
State and local organizations provide services that are the foundation upon which our society operates. This same foundation is at risk for cybersecurity incidents, so the federal government is providing grants via the State and Local Cybersecurity Grant Program (SLCGP) to support the cybersecurity health of city and local agencies. The SLCGP will provide $1B from FY22-25. States will administer the funds and determine a plan to implement and maintain security offerings. This program is known as “Whole of State”.


Considerations for Whole of State Program Success

When states implement a “Whole of State” program, there are operational, funding, and security items that must be considered to ensure its success.

Operational

Local organizations often lack the capacity to take on additional cybersecurity responsibilities and will need help to implement and maintain security solutions. Many states are remedying this by using partnerships with public and private service providers. Network providers, fusion centers, solutions vendors, private service providers and others are being considered in the delivery of these solutions and services.

Operationally, there is so much variation in what security support local organizations need that a single security solution will rarely be sufficient. For example, some may need multi-factor authentication (MFA), while others may need Extended Detection and Response (XDR) capabilities. As a result, states are looking at multiple providers for a given solution, or multiple solutions from a given provider, to allow as much flexibility as possible. This allows local governments to have autonomy in selecting the kinds of security solutions or services that best fit their needs.


Funding

The SLCGP encourages governments to invest in cybersecurity programs that will collectively raise the security maturity levels of state and local organizations. In doing so, state governments will need to assign resources to handle planning of fund distribution, managing associated purchasing vehicles, and monitoring the use of funds to make sure they’re achieving the desired outcomes.

Elected officials are under pressure to proactively address cybersecurity threats, but there may be other legislative priorities that pull resources away from any programs. Also, since the grant expires in FY25, there must be a future funding model that continues support for the ongoing operational costs that will exist past that time.

Since states don’t want to create new purchasing vehicles to administer the SLCGP funds, they’re finding that the most effective way to use the funds is by interagency reimbursements for qualifying local purchases. Leveraging existing purchasing agreements with vendors will also allow states to have economies of scale to get the lowest possible price, without needing a new purchasing vehicle.

Security

SLCGP funding is to be used to improve ransomware defenses and overall cyber-resilience of state and local organizations. States are planning to use the funds for awareness and workforce development training, MFA and XDR, and improving their state-level incident response capabilities.

Sometimes, the state CISO and security team are core members of the program team, supporting local governments or state security operations centers. More often, the state security team is not operationally involved. Instead, the state will use other partners to implement and maintain a solution. Regardless, security solutions already in use by the state can influence plans for state and local organizations, providing the opportunity to leverage known partnerships and proven toolsets for better efficiencies.

Lastly, there is the issue of Cybersecurity Education. It has three components:

  • General awareness for government employees and sometimes state residents
  • Internships and training for cybersecurity professionals
  • K12 and Higher Education training partnerships.

States are looking to their public education institutions to provide the training needed. The good news is that SLCGP funding can assist in this area by providing teacher training and curriculum development.

Whole of State and Cisco

Cisco can leverage its global insights, trusted expertise in government, and portfolio scale to provide security solutions across all elements of a state and local ecosystem. Cisco understands the unique needs of the public sector and brings to bear security products designed to address the primary threats facing our customers. To deliver the best outcomes for the SLCGP program, Cisco recommends:

  • Engage across local governments to leverage economies of scale for core security products
  • Address the biggest threats first – likely ransomware – to ensure resiliency
  • Consider a consortium of partners to ensure successful implementations of security services.




Authors

Helen Patton

Cybersecurity Advisor

Cisco State, Local and Education