In early November, the U.S. House of Representatives passed a $1.2 trillion infrastructure bill. The legislation has a lot in it. There’s $7.5 billion set aside for creating a network of EV charging stations across the United States, for instance, with an additional $65 billion earmarked for overhauling the nation’s electricity grid with renewable energy, noted CNET.

There’s also some money reserved for cybersecurity. According to CSO, the law will boost government spending on cybersecurity by $1.9 billion. About half of that is reserved for a new initiative called the “Small and Local Cybersecurity Improvement Act.”

Let’s spend some time examining how this new billion-dollar program is designed to work.

There’s a lot of detail here, so feel free to tl;dr and just skip to the bottom for our take.

An Overview of the State and Local Cybersecurity Improvement Act

The purpose of the State and Local Cybersecurity Improvement Act is “to award grants to eligible entities to address cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, State, local, or Tribal governments,” as quoted from the infrastructure bill’s text. The program’s appropriations will begin at $200 million for fiscal year (FY) 2022. It will then double to $400 million the following fiscal year before dropping to $300 million in FY 2024 and $100 million the year after that.

The primary purpose of a grant issued via the State and Local Cybersecurity Improvement Act is to help an eligible entity develop, implement, and/or revise a cybersecurity plan. This strategy must describe how the eligible entity will approach about two dozen different cybersecurity functions. Those efforts include monitoring network traffic, conducting vulnerability assessments on an ongoing basis, ensuring the continuity of their systems in the event of a ransomware attack, using best practices identified by the National Institute of Standards and Technology (NIST) to mitigate supply chain risks, and leveraging the National Initiative for Cybersecurity Education Workforce Framework for Cybersecurity to close gaps in their cybersecurity workforce through training and retention. It’s up to each eligible entity to assess those different capabilities, describe relevant individual responsibilities for fulfilling them, outline the resources and timetable that they need to implement them, and identify appropriate metrics that they can use to implement the plan and reduce their cybersecurity risks.

Each eligible entity must submit their cybersecurity plan to the Department of Homeland Security (DHS) for review. It’ll then be up to DHS to determine whether the plan satisfies the requirements, a determination which will be effective for a period of two years. No later than two years, DHS will then need to determine whether eligible entities need to revise their cybersecurity plans in a way that reflects the evolving threat landscape. It can then renew its determination of a cybersecurity plan as it sees fit.

Additionally, the State and Local Cybersecurity Improvement Act requires that DHS submit a report to Congress each year. That report must discuss the use of funds under the State and Local Cybersecurity Act, the proportions of the different types of eligible entities receiving grants through the program, and the overall effectiveness of the program in strengthening state and local cybersecurity. Those reports must be submitted until September 2025, a point when the entire program is expected to end.

Our Thoughts on the State and Local Cybersecurity Improvement Act

In the description of the State and Local Cybersecurity Improvement Act above, notice that we didn’t mention the need for eligible entities to spend their money on a particular tool or shiny object. That’s because there isn’t any mention of using a particular tool within the bill itself. Instead, there’s the guidance for eligible entities to use frameworks from NIST and other respected entities to drive their security measures forward.

This recommendation gives a lot of leeway to eligible entities in designing their cybersecurity plans. But it might also create some consternation, as some of the frameworks referenced in the bill aren’t easy for organizations who don’t already have internal cyber expertise to implement. In particular, eligible entities on the smaller side might not know where to start.

For those organizations, we always recommend the Center for Internet Security’s Critical Security Controls (CIS Controls). Those measures constitute the basic building blocks of a well-designed cybersecurity strategy. They’re based on the NIST Cybersecurity Framework, after all, so when the bill refers to NIST, going with the CIS Controls wouldn’t represent a deviation. It’ll serve as a good starting point for eligible entities to build out their cybersecurity plans.

Interested in learning more? Check out what’s new in Version 8 of the CIS Controls. While you’re at it, you can explore how the CIS Controls can you help your organization to solve some of its real-world security challenges.