As Congress begins work on future COVID-19 relief bills, a group of bipartisan legislators wrote to House and Senate leadership urging them to include funding for state and local government (SLG) IT infrastructure in future relief bills.
The May 22 letter was spearheaded by Reps. Jim Langevin, D-R.I., Michael McCaul, R-Texas., Cedric Richmond, D-La., and Mike Gallagher, R-Wis., with an additional 25 representatives signing on.
Amid the COVID-19 pandemic, SLGs have had to rapidly pivot to remote work and delivering citizen services online. The cost of new hardware, infrastructure, and cybersecurity measures can be a heavy weight on a state’s budget – many of whom are already facing budget shortfalls as a result of COVID-19. Previous relief legislation has included measures to aid SLGs; however the representatives said that it isn’t enough.
“In the bipartisan CARES Act, we recognized the vital role states and municipalities are playing on the front lines of this crisis and provided funding both to address COVID-specific needs and to help administer Federal programs that are managed by state agencies,” they wrote. “However, these investments are insufficient to address the significant technical challenges states continue to face, nor will they address rising cybersecurity concerns as more work is conducted remotely.”
The letter explains that many SLGs were already struggling with legacy IT systems, and are now unable to keep up with surging demand for citizen services like unemployment insurance benefits, limited telework capabilities for state and local employees, and increased concern over cyber threats.
“Increased reliance on technology broadens the attack surface that malicious actors, whether criminals, nation-state adversaries, or hacktivists, can exploit,” the letter reads. “Unfortunately, legacy IT systems often run on proprietary and no longer supported technologies and are frequently incapable of allowing even relatively unsophisticated cybersecurity controls.”
The letter aligns with recommendations from the Cyberspace Solarium Commission, which Gallagher co-chairs, and Langevin is a member. In the Cyberspace Solarium Commission’s March report, the commission calls for an infusion of IT modernization grant funding for states to help them upgrade their IT systems and harden their cybersecurity posture.
When determining how to include SLG cyber grant funding in future relief bills, the representatives identified four guiding principles congressional leadership should adhere to:
- “Maximum flexibility for systems eligible to receive funding – States have varying degrees of maturity across the many systems they maintain. Flexibility ensures that Federal support can be used to maximum effect by allowing states to prioritize systems that they judge are at highest risk based on the specific threats to, vulnerabilities in, and consequences of a breach of those systems.
- Certification baselines and security planning requirements – Modernization should prioritize a cloud-first approach using vendors that achieve certification against industry-developed standards. However, to ensure mission owners bake security into their proposed modernized architecture, State Chief Information Officers should be required to submit modernization plans using quantized risk assessments to the Cybersecurity and Infrastructure Security Agency for review.
- Local needs considered – Local governments are often even more resource-starved than their state counterparts. Any modernization plan should ensure that local governments are able to access a portion of the funding for their needs and that a state will offer shared services to local governments that reflect their needs.
- Investments for today and for the future – Many states have immediate IT modernization needs as well as longer term, more meaningful system redesigns. Some portion of funding should be available to meet these immediate equipment and license needs while the bulk is available for more substantive projects that will ensure we can withstand this public health crisis and the resultant economic downturn.”