How the government is prioritizing cybersecurity

Cyber threats are increasing quickly; organizations must improve their cyber posture and can utilize the recent government cyber initiatives.

In brief

• Understanding legislation will help government agencies improve their cyber positioning.
• States need to know what legislation is coming, how to plan for it and how it will impact cyber spending.
• Efforts are underway to bring public and private entities together to coordinate cyber activities.

Next steps for government agencies

• Federal agencies should consider their approach to the EO and plan a strategic path forward. They are feeling the increasingly public and widespread cyber-attacks that have created malicious data breaches. These fully illustrate the vulnerability, exposure, ramifications and need to take immediate action. Read more about President Biden’s Executive Order.
• US government contractors need to proactively and strategically manage their cybersecurity. They must consider how they will be affected by the EO, examining their software supply chain security and third-party risk management.
• US government agencies have submitted recommendations on how to strengthen the US supply chain to assure continuous production of critical goods. View a 60-minute webcast with  global trade, supply chain and policy professionals focused on the Executive Orders' effects on multinational corporations’ supply chains.
• Organizations should look at the cybersecurity EO as more than a check-the-box mandate. New guidelines and processes based on the order are expected within the year and will likely become new industry standards with global ramifications.

2. Cyber impact of IIJA on state and local governments

In November 2021, Congress passed the IIJA legislation that provides $973b over five years, including $550b in new investments across transportation, water, power and energy; environmental remediation; public lands; broadband; and multiple approaches to improving resilience. The investment affords the opportunity to make improvements at state, city and county levels. Realizing these benefits requires thoughtful strategy and engaged management of funding to prioritize, allocate and monitor.

IIJA designates over $2b in funding for cybersecurity resiliency and innovation. The bill includes funds to reduce cyber vulnerabilities in public water systems and drinking/clean water technology. Additionally, the bill allocates state and local funding via grant programs for cyber functions to include detecting and recovering from cyber threats and emergencies. The law requires states to create cybersecurity plans in order to receive grants.

The specific funding allotment (as per Sect. 70612) follows a formula grant, which requires state matching funds starting at 10% and growing to 40% over four years; 1% will go to each state, 0.25% will go to all four US territories, and another 3% will go to tribal governments with the following authorized annual appropriations: FY22 – $200m, FY23 – $400m, FY24 – $300m, FY25 – $100m. The rest of the funding will be split between states based on population size and rural population statistics.

There also been new guidance at the state and local level within the education space with the signing of the K-12 Cybersecurity Act in October 2021.  The law requires the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to evaluate cyber needs for the K-12 sector in order to provide tools and guidance.  Additional proposals, such as the Enhancing K-12 Cybersecurity Act, call for additional funding for a K-12 Cybersecurity Technology Improvement Program.

3. Additional cyber guidance from the government

In addition to the EO and the IIJA legislation, multiple government agencies have been issuing cyber guidance to help organizations improve their cyber posture by providing frameworks, architectures, maturity models and strategy documents to provide support.

For example, DHS CISA issued the Zero Trust Maturity Model for agencies to reference as they transition toward a Zero Trust architecture. In addition, DHS issued the Cloud Security Technical Reference Architecture to illustrate recommended approaches to cloud migration and data protection (as outlined in Section 3(c)(ii) of EO 14028). Furthermore, the Office of Management and Budget (OMB) published the Federal Zero Trust Strategy designed to move the US government toward a Zero Trust architecture.

EY professionals have worked with organizations like the Information Technology Industry Council (ITI) to provide recommendations about the new guidance. View the ITI Summary and ITI Full Whitepaper.

In addition to published guidance, DHS established the Joint Cyber Defense Collaborative (JCDC) in July 2021 to bring together public and private sector entities to unify deliberate and crisis action planning while coordinating the integrated execution of these plans.