State and Local Cybersecurity Grant Program: Where local governments must allocate funds to support the future of cybersecurity
June 8, 2023
This past February, the Department of Homeland Security’s State and Local Cybersecurity Grant Program began to distribute funds to states with approved cybersecurity plans. For budget- and resource-strapped state, local and territorial governments (SLTGs), these grants enable crucial cybersecurity investments to protect our nation from unprecedented cybersecurity risks and help bridge the gap between current funding and security needs.
Even with the additional funding provided by these grants, SLTGs will need to use the money wisely to optimize state and local government protections, beginning with data security reviews, consolidation of security and development tools and the enablement of rapid modernization.
Data security review
To determine gaps and potential vulnerabilities, and update administration policies, agency leaders should conduct a data security review to inform an effective security plan. The goal is to make sure there is a security policy that is enforceable and actionable to protect platforms, applications and the data they access. Begin with a role-based permissions review to ensure awareness of what users can do and when and where they can do it.
Next, verify what data can be accessed and determine if it’s through an application or directly. Then locate the connection and ensure it is encrypted. A common challenge when maintaining complete awareness of software security is understanding the vulnerabilities introduced throughout the entire software supply chain, including open-source code.
Local government IT leaders must also ensure administration policies are up to date and know which administrators have system access, then review how platforms are installed and implement proper installation, patching and version policies. Any application should be subject to a security policy indicating a reasonable maximum time frame for adopting major releases, minor revisions and security patches.
Consolidate security and development tools
State and local governments have limited IT budgets, but are tasked with a wide range of priorities, with modernization and security among the most important. Utilizing DevSecOps is one way to address both priorities, making it essential to weave into state security plans.
DevSecOps combines development, security and operations, in turn optimizing delivery and maintenance of software while ensuring security at every step of the development process. The approach allows developers to release code notably faster than traditional methods, so modern systems are more rapidly and securely delivered to constituents.
Implementing a DevSecOps approach will allow SLTGs to prevent bad actors from exploiting system vulnerabilities by identifying and remediating risk during the development process.
An additional way to support visibility in the development process and beyond is through the implementation of a software bill of materials (SBOM). An actionable, continuously updated SBOM gives easier visibility into the contents of an application, can surface vulnerabilities in the software’s components, and can define how, when and why organizations may peer into a piece of software or learn about its version history. This kind of information, and the rules surrounding it, are crucial to supply chain security and a comprehensive security plan.
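The patch-adoption policy described above (a maximum time frame for adopting major releases, minor revisions and security patches) and the SBOM visibility described here fit together naturally: the SBOM lists what is installed, and the policy says how old a pending update may be. The following script is an added example, not code from the original article or from GitLab, showing how a small check could enforce such a policy over a CycloneDX-style SBOM. The SBOM document, the component names, the per-component `latest` block and the policy day counts are all constructed for illustration; in a real pipeline the latest-release data would come from a package registry or advisory feed rather than being embedded in the SBOM.

```python
"""Added example: check an SBOM's components against a patch-adoption policy.

The SBOM below is a constructed, CycloneDX-style JSON document (not real
project data). The "latest" block per component is an assumption: CycloneDX
does not carry it, and a real pipeline would fetch it from a registry or
advisory feed.
"""
import json
from datetime import date

# Constructed sample SBOM (CycloneDX-like shape, hypothetical components).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "libexample-web", "version": "2.3.1",
     "latest": {"version": "2.3.4", "released": "2023-04-01", "security": true}},
    {"name": "libexample-auth", "version": "1.8.0",
     "latest": {"version": "1.9.0", "released": "2023-01-15", "security": false}},
    {"name": "libexample-db", "version": "4.0.2",
     "latest": {"version": "5.0.0", "released": "2023-02-20", "security": false}},
    {"name": "libexample-log", "version": "3.1.0",
     "latest": {"version": "3.1.0", "released": "2022-11-05", "security": false}}
  ]
}
"""

# Policy: maximum days allowed to adopt each kind of release (constructed values,
# mirroring the article's major / minor / security-patch time frames).
POLICY_MAX_DAYS = {"security": 30, "major": 180, "minor": 90, "patch": 60}


def parse_version(v):
    """Split '1.2.3' into (1, 2, 3); missing parts default to 0."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify_update(installed, latest, security):
    """Return the kind of update pending, or None if the component is current.

    A security flag takes precedence over the semantic-version difference, so a
    security fix shipped as a patch release is held to the strictest window.
    """
    cur, new = parse_version(installed), parse_version(latest)
    if new <= cur:
        return None
    if security:
        return "security"
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch"


def check_sbom(sbom_json, today_iso, policy=POLICY_MAX_DAYS):
    """Return (name, kind, days_overdue) for every component outside policy."""
    today = date.fromisoformat(today_iso)
    sbom = json.loads(sbom_json)
    overdue = []
    for comp in sbom["components"]:
        latest = comp["latest"]
        kind = classify_update(comp["version"], latest["version"], latest["security"])
        if kind is None:
            continue
        age = (today - date.fromisoformat(latest["released"])).days
        if age > policy[kind]:
            overdue.append((comp["name"], kind, age - policy[kind]))
    return overdue


if __name__ == "__main__":
    # Using the article's date as "today"; prints the two out-of-policy components.
    for name, kind, days in check_sbom(SBOM_JSON, "2023-06-08"):
        print(f"{name}: {kind} release overdue by {days} days")
```

Run as written, the check flags the pending security release for `libexample-web` and the overdue minor release for `libexample-auth`, while the major release for `libexample-db` is still inside its 180-day window. Wiring a check like this into the pipeline that regenerates the SBOM is what turns the document from a static inventory into the "actionable, continuously updated" artifact the article calls for.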
Focus on rapid modernization to secure legacy infrastructure
Outdated applications and systems often put organizations at risk because they lack the capabilities and supporting infrastructure to defend against modern attacks. They’re easy targets for bad actors. As state and local government IT leaders look to enhance security, modernization needs to be a part of that plan.
A DevSecOps approach for modern software development can support this by making modernization more efficient and less cumbersome. When all necessary functions are combined into a single platform it allows for automation, continuous integration, and delivery to happen in the same place. What once took months or years to produce can now be accomplished in a matter of weeks.
This approach will also assist states looking to accelerate adoption of the cloud, as DevSecOps can allow for streamlined deployments across multiple cloud vendors. Rapid modernization will make cybersecurity plans more effective by replacing the systems with the highest risk, while improved cybersecurity practices protect organizations and constituents across the board.
Every day, state, local and territorial governments take on the vital missions of supporting their residents. This grant is an opportunity to transform IT infrastructure and innovate on the way SLTGs provide citizen and constituent services. These funds will allow for the tools to build, modernize and secure systems, while providing quality technology services to residents with increased cybersecurity standards.
Conducting data security reviews, consolidating security and development tools through approaches like DevSecOps, and significantly reducing cybersecurity threats from bad actors by modernizing legacy infrastructure will position state and local governments for success.
Joel Krooswyk, federal CTO of GitLab Inc., has 25 years of experience in the software industry and has been involved in agile and digital transformations in many Fortune 500 enterprises. His experience spans development, QA, product management, portfolio planning and technical sales, and he has written a half million lines of unique code throughout his career. On an average day, you’ll find him discussing software modernization, cybersecurity, standards compliance, ongoing digital transformation, DevSecOps and automation.