On November 15, President Biden signed the $1 trillion Infrastructure Investment and Jobs Act (“the Act”) into law. The sprawling 2,700-page legislation includes funding for programs touching seemingly every aspect of American infrastructure, including highways, bridges, airports, public transit, railroads, electric vehicle charging stations, power transmission lines, broadband access development, housing, commercial ports, transportation safety, drinking water, and more. One somewhat less archetypally “infrastructural” investment in the Act is $1.9 billion to buttress government cybersecurity capabilities.
State and Local Government Grant Program
The biggest block of that spending is $1 billion for a grant program to assist state, local, tribal, and territorial governments to defend against malicious cybersecurity threats and modernize cybersecurity systems. These improvements should safeguard government data, private information of constituents and partners, and access to critical infrastructure components.
The grant program will be administered by the Federal Emergency Management Agency (“FEMA”), which already administers all of the Department of Homeland Security’s (“DHS”) existing grant programs. FEMA will receive technical assistance on the program through the Cybersecurity and Infrastructure Security Agency (“CISA”), which was established in 2018 to, among other things, “coordinate a national effort to secure and protect against critical infrastructure risks.”[1]
FEMA will distribute funds over the course of four years:
- $200 million in Fiscal Year (“FY”) 2022
- $400 million in FY 2023
- $300 million in FY 2024
- $100 million in FY 2025
Governments applying for this funding will have to provide a financial contribution to any program for which they propose to use the money. Recipients must contribute 10% of the cost of an activity carried out under the grant program for FY 2022, with the recipient share increasing by 10% each FY, except that the contribution share for “multi-entity groups” starts at 0% and increases from there.
To receive one of the grants, applicants must implement a “Cybersecurity Plan.” Such a plan must be approved by federal authorities and is subject to ongoing review requirements. Cybersecurity-related control measures that the plans must address include implementing continuous vulnerability assessments, threat mitigation, and best practices and methodologies, such as the National Institute of Standards and Technology (“NIST”) framework.
Additional Cybersecurity Provisions in the Act
The Act allocates the additional $900 million to a variety of agencies and programs to further bolster the nation’s cybersecurity capabilities.
$250 million will go toward funding the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program, administered by the Department of Energy and designed to support public utilities and other eligible entities. Another $157.5 million will go toward the DHS and Technology Directorate over a five-year period to fund “critical infrastructure security and resilience research, development, test, and evaluation,” and $35 million will go to CISA for “risk management operations and stakeholder engagement and requirements.”
The Act also creates a Cybersecurity for the Energy Sector research, development, and demonstration program, which will be allocated $250 million for developing “advanced cybersecurity applications and technologies for the energy sector.”
The separately titled Cyber Response and Recovery Act of 2021 sets aside $100 million for government cybersecurity incident response capabilities. These funds will be distributed to entities responding to what DHS declares a “significant [cybersecurity] incident.” CISA will allocate aid to public and private sector entities accordingly.
The recently established office of National Cyber Director is allocated $21 million to hire qualified cybersecurity professionals.
Finally, in one provision not highlighted by a funding allocation, the Environmental Protection Agency and CISA are directed to conduct an analysis to identify public water systems that, if subject to cyber-attack, could negatively affect public health or safety.
Conclusion
It is unlikely that even this much-needed infusion of funds will solve the nation’s cybersecurity woes. Readers can anticipate that cybersecurity incidents in the public and private sectors will persist, and that combating them will be a permanent feature of the modern economy.
Understanding how the Act might affect your organization can be facilitated by the advice of experienced legal counsel. Please feel free to reach out to attorneys Justin Furry or Christopher Baiamonte at the Wladis Law Firm at (315) 445-1700 with questions regarding anything in this article.
[1] Cybersecurity and Infrastructure Security Agency Act of 2018, H.R. 3359, 115th Cong. § 2.
Justin S. Furry
Mr. Furry received his BBA from the University of Toledo and his JD from Syracuse University College of Law.