Brief

On 17/12/2024, the Cybersecurity and Infrastructure Security Agency issued an update regarding "CISA and ONCD Release Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure". The playbook is a guide for federal grant program managers on incorporating cybersecurity into their programs and helping grant recipients build cyber resilience. It includes recommended actions, model language, templates, and resources to support grant recipient project execution, with the aim of securing the nation's critical infrastructure.

Today, CISA and the Office of the National Cyber Director (ONCD) published Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure to assist grant-making agencies to incorporate cybersecurity into their grant programs and assist grant-recipients to build cyber resilience into their grant-funded infrastructure projects.
This guide is for federal grant program managers, critical infrastructure owners and operators, and organizations such as state, local, tribal, and territorial governments who subaward grant program funds, and grant program recipients. The guide includes:

  • Recommended actions to incorporate cybersecurity into grant programs throughout the grant management lifecycle.
  • Model language for grant program managers and sub-awarding organizations to incorporate into Notices of Funding Opportunity (NOFOs) and Terms & Conditions.
  • Templates for recipients to leverage when developing a Cyber Risk Assessment and Project Cybersecurity Plan.
  • Comprehensive list of cybersecurity resources available to support grant recipient project execution.

CISA encourages organizations to review and apply recommended actions to secure the nation’s critical infrastructure and enhance resilience.

Purpose

The purpose of the “Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure” is to provide a comprehensive guide for federal grant program managers, critical infrastructure owners and operators, and sub-awarding organizations to incorporate cybersecurity into their grant programs. This playbook aims to assist grant recipients in building cyber resilience into their grant-funded infrastructure projects, thereby enhancing the overall security of the nation’s critical infrastructure.

The guide is designed to support grant-making agencies throughout the grant management lifecycle, from developing a Notice of Funding Opportunity (NOFO) to monitoring and evaluating grant recipient performance. By incorporating recommended actions, model language, and templates, this playbook provides a practical framework for ensuring the cybersecurity of federal grant programs and their recipients.

Effects on Industry

The effects of this playbook on industry will be significant, as it aims to enhance the overall resilience and security of critical infrastructure projects funded through federal grants. This will have a positive impact on various industries, including:

  • Critical infrastructure sectors such as energy, water, transportation, and healthcare
  • Grant-making agencies responsible for managing federal grant programs
  • Sub-awarding organizations that distribute funds to recipients
  • Recipients themselves, who will benefit from the guidance provided in developing a Cyber Risk Assessment and Project Cybersecurity Plan

By adopting the recommended actions and best practices outlined in this playbook, industry stakeholders can reduce the risk of cyber-related incidents, protect sensitive information, and maintain public trust.

Relevant Stakeholders

The following stakeholders are relevant to this update:

  • Federal grant program managers responsible for managing grant programs
  • Critical infrastructure owners and operators who receive federal grants
  • Sub-awarding organizations that distribute funds to recipients
  • Grant recipients themselves, who will benefit from the guidance provided in developing a Cyber Risk Assessment and Project Cybersecurity Plan

These stakeholders will directly benefit from the playbook’s recommendations and resources, which are designed to enhance cybersecurity and resilience throughout the grant management lifecycle.

Next Steps

To comply with or respond to this update, industry stakeholders should take the following next steps:

  • Review and apply the recommended actions outlined in the playbook
  • Incorporate model language into NOFOs and Terms & Conditions
  • Leverage templates for recipients to develop a Cyber Risk Assessment and Project Cybersecurity Plan
  • Utilize comprehensive lists of cybersecurity resources available to support grant recipient project execution

By taking these steps, stakeholders can ensure that their federal grant programs and critical infrastructure projects are adequately secured, reducing the risk of cyber-related incidents and protecting sensitive information.

Any Other Relevant Information

Additional relevant information includes:

  • The Office of the National Cyber Director (ONCD) and CISA’s continued commitment to enhancing cybersecurity and resilience in critical infrastructure sectors
  • The importance of collaboration and coordination among industry stakeholders, including federal agencies, sub-awarding organizations, and grant recipients
  • Future plans for updating and refining the playbook based on stakeholder feedback and emerging cybersecurity threats

Cybersecurity and Infrastructure Security Agency
