Hassan-Led State and Local Cybersecurity Grant Program Passes Senate

Press Release

Today, the U.S. Senate passed a state and local cybersecurity grant program introduced by Senator Maggie Hassan, Chair of the Emerging Threats Subcommittee, as part of the bipartisan infrastructure package.

"A cyberattack on a state or local government network can put schools, electrical grids, and crucial services in jeopardy," said Senator Hassan. "Even though cyberattacks are becoming more and more common in today's threat landscape, state and local governments often do not have the adequate resources to defend against them. This new grant program will be a crucial resource for state and local governments, and I am very pleased that it is a part of our historic bipartisan infrastructure bill."

The State and Local Cybersecurity Improvement Act authorizes a new grant program at the Department of Homeland Security dedicated to improving cybersecurity for state, local, tribal, and territorial entities. This grant program, which will provide $1 billion over 4 years, would be administered by the Federal Emergency Management Agency (FEMA), to take advantage of existing grant systems and expertise, while the Cybersecurity and Infrastructure Security Agency (CISA) would provide cybersecurity subject matter expertise. Senator Hassan has long pushed for this program, and in June led a subcommittee hearing on why this grant program is so important.

Senator Hassan has led efforts to start a state and local cybersecurity grant program, most recently holding a hearing on this in the Emerging Threats and Spending Oversight Subcommittee. The hearing included testimony from Sunapee School District Superintendent Russ Holden, who Senator Hassan invited to testify on how the District navigated a 2019 cyberattack. After ransomware attacks hit Strafford County and Sunapee School District in New Hampshire, Senator Hassan met with officials to discuss what more the federal government can do to help prepare for and combat these attacks.

Many state and local governments lack the resources to address the increased pace of cyberattacks, with most states only spending 1-3 percent of their overall IT budgets on cybersecurity, compared to about 16 percent for federal agencies. A dedicated grant program will enable state, local, and tribal governments to prioritize cybersecurity investments.

The State and Local Cybersecurity Improvement Act would:

Authorize $1 billion over four years to enable state, local, and tribal governments to prioritize cybersecurity investments.
Require states to distribute at least 80 percent of funds to local governments, including 25 percent of funds to rural areas.
Require states and tribes to submit to CISA a cybersecurity plan, which outlines on how the state or tribe will improve its cybersecurity.
This plan must be approved by the state or tribes' Cybersecurity Planning Committee, which includes representatives from local entities that will help bring more diverse perspectives to the table and improve coordination.

Senator Hassan has prioritized efforts to address state and local cybersecurity threats as a member of the Senate Homeland Security and Governmental Affairs Committee (HSGAC) and the bipartisan Senate Cybersecurity Caucus. The latest National Defense Authorization Act, which is now law, included a bipartisan amendment that Senator Hassan introduced to create a cybersecurity state coordinator in each state. Furthermore, in an effort to bolster cybersecurity within the federal government, Senators Hassan and Rob Portman (R-OH) passed into law the bipartisan Hack DHS Act, which establishes a bug bounty pilot program -- modeled off of similar programs at the Department of Defense and major tech companies -- that uses vetted "white-hat" or ethical hackers to help identify unique and undiscovered vulnerabilities in the Department of Homeland Security (DHS) networks and information technology. The Senators also passed into law their bipartisan Public-Private Cybersecurity Cooperation Act, which complements the Hack DHS Act by requiring DHS to establish a cyber-vulnerabilities disclosure program so that vulnerabilities in DHS' cyber systems can be easily reported and fixed.

Source