The Infrastructure Investment and Jobs Act (IIJA), formally known as the Infrastructure Bill, was passed into law in November 2021. The Act includes significant spending targeted at upgrading infrastructure across the nation. Funds are included to improve roads, bridges, rail networks, public transit, seaports, airports, green initiatives, create jobs, and improve the IT systems and cybersecurity for critical infrastructure and services at the state and local government levels.
Local Government organizations will be able to apply for funding from a ring-fenced cybersecurity improvement grant within the broader IIJA funding allocation. States will allocate the funds, and each state can do this to suit its needs within the federal IIJA specification. How the distribution of funds will happen and what local government entities will need to do to make a request is currently being finalized. Not everything is known (as of the end of April 2022), but we know enough to enable local government organizations to start planning their applications.
Webinar on What We Currently Know
Critical Insight's Founder and CISO Mike Hamilton has contacts within federal and state-level administrations. He has talked to many people about how the IIJA cybersecurity grant will be allocated and distributed. To communicate what we currently know, Critical Insight held a webinar and chat this week with Mike, Fred Langston (EVP of Professional Services and Critical Insight Co-Founder), and Jake Milstein (Marketing/Event Host).
During the webinar, Mike outlined what he currently knows at the national and Washington state level about the process and timelines for distributing the IIJA cybersecurity grant. We are based in Washington State and have a clearer picture of how this state will allocate funds. The local allocation in other states will be broadly similar but with regional variations.
After Mike had outlined his current understanding, there was an informative discussion based on topical questions from participants in the chat. You can watch an embedded recording of the webinar below or on our YouTube Channel. We'll summarize what we currently know in the remainder of this article. However, everyone should note that the funding allocation process in Washington and other states is still not finalized. Many of our conversations with officials have been off the record. What we outline in the webinar and this article is provisional and subject to change. But the information does provide a basis to start planning for funding applications from the grant.
The National Cybersecurity Grant Allocation
Within IIJA, there is a $1B tranche of funding earmarked to bolster cybersecurity protections for infrastructure and Government IT systems at the state and local government levels. The federal grant stipulates that at least 7% of the funding allocated to each state has to be spent by rural local governments. There is a national classification that defines rural, but it includes a catchall clause that allows states to determine what is rural according to their needs. We expect many states to spend more than the mandated 7% of their allocation on rural local governments.
There are approximately 90,000 local government entities in the US. If the $1B grant were distributed equally across all the local governments, each would get about $11,100. This is not how the funds will be distributed. Instead, each local government organization will need to apply for funds within their state. Each state will receive its share of the grant from FEMA, and then it'll be up to each to further divide it at the state and local government levels. Each state will have a review and approval committee to evaluate applications and approve those deemed to deliver the most cybersecurity benefits.
The composition and criteria that these state-level approval committees will use are not final, but we know that state-level CISOs will play a part. An Incident Response Plan (IRP) will likely be a requirement for any local government applying for funds from the grant. If the grant application is for mission-critical functions, there may be a need to demonstrate COOP funding allocation at a certain percentage. We'll come back to these points later.
Variations at the State Level
Before we get into what we've heard from officials in Washington state, we want to emphasize again that planning for the allocation and spending of these funds is still in flux. Statements we make here (and in the webinar on the 26th of April) are provisional and subject to change. Our discussions with state officials involved in cybersecurity planning were off the record, and nothing we outline here should get used to bind or criticize anyone involved in planning.
Critical Insight is in Washington State, so the variations from the federal grant for Washington are what we are most familiar with. You will find different variations in other states. What do we currently know about how Washington plans to spend its allocation from the IIJA grant?
- 80% of the Washington grant will be allocated for local government spending, with the remaining 20% held back for state cybersecurity improvements.
- Within the 80% going to local government, 25% will be ring-fenced for rural local government. This means that Washington is spending 20% of its total grant on rural local government, significantly higher than the 7% stipulated in the federal grant outline.
- There will be a cost-sharing requirement that entities must demonstrate in their existing budget. The level of this cost-sharing is still to be finalized but could be 40% on some project types.
- If multiple local government jurisdictions band together to form a team to deliver better cybersecurity protection for them all, the state will waive this cost-sharing requirement. This is an effort to drive economies of scale and better cybersecurity outcomes across larger groups.
- Every application for a grant from the funds must include a security plan outlining how the local government organization will make improvements over time.
- The Washington State CIO/CISO will create a committee that evaluates and approves applications and plans within the state.
- There will be a template that applicants can use to apply.
- The initial Notice of Funding Opportunity (NOFO) informing local governments that they can apply for funding from the grant is likely to be issued in the next few weeks.
What the Funding Will Likely Emphasize
Once the IIJA funding NOFO is out and applications are open, we expect that there will be specific cybersecurity techniques and services that the approval committees across all states will prioritize. The items that committees will likely look for in applications are:
- 24x7 cybersecurity monitoring provision
- Multi-factor authentication (MFA) delivery
- Incident response plan and readiness provision - with evidence that you have tested the plan via tabletop exercises and have communicated the steps staff need to take when an incident occurs.
- Zero-trust architecture planning and implementation
- User cybersecurity awareness training - Critical Insight offers this free via a video meeting every other Friday.
The approval committee will almost certainly be looking for applications designed to greatly improve the security of essential services that a local government delivers. Examples of this will include drinking water treatment infrastructure, election systems, the local 911 emergency IT systems, and similar. A good test to determine if something you control is critical (beyond the 16 sectors designated critical by the federal government) is to use the media test. Would it make the local, state, or national news if these systems got hacked? If yes, they should be classified as critical and have cybersecurity protections to stop them from being compromised.
There are some things that the IIJA grant can't fund. First, the following are in scope:
- Capital purchases - although be careful about ongoing running costs after purchase, as these may not be covered. Would a managed service that delivers the same functionality be a better choice?
- Consulting services - external expert help to determine your threat level and to create and deliver a plan to address vulnerabilities.
- Managed services - purchasing services such as managed detection and response (MDR) from dedicated cybersecurity providers.
- Possibly eliminating technical debt items that are a cybersecurity risk - for example, replacing Windows Server 2012 machines with new hardware running the latest version that still receives security patches, or even with cloud-based services. This kind of spending is still a grey area, but clarification will follow.
- Upgrading cloud licenses - many local government organizations will have existing Microsoft 365 licenses on E3 or G3 tiers. Upgrading these licenses to the E5 or G5 level adds many cybersecurity protections that, at a stroke, improve the security posture. Using IIJA funds to take out a multi-year E5/G5 Microsoft 365 plan for all users could well be a good use of these funds. We will need to seek clarification on whether this is a legitimate use.
The following expenditures will not be covered by IIJA grant funding:
- Supplanting existing costs - you can't use the funds to pay for items or services already committed.
- Hiring employees - full-time staff costs for new employees are not in scope. For example, you can't hire a new cybersecurity expert with these funds, as this would be an ongoing cost commitment. You can use the funds for short-term contractors.
What You Need to Do to Prepare
It would be prudent to start preparing today so that you can apply for funds as soon as possible after the NOFO. Here's what you should do now (Critical Insight can help you with this - see the next section).
- Develop an incident response plan - as stated previously, we think this will be vital to stand out when approval committees start to evaluate applications.
- Perform an assessment of your current cybersecurity posture based on a nationally recognized cybersecurity framework. Doing this will enable you to target your application to request funds for improvements where you need them most, especially for critical areas like water management, as outlined previously. We'd suggest that the NIST Cybersecurity Framework is a good choice because it is outcomes-based and does not dictate the cybersecurity technologies you should use to deliver those outcomes.
- Get the application template for your state as soon as it's available and start to complete it based on what you need funds to protect (as identified by the assessment process above).
- Get help on how to best structure and write state-level grant applications from someone with experience and a successful application track record.
Note that about 1000 local government organizations in Washington State can apply for these funds. You'll want your application to be submitted quickly and to stand out from the crowd.
Critical Insight Is Here to Help
Delivering cybersecurity services to protect critical infrastructure and IT systems is why Critical Insight exists. We have decades of experience in our team across the health sector, local government, state government, and private sector critical infrastructure providers.
We can help local government organizations get ready to apply for funds from the IIJA grant and work with you into the future to ensure you get the best return on investment. The image below outlines the services that Critical Insight provides, with arrows highlighting the groups of services that apply to what you need to start doing today to get ready for the IIJA NOFO.
We can help you do a gap analysis to see where you need to spend funds to improve cybersecurity. We can also work with you to create and test an incident response plan (remember that all indications are that having this will be essential). We can provide 24x7 monitoring now at a level for your current budget and at an expanded level using IIJA funding in the future if the gap analysis and planning indicate this is a way to improve your cybersecurity.
Get in touch today using the form below to chat with our experts. We can help you get ready to apply for IIJA funding, help you write and submit the application, and ensure that any funds you get allocated deliver the maximum return on investment.