The funding comes from the year one State and Local Cybersecurity Grant Program (SLCGP), which has started sending monies to states. And while Indiana is taking advantage of the grant program now, it’s also looking for effective ways to ensure a lasting impact once this program ends.
So far, the 31 local entities that the state has signed up for the EDR service represent “well over 20,000 seats or licenses,” said Indiana CISO Hemant Jain. This initial batch serves as just a slice of Indiana’s 92 counties and more than 3,000 cities, towns, townships and libraries, Jain said, and more licenses are to come, with the state aiming for an increase each quarter.
That quarterly schedule lets local entities that are ready to adopt the tool apply now, while giving others time to learn or prepare more. Some interested entities may currently have other contracts or products in place, too. After all, the goal is to support, not disrupt, their operations, Jain said.
Those seeking the EDR service can complete an online form, and requests will be fulfilled based on the number of licenses available, with priority given to rural counties, cities and towns, Jain said. Although SLCGP rules allow the state to retain 20 percent of the grant while channeling the rest to locals, Indiana is putting its own portion into funding EDR licenses as well.
Looking ahead, Jain hopes federal officials will be encouraged by the impact of the SLCGP and provide more money after the four-year grant program ends. But Indiana still needs to plan for sustaining the work either way.
That might mean switching to a cost-sharing model to continue offering the EDR service. The state’s economy of scale and negotiating power means it can expect to give local entities better pricing than they would be able to obtain individually. And this kind of large-scale, centrally managed service may give locals better protection and support, Jain said. In the meantime, entities have several years of saving funds that they’d otherwise have spent on an EDR service.
The EDR shared service also sets the state and locals up with better insights into the threat landscape. The state will receive aggregated details from local entities’ EDR solutions. Those can reveal which threat actors are targeting local entities, the techniques and tactics they’re using, and whether they’re focusing on particular sectors or regions. That can help inform defense strategies, and the state can share threat findings with local entities, peers or federal officials.
The SLCGP arrived at a time when Indiana already had other cyber-related initiatives underway with local government, including a cybersecurity general awareness training provided to locals at no cost.
As Indiana looks toward year two of the program, Jain said it expects to use funds to expand that training, as well as provide more EDR licenses, and pull together relevant cybersecurity resources and trainings into an online one-stop shop.
Recent listening sessions with local governments underscored concerns around disaster recovery and continuity of operations, and the informational resource could direct them to supports like Cybersecurity and Infrastructure Security Agency’s incident response tabletop exercises and products available through state vendor contracts.
Indiana also will support adoption of multifactor authentication, something urged by the SLCGP’s Notice of Funding Opportunity and which appeared to be an area of need for Indiana local governments, according to initial findings from a university-state study.
Cybertrack is a collaboration between the state, Purdue University and Indiana University to assess where local governments stand on adopting fundamental, high-impact elements of a cybersecurity program.
So far, the program has assessed 22 county and municipal governments and one library, according to the results. While this is a small sample size — about 0.78 percent of the state’s total governments — “the early results are sobering,” the report said. Among them, it found that only 30 percent of the studied entities required multifactor authentication for remote network access and only 13 percent required it for administrative access.
