Playbook advises federal grant managers how to build cybersecurity into their programs

The guidance comes from the Office of the Director of National Cybersecurity and the Cybersecurity and Infrastructure Security Agency.

Two U.S. cyber agencies released guidance Tuesday on how federal grant managers should incorporate cybersecurity in their programs for critical infrastructure projects, as well as how potential recipients can take it into account.

The Office of the National Cyber Director and the Cybersecurity and Infrastructure Security Agency publication — the “Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure” — recommends how agencies should weave cybersecurity into grant-making from the outset and gives them model technical language to use. The playbook also advises potential recipients on how to develop assessment and risk plans.

It’s a reflection of a handful of Biden administration priorities: its “Investing in America” initiative to spend on infrastructure improvements, its push for secure-by-design products, the national cybersecurity strategy’s observation about how federal grant funds can bolster critical infrastructure resilience, and an objective listed in an updated national security memorandum from this spring about using grants to improve critical infrastructure cyber protections.

“As we make investments in rebuilding and updating our infrastructure through funding such as made available from the Investing in America agenda, we have the opportunity and obligation to build in cybersecurity by design,” said Harry Coker Jr., the national cyber director. “We need infrastructure projects to be shovel ready and cyber ready.”

The playbook takes pains to note that it is only advisory — it doesn’t waive or replace existing federal cybersecurity rules, nor create any legal burdens or rights. But, it says, other kinds of grant-makers and programs could also learn from it.

“This Playbook is intended to assist managers of relevant Federal grant programs and grant recipients; however, all Federal financial assistance programs can benefit from taking a similar approach to analyze their lifecycle activities and identify opportunities for strengthening the cybersecurity of critical infrastructure,” it reads. “Agencies should consider establishing cost thresholds or other criteria for applying this Playbook to specific projects.”

The playbook includes model language for the inclusion of cybersecurity in notices of funding opportunities or other grant program guidance and announcements, as well as for grant award terms and conditions.

The Infrastructure Investment and Jobs Act, Inflation Reduction Act and Creating Helpful Incentives to Produce Semiconductors and Science Act are key parts of Biden’s Investing in America agenda, under which the administration envisions major critical infrastructure upgrades in the future.

“The United States has a unique opportunity and national security imperative to build cyber resilience into this next generation of American infrastructure,” the playbook states.

Said CISA Director Jen Easterly: “As organizations seek to take advantage of historic infrastructure grants, it’s critical to ensure the security and resilience of this next generation of American infrastructure in every community across our nation.”
