A small coalition of professional groups representing state and local governments on Monday urged congressional leaders to retain $100 million in future cybersecurity funding already approved through the State and Local Cybersecurity Grant Program.
In a letter, seven groups, including the National Association of State Chief Information Officers, the National Governors Association and the National League of Cities, called for continued allocation of $1 billion in cybersecurity funding authorized by the Infrastructure Investment and Jobs Act of 2021.
Alex Whitaker, NASCIO's director of government relations, told StateScoop that the letter was prompted by rumors that state and local grant programs could be targeted for cancellation by appropriators.
“State and local governments have done much work to implement stronger cybersecurity protocols and address vulnerabilities, but continued funding from the federal government is essential to ensure continued momentum,” the letter said. “The addition of SLCGP to IIJA recognizes this great need.”
The program has posed some challenges for state and local governments, with program managers for the Federal Emergency Management Agency and the Cybersecurity and Infrastructure Security Agency acknowledging last March that the program's matching requirements had proven “stringent” in some states.
But overall, the program has been hailed by state and local governments as at least partially fulfilling a long-standing need for improved cybersecurity programs in the local government sector, which is constantly under cyberattack. Critical infrastructure, including water utilities, is among the state's top cybersecurity concerns. The Illinois Secretary of State's office, which keeps the state's records and administers elections, recently disclosed that its email system was breached last April.
The letter notes that the new cyber budget has produced positive results so far, including helping local governments implement basic security protocols and make more frequent use of security resources shared with state governments. It also notes the increasing prevalence of state-sponsored “statewide” cybersecurity programs, in which state technology departments take on greater responsibility for public sector entities that traditionally fall outside their jurisdiction, such as local law enforcement, schools and public works.
State technology officials have generally welcomed the $1 billion state and local cybersecurity grant program after years of seeking federal help to combat never-ending cyberattacks, but the program has faced obstacles. Whitaker said NASCIO often encounters state officials who are reluctant to invest in new cybersecurity programs that will lose support when the four-year federal grant program expires.
However, the share of funding that states must contribute rises each year after the program begins, and the idea behind that increase may be to free states from federal support: in the first year of the grant program, 90% of the funding comes from the federal government, and the split then moves to 80/20, then 70/30, and finally 60/40 in the final year of the program.
Whitaker said NASCIO has also been critical of the program, and would like to see, among other things, the funds distributed more quickly and clearer guidance from FEMA and CISA on the allowable uses of the funds.
But above all, he said state and local governments don't want to see their funding cut.
“Diversion of these critical funds at this time would severely hinder state and local level efforts to secure the nation's networks,” the letter warned.