$1 billion for public sector security—act quickly

October 6, 2022

The State and Local Cybersecurity Grant Program, administered by the Cybersecurity and Infrastructure Security Agency (CISA), represents one of the largest federal grant packages ever for state and local cybersecurity—and it comes at a great time. US, state and local governments experienced a 50% increase in cyberattacks from 2017 to 2020. At the same time, there's an extreme shortage in cybersecurity talent, with 2.7 million unfilled cybersecurity jobs globally.

Grant overview

Funding will be available in Q3 2022 through Q3 2026 and distributed yearly, with applicants required to meet certain requirements. For example, applicants must be one of the 56 states and territories, submit a Cybersecurity Plan that aligns with the criteria (unless funding will be used to create the plan in year one) and have a Cybersecurity Planning Committee comprised of specified members.

Other requirements:

  • Applying as a single applicant requires a 10% match (federal share 90%, applicant share 10%).
  • The entity must pass through at least 80% of funding to local governments within their jurisdiction.
  • At least 25% of the pass-through funding must go to rural areas (population of less than 50,000 that has not been designated in the most recent decennial census as an “urbanized area”). This is not a requirement for grants awarded solely to support development or revision of the cybersecurity plan, or for the District of Columbia, the Commonwealth of Puerto Rico, American Samoa, the Commonwealth of the Northern Mariana Islands, Guam, the United States Virgin Islands, or a Tribal government.
  • The applicant entity must make a firm written commitment to passing through grant funds or equivalent services to subrecipients.
  • The applicant entity or multi-entity must engage and obtain consent of local governments if passing through items, services, capabilities or activities to rural areas in lieu of funding in order to count that value as part of the overall 80% pass-through requirement.

Three ways to get started

  1. Get strategic. To access the funding, present a cybersecurity plan to CISA outlining how you will improve cybersecurity. The first year of funding can be used to create a statewide cybersecurity plan. If that's the case, plans must be submitted by September 30, 2023. The Cybersecurity Plan is a statewide planning document that must be approved by the Cybersecurity Planning Committee and the CIO/CISO equivalent. The Plan should be updated in FY24 and FY25 and should contain all of the specific items in the Required Elements section of Appendix C of the Notice of Funding Opportunity (NOFO).
    The NOFO elements align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework best practices (i.e., Identify, Protect, Detect, Respond and Recover). In addition, governance, risk and compliance and workforce development are important aspects. Also, since cybersecurity isn’t a ‘one and done’ activity, a key to success is creation of a Cybersecurity Program Management Office (PMO) to orchestrate, implement, update and maintain the plan and assist with funds administration. Accenture has extensive experience in this area and can help with cybersecurity plan development and implementation, standing up and running of PMOs and funds management.
  2. Become resilient. Accenture’s State of Cybersecurity Resilience 2021 report found organizations can reduce the cost of breaches by up to 71% if they increase their performance to what we call ‘Cyber Champion’ levels. A common characteristic of Cyber Champions is that they gave CISOs a seat at the top table; became threat-centric; aligned cybersecurity to their organization’s business strategy; and modernized legacy systems by taking advantage of cloud security solutions.
    Specifically, when seconds matter, a swift and effective response is crucial. Incident Response Retainer and Managed Extended Detection and Response (MxDR) services are great ways to rapidly increase resiliency to cyber attacks. In addition, implementing disaster recovery and data backup strategies may reduce the impact of cyber attacks by enabling continued access to mission-critical public data and services during a breach.
  3. Embed security. Make it a part of every initiative, including migration to cloud, applications and platform modernization. Cloud is and will be vital. The Accenture and National Association of State Chief Information Officers (NASCIO) Cloud Study found that as states responded to the COVID-19 pandemic, they accelerated the move to remote and hybrid workforces. Globally, 57% of public sector leaders feel that accelerating cloud adoption is mission critical. Cloud also takes center stage in the US Federal Government, with the FY22 National Defense Authorization Act (NDAA) allocating more than $44 billion for the Department of Defense to migrate to the cloud, including a directive for the US Space Force to brief Congress on how it will leverage cloud.
    We applaud this emphasis on cloud. Public services organizations can take advantage of cloud-native security services to modernize security while migrating to the cloud, and Accenture can help with each step of the cloud journey. Our IT infrastructure is 95% in the public cloud and is costing us half as much as our legacy delivery models. We have a multi-cloud strategy and currently leverage Microsoft Azure, Amazon Web Services and Google Cloud Platform. Thus, cloud is a fiscally sensible option for public entities.

Looking forward

We can learn a lot about what is to come for public services organizations by looking at regulations and the movement to improve cybersecurity in the US Federal Government. In May 2021 the Executive Order on Improving the Nation’s Cybersecurity introduced the widest sweeping cybersecurity reform ever. Three key themes in the executive order are: the requirement for all Federal agencies to adopt a Zero Trust Architecture; Software Supply Chain Security; and CISA's role in collaborating with states.

Ultimately security is about people: protecting people, bringing people together and sharing knowledge and tools to collectively strengthen our defenses. By aligning cybersecurity with their goals and mission, state and local government agencies can save money and operate more efficiently while helping to protect citizen information and operations integrity.

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence.

This document makes descriptive reference to trademarks that may be owned by others. The use of such trademarks herein is not an assertion of ownership of such trademarks by Accenture and is not intended to represent or imply the existence of an association between Accenture and the lawful owners of such trademarks.
This document is produced by consultants at Accenture as general guidance. It is not intended to provide specific advice on your circumstances. If you require advice or further details on any matters referred to, please contact your Accenture representative.

WRITTEN BY

Michele Lynn Myauo

Managing Director and Senior Security Executive – North America Public Services Security Industry Lead