The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the National Cyber Director (ONCD) have published a guide to help grant-making agencies integrate cybersecurity into their programs and assist recipients in enhancing cyber resilience in their projects. CISA and ONCD developed the playbook to be a minimal burden on the federal grant awarding process and is intended to strengthen cybersecurity in critical infrastructure projects. The recommended guidance and actions are flexible for the recipient while providing a mechanism to support the inclusion of baseline cybersecurity best practices.
The document targets federal grant managers, critical infrastructure stakeholders, and organizations like state, local, tribal, and territorial (SLTT) governments involved in sub-awarding grant funds. It helps grant-making agencies incorporate cybersecurity requirements into their respective grant programs. It provides guidance for projects that include technologies that, if impacted by a cyber incident, could affect critical infrastructure safety, reliability, or operability. It also provides tools and resources that the grant program can direct applicants towards to support their ability to meet the requirements.
The playbook aids managers of federal grant programs and recipients in enhancing cybersecurity for critical infrastructure. While advisory and non-binding, it offers recommended requirements, model language, resources, and guidance. Agencies should set criteria for applying the playbook to specific projects. The Playbook will be reviewed and updated periodically.
Specifically, the guidance contains recommended actions to incorporate cybersecurity into grant programs throughout the grant management lifecycle; model language for grant program managers and sub-awarding organizations to incorporate into Notices of Funding Opportunity (NOFOs) and terms and conditions; templates for recipients to leverage when developing a cyber risk assessment and project cybersecurity plan; and a comprehensive list of cybersecurity resources available to support grant recipient project execution.
“We are excited to provide this guidance to grant-making organizations, along with our teammates at the Office of the National Cyber Director,” Jen Easterly, CISA director, said in a media statement. “As organizations seek to take advantage of historic infrastructure grants, it’s critical to ensure the security and resilience of this next generation of American infrastructure in every community across our nation.”
“ONCD, along with our partners at CISA, continues to advocate for cybersecurity to be incorporated into the foundation and design of the Nation’s critical infrastructure,” said Harry Coker Jr., White House National Cyber Director. “As we make investments in rebuilding and updating our infrastructure through funding such as made available from the Investing in America agenda, we have the opportunity and obligation to build in cybersecurity by design. We need infrastructure projects to be shovel-ready and cyber-ready. That’s why we’re proud that the guidance released today will serve as a helpful resource to help our partners and recipients build cybersecurity into infrastructure projects from the beginning.”
Faced with the critical need to secure the nation’s infrastructure, the federal government has made historic investments through the Infrastructure Investment and Jobs Act (IIJA), Inflation Reduction Act (IRA), and CHIPS and Science Act. These initiatives aim to build and maintain infrastructure that is resilient to cyber threats, adhering to the secure and resilient-by-design principles outlined in the National Cybersecurity Strategy and National Security Memorandum 22 (NSM-22).
The ONCD issues this Playbook resource in furtherance of the strategic objectives in the National Cybersecurity Strategy, while the CISA and other departments and agencies provided technical expertise in developing the document. The Playbook is intended to provide federal agencies and grant recipients with tools to build cyber resilience into their projects. Adding cybersecurity requirements into Federal funding programs and upholding them throughout the projects’ lifecycle allows grant program managers, recipients, and subrecipients to identify, prioritize, and address key cyber risks more easily.
Federal agencies should include provisions such as cybersecurity principles, best practices, and controls in their awards and sub-awards, consistent with applicable law and guidance. The recommended cybersecurity requirements in this Playbook help recipients develop long-term strategies to address cyber risk on asset performance continuously. Where appropriate, agencies should encourage recipients and subrecipients to set cybersecurity goals above the baseline requirements.
The playbook detailed that a project cyber risk assessment and project cybersecurity plan should be required for every critical infrastructure grant project that has a technology nexus. When a recipient has multiple projects within a system, it may be appropriate to develop an overall plan for the system. These systems and assets may include elements, components, and full systems of information technology (IT), operational technology (OT), industrial control systems (ICS), supervisory control and data acquisition (SCADA), and other systems.
The playbook also recognized that actions taken to mitigate the cyber risk to critical infrastructure are more effective when executed throughout the full lifecycle of projects, beginning with the principles of Secure by Design. Incorporating Secure by Design principles into technology and project design and development is one of the most effective steps technology manufacturers can take to mitigate cyber risk. Additionally, all grant recipients are encouraged to take advantage of no-cost services provided by CISA and other government agencies. Finally, performing a Project Cyber Risk Assessment and developing and implementing a Project Cybersecurity Plan for grant projects is a key element in enhancing critical infrastructure cybersecurity.
Conducting a Project Cyber Risk Assessment is essential to understanding the potential physical impact resulting from an incident or occurrence to IT, OT, ICS, and other systems essential to the safe and reliable operation of facilities, systems, and equipment. Conducting a Project Cyber Risk Assessment reveals potential vulnerabilities and their potential impact to improve the overall safety, resiliency, and cyber posture necessary to meet operational and mission needs. By conducting such assessments, organizations can establish an appropriate baseline of cybersecurity actions and then develop a Project Cybersecurity Plan.
Furthermore, recipients and sub-recipients should conduct a Project Cyber Risk Assessment and develop a Project Cybersecurity Plan during the project design phase. PMs will need to determine the appropriate timeframe for the attestation or submission of the assessment and plan based on the scope and complexity of the project and its lifecycle. The Project Cyber Risk Assessment and Project Cybersecurity Plan will assist recipients in implementing baseline cybersecurity best practices and controls as part of the execution of the grant award, reduce project cybersecurity risk, and reduce the risk of disruption to critical infrastructure.
Agencies should refer covered applicants and recipients to the cybersecurity resources and services, best practices, tools and training, and policy template resources to enable recipient development, implementation, and maintenance of the Cybersecurity Plan. The resources are organized by cybersecurity performance goal (CPG) to guide grant recipients to the resource(s) that are most useful for addressing their CPG gaps and needs. Agencies and grant PMs should encourage covered award applicants and recipient organizations that have implemented mature cybersecurity best practices and controls (and who may have already implemented CPGs at an organizational level) to continue strengthening their cross-sector and sector-specific cybersecurity best practices and controls by implementing the NIST Cybersecurity Framework.
In conclusion, the playbook identified that investments in the cybersecurity of critical infrastructure are key to preventing disruption and minimizing potential negative impacts. Grant programs funded by the IIJA and other investments present the opportunity—and necessity—to build cybersecurity into the critical infrastructure projects they fund. Critical infrastructure must therefore be developed and updated by incorporating the concepts of cyber-informed engineering and secure by design. Incorporating baseline security practices is vital to protect national and economic security and ensure a safe and prosperous future for Americans.