The Infrastructure Investment and Jobs Act Invests Heavily in Cybersecurity
On November 15, 2021, President Joe Biden signed into law the Infrastructure Investment and Jobs Act (IIJA), unleashing over $1 trillion of federal money to strengthen the nation’s infrastructure and fund other key programs and initiatives. In addition to appropriating billions of dollars to improving transportation networks, expanding broadband internet accessibility and promoting clean energy projects, the bill allocates $2 billion to strengthening the nation’s cyber defenses. As we explain below, this is part of a broad whole-of-government approach on cybersecurity—implicating both public and private entities.
The IIJA’s notable cybersecurity appropriations include:
$1 billion for grants to improve state and local government cybersecurity;
$250 million to fund the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program—a program designed to support public utilities and other eligible entities;
$250 million to develop “advanced cybersecurity applications and technologies for the energy sector”;
$20 million per year for fiscal year 2022, and every year thereafter until 2028, to create a Cyber Response and Recovery Fund to help public and private entities respond to a significant cyber incident;
$157.5 million for the US Department of Homeland Security’s Science and Technology Directorate (DHS-S&T) to fund “critical infrastructure security and resilience research, development, test, and evaluation”;
$35 million for the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) for “risk management operations and stakeholder engagement and requirements”; and
$21 million to fund the recently created Office of the National Cyber Director (ONCD).
STATE AND LOCAL CYBERSECURITY GRANTS
The largest appropriation funds a $1 billion grant program for state and local governments. Dispersed over the course of four years, this money will support efforts to enhance the cybersecurity of state and local government information systems. The IIJA appropriates $200 million in federal grants under this program for fiscal year 2022; it appropriates $400 million, $300 million and $100 million, respectively, for fiscal years 2023, 2024 and 2025.
The funds, however, come with a catch: State and local governments must provide matching funds from their own coffers, with the federal share capped each fiscal year. For fiscal year 2022, the federal share of the cost of an activity carried out under the grant program cannot exceed 90%. Maximum federal contributions then decrease each fiscal year by 10%, requiring state and local governments to gradually increase their own investments by 10% each year to continue receiving federal money.*
To receive federal funds, grant applicants must also develop a Cybersecurity Plan, subject to approval and periodic review by federal authorities. Such plans must describe the applicants’ approach to handling a comprehensive list of cybersecurity-related control measures. The measures include, for example, implementing a “process of continuous cybersecurity vulnerability assessments and threat mitigation practices[,]” “adopt[ing] and us[ing] best practices and methodologies to enhance cybersecurity, such as” those in the National Institute of Standards and Technology (NIST) framework, and “assess[ing] and mitigat[ing], to the greatest degree possible, cybersecurity risks and . . . threats relating to critical infrastructure[.]”
MUNICIPAL UTILITY AND ENERGY SECTOR RESEARCH AND DEVELOPMENT PROGRAMS
As noted, the statute appropriates roughly $250 million each to the establishment of the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program and the Cybersecurity for the Energy Sector Research, Development, and Demonstration Program.
The Rule and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program provides cybersecurity funding and technical assistance to rural electric cooperatives, public utilities and certain “investor-owned” electric utilities “to protect against, detect, respond to, and recover from cybersecurity threats.” The program prioritizes giving funds and technical assistance to entities that have scarce cybersecurity resources, own assets critical to the bulk power system’s reliability or own “defense critical electric infrastructure[,]” as the term is defined under federal law.
The Energy Sector Research, Development, and Demonstration Program provides funds to strengthen the cyber defenses of the nation’s energy sector by “develop[ing] advanced cybersecurity applications and technologies,” “leverag[ing] electric grid architecture” to assess risk to the energy sector, conducting “pilot demonstration projects with the energy sector to gain experience with new technologies,” “develop[ing] workforce development curricula for energy sector-related cybersecurity” and “develop[ing] improved supply chain concepts for secure design of emerging digital components and power electronics.”
Notably, the statute does not require entities applying for funds under either program to develop a Cybersecurity Plan; instead, the statue leaves it to the CISA Director to decide whether to require funding recipients to submit one. A Cybersecurity Plan submitted at the request of the CISA Director under these programs must describe how the recipient of funds “plans to maintain cybersecurity between networks, systems, devices, applications, or components[,]” “will perform ongoing evaluation of cybersecurity risks to address issues as the issues arise throughout the life of the proposed solution[,]” “will report known or suspected network or system compromises of the project to the Secretary” and “will leverage applicable cybersecurity programs of the Department, including cyber vulnerability testing and security engineering evaluations.”
The IIJA is a significant, bipartisan legislative achievement that provides much-needed funding for key cybersecurity measures, such as strengthening the cybersecurity of state and local government information systems, enhancing the cybersecurity of the nation’s electric grid and strengthening the cyber defenses of municipal utilities—particularly in rural areas. The legislation unquestionably lays the groundwork for improvements to America’s ability to prevent and respond to cyberattacks.
By appropriating billions of dollars to cybersecurity spending, the bill increases the importance of cybersecurity compliance by federal government contractors. Notably, President Biden signed the IIJA into law less than one month after US Deputy Attorney General Lisa Monaco announced the launch of the US Department of Justice’s (DOJ) Civil Cyber-Fraud Initiative. As we explained here, the Civil Cyber-Fraud Initiative focuses on using the False Claims Act (FCA) to pursue cybersecurity-related fraud claims against government contractors and recipients of federal funds. Companies awarded federal contracts under the IIJA should be attuned to DOJ’s prioritization of bringing civil enforcement actions under the FCA, its avowed intention to “extract very hefty fines” and the Department’s full-throated encouragement of whistleblowers to come forward.
Companies seeking government contracts under the IIJA should revisit their compliance programs to ensure that they strictly adhere to the cybersecurity requirements set forth in the Federal Acquisition Regulation (FAR) and submit accurate information to the federal government in response to any request for a Cybersecurity Plan.
The IIJA also, through conditional funding, strongly incentivizes state and local governments to do their part to protect their information systems by implementing a strong cybersecurity framework and devoting more resources to cybersecurity. As noted above, state and local entities that receive funds under the IIJA must develop a Cybersecurity Plan and “adopt and use best practices and methodologies to enhance cybersecurity,” such as those in the NIST framework. These requirements “raise the bar” for cybersecurity at the state and local level and, in doing so, may very well bolster the federal government’s efforts to normalize more robust cybersecurity practices in both the public and private sectors. What’s more, over time, increased use of the NIST framework by state and local governments—perhaps coupled with civil lawsuits alleging inadequate cybersecurity measures—may increase the threshold for what constitutes a “reasonable” approach to cybersecurity, as a matter of law.
The IIJA may encourage state enforcement authorities to use their own civil fraud enforcement statutes—i.e., state FCA statutes—to promote stronger cybersecurity practices by government contractors. The IIJA requires a state or local government recipient’s Cybersecurity Plan to describe how the entity will “enhance the preparation, response, and resiliency of information systems, applications, and user accounts owned or operated by, or on behalf of, the eligible entity . . . against cybersecurity risks and cybersecurity threats[.]” This language could encourage state and local leaders to adopt a strategy similar to what federal authorities are employing to mitigate cybersecurity risks posed by government contractors: robust enforcement of laws that prohibit claims for payment that contain false representations pertaining to cybersecurity.
The IIJA fits within broader, whole-of-government efforts on cybersecurity, including:
Enhanced public-sector engagement with the private sector;
New sector-specific requirements, such as federal banking regulators’ November 18, 2021, Rule requiring covered entities to report “computer-security incidents” no later than 36 hours after discovery, as well as the pair of Security Directives from the Transportation Security Administration (TSA), on May 28, 2021 and July 26, 2021, imposing a variety of cybersecurity requirements (technical and administrative) on the 100 TSA-designated “most critical” pipeline owners/operators;
Increased enforcement, such as the US Securities and Exchange Commission’s (SEC) recent sanctioning of eight firms for failures in their cybersecurity policies and procedures that resulted in cybersecurity incidents exposing personal information of thousands of customers and clients; and
Topical advisories and guidance, such as the US Department of the Treasury’s Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, FBI and CISA alerts on ransomware and other malign cyber activities, the NIST Ransomware Profile that identifies steps organizations can take to prevent, respond to and recover from ransomware events, and the Financial Crimes Enforcement Network’s (FinCEN) 2021 Anti-Money Laundering and Countering the Financing of Terrorism National Priorities identifying cybercrime as a top priority.
We anticipate that the Biden administration will continue to explore ways to use the resources at its disposal to strengthen the nation’s cybersecurity, including encouraging the private sector through a carrot and stick approach to shore up their own systems and services.
* Grants to multi-entity groups begin with a 100% federal share in 2022 and decrease by 10% each year to 70% by 2025.