The Infrastructure Investment and Jobs Act (IIJA) has passed. It includes significant funding to improve infrastructure across the country, including a $1B State, Local, Tribal, and Territorial (SLTT) grant program earmarked to strengthen the cybersecurity readiness for organizations providing local government infrastructure and services
In this blog, we'll list the top 8 things that organizations who are eligible to apply for SLTT funding should be doing now to prepare for when the Notice of Financial Opportunity (NOFO) is published. We expect the NOFO to appear soon. There will be high demand for funds from the grant, and those responsible for evaluating applications and approving projects will be busy. You'll want your application to be submitted quickly and stand out from the crowd, so doing as much preparation now will reap benefits when the NOFO is shared.
Undergo a Cybersecurity Assessment
The committees allocating SLTT funds will want to distribute them where they do the most good. They'll want to target funding to requests from applicants that aim to protect their most critical infrastructure and systems. In order to identify where your vulnerabilities and cybersecurity gaps are, each local government organization that is thinking of applying for SLTT funding should do a cybersecurity assessment if they don't already have a recent one. The assessment should use a nationally recognized cybersecurity framework like the NIST Cybersecurity Framework. Doing an assessment to highlight gaps will enable you to target your application for funds where you need them most, especially for critical infrastructure areas like water management and other public infrastructure systems. We can help you do a gap analysis to see where you need to spend funds to improve cybersecurity.
Develop an Incident Response Plan
All the indications we have suggest that having a well-defined Incident Response Plan (IRP) will be critical to any successful bid for SLTT funding. An IRP ensures that everyone knows what to do in the event of a cyberattack. Demonstrating that you have an IRP and have considered readiness provision in your application process and in how you will use the funding will be required to get part of the grant in your state. As part of the IRP, you should be able to show evidence that you have tested the plan via tabletop exercises and communicated the steps staff need to take when an incident occurs. The development of IRPs (based on the data collected via a cybersecurity assessment and gap analysis) is a core part of the Critical Insight service offering. We can assist you in developing an appropriate IRP if you do not already have one.
Identify Infrastructure That Will Attract Preferential Funding
The SLTT grant funding within the broader IIJA allocation aims to bolster cybersecurity protections at the local level across the country. There will be high demand for the funds. Allocating committees will be looking for projects that request funds to secure the essential systems in their state. Critical infrastructure and systems will likely have a higher priority call on the funds. Examples include drinking water treatment infrastructure, election systems, the local 911 emergency IT systems, and similar. A good test to determine if something you control is critical (beyond the 16 sectors designated critical by the federal government) is to use the media test. Would it make the local, state, or national news if these systems got hacked? If yes, they should be classified as critical and have cybersecurity protections to stop them from being compromised. Don't fall into the trap of requesting funds to upgrade every system with an IT component. Instead, identify your highest-profile and more critical systems and submit a funding application for those.
Know What Expenditure Funding Committees Will Emphasize
Building on the idea that funding committees will be looking to approve projects that deliver the most improvements for critical infrastructure, they will also be looking for projects that provide the maximum improvement in cybersecurity protection. Services and technologies that they will likely be keen to support and see deployed at the local government level are:
- 24x7 cybersecurity monitoring provision
- Multi-factor authentication (MFA) delivery
- Incident response plan and readiness provision - with evidence that you have tested the plan via tabletop exercises and have communicated the steps staff need to take when an incident occurs.
- Zero-trust architecture planning and implementation
- User cybersecurity awareness training
Critical Insight can assist you with these during the application and deployment phases after you obtain funding.
Line Up SLTT Application Writing Help
Applications for funding that conform to the format that the approvals committee expects will have a better chance of success than those that do not. Funding bodies will issue a standard template that local government organizations will need to use to apply for funds. Submitting an application using this template and, at the same time, making your application stand out requires experience in successful bids for other funds. Getting help from teams experienced in government bidding processes will be essential. You should arrange this help as soon as possible as many organizations are looking to get assistance. For example, as many as 1000 local government organizations in Washington state can apply for funds from SLTT.
Watch Our April Webinar
Our 26th of April webinar takes a deep dive into what's currently known concerning the IIJA SLTT funding grant.
We outlined what we know at the national and Washington state level about the process and timelines for distributing the IIJA cybersecurity grant during the webinar. The local allocation in other states will be broadly similar to Washington but with regional variations.
Book a Meeting with Our Experts
Delivering cybersecurity services to protect critical infrastructure and IT systems is why Critical Insight exists. We have decades of experience in our team across the health sector, local government, state government, and private sector critical infrastructure providers.
We can help local government organizations get ready to apply for funds from the IIJA SLTT grant and work with you to ensure you get the best return on investment. The image below outlines the services that Critical Insight provides, with arrows highlighting the groups of services that apply to what you need to start doing today to get ready for the IIJA NOFO.
Get in touch today to book a meeting with our experts. We can help you get ready to apply for IIJA funding, help you write and submit the application, and ensure that any funds you get allocated deliver the maximum return on investment.
Sign Up for Our Daily Blast Email for Updates
The cybersecurity threat landscape is constantly changing. Staying on top of threats and how they might impact your organization is a full-time job. Critical Insight does this full-time, so you don't need to. If you would like a curated summary of what is important in cybersecurity, sign up for our Daily Blast email.
See also: IIJA Cybersecurity Grants – The Top 8 Things You Should Do to Prepare to Apply