In November of 2021, President Joe Biden signed the Infrastructure Investment and Jobs Act (IIJA), which authorizes a plan to invest $1.2 trillion into the nation's infrastructure. This bipartisan infrastructure bill plans to bolster the transportation, energy, water, and utility sectors, as well as state and local governments.
An important provision within the IIJA is the allocation of $2 billion towards enhancing the cybersecurity of government organizations. Given the currently limited cybersecurity investment in America, the IIJA is a big step forward in strengthening the country's cyber defenses.
Why is the IIJA Important to Cybersecurity?
Despite representing only a fraction of the $1.2 trillion budget, the $2 billion in federal funding represents the largest ever cybersecurity investment in United States history. Along with many other pieces of cybersecurity legislation passed in recent years, the IIJA is the first of many steps in securing the nation's overall cyber defenses.
The goal of the IIJA is to incentivize all local and state governments to implement strong security infrastructures, regardless of whether they receive funding. Because the funding is conditional, grant applicants have more reason to create and develop the best plan to receive the grant money.
More importantly, President Biden and the White House hope that the IIJA can raise the bar for cybersecurity in the private sector. Every year sees record numbers of cyber attacks affecting private businesses, including major companies like Facebook, LinkedIn, JP Morgan Chase, and Microsoft.
The IIJA certainly won't be the last grant program for attaining cybersecurity funding. By establishing the importance of data and information security with this bill, both public and private organizations will hopefully start to fight against the rising threats of cyber attacks.
Who Receives Funding from IIJA?
At this moment, IIJA cybersecurity appropriations are allocated only to federal agencies. Here is a breakdown of the $2 billion allocated for cybersecurity defense:
- $1 billion for grants to improve the cybersecurity of state and local government entities (includes schools, hospitals, parks, etc.) through 2025. The appropriations per fiscal year are as follows: $200 million in 2022, $400 million in 2023, $300 million in 2024, and $100 million in 2025.
- $250 million for the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program to support public utilities and other eligible entities in smaller towns or villages
- $250 million to develop "advanced cybersecurity applications and technologies for the energy sector"
- $20 million every fiscal year from 2022 to 2028 to create a Cyber Response and Recovery Fund to help private and public organizations respond to cyber incidents
- $157.5 million for the Department of Homeland Security Science and Technology Directorate (DHS-S&T) to build "critical infrastructure security and resilience research, development, test, and evaluation"
- $35 million to the Cybersecurity and Infrastructure Security Agency (CISA) for "risk management operations and stakeholder engagement and requirements"
- $21 million for the Office of the National Cyber Director (ONCD).
Key Takeaways of IIJA
- To receive a portion of the $1 billion available for state and local governments, all applicants must create a detailed cybersecurity plan and submit it to federal authorities for approval. The plans must describe the security control measures, vulnerability testing, threat assessments, and attack prevention practices outlined in the NIST framework. Any funding received by the state and local governments must be matched by the governments themselves, with a cap on the federal share of investment.
- The Secretary of Energy is tasked with developing a Public-Private Partnership, a partnership between the electric utilities and the electric reliability organizations. The Public-Private Partnership will help utilities with self-assessments of potential cyber threats, security training, technical assistance, and the sharing of best data security and collection practices.
- The Secretary of Energy also must create an Energy Cyber Sense Program to address supply chain cybersecurity risks. The program should establish cybersecurity vulnerability reporting processes and a related database, as well as provide technological assistance to electric utilities, product manufacturers, and other energy sector stakeholders to develop mitigation and remediation solutions for any vulnerabilities.
- The IIJA addresses and amends Part II of the Federal Power Act by adding incentives for cybersecurity investments. The Federal Energy Regulatory Commission (FERC) will be responsible for conducting a one-year-long study to identify incentive-based rate treatments for the transmission and sale of electricity to encourage investment in cybersecurity technology and participation in information sharing between public utilities.
What Are Some Challenges With IIJA?
Although the IIJA addresses many cybersecurity needs, especially within the infrastructure of government organizations and programs, it still faces a few challenges. One of the immediate challenges is that there is currently no plan in place to provide cybersecurity training for teams in these government groups. Smaller districts or municipalities may struggle to apply for and maintain the same level of standards as larger towns, cities, or even states. Similarly, smaller utility or energy companies could also face the same issues.
Another problem with the federal government taking a stronger cybersecurity stance is the lack of communication with lower-level organizations. Many organizations believe that it falls to the White House to protect their cybersecurity interests, but the government maintains that each individual organization needs to protect itself. Should CISA provide security assessment services or provide the necessary solutions to protect against potential threats? Or is it simply the role of the federal government to put in place the systems that local and state governments can then access?