States urge Congress not to claw back cybersecurity grant funding
A handful of professional associations representing state and local governments on Monday urged congressional leaders to preserve $100 million in upcoming cybersecurity funding already approved through the State and Local Cyber Security Grant Program.
Seven groups — including the National Association of State Chief Information Officers, the National Governors Association and the National League of Cities — asked in a letter for continued dispersal of the $1 billion in cybersecurity funding authorized by 2021’s Infrastructure Investment and Jobs Act.
Alex Whitaker, NASCIO’s government affairs director, told StateScoop the letter was prompted by rumors that the state and local grant program may be targeted by appropriators for clawbacks.
“While much work has been done by state and local governments to implement stronger cybersecurity protocols and address vulnerabilities, sustained federal funding is critical to ensure continued momentum,” the letter reads. “The inclusion of the SLCGP in the IIJA recognized this tremendous need.”
The program has posed some challenges to state and local governments — program administrators from the Federal Emergency Management Agency and the Cybersecurity and Infrastructure Security Agency admitted last March the program’s matching requirements have proven “steep” in some states.
Overall, however, the program has been heralded by state and local governments as the at least partial realization of a longstanding need for improved cybersecurity programming in a local government sector that is continually bombarded by cyberattacks. Critical infrastructure, including at water utilities, is among states’ cybersecurity concerns. The Illinois Secretary of State’s office, which maintains state records and administers elections, recently revealed that its email system was breached last April.
The letter points to the good work the new cyber funding has done so far, including helping local governments implement basic security protocols and more frequently use the security resources shared by their state governments. It also points to the increasing prevalence of “whole of state” cybersecurity programs launched by state governments, in which state technology offices take greater responsibility for public sector organizations that might have traditionally fallen outside their scope, such as local law enforcement agencies, schools or public utilities.
While state technology officials have generally celebrated the $1 billion State and Local Cyber Security Grant Program after years of calling for federal assistance to guard against an unending barrage of cyberattacks, the program has also hit snags. Whitaker said NASCIO often encounters reluctance among state officials to invest in new cybersecurity programs that will run out of support after the four-year federal grant program expires.
The increasing match required by states in each year of the program, however, may have been included with the idea of weaning states off the federal support. In the first year of the grant program, 90% of funding came from the federal government, followed by an 80-20 split, and then 70-30 before it will close at 60-40 in the program’s final year.
Whitaker said NASCIO also has some critiques of the program, including a desire to see funding get dispersed more quickly and to receive more-clear guidance from FEMA and CISA on the allowable uses of the funding.
But most of all, he said, state and local governments don’t want the funding taken away.
“Redirecting these vital funds at this time would seriously hinder efforts at the state and local level to make our nation’s networks secure,” the letter warns.