As part of the Bipartisan Infrastructure Law, also known as the Infrastructure Investment and Jobs Act of 2021, the United States federal government announced a cybersecurity grant program for state, local, territorial, and tribal (SLTT) governments, allocating USD 1 billion over the next four years for the improvement and creation of cybersecurity programs. The Department of Homeland Security will implement the grant program, with the Cybersecurity and Infrastructure Security Agency (CISA) serving as subject matter experts and the Federal Emergency Management Agency (FEMA) administering the funds.
To qualify for funding, the following strategic elements are required to be included in Cybersecurity Plans, based upon the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF):
- Implement multifactor authentication (MFA).
- Implement enhanced logging.
- Data encryption for data at rest and in transit.
- End the use of unsupported or end-of-life software and hardware that are accessible from the internet.
- Prohibit the use of known, fixed, or default passwords and credentials.
SLTT governments have many options across a variety of vendors for the products and solutions that meet the above criteria. It is essential to have a detailed plan and well-structured strategy to advance applications for federal funding. In support of these efforts, we want to call attention to the following offerings from Microsoft that can help SLTT governments make their case for federal funding in these key areas.
Implement multifactor authentication
Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra, offers an array of MFA methods, be it in the form of a single multifactor authenticator or the form of two single-factor authenticators (read the full list of supported multifactor authentication methods). To set the bar higher, SLTT governments can further strengthen their MFA and enforce the use of phishing-resistant MFA using Azure AD certificate-based authentication, FIDO2 security keys, Conditional Access Authentication Strengths, or Windows Hello for Business. Products like Microsoft Intune can make it easy to configure Windows Hello for Business, supporting your organization’s move to MFA. Azure AD’s External Identities cross-tenant access settings are an ideal way to securely collaborate with external users coming from other Azure AD organizations and other Microsoft Azure clouds. Cross-tenant access settings give you granular control over how external users from other Azure AD organizations collaborate with you (inbound access) and how your users collaborate with other Azure AD organizations (outbound access). These settings also let you trust MFA and device claims (compliant claims and hybrid Azure AD joined claims) from other Azure AD organizations.
Implement enhanced logging
Microsoft Sentinel provides capabilities to centralize log data from other software and systems to track incidents and events across the enterprise. An expansive hub of rich integrations allows for the ingestion, enrichment, and delivery of log data, including cloud access security broker, identity, endpoint, network and operational technology (OT) security, and IT capabilities with bi-directional integrations. Archived logs allow for the storage of data for up to seven years to meet compliance requirements.
For Windows devices, you can collect diagnostic logs remotely and without interrupting the user with Microsoft Intune by device or in bulk.
Data encryption for data at rest and in transit
Data at rest encryption for Microsoft 365 provides Customer Key-based encryption across multiple Microsoft 365 workloads. Tenant administrators can configure a single data encryption policy using customer-managed keys and assign it to the tenant. Once assigned, the tenant-level encryption policy starts encrypting all customer data for multiple Microsoft 365 workloads.
With Microsoft Purview Advanced Message Encryption, you can control sensitive emails shared outside the organization with automatic policies. You configure these policies to identify sensitive information types, such as personally identifiable information, financial, or health IDs, or you can use keywords to enhance protection. Once configured, you can pair policies with custom-branded email templates and then add an expiration date for extra control of emails that fit the policy.
Microsoft Intune also helps you enforce data protection on your devices so they comply with your organization’s policies. This, combined with Conditional Access policies, helps verify that when data leaves your organization, it can only go to compliant devices that are encrypted and meet the standards defined by your organization (including data-at-rest protection). Intune can also configure and enforce encryption on Windows endpoints with BitLocker specifically and require encryption across the mobile device landscape.
Prohibit use of known, fixed, or default passwords and credentials
SLTT governments are required to change password policies that are proven ineffective, such as complex passwords that are rotated often. This includes the removal of the requirement for special characters and numbers, along with time-based password rotation policies. Instead, consider doing the following:
- Use password protection to enforce the blocking of a common list of weak passwords that Microsoft maintains. You can also add custom banned passwords.
- Use self-service password reset to help users reset passwords as needed, such as after an account recovery or credential compromise.
- Use Azure AD Identity Protection to be alerted about compromised credentials so you can take immediate action.
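The banned-password approach above (a vendor-maintained list of weak passwords plus custom tenant-specific terms, with no special-character, number, or rotation requirements) can be illustrated with a small checker. This is an added example written for this page, not Microsoft's own code or the Azure AD password protection algorithm; the banned lists, the character-substitution table, the minimum length, and the function names are all constructed assumptions for illustration.

```python
"""Illustrative banned-password check in the style of the policy described above.

Policy modelled here (constructed assumption, not a product specification):
  * no composition rules (special characters, digits) and no rotation;
  * a minimum length;
  * reject any password that, after normalization, contains a term from a
    global weak-password list or a custom (organization-specific) list.
"""

from typing import Iterable, List

# Constructed stand-in for a vendor-maintained weak-password list.
GLOBAL_BANNED = {"password", "welcome", "summer", "letmein", "qwerty"}

# Constructed example of a custom banned list an agency might add
# (its own name, building, department abbreviations, etc.).
CUSTOM_BANNED = {"cityhall", "countyit"}

# Common symbol/digit substitutions users apply to dodge naive list checks.
# Mapping is an assumption for this example.
_SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a",
    "0": "o",
    "1": "l", "!": "i",
    "$": "s", "5": "s",
    "3": "e",
})

MIN_LENGTH = 12  # assumed policy value


def normalize(password: str) -> str:
    """Lowercase and undo common substitutions so 'P@ssw0rd' matches 'password'."""
    return password.lower().translate(_SUBSTITUTIONS)


def check_password(password: str,
                   custom_banned: Iterable[str] = CUSTOM_BANNED,
                   global_banned: Iterable[str] = GLOBAL_BANNED,
                   min_length: int = MIN_LENGTH) -> List[str]:
    """Return a list of policy violations; an empty list means the password is accepted."""
    reasons: List[str] = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    normalized = normalize(password)
    # Sorted so the result is deterministic regardless of set ordering.
    for term in sorted(set(global_banned) | set(custom_banned)):
        if term.lower() in normalized:
            reasons.append(f"contains banned term '{term}'")
    return reasons


def is_acceptable(password: str) -> bool:
    """Convenience wrapper: True when check_password reports no violations."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["P@ssw0rd2023!", "correct horse battery staple",
                      "CityHall-Summer!", "short1"]:
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

Note that a long passphrase with no digits or symbols passes, while a short, heavily substituted password built on a banned term is rejected; that mirrors the guidance above to drop composition and rotation rules in favour of length and banned-term checks.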
How Microsoft Security solutions help support grant applicants
The products mentioned are several suggested offerings of which SLTT governments can take advantage when considering their applications for federal cybersecurity grant funding. For further information on other required elements and how Microsoft solutions map to the NIST CSF, organizations can read the US Cybersecurity Grant Readiness Assessment and Microsoft Technical Reference Guide.
Microsoft partners with governments around the world to ensure the safety and integrity of their critical systems. We are committed to assisting our SLTT government customers in improving the state of cybersecurity for their regions and the people they serve.
Additional resources for SLTT customers:
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.