TOWN STAFF REPORT RECOMMENDATIONS
Consider approving Resolution 24-22 authorizing Staff to submit applications to the State and Local Cybersecurity Grant Program (SLCGP); and take appropriate action (Jason Power, IT Director)
STAFF: Jason Power, IT Director
BACKGROUND:
Approval of Resolution 24-22 would authorize Staff to submit applications for the Texas State and Local Cybersecurity Grant Program (SLCGP). These applications are due by March 14, 2024, and must include a resolution stating that the Governing body (Town Council) agrees to provide applicable matching funds for the projects that are awarded funds as part of the SLCGP. The match requirement is 10% of the project.
There are 4 solicitations that align with the FEMA objectives:
• FEMA Objective 1: Governance and Planning
• FEMA Objective 2: Assessment and Evaluation
• FEMA Objective 3: Mitigation
• FEMA Objective 4: Workforce Development
Projects must also align with the state Cybersecurity Plan and can only support one-time services that reduce cybersecurity risks to information systems owned or operated by or on behalf of local governments within Texas. The attachments contain lists of possible projects. Several of the projects have already been addressed by Staff and would not fall within the SLCGP at this time. These projects include backup of critical systems, migration to .gov domain, endpoint detection and response, migrating applications and data to the cloud, UPS backup power, firewalls, web filtering, VPN, web application scanning, vulnerability scanning, enhanced logging, security assessments, automated asset discovery, vulnerability scanning, and penetration testing. Staff also have plans for projects in the upcoming years that could meet the requirements of the FY24 and FY25 SLCGP.
At this time, Staff will be submitting three (3) projects for consideration for the grant program. Each project should meet the grant requirements as “SLCGP Objective 3 - Mitigation Projects” and could be completed within the required timeframe of September 1, 2024 through August 31, 2025. The three projects and their total estimated costs for one year are:
1) MFA/SSO software and services ($13,100). This project would allow Staff to implement a multi-factor authentication / single sign-on solution that could be used by staff across the entire organization (Westlake Academy and Municipality). The solution would be more effective and easier to manage, and allow more integrations with software and services that do not support our current methods of MFA/SSO.
2) Intrusion Detection and Intrusion Prevention hardware and services ($30,600). We have IDS/IPS capabilities currently, but it is mostly directed towards external scanning with limited internal visibility. This project would allow the implementation of new IDS/IPS equipment and services across the entire organization (Westlake Academy and Municipality) and further enhance our current cybersecurity capabilities by providing more detection capabilities inside our network than currently available.
3) Wi-Fi hardware replacement due to upcoming End-of-life/End-of-support ($94,300). Current Wi-Fi hardware will be end-of-life/end-of-support within the next two years and is already past due for replacement, as the system has been in place almost 8 years now. New Wi-Fi hardware will support newer protocols and provide additional options for wireless security and services.
If all three mitigation projects are awarded, the Town could be responsible to match funding at 10% of the costs, which would be approximately $13,800 total.
Funding used as a match must be for project-specific related costs. There may be an opportunity to submit individual project match waivers as well; however, the process has not been outlined by FEMA yet. It is not necessary to include the dollar or percentage amount on this resolution, just a commitment to provide the applicable match. Changes in the award amount could result in a requirement for the grantee to submit a new resolution.
More details on the cybersecurity grant program are provided below and in the attachments:
Responses are due March 14, 2024.
Eligible applicants can apply through the Office of the Governor’s eGrants website. Specific instructions on how to apply and additional eligibility requirements are in the RFA. The application process will be managed by the OOG.
The federal Infrastructure Investment and Jobs Act (IIJA) <https://www.congress.gov/bill/117th-congress/house-bill/3684/text>, also known as the Bipartisan Infrastructure Law (BIL), was signed into law on November 15, 2021. One component of the act is the State and Local Cybersecurity Grant Program (SLCGP), which appropriated $1 billion over four years (2022-2025) to address cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, state, local, or tribal governments.
Texas’ Allocation
Texas was allocated approximately $40 million over four years. The allocation requires matching funds that increase through the years. (Note: Matching funds will be paid by grant sub-recipients.)
• For FY22, Texas was allocated $8,469,945. The state matching fund requirement for FY22 is 10% and will be $846,994.50. So, there is a total of $9,316,939.50 available to be spent on cybersecurity projects for FY22.
• For FY23, Texas was allocated $17,418,110. The state matching fund requirement for FY23 is 20% and will be $3,483,622.00, making a total of $20,901,732.00 available to be spent on cybersecurity projects for FY23.
A minimum of 80% of allocations must be passed through to local governments. In addition, at least 25% of the total funds made available under the grant must be passed through to rural communities.
Grant Roles and Responsibilities
The Office of the Governor (OOG) is the State Administrative Agency and serves as the fiscal agent and authorizing official of the SLCGP federal funds and will submit the SLCGP application to CISA and administer sub-recipient grants.
The Department of Information Resources (DIR) serves as the subject matter expert pertaining to all programmatic requirements and federal regulations associated with the SLCGP and will develop a Cybersecurity Plan, establish a Cybersecurity Planning Committee, support development of the Plan, and identify projects to implement utilizing SLCGP funding.
The Cybersecurity Planning Committee is responsible for developing, implementing, and revising Cybersecurity Plans (including individual projects); formally approving the Cybersecurity Plan (along with the chief information officer, chief information security officer or an equivalent official); and assisting with determination of effective funding priorities (i.e., work with entities within the eligible entity’s jurisdiction to identify and prioritize individual projects).
Sub-recipients are local governments as defined in Texas Local Government Code Title 5.c § 176.001(3) <https://statutes.capitol.texas.gov/Docs/LG/htm/LG.176.htm> and will submit applications for eligible projects, and if awarded, will accept the grant award, satisfy grant requirements including providing the state match, submit financial and programmatic performance reports, and meet any additional grant terms.
Eligible Sub-Recipients
Local governments are eligible sub-recipients. Local governments are defined below. Refer to Texas Local Government Code Title 5.c §176.001(3) <https://statutes.capitol.texas.gov/Docs/LG/htm/LG.176.htm> for more detail.
• a county;
• a municipality;
• school district;
• charter school;
• junior college district;
• water district;
• tribal government; and
• other political subdivisions
Rural area is defined as an area encompassing a population of less than 50,000 people that has not been designated in the most recent decennial census as an “urbanized area” by the Secretary of Commerce.
Cybersecurity Planning Committee
The planning committee consists of members from state, county, and municipal government organizations and from public education and public health institutions within the State of Texas, and includes representatives of urban, suburban, and rural areas of the State. The State Cybersecurity Coordinator serves as committee chair.
Committee Members <https://dir.texas.gov/resource-library-item/slcgp-planning-committee-members>
State Cybersecurity Plan
The State Cybersecurity Plan establishes high level goals and finite objectives to reduce specific cybersecurity risks at SLT governments. It includes a description of roles, an assessment of capabilities, resources and timelines for implementing the Plan, and metrics.
Submitted projects must align with the Cybersecurity Plan.
State of Texas SLCGP Cybersecurity Plan <https://dir.texas.gov/resource-library-item/state-texas-slcgp-cybersecurity-plan>
Application Process
The request for applications (RFA) opened January 15, 2024, and closes March 14, 2024. Eligible applicants can apply through the OOG eGrants website <https://egrants.gov.texas.gov/>. Specific instructions on how to apply and additional eligibility requirements are in the RFA posted on eGrants. The application process will be managed by the OOG.
Once applications are received, the Cybersecurity Planning Committee will work collaboratively across the state to identify and prioritize individual projects that align with the Cybersecurity Plan. Funding for projects will be released within forty-five days after approval by the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA).
Requirement for CISA Services
All sub-recipients are required to participate in the following free services by CISA:
• Web Application Scanning: an “internet scanning-as-a-service.” This service assesses the “health” of your publicly accessible web applications by checking for known vulnerabilities and weak configurations. Additionally, CISA can recommend ways to enhance security in accordance with industry and government best practices and standards.
<https://www.cisa.gov/resources-tools/services/web-application-scanning>
• Vulnerability Scanning: evaluates external network presence by executing continuous scans of public, static IPs for accessible services and vulnerabilities. This service provides weekly vulnerability reports and ad-hoc alerts.
<https://www.cisa.gov/resources-tools/services/cisa-vulnerability-scanning>
• Nationwide Cybersecurity Review (NCSR): a free, anonymous, annual self-assessment designed to measure gaps and capabilities of an SLT’s cybersecurity programs. It is based on the National Institute of Standards and Technology Cybersecurity Framework and is sponsored by DHS and the MS-ISAC. (Required during the first year of the subaward period of performance and annually)
<https://www.cisecurity.org/ms-isac/services/ncsr>
Additional Requirements
Sub-recipients are also required to join the TX-ISAO:
• Texas Information Sharing and Analysis Organization (TX-ISAO): a free membership to a forum for entities in Texas to share information regarding cybersecurity threats, best practices, and remediation strategies.
<https://dir.texas.gov/information-security/tx-isao>
Sub-recipients must comply with the Cybersecurity Training requirements described in Section 772.012 and Section 2054.5191 of the Texas Government Code. Local governments determined to not be in compliance with the cybersecurity requirements required by Section 2054.5191 of the Texas Government Code are ineligible for OOG grant funds until the second anniversary of the date the local government is determined ineligible. Government entities must annually certify their compliance with the training requirements using the Cybersecurity Training Certification for State and Local Governments.
<https://dir.texas.gov/information-security/statewide-cybersecurity-awareness-training>
Sub-recipients are strongly encouraged to join the MS-ISAC and/or EI-ISAC:
• Multi-State Information Sharing and Analysis Center (MS-ISAC): a free membership to the cybersecurity ISAC for state, local and territorial (SLT) governments, which provides services and information sharing that significantly enhances SLT governments’ ability to prevent, protect against, respond to, and recover from cyberattacks and compromises.
• Election Infrastructure Information Sharing and Analysis Center (EI-ISAC): a free membership for state and local election officials, provided by a collaborative partnership between the Center for Internet Security (CIS), CISA, and the Election Infrastructure Subsector Government Coordinating Council, which offers a suite of elections-focused cyber defense tools, including threat intelligence products, incident response and forensics, threat and vulnerability monitoring, cybersecurity awareness, and training products.
Best Practices and Methodologies
Projects that assist entities with the adoption of these best practices will be prioritized by the Cybersecurity Planning Committee. Approved projects will include only one-time cybersecurity services.
FISCAL IMPACT:
Based on the estimated costs of the three projects, the fiscal impact could be up to $13,800 (10% match of the total costs of the projects). Since the projects are not allowed to start until on or after September 1, 2024, the fiscal impact would likely be to the FY25 budget (after October 1, 2024) instead of the current FY24 budget.
STAFF RECOMMENDATION:
Staff recommends approval of Resolution 24-22 authorizing Staff to submit applications to the State and Local Cybersecurity Grant Program (SLCGP).
ATTACHMENT(S):
TOWN COUNCIL ACTION/OPTIONS:
1) Motion to approve
2) Motion to amend with the following stipulations (please state stipulations in motion)
3) Motion to table
4) Motion to deny