There’s good news and there’s bad news.
- The good: Reinforcements are on their way. The federal government created a new grant program to ease the burden on school districts in their constant battle against an increasingly malicious cybersecurity landscape.
- The bad: The extremely tight window to apply for funding passed on Nov. 15. Nonetheless, there’s still a chance your school district can receive a slice of the $1 billion pie.
Let’s explore the ins and outs of the federal government’s new State and Local Cybersecurity Program (SLCGP). From the details and requirements of the program to how your district might benefit, we’ll walk you through all you need to know about the opportunity.
What is the State and Local Cybersecurity Grant Program?
In November 2021, President Biden signed a $1.2 trillion Infrastructure Investment and Jobs Act — better known as the Bipartisan Infrastructure Law. The bill gave state and local governments resources through which they could improve roads, bridges, broadband, and other essential components of their infrastructure.
Through this legislation, Congress also established the State and Local Cybersecurity Grant Program. It’s a first-of-its-kind initiative that empowers the federal government to make targeted cybersecurity improvements within state, local, and territory government agencies. A total of $1 billion will be distributed over the next four years.
Okay — so what does this mean for your school district? How does this involve K-12 education?
According to K-12 Dive, schools cannot directly apply for the program. However, they can work with state and local governments to acquire funding. Per the SLCGP’s fact sheet, local governments are defined by law as a county, municipality, city, town, township, local public authority, or a school district. Likewise, a minimum of 80% of the state allocations must be passed down to the local level (i.e., school districts and other local entities).
That means schools can still access federal funding, albeit with a few caveats.
How does the program work?
All 56 states and territories, including the District of Columbia, Commonwealth of Puerto Rico, U.S. Virgin Islands, Guam, American Samoa, and Northern Mariana Islands are eligible to apply. However, only state agencies are able to submit the application.
According to the Department of Homeland Security, the program has four objectives it requires of every applicant. Each one is meant to serve the overall purpose of assisting state and local governments (school districts included) with reducing cyber risk. Applicants must demonstrate in their application how they will:
- Develop governance structures and improve capabilities for responding to cyber incidents.
- Understand their organization’s current cybersecurity posture and how they can improve based on continuous testing and evaluation.
- Implement security protections according to risk sensitivity.
- Ensure personnel are trained in cybersecurity according to their responsibilities.
The Bipartisan Infrastructure Law requires grant recipients to complete certain steps after receiving a grant:
- Establish a Cybersecurity Planning Committee
- Develop a statewide Cybersecurity Plan. If the recipient already has one, funds can be used to implement it
- Conduct assessments as the basis for projects throughout the life of the program
- Adopt key cybersecurity best practices
How can SLCGP funds be used?
The program has strict rules about how grant money can and cannot be used. K12 SIX, a national nonprofit dedicated to the advancement of K-12 cybersecurity, breaks down the conditions in simple terms:
- Generally, grant funds may be expensed for “any purpose that addresses cybersecurity risks” or threats to information systems owned or controlled by school districts.
- Funds may not be used to purchase cybersecurity insurance or to pay extortion demands during a ransomware attack.
For fiscal year 2022 — the first year in the program’s existence — a total of $185 million is available through the SLCGP.
Why is the SLCGP necessary?
You may be wondering: What’s the point of the SLCGP? Why was the program created in the first place?
Here’s how the Department of Homeland Security puts it in their Notice of Funding Opportunity:
“Our nation faces unprecedented cybersecurity risks, including increasingly sophisticated adversaries, widespread vulnerabilities in commonly used hardware and software, and broad dependencies on networked technologies for the day-to-day operation of critical infrastructure. Cyber risk management is further complicated by the ability of malicious actors to operate remotely, linkages between cyber and physical systems, and the difficulty of reducing vulnerabilities.”
Simply put, cybercrime is surging. And virtually no other sector is targeted more frequently than K-12 education. According to Microsoft Security Intelligence, education accounts for over 80% of malware encounters in the past 30 days. That’s more than retail, healthcare, and telecommunications combined.
As high-profile cybersecurity incidents like the Los Angeles Unified School District’s ransomware attack demonstrate, public schools are constantly under siege from malicious hackers. And with the majority of districts operating in the cloud, the attack surface is only growing larger.
Think about it: For every student in your district, they may have several accounts linked to your domain, all spread out across several personal and school-provided devices. That means it’s becoming increasingly more difficult for school IT departments to secure sensitive data inside the district. Even the FBI is warning schools to take a closer look at their cybersecurity policies.
To make matters worse, many districts are struggling to keep up with the rapidly changing pace of cloud security. Why? A variety of factors may be to blame:
- Funding: Not all school districts have the funds to implement robust cybersecurity procedures. Many cash-strapped schools make do with what they can, which means outdated technology and obsolete protections.
- Labor shortages: Threat vectors are growing increasingly sophisticated. The issue is that school security teams are often understaffed. Without the right amount of manpower, schools fall short of the mark when it comes to mitigating threats in a timely and effective manner.
- Complexity: The sheer volume of data that schools collect is incredible. Behind every student and staff member, there’s a treasure trove of information just waiting to be glossed over by prying eyes. Meanwhile, when school security teams need to investigate an incident, they have to comb through hoards of data just to discover the source of the risk.
To boil it down, schools lack the means to keep sensitive data under lock and key. That’s exactly what the SLCGP aims to do. The grant program represents an important opportunity for unfunded schools to seize cloud security solutions that can help them better protect their students from digital harm.
How to benefit from the SLCGP
As previously mentioned, schools themselves cannot directly apply for funding. Also, the deadline of the first application period ended on November 15 — just two months after the launch of the program.
Nonetheless, there are still steps schools can take to make sure they benefit from the available funding. It’s important that school administrators understand the process and know exactly how they can rally support from their state governments.
First, if you haven’t done so already, proactively reach out to your state’s Chief Information Security Officer (CISO). Engaging with your state CISO will allow you to learn more about their plans to apply and/or implement SLCGP funds. Most significantly, you can discuss how those funds will be used to benefit your school district.
It’s important to note that the program requires each state applicant to include at least one representative from relevant stakeholders, including public education. In other words, chances are your state likely already has someone representing your interests. Because ultimately it’s up to the state to determine how funds are allocated, it’s a good idea to be involved in this process and let your voice be heard.
Meanwhile, there are tangible steps you can take in terms of cybersecurity. The SLCGP seeks to advance the implementation of several best practices:
- Multi-factor authentication (MFA)
- Enhanced logging
- Data encryption for data at rest and in transit
- End use of unsupported or end-of-life software and hardware accessible from the internet
- Prohibit use of known/fixed/default passwords or login credentials
- The ability to backup critical systems and data
Schools are encouraged to implement these best practices wherever possible. For instance, schools should audit their cloud domains to identify any unsupported or unsanctioned cloud apps that may pose a risk to sensitive data.
These steps should help you benefit from SLCGP funds during the next application period.
How to use your grant money most effectively
Hopefully, some much needed extra funding is headed your way. And if it is, you’re going to need to figure out the best way to spend it.
Here’s an idea: Why not deploy a proper cloud security platform? EdWeek Research tells us that the majority of schools aren’t allocating their budgets to protecting cloud applications. With the right choice of solution, you can safeguard data and multiply the power of your security team.
Here’s what to look for in a cloud security platform:
- Automated threat detection: The best tools act as a force multiplier for your district by automating key processes, including threat detection. With customizable policies, you can instantly identify threats and vulnerabilities as they occur in your cloud domain.
- Data classification: Not all data is created equal. Some documents are more sensitive than others, which is why you need to classify your data according to risk. The right solution will automatically classify data as it’s created, allowing you to better allocate your time and energy.
- Ease of use: Clunky interfaces and disparate applications are needlessly troublesome to work with. Look for a platform that protects your entire domain all from a single pane of glass.
- 1:1 integrations: Search for a solution that’s natively built into your cloud domain. For instance, ManagedMethods uses deep 1:1 API integrations with leading cloud providers, including Google Workspace and Microsoft 365.
Don’t let cloud security fall through the cracks. Request your free cloud security audit and gain peace-of-mind over the holidays with a free cloud security trial by ManagedMethods today.