New Playbook Integrates Cybersecurity Into Federal Grants

The Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the National Cyber Director (ONCD) have come together to release a comprehensive guide that focuses on incorporating cybersecurity into federally funded infrastructure projects. The guide, titled Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure, aims to provide essential tools and resources for grant-making agencies and recipients to ensure the integration of strong cybersecurity practices into their programs and projects.

The United States has made significant investments in infrastructure through legislation such as the Infrastructure Investment and Jobs Act (IIJA), the Inflation Reduction Act (IRA), and the CHIPS and Science Act. Against this backdrop, the playbook stresses that cybersecurity must be deeply embedded in these projects for their long-term success and sustainability.

The playbook offers a structured approach to integrating cybersecurity into grant programs. Its key features include recommended actions for incorporating cybersecurity throughout the grant lifecycle, model language for Notices of Funding Opportunity (NOFOs) and Terms & Conditions, templates for creating Cyber Risk Assessments and Project Cybersecurity Plans, and a comprehensive list of cybersecurity resources to support secure project execution.

CISA Director Jen Easterly underscored the importance of this guidance by emphasizing the necessity of securing the next generation of American infrastructure in every community across the country. Harry Coker Jr., White House National Cyber Director, echoed that sentiment, stressing “cybersecurity by design” as an essential element in rebuilding the nation’s critical infrastructure.

The playbook is designed to be flexible and aims to minimize administrative burden while ensuring that baseline cybersecurity practices are part of federally funded projects. It encourages federal agencies, sub-awarding organizations, and infrastructure operators to adhere to the recommendations provided to protect projects from evolving cyber threats.

In conjunction with the playbook, CISA has issued Binding Operational Directive (BOD) 25-01, which focuses on implementing secure practices for cloud services. The directive requires federal civilian agencies to enhance the security of their cloud environments by using assessment tools and aligning configurations with CISA’s Secure Cloud Business Applications (SCuBA) project. It aims to address the risks associated with cloud misconfigurations, which can lead to unauthorized access, data exfiltration, or service disruption.

By June 2025, federal civilian agencies are expected to fully implement the requirements outlined in BOD 25-01 to mitigate cloud vulnerabilities and enhance overall cybersecurity resilience. CISA Director Jen Easterly emphasized the urgency of these measures to address the increasing threats faced by cloud environments and to bolster national cyber resilience through collective action.

The SCuBA project, which underpins the directive, provides consistent security baselines for commonly used Software-as-a-Service (SaaS) products like Microsoft Office 365. These baselines, along with assessment tools, aid agencies in monitoring their cloud environments effectively and addressing any deviations from secure configurations. Regular reviews and adjustments are crucial to staying aligned with evolving best practices and emerging cyber threats.

The guidance and directives released by CISA and ONCD signify a pivotal step in safeguarding U.S. infrastructure and federal networks against cyberattacks. By integrating cybersecurity from the outset, the nation not only enhances resilience but also safeguards public trust in critical systems. Federal agencies, grant recipients, and infrastructure operators are urged to promptly adopt the playbook and implement the required cloud security measures to ensure that the next generation of American infrastructure is not only innovative but also secure and resilient.
