5 things to consider while applying to the State and Local Cybersecurity Grant Program (SLCGP)
State and local government (SLG) organizations are experiencing an increase in cyber incidents that impact and disrupt citizen services. In 2021, US President Joe Biden signed the Infrastructure Investment and Jobs Act (IIJA). This act provides funding that state, local, and academic institutions can access to make strategic decisions that can build resilience, modernize systems, and enhance and strengthen the overall security posture of critical infrastructure services.
IIJA created the State and Local Cybersecurity Grant Program (SLCGP), which provides funding to eligible entities to address cybersecurity risks and threats to information systems owned or operated by, or on behalf of, state, local, or tribal governments. SLCGP allocates $1B distributed over four years to support state, local, and tribal agencies in the implementation of cybersecurity best practices.
The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released the FY22 Notice of Funding Opportunity (NOFO), which provides more details about the requirements to apply for SLCGP funding. The funding opportunity requires participants to prioritize the establishment of a cybersecurity planning committee; the development of a state-wide cybersecurity plan; assessments; and the adoption of cybersecurity best practices.
This blog post guides you through some resources and approaches to consider as organizations strive to meet the SLCGP funding requirements. Note: the SLCGP funding’s overall per state allocations are not sizeable enough for each local organization to implement their own security measures effectively. Participating state and local government entities should take a strategic and enterprise approach to leverage these funds in a manner that will make a broad impact in risk reduction, and to make their infrastructure more resilient.
The SLCGP funding requirements
With a tight 60-day window for submission, grant program participants need to act quickly while meeting the intent of the grant, which requires 80% of the funds to be allocated to local government. For those entities pursuing the grant for enterprise initiatives, like consolidated IT programs, approval from local government representatives is required. The SLCGP also includes stringent grant reporting requirements. These reporting requirements may be considered cumbersome to smaller local government participants that may not have a grants office or knowledgeable staff to support these efforts. Local government organizations can consider leveraging the statewide grant offices to support meeting the grant reporting requirements.
Participating SLG organizations with strong private-public partnerships with their vendor community can streamline their SLCGP funding efforts by using already established processes and solutions.
Considerations to help meet the SLCGP funding opportunity
Organizations must apply for SLCGP funds before the deadline on November 15, 2022. As the SLCGP necessitates establishing a cybersecurity planning committee, the following are recommended approaches for a cybersecurity planning committee to consider to secure funding:
1. Streamline cybersecurity solution procurement to standardize operations and reduce costs
Organizations can take advantage of independent software vendors’ (ISV) solutions that can provide visibility, integration, automation, and protection at scale. However, the cybersecurity planning committees in charge of reviewing and submitting requests for these solutions should prioritize reducing various agencies’ requests—rather, they should look broadly across all requests to identify repeated themes and focus on areas that can scale across agencies and departments. In taking this approach, states can standardize capabilities and better operationalize threat data that they can use to make actionable decisions. Ransomware is one of the most dominant cyber incidents across state and local government (SLG) organizations, so having an integrated system that allows for simplified operations and automated response can benefit SLG organizations that are resource constrained. Committees can find vendor solutions to meet this need in the AWS Marketplace from Amazon Web Services (AWS) or with AWS Partners; some examples of such solutions are Presidio’s Ransomware Mitigation Kit and SentinelOne for AWS Elastic Disaster Recovery.
2. Find ready-made solutions in a digital catalog to support cybersecurity governance and more
Given the short timeline for submission, participants can consider using digital catalogs that simplify, consolidate, and accelerate procurement processes by offering a wide range of relevant solutions from ISVs. In addition, these catalogs can provide solutions that offer enhanced visibility into utilization and other critical data points that factor into the SLCGP’s metrics and grant reporting requirements. Digital catalogs like the AWS Marketplace can offer organizations solutions that support procurement speed, flexible pricing and terms, and the needed governance to oversee cyber events as required by grant programs like the SLCGP. SLG customers can collaborate with vendor partners that can assist in fast-tracking implementations and offer flexible contract terms, e.g. shelf ware clause, and volume discounts.
3. Prioritize resilience for your infrastructure
SLG organizations looking to secure SLCGP funding may consider prioritizing resilience for their infrastructure. Organizations can build resilience and an effective data strategy with various cloud services. Cloud services provide opportunities to increase scalability, resilience, reliability, and offer low cost disaster recovery and centralized immutable back up offerings. Services like AWS Backup can be used to centralize and automate data protection across your services regardless of whether they are on premises or in the cloud. AWS Backup secures your backups by encrypting your data in transit and at rest, which reduces risk of data compromise.
4. Skill your organization with no-cost cybersecurity training
The NOFO details that applying organizations must adopt cybersecurity best practices and implement cyber awareness training to be eligible for funding. SLG Organizations can consider using no-cost training opportunities and cyber awareness services offered by leading security vendors. AWS Cybersecurity Awareness Training is a no-cost training solution that can scale for use by private organizations and citizens. The training offers 15-minute lessons on cybersecurity-related topics like secure communication, data classification, phishing, physical security, social engineering, data privacy, third-party/application security, laptop standard, protect data, and acceptable use in over 10 different languages. It also meets accessibility requirements.
5. Think long-term with a modernization strategy
Lastly, for subsequent year SLCGP efforts, SLG organizations should focus on long-term strategies, like statewide modernization of critical applications and infrastructure. Organizations can use cloud services to help meet the NOFO requirement to implement best practices like implementing zero trust architecture, which can further support efforts to enhance digital transformation efforts while securing the citizen experience.
Conclusion
State and local governments should not be deterred by the grant submission timeline and reporting requirements. This funding opportunity can help implement state-wide risk mitigation strategies to protect data privacy, secure infrastructure, and serve citizens across the nation.
AWS and AWS Security Partners provide a portfolio of services that support SLG organizations with their SLCGP objectives and can help implement end-to-end enhanced security. For more information on how AWS can support customers’ security requirements, visit the AWS Security & Compliance hub. Learn more about how state and local governments use AWS in the AWS Cloud for State and Local Governments hub.
Do you have questions about how your agency can use AWS to support your cybersecurity goals? Reach out to Cloud Solutions Tech to learn more.