability to assess IP addressable items as well as non-IP addressable items and recognize a serial protocol and be able to profile what that device is. Some tools do it, and some don't. For instance, if you looked at the Tripwire IP360 tool, it recognizes anything that has an IP address, but not anything that functions on a serial connection. Fortunately, Tripwire Industrial Visibility provides that solution.

Another area where a small municipality might be able to usefully direct grant money is in a change management solution. For an entity that is doing everything in the cloud, SaaS applications then become a big deal. They need to be able to perform vulnerability assessments from the cloud.  They also need to be able to perform change management or integrity checking and other security functions from the cloud. Everything from event logging and management, to alerting also needs to be considered for any entity that has any internet presence.

Uptime is also an important concern for a government agency.  An investment in fault-tolerant components could be in place that ensures uptime, let's say, of a 99% uptime disaster recovery in a hot failover situation.

One of the most important areas that governments must focus on is compliance, both with state, as well as federal regulations. This is another reason why the tool selection needs to be carefully considered. Any tool must fulfill both the security purpose and if it also addresses a compliance requirement, then that adds to its value.

The SLCGP is an important and, unfortunately, overdue initiative. However, as the importance of cybersecurity grows, it is encouraging to see this new direction to help even the smallest areas of government.