Points of Contact:
Loren Monroe, Principal and State and Local Advocacy Practice Head – loren_monroe@bgrdc.com
William Crozer, Vice President and Managing Director of State and Local Advocacy – wcrozer@bgrdc.com
Cyber Security
Topline Funding: ~$1.9 billion
- $1 billion – state and local government grants
- $550 million – electrical grid cyber
- $157 million – DHS cybersecurity research
- $100 million – cyber response and recovery fund
- $35 million – CISA risk management/stakeholder efforts
- $21 million – National Cyber Director Chris Inglis’ (staffing and operations)
Overview: The Infrastructure Investment and Jobs Act (IIJA) authorizes ~$1.9 billion (B) in cybersecurity funding across several programs with a focus on transportation, energy, water utilities, and state and local governments. The legislation also earmarks millions of dollars for the Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA) to help prevent cyberattacks and support organizations, including private companies, that fall victim to such attacks. The centerpiece of the funding is $1 billion in state, local, tribal, and territorial grants to support IT network modernization. The legislation also provides for enhanced flexibilities around existing grant programs. For example, current Department of Transportation grant programs for highway projects would allow states to deploy those funds for cybersecurity.
The IIJA contains a host of non-funding related provisions as well. For example, it creates a Federal Highway Administration cyber coordinator position. Another provision in the legislation tasks CISA with developing a list of public water systems deemed vulnerable to a cyberattack. CISA would then create a plan to provide voluntary technical and cybersecurity support to those public water systems.
PROGRAMS & FUNDING STREAMS
STATE, LOCAL, TRIBAL, AND TERRITORIAL (SLTT) GRANT PROGRAM
Establishes a new grant program for state, local, tribal, and territorial governments to modernize their IT networks and infrastructure to better respond to modern threats such as ransomware attacks. $1B allocated over 4 years ($200M FY22, $400M FY23, $300M FY24, $100M FY25). 1 percent will go to each state and 0.25 percent will go to all four US territories. Another 3 percent will go to tribal governments. Of the remaining 46% of funding, 23% is apportioned among states based on population size and the other 23% based on the state’s rural population as a percentage of the total U.S. rural population. States are required to distribute at least 80% of funds to local governments, including 25% of funds to rural areas (see below).
Agency of Jurisdiction: FEMA in consultation with DHS-CISA
Eligible Grantees: States (with flow through to localities), Tribes, and U.S. Territories.
Timing: FY2022
Federal Cost-Share: State and local cost share is 10 percent for FY22 and 23, 20 percent for FY23, 30 percent for FY24, and 40 percent for FY25.
Notes: The State and Local Cybersecurity Grant Program requires states to develop comprehensive cybersecurity plans. These plans must describe the steps the government will take to implement a process of continuous cybersecurity vulnerability assessments and threat mitigation. Further, the plan must be approved by the state or tribes’ Cybersecurity Planning Committee, which includes representatives from local entities.
RURAL AND MUNICIPAL UTILITY ADVANCED CYBERSECURITY GRANT AND TECHNOLOGICAL ASSISTANCE PROGRAM
Authorizes $250 million program for FY22-26. Program will provide grants and technical assistance to, and enter into cooperative agreements with, eligible entities to protect against, detect, respond to, and recover from cybersecurity threats. The major objectives include deploying advanced cybersecurity technologies for electric utility systems; and increasing the participation of eligible entities in cybersecurity threat information sharing programs.
Agency of Jurisdiction: Department of Energy
Eligible Grantees: Rural electric cooperatives, utilities owned by a political subdivision of a State, such as a municipally owned electric utility, utilities owned by any agency, authority, corporation, and instrumentalities of one or more political subdivisions of a State.
Timing: Grants available within 180 days of enactment.
Federal Cost-Share: N/A
CYBER RESPONSE AND RECOVERY FUND PROGRAM
$100M allocated in $20M increments across FY22-26. Funds eligible upon declaration by the Secretary of Homeland Security of a “significant incident” following a breach of public and private networks. Any unused funds remain available until expended with the program ending September 30, 2028.
Agency of Jurisdiction: DHS/CISA
Eligible Grantees: Federal, State, local, and tribal entities, and public and private entities on a reimbursable or non-reimbursable basis.
Timing: Immediately.
Federal Cost-Share: N/A
DHS SCIENCE AND TECHNOLOGY DIRECTORATE FOR RESEARCH AND DEVELOPMENT PROGRAM
$31.5M per year over 5 years (total $157.5M) for DHS Science and Technology Directorate for Research and Development. These funds will include support for specific areas of research related to risk assessments; cybersecurity vulnerability testing; and positioning, navigation, and timing capabilities.
Agency of Jurisdiction: Department of Homeland Security
Eligible Grantees: N/A
Timing: Immediately.
Federal Cost-Share: N/A
CISA SECTOR RISK MANAGEMENT
$21M authorized to support staffing and operations for the Office of the National Cyber Director for FY22 (until September 30, 2022). The office does not currently have appropriated funds.
Agency of Jurisdiction: CISA
Eligible Grantees: N/A
Timing: Immediately.
Federal Cost-Share: N/A
ELECTRIC GRID CYBER PROGRAMS
$550M investment in various grid cybersecurity programs to boost the overall security and resilience of the sector.
- $250 million to fund a cybersecurity grant program focused on the electric grid.
- $250 million for cybersecurity research and development in the energy sector.
- $50 million for modeling and assessing risks to energy infrastructure.
SUMMARY OF THE CARPER-CAPITO SUBSTITUTE TO S. 914, THE DRINKING WATER AND WASTEWATER INFRASTRUCTURE ACT OF 2021
MIDSIZE AND LARGE DRINKING WATER SYSTEM INFRASTRUCTURE RESILIENCE AND SUSTAINABILITY PROGRAM
Authorizes $300M for a grant program to assist midsize and large drinking water systems with increasing their resilience to natural hazards, cybersecurity vulnerabilities, and extreme weather events.
Agency of Jurisdiction: EPA
Eligible Grantees: Midsized and Large Drinking Water Systems. Funds may be used to promote water conservation enhance water-efficiency, create desalination facilities, relocate or renovate existing vulnerable water systems, enhance water supply, and implement measures to increase resiliency to natural hazards, cybersecurity vulnerabilities, or extreme weather events, including extreme weather events that are a result of climate change. Funds can also be used for the formation of regional water partnerships to collaboratively address documented water shortages.
Timing: Immediately.
Federal Cost-Share: 10 percent nonfederal cost-share for small or disadvantaged communities and a non-federal cost-share of 25 percent for all other communities.
CLEAN WATER INFRASTRUCTURE RESILIENCY AND SUSTAINABILITY PROGRAM
Establishes a Clean Water Infrastructure Resiliency and Sustainability Program to address rising threats to clean water infrastructure from climate change. An owner or operator of a publicly owned treatment works can use the grants to assist in the planning, design, construction, implementation, operation, or maintenance of a program or project to increase the resiliency or adaptability of water systems to natural hazards, cybersecurity vulnerabilities, or extreme weather events, including those related to climate change.
Agency of Jurisdiction: EPA
Eligible Grantees: Municipalities, an intermunicipal, interstate agency, or state agency.
Timing: Immediately.
Federal Cost-Share: Grant under the program shall not exceed 75 percent of the total cost of the proposed project.