The letters to the recipients of the DHS State and Local Cyber Security Grant Program (SLCGP) should be released any day now. Yes, I know we have been hearing that since December, but realistically speaking, it really should be soon. It has to be soon, because CISA will have to announce the details for Year 2 in the next few months.
The good news is that the Kentucky Office of Homeland Security Cybersecurity Grants Committee got all their submissions in on time, PLUS Kentucky is one of only 11 states that has submitted the state cyber security plan required for the grant to be released. (Way to go, KOHS!)
While we don’t yet know which of the grant applications were submitted by the state, we can at least plan for when the notifications are made.
If your county, AD district, school district, or organization is one of the grant recipients (or you receive another grant), the first thing to do is celebrate. But not for long. There’s work to do, for crying out loud!
You likely already outlined in your grant application the objectives you will be working toward in general terms. However, more specifically, you need to plan your steps.
First, identify what you need to protect. When I worked for the Navy in program protection for the new destroyer program in the mid-90s, we knew that we could not protect every aspect of the program from discovery. For one thing, satellite imagery would clearly show that shipyards were working to build a new ship. But there were new technologies that we definitely needed to protect. Those are the ones we focused on protecting. Our “crown jewels.”
Similarly, you should determine what is critical to your organization. Employee data? Student, client, or citizen data? 9-1-1 center operations? Knowing what is most critical to your operations tells you how to proceed and where to put your protective measures first.
The best way to decide how to protect your crown jewels is a vulnerability assessment that finds the holes in your network. Maybe the gap is in patches that have not been applied, or maybe your configuration or your architecture is flawed. It could also be in the policies and procedures you still need to write, your staff training, the incident response plan you have not yet developed, and so on.
Penetration testing then shows whether, and how, a threat actor can actually get into your systems by exploiting those gaps, so you know which ones to close first.
From there, you will have to implement the protective measures, whether they are technical (EDR, DNS filtering, MFA, etc.), administrative (policies and procedures, incident response plans, training programs), or physical (door locks, cameras, etc.).
Continuous monitoring then ensures that you stay protected and gives you a way to discover new vulnerabilities that must be addressed immediately, reducing both risk and harm. This includes using a Security Operations Center (SOC) for threat hunting: looking for anomalous behavior so that intrusions are found and stopped before they do damage.
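The steps above (name the crown jewels, assess vulnerabilities, decide what to fix first) can be turned into a repeatable prioritization exercise. The script below is an added example written for this post, not code from KOHS, CISA, or the grant program. It joins a constructed asset register, in which each host is tagged with how critical it is, against constructed vulnerability-scan findings, and ranks remediation by asset criticality times severity rather than by scanner score alone. The hostnames, check IDs, CVSS-style scores, and the weighting scheme are all assumptions chosen for illustration.

```python
"""Added example: risk-based prioritization of vulnerability-scan findings
against a "crown jewels" asset register.

Everything below is constructed for illustration. Hostnames, check IDs,
scores, and the 1.5x weighting for known exploits are assumptions, not
real findings or a standard.
"""
from dataclasses import dataclass

# How much a compromise of each tier matters to the organization.
CRITICALITY = {"crown_jewel": 3, "important": 2, "routine": 1}


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str
    tier: str   # key of CRITICALITY
    data: str   # what is exposed if this host falls


@dataclass(frozen=True)
class Finding:
    host: str
    check: str          # scanner check ID (placeholder)
    cvss: float         # 0.0 - 10.0 severity from the scanner
    exploit_known: bool # public exploit available, per the scanner


# Constructed asset register: the "crown jewels" step.
ASSETS = [
    Asset("sis-db01", "School district", "crown_jewel", "student records"),
    Asset("psap-cad01", "9-1-1 center", "crown_jewel", "dispatch operations"),
    Asset("hr-app01", "County HR", "important", "employee PII"),
    Asset("print-srv02", "County IT", "routine", "print queues"),
]

# Constructed scan output: the "vulnerability assessment" step.
FINDINGS = [
    Finding("sis-db01", "MISSING-PATCH-SQL", 7.4, True),
    Finding("print-srv02", "OUTDATED-FIRMWARE", 9.8, True),
    Finding("hr-app01", "WEAK-TLS-CONFIG", 5.3, False),
    Finding("psap-cad01", "DEFAULT-CREDS", 8.8, True),
    Finding("camera-lobby-03", "DEFAULT-CREDS", 8.8, True),  # not in inventory
]


def risk_score(asset: Asset, finding: Finding) -> float:
    """Criticality-weighted severity; known exploits get an extra 1.5x (assumed)."""
    score = CRITICALITY[asset.tier] * finding.cvss
    if finding.exploit_known:
        score *= 1.5
    return round(score, 1)


def unknown_hosts(assets, findings):
    """Hosts the scanner saw but the register does not know: an inventory gap."""
    known = {a.host for a in assets}
    return sorted({f.host for f in findings} - known)


def prioritise(assets, findings):
    """Return (score, asset, finding) tuples, highest risk first."""
    by_host = {a.host: a for a in assets}
    ranked = []
    for f in findings:
        asset = by_host.get(f.host)
        if asset is None:
            continue  # reported separately by unknown_hosts()
        ranked.append((risk_score(asset, f), asset, f))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


if __name__ == "__main__":
    for score, asset, finding in prioritise(ASSETS, FINDINGS):
        print(f"{score:5.1f}  {asset.host:12} {finding.check:18} "
              f"[{asset.tier}] {asset.data}")
    gaps = unknown_hosts(ASSETS, FINDINGS)
    if gaps:
        print("Not in asset register (fix the inventory first):", ", ".join(gaps))
```

Run as-is, the print server with the highest CVSS score (9.8) lands third, behind the 9-1-1 CAD host and the student database, because the register says those two are the crown jewels. The lobby camera is called out separately: a scanner finding on a host nobody owns is an inventory problem before it is a patching problem, which is why the "identify what you need to protect" step comes first.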
Cyber security is a journey, not a destination. Let’s take that trip together. We promise we won’t ask, “are we there yet?”