States used cyber grants for ‘hundreds’ of key projects, report finds

The Government Accountability Office found that the State and Local Cybersecurity Grant Program was wildly popular, but state leaders are worried about sustained funding.
A cybersecurity grant program has helped fund hundreds of projects in state and local government, but leaders are concerned about sustained funding for those projects and worried about the future, according to a report from a federal agency.
The Government Accountability Office found this week that the State and Local Cybersecurity Grant Program has helped fund 839 state and local cybersecurity projects as of Aug. 1, 2024, by which time the Department of Homeland Security had provided $172 million in grants to states out of a total $1 billion in funding.
GAO said the federal agencies and applicants met all the grant program’s requirements, while grantees for the most part praised how the federal side handled the program. The grant program is funded from the 2021 infrastructure law and jointly administered by the Cybersecurity and Infrastructure Security Agency and the Federal Emergency Management Agency, but runs out of money in September.
GAO found that the projects funded during Fiscal Years 2022 and 2023 include developing cybersecurity policy, hiring cybersecurity contractors, upgrading equipment and implementing multi-factor authentication. GAO said those projects “are essential to identifying risks, protecting systems, detecting events, and responding to and recovering from incidents.” The watchdog also found that the program has been well received, albeit with some caveats.
“[State] officials we interviewed about the grant program provided positive feedback on FEMA’s communications, guidance, and funding,” the report says. “Officials also reported challenges with the program and concerns with sustaining cybersecurity projects after the grant program ends. Selected officials reported their plans for sustaining projects by using other grant programs or seeking future funds at the state and local level.”
GAO found that all of the projects funded by the grant program are aligned with the voluntary Cybersecurity Framework issued by the National Institute of Standards and Technology. The largest number of approved projects — 284, totaling $42 million — came in the core cyber function of identifying risks, which includes risk assessment and asset management. More than 180 projects also were approved for 13 states and one territory to upgrade their equipment, with GAO finding that one planned to replace its “aging” firewall, while another is looking to implement endpoint protection.
Forty-three projects for detecting cybersecurity events received funding worth $22 million, while 52 governance projects that included cybersecurity policy, oversight and workforce investments totaled $12 million in investment. Having a plan in place was a requirement for states to receive funding under this program. More than 100 projects to protect systems from cyber threats received $20 million in funding, while 11 projects to respond to cybersecurity events and recover systems received just over $1 million.
Most projects funded by the law — 333 — were relevant to multiple categories of cybersecurity projects and totaled $75 million.
But the GAO report indicates that state and local leaders feel there are dark clouds on the horizon, as they worry about how to pay for these projects once federal funding from this program runs out. The report notes that one state official said smaller towns and cities may be “deciding between spending on paving roads or cybersecurity practices.” That same official interviewed by GAO said that could then create vulnerabilities in the state’s cybersecurity posture.
Another official noted that sustainment of cyber funding will be an issue for every local entity involved in the grant program, as most have no other way of funding cybersecurity beyond this program. The state may be able to help cover some matching requirements but cannot fill every funding gap.
It is also tough getting state leaders to invest in cybersecurity as “there is no clear mandate that explicitly requires organizations to assign a percentage of funding to cybersecurity,” the report says. “Instead, all cybersecurity investments must be justified and include why the projects are critical.”
In lieu of more funds from this program, GAO said some states plan to use funds from other grant programs to try to make up any shortfalls, although the future of federal grants looks to be in some doubt. Some states appear likely to try to use Homeland Security Grant Program funds from FEMA, but even those will not be enough given the different funding priorities in that program.
And some said they will try and secure more funding from their state legislature, including through a dedicated line item for local government cybersecurity in the state budget.
Reauthorization, then, is critical for states ahead of the Sept. 30 funding lapse. There is some interest in Congress, which held a hearing on the subject early this month, but movement looks unlikely given the lack of legislation. In the meantime, experts urged states not to give up the ghost.
“Obviously none of us know how things are going to shake out, what's going to happen and when it’s going to happen,” Meredith Ward, deputy executive director at the National Association of State Chief Information Officers, said during a panel discussion at the group’s Mid-Year Conference in Philadelphia this week. “My message to CIOs, to states, to CISOs, is still do what you can, not hibernate as much as you can. Our sense of having to work together as fellow state programs is even more important.”