A bill was introduced last week in the U.S. House of Representatives Homeland Security Committee that would create a new grant program of $400 million annually to assist state and local governments in improving their cybersecurity posture and resilience.
Known as the “State and Local Cyber Security Improvement Act,” the bill is designed to increase federal cybersecurity funding to state and local governments. Cyberattacks, particularly ransomware attacks, have hit state and local governments hard, and these smaller governmental entities do not have the resources to adequately prepare. The Act is an attempt by the federal government to assist with these preparatory efforts.
The legislation will also create a 15-member State and Local Cyber Security Resiliency Committee, which will advise the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency with respect to the Act and its implementation.
The proposed legislation requires recipients to meet some guidelines for receiving the grants, including that the grants be used to:
- Enhance the preparation, response, and resiliency of information systems
- Implement a process of continuous cybersecurity vulnerability assessments and threat mitigation practices
- Ensure that State, local, tribal and territorial governments that own or operate information systems within the State adopt best practices and methodologies to enhance cybersecurity, such as the cybersecurity framework developed by the National Institute of Standards and Technology
Under the Act, the funds would be distributed to the states, which would then redistribute the monies to their local governments. Each state would be responsible for determining how it would redistribute the funds within certain guidelines set forth in the Act.
Recipients would not be able to use grants to replace funds they’ve already allocated for cybersecurity. The grants also cannot be used to pay ransom.
Encouraging states to prioritize cybersecurity needs
While the purpose of the Act is to help state and local governments defray the cost of upgrading and maintaining their cybersecurity infrastructure, we note that the bill only authorizes $400 million annually, which, if theoretically split evenly among states, would amount to only approximately $8 million per state per year.
The grant program is structured to encourage states to increase their own contributions over time. In fiscal year 2021, the first year the grants would be available, the federal share of a state’s cybersecurity budget would not be allowed to exceed 90%, a figure that would decrease by 10% each year through 2025, after which the federal government and states would split cybersecurity costs on an equal basis.
As with any legislation, differences between the House and the Senate will need to be addressed and reconciled.
This bill is a good step in the right direction but will realistically need a significant funding increase in order to be meaningful. Our Privacy, Cybersecurity and Data Management Team will continue to monitor the progress of the bill and provide continuous updates, including how to apply for the grants when they become available.