State and Local Cybersecurity Improvement Act Update: Get Started Protecting Sensitive Data and Systems

On May 18, 2021, the House of Representatives passed the State and Local Cybersecurity Improvement Act (SLCIA) to address cybersecurity vulnerabilities and promote additional cybersecurity collaborative efforts between the Department of Homeland Security (DHS) and state, local, tribal, and territorial governments. The bipartisan bill was received in the Senate on July 21, 2021, read twice, and then referred to the Committee on Homeland Security and Governmental Affairs, where it has been sitting since. Once it passes, it will go to the President’s desk, where it will then immediately provide incentives to address the increasing danger of malicious cyberattacks on state and local IT infrastructure.

Giving state and local governments the resources to protect against hackers

The SLCIA updates the Homeland Security Act of 2002 to give the DHS leeway to utilize centers like the Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing and Analysis Center (MS-ISAC). This will allow them to work with state, local, tribal, and territorial governments as needed, upon request.

This collaboration will encourage conducting cybersecurity exercises and hosting trainings meant to address current or future cyber risks or incidents. It will also provide operational and technical assistance to state and local governments to implement security resources, tools, and procedures to improve overall protection against attacks. The goal is to provide state and local governments with the support they need to defend themselves from hackers.

Resources to bolster government security capabilities

The SLCIA establishes a $500 million DHS grant program that will empower government institutions to increase their focus on cybersecurity. The bill also:

  • Requires CISA to develop a strategy to improve cybersecurity of state, local, tribal, and territorial governments, enabling them to identify federal resources to capitalize on as well as set baseline objectives for their efforts;
  • Indicates state, local, tribal, and territorial governments must develop a comprehensive cybersecurity plan to guide their usage of any grant money they receive;
  • Establishes a state and local cybersecurity resiliency committee made up of representatives from state, local, tribal, and territorial governments to provide awareness of cybersecurity needs; and
  • Enjoins CISA to assess the feasibility of a rotational program for the detail of approved government employees holding cyber positions.

The bill gives state and local governments the push they need to begin defending their networks. This can include the development of new strategies to boost their cybersecurity capabilities and acquisition of the funding needed to ensure their implementation. By investing in cybersecurity ahead of an attack, an entity is more likely to save money and protect its data.

Assessing eligibility for cybersecurity grants

Cybersecurity grants are available to municipalities of all sizes — but it’s important to start strategizing now by considering your IT infrastructure and cybersecurity frameworks. By applying for the grants, you indicate that you are taking your entity’s security seriously and taking the proper steps to qualify.

The State and Local Cybersecurity Improvement Act will provide up to $1 billion in grants for state, local, tribal, and territorial governments, allowing them to directly address their cybersecurity threats and risks. The program’s funding starts at $2 million for 2022, $400 million for 2023, $300 million for 2024, and $100 million for 2025.

To be eligible, an entity must:

  • Maintain responsibility for monitoring, managing, and tracking its information systems, applications, and those user accounts owned and operated by the government;
  • Show it has a process of continuously prioritizing the assessment of its cybersecurity vulnerabilities and threat mitigation practices; and
  • Have a tangible plan that outlines:
    • How to manage and audit network traffic.
    • How the government plans to use the information to improve its systems’ resiliency and strength.

Our perspective

While the bill is still waiting on the Committee on Homeland Security and Governmental Affairs, there are some things you can do to make sure you are ready. State and local governments should focus on building teams that can handle the grant application process — and be prepared to implement once awarded. This bill indicates that governments are past the point of merely updating a firewall or running a generic virus program — things like multifactor authentication and zero-trust architecture are viewed as the next steps (which were required for federal agencies in a 2021 executive order).

How we can help

Prior to starting the grant application process, your IT leaders should start thinking about how to handle security gaps with various procedures and consistent tests. MGO can help. Our Technology and Cybersecurity team can provide guidance as you prepare for the future.

About the authors

Francisco Colon is a Partner at MGO with extensive experience in external audit, fraud examinations, litigation support, operational and internal controls reviews, and buyer/seller due diligence. He specifically focuses on assisting organizations with evaluating and updating their internal controls with a focus on strategic alignment and fraud litigation deterrence management in a variety of industries, including tribal government, gaming, technology, cannabis, hospitality, government contracting, distribution, manufacturing, and private equity. Contact Francisco at FColon@mgocpa.com.