In its final year, the State and Local Cybersecurity Grant Program bars states from spending their funding on services provided by the Multi-State Information Sharing and Analysis Center.

The Department of Homeland Security on Friday published the notice of funding opportunity for the fourth and final year of the State and Local Cybersecurity Grant Program. Among the details explaining the latest round of funding for the $1 billion program is a stipulation that grantees may not spend their funds on services provided by the Multi-State Information Sharing and Analysis Center, a group that for more than 20 years has shared critical cybersecurity intelligence across state lines and provided software and other resources at free or heavily discounted rates.
The notice outlines numerous other items states and their local governments are not permitted to spend cyber grant funding on, a list with obvious inclusions like “recreational and social purposes,” along with perhaps less obvious prohibitions, like covering ransoms in ransomware attacks, paying cybersecurity insurance premiums or paying for land or other construction costs associated with building new facilities.
According to the NOFO, the grant program is designed to assist state and local governments with “managing and reducing systemic cyber risk.”
“Our nation faces unprecedented threats to the homeland from increasingly sophisticated criminal groups and nation-state actors,” the DHS document reads. “State, local, and territorial (SLT) entities stand at the forefront of cyber defense. This partnership includes enforcing laws, assisting the federal government in securing borders and cyberspace, and dismantling transnational criminal organizations.”
The new prohibition against spending on MS-ISAC services comes as the group, which is widely lauded among state and local technology officials, eyes the conclusion of its current funding and cooperative agreement with the federal government, which ends Sept. 30, the end of the fiscal year. The Cybersecurity and Infrastructure Security Agency has not commented on whether it will renew the group’s funding or agreement. (The NOFO also prohibits states from spending funds on services offered by the Elections Infrastructure ISAC, which was effectively shuttered after DHS pulled its funding last February.)
“In accordance with our mandate from Congress, CISA is focused on helping critical infrastructure strengthen cyber resilience while ensuring responsible stewardship of taxpayer dollars—including by reducing redundant investments and promoting efficient, scalable solutions,” CISA Director of Public Affairs Marci McCarthy said in an emailed statement. “Our cybersecurity experts are embedded in communities nationwide, offering a wide range of no-cost services to help governments protect their networks and critical services. CISA remains committed to supporting state and local governments through strong operational collaboration. We share information in real time and develop cybersecurity resources in coordination with partners across the broader cybersecurity ecosystem.”
The Center for Internet Security, the New York nonprofit that operates the MS-ISAC (and EI-ISAC), is planning at the end of the fiscal year to switch to a subscription funding model that charges states based on the size of their IT operating budgets. According to the nonprofit’s website, the switch was required “due to significant decreases in federal funding for the MS-ISAC.”
“The model preserves CIS’s commitment to serving ‘cyber underserved’ SLTT organizations,” an FAQ on the website reads. “By offering affordable individual membership options scaled to budget at various pricing tiers, even the smallest or most resource-constrained entities can participate and benefit.”
According to the FAQ, MS-ISAC will also offer smaller governments financing options such as six months of deferred billing, 50% discounts or free membership. Members of the MS-ISAC’s executive board told StateScoop that the group considers it essential to support the least resourced local governments, which are among those running the nation’s most critical infrastructure — cities, schools, water utilities and hospitals.
Chris Gergen, North Dakota’s chief information security officer, said he was disappointed to learn that he would not be permitted to spend cyber grant funds on MS-ISAC services.
“Many of the services that are being provided by MS-ISAC directly align to the objectives of the SLCGP and I was really hoping that we might be able to use SLCGP funds to cover statewide membership for North Dakota,” Gergen said. “Where we’ve used the funds in particular is to do some cybersecurity maturity assessments.”
Gergen said he wished the MS-ISAC would share with his office the results of how local governments in his state fared in the group’s cybersecurity reviews, but such quibbles notwithstanding, he finds the assessments, and the group’s other services, helpful.
The federal grant program, he said, has seen “very good” participation among local governments, which receive 80% of the funding. The required funding matches, though, which have grown each year of the program, made participation untenable for many local governments, he said, which led the state legislature to approve the state covering the matches.
According to the NOFO, DHS expects to issue 56 awards totaling $91.7 million. The 50 states, and the District of Columbia, will each receive at least $1 million, while American Samoa, Guam, the Northern Mariana Islands, and the U.S. Virgin Islands will each receive at least $250,000.