Opportunities For Cybersecurity Investment In The Bipartisan Infrastructure Investment And Jobs Act

In an increasingly modernized and interconnected world, the cybersecurity risk continues to grow, and our nation’s infrastructure is not impervious. For states looking to elevate their cybersecurity posture, the IIJA offers numerous avenues of support to make these improvements.

by Casey Dolen and Glenn Grimshaw

In November 2021, the bipartisan Infrastructure Investment and Jobs Act (IIJA) was signed into law, paving the way for a once-in-a-generation investment in America’s infrastructure. The passage of the IIJA secured about $1.2 trillion in funding toward nearly 400 new and existing programs, including programs seeking to improve the country’s roads and bridges, broadband network, energy network and port facilities, and to improve the resiliency of infrastructure and communities.

In an increasingly modernized and interconnected world, the cybersecurity risk continues to grow, and our nation’s infrastructure is not impervious. A disruption to the critical communications technology, transportation and utilities on which citizens rely can have sweeping economic and physical consequences. The IIJA recognizes this by including a number of cybersecurity-specific programs, as well as allowing spending from numerous other programs on cybersecurity preparedness and response, which can be integrated into other infrastructure investments.

For states looking to elevate their cybersecurity posture, the IIJA offers numerous avenues of support to make these improvements. Such programs fall into two groups: 1) those that directly provide funding to address cyber risks and threats, and 2) those in which expenditures on cybersecurity-related investments are classified as eligible uses. These IIJA programs are in addition to programs established under other statutes, including the Department of Energy’s Cybersecurity, Energy Security and Emergency Response (CESER) Research, Development, and Demonstration program, which has announced a Fiscal Year 2022 funding opportunity.

The following guide provides an overview of potential IIJA grants overseen by various federal agencies that state, local, tribal and territorial (SLTT) entities may wish to take advantage of to combat the heightened global cyber threat.

Cybersecurity-Specific Programs

The IIJA includes funding for new and existing cybersecurity-specific programs that focus on strengthening cyber systems and defense against future attacks, some of which provide opportunities to SLTT entities. Key programs are outlined below.

U.S. Department of Homeland Security Cybersecurity Programs

  • State and Local Cybersecurity Grant Program — This new $1 billion program provides funding to SLTT governments to address cybersecurity risks and cybersecurity threats to their information systems. Funding can be used to implement cybersecurity projects, address imminent cybersecurity threats and prepare cybersecurity plans, which must be submitted for review to be eligible for grant funding. There is a requirement that states pass down at least 80 percent of program funds to local governments, and the details of these pass-through arrangements for states will be set out in the forthcoming Notice of Funding Opportunity, which is expected in summer 2022.
  • Cyber Response and Recovery Fund — This new program allocates $100 million over 5 years to establish a fund that the Cybersecurity and Infrastructure Security Agency (CISA) can tap into in the event of a significant cyber incident when other resources are deemed insufficient. This can include grants and cooperative agreements with state, territorial and tribal governments. There is no non-federal cost-share requirement.
  • Cybersecurity — The IIJA continues this existing program to fund $14.5 million toward research, analysis and the development of technology to strengthen defensive cybersecurity capabilities relating to telecommunications equipment and industrial control systems. Eligible recipients include, but are not limited to, academia, industry and Department of Energy National Labs.

U.S. Department of Energy Programs

  • Cybersecurity for the Energy Sector Research, Development, and Demonstration Program — This new program channels $250 million in funding over five years to develop advanced cybersecurity applications and technologies for the energy sector, to leverage electric grid architecture to assess risks to the energy sector, and to perform pilot demonstration projects with the energy sector to gain experience with new technologies. Eligible recipients for this program include utilities, National Labs, manufacturers and vendors.
  • Rural and Municipal Utility Advances Cybersecurity Grant and Technical Assistance Program — The IIJA establishes this new $250 million program to provide grants and technical assistance to deploy advanced cybersecurity technologies for electric utility systems and to increase the participation of eligible entities in cybersecurity threat information systems. Eligible entities include state-owned utilities, rural electric cooperatives, municipally owned electric utilities, and small investor-owned utilities. The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response recently announced its development of the program and the launch of listening sessions for eligible entities and other interested partners. Learn more here.
  • Energy Sector Operational Support for Cyber Resilience Program — The Department of Energy has been allocated $50 million from the IIJA to establish a program to build energy sector operational support for cyber resilience. Specific uses include enhancing and periodically testing the emergency response capabilities of the Department of Energy, expanding its cooperation with the intelligence community and providing technical assistance to small electric utilities.

NGA is pleased to announce the creation of its Governors’ Cybersecurity Policy Advisors Network, which will serve as a forum to share ideas and troubleshoot challenges with colleagues from other states, connect advisors with valuable resources and technical assistance, and provide opportunities to hear from subject-matter experts via timely workshops.

Governors’ offices are invited to designate a representative to participate in this network. This individual could be a policy advisor in a Governor’s office who handles the Governor’s cybersecurity portfolio, a state cybersecurity advisor, a cybersecurity office/division director, or another official of the Governor’s choosing. The intent is that this individual can speak to the Governor’s priorities as they relate to cybersecurity. Offices are welcome to designate more than one representative as long as the Governor’s office has recommended their participation.

NGA asks offices to send contact information for the designated participant(s) to Ann Corcoran (acorcoran@nga.org). Questions about the network can be directed to Steve Fugelsang (sfugelsang@nga.org) and/or Casey Dolen (cdolen@nga.org).

Programs That Permit Expenditure On Cybersecurity Measures

The IIJA also includes several programs across a range of agencies which, while not cybersecurity infrastructure-focused, allow for investment in cybersecurity measures as an eligible use to support program objectives. A number of these programs are outlined below.

U.S. Department of Commerce

  • Broadband Equity, Access, and Deployment Program (BEAD) — The centerpiece broadband program in the IIJA is the $42.5 billion BEAD program, which provides funding to states, territories and the District of Columbia to expand high-speed internet access and use, with a focus on reaching unserved and underserved communities across the United States. The Notice of Funding Opportunity for this program permits last-mile broadband project funding to be allocated to “network software upgrades, including but not limited to, cybersecurity solutions” as well as “training for cybersecurity professionals who will be working on BEAD-funded networks.” The Notice also requires that subgrantees have in place prudent cybersecurity and supply-chain risk management practices, including at a minimum a cybersecurity risk management plan.

U.S. Department of Transportation

  • Port Infrastructure Development Program Grants — The $2.25 billion Port Infrastructure Development Program provides competitive grants to ports and port authorities to invest in the modernization and expansion of U.S. ports. The program supports projects that improve the resiliency of ports, including activities to ensure the cybersecurity of information technology and operational technology of port systems. The Notice of Funding Opportunity for the Fiscal Year 2022 program closed on May 16, 2022.

U.S. Department of Energy

  • State Energy Program — This $500 million program provides funding and technical assistance to states, territories and the District of Columbia to enhance energy security, advance state-led energy initiatives and increase energy affordability. To qualify for funding, states and territories must submit an Energy Security Plan by September 30, 2022. This plan must assess the existing circumstances in the state and propose methods to mitigate the risk of energy supply; ensure the state has a source of reliable, secure, and resilient energy infrastructure; and strengthen the ability of the state to secure energy infrastructure of the state against all physical and cybersecurity threats.

Joint Program: U.S. Departments of Energy and Transportation

  • National Electric Vehicle Infrastructure Formula Program (NEVI) — The new $5 billion NEVI program provides dedicated funding to states to strategically deploy electric vehicle (EV) charging infrastructure and establish an interconnected network of charging stations, with an initial focus on serving designated Alternative Fuel Corridors. The initial step in this process required states to prepare an EV Infrastructure Deployment Plan, in which states had to identify how they will address cybersecurity risk to their charging network. In addition, proposed minimum standard regulations require states to implement cybersecurity strategies to mitigate charging infrastructure, grid and consumer vulnerabilities associated with the operation of EV charging stations. For more information on the program, visit the Joint Office of Transportation and Energy website here.  

U.S. Environmental Protection Agency

  • Clean Water and Drinking Water State Revolving Funds (SRF) — The Clean Water State Revolving Fund Program was allocated $11.71 billion in the IIJA over 2022-2025 to provide communities with low-cost financing for a wide range of water quality infrastructure projects. Similarly, the Drinking Water State Revolving Fund program was also provided $11.71 billion in the Act for drinking water infrastructure projects to promote human health objectives. Funding from both these programs can be used by public, private and nonprofit drinking water utilities and publicly owned wastewater treatment plants for cybersecurity assessments, equipment, infrastructure and training, if states include it in their annual Intended Use Plans. EPA offers free cybersecurity assessments and technical assistance to water and wastewater utilities here. See the Clean Water SRF Fact Sheet and the Drinking Water SRF Fact Sheet for more information.

Please direct any questions regarding the content of this memo to Glenn Grimshaw (ggrimshaw@nga.org) or Casey Dolen (cdolen@nga.org). A full list of programs that provide funding for cybersecurity measures and further details of each can be found in NGA’s sortable and searchable IIJA program Tracker, which is located on the NGA’s IIJA Implementation Resources page. It may also be useful to consult the White House’s Guidebook to the Bipartisan Infrastructure Law for State, Local, Tribal, and Territorial Governments, and Other Partners, or the State Fact Sheets Highlighting the Impact of the Infrastructure Investment and Jobs Act Nationwide.