A look at cybersecurity funding in the Infrastructure Investment and Jobs Act
(Last updated on July 12, 2022)
President Joe Biden passed the Infrastructure Investment and Jobs Act (IIJA) in November 2021, allocating more than $1 trillion in federal capital to improve the nation’s infrastructure. The money from this bill will go toward a wide range of national infrastructure projects such as water, roads, clean energy initiatives, internet accessibility projects, and countless other efforts. A portion of the funding will support cybersecurity development — $1.9 billion to be precise, or approximately 0.2% of the total budget. Half of that money will be spent on grants for state and local governments and the rest will be distributed among a variety of other cybersecurity projects.
Some of the bill’s cybersecurity provisions include the following:
- $1 billion in grants to improve the cybersecurity posture of local and state governments;
- $250 million for the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program;
- $250 million for developing “advanced cybersecurity applications and technologies for the energy sector”;
- $157.5 million to fund cybersecurity research for the US Department of Homeland Security’s Science and Technology Directorate (DHS-S&T);
- $35 million to fund risk management and stakeholder efforts for the DHS’s Cybersecurity and Infrastructure Security Agency (CISA); and
- $21 million for the newly created Office of the National Cyber Director (ONCD).
Pending Approval for Cybersecurity Funding
The cybersecurity portion of the bill is a footnote to an otherwise enormous federal expenditure. With only 0.2% of the bill’s provisions allotted to cybersecurity efforts, some qualifying organizations may feel like their options are limited. Approval for funding is contingent upon a long list of conditions, and the funds may only be used for expenses approved by federal authorities, which may or may not address the particular needs of each organization. Among other things, the organization must draft a cybersecurity plan to be approved by the federal government and adhere to cybersecurity best practices such as those outlined in the NIST framework.
Every organization has its own needs and limitations. Some may already be facing internal constraints on budget, staffing, and other factors not addressed by the bill. If an organization is already dealing with a thin budget and overburdened IT staff, then this will have to be considered when drafting a plan for implementation, especially if the grant can’t be used for more pressing expenses than what’s covered in the bill. An organization not prepared to undertake new projects may end up with a diminished return on steep implementation costs.
To put things into perspective, recipients of the federal funding can’t use the money to hire or pay employees or cover existing costs. Those expenses must come out of the organization’s pocket. Recipients may only receive the funds under the condition that they match the federal funds with capital from their own reserves for each fiscal year. Approved expenses in the 2022 fiscal year cannot exhaust more than 90% of the federal contribution, and federal contributions will decrease by 10% each fiscal year for the duration of the grant program. In other words, state and local governments will continue to receive federal funding only under the condition that they increase their own contribution by 10% each fiscal year.
Reducing the Burden with Specops uReset
As you can see, qualifying organizations must jump through a number of hoops to be approved for a grant, and the grant may only solve part of the problem. This is why leaders should first seek solutions that will ease the burden on their IT staff, especially when it comes to social engineering attacks. Keeping cybercriminals at bay with the Specops uReset solution will save your organization the time, money and resources it needs to draft the best cybersecurity plan possible and make good use of the grant money.
The password reset process gives cybercriminals an easy way into an organization’s network. They attempt to hijack accounts by requesting a password reset while impersonating the targeted employee. This is where the Specops uReset tool comes in—Specops uReset is a self-service password reset solution that uses multi-factor authentication to validate the user’s identity when a password reset is requested. uReset supports several common authenticators such as security questions, digital identity providers, mobile verification codes, and even fingerprint authentication.
uReset specifically protects the helpdesk, a common attack vector in social engineering attacks. Giving the helpdesk operator multiple options for identifying users who need to reset their password leaves cybercriminals less of an opportunity to exploit human error when impersonating someone else. Specops uReset further limits the number of potential points of compromise by storing user and password data on the user object in Active Directory instead of in a separate database.