 

Fiscal Year 2010 

 

HOMELAND SECURITY GRANT PROGRAM 

 

 

SUPPLEMENTAL RESOURCE: CYBER SECURITY 
GUIDANCE 

 

 

 

 

December 2009 

 

 

 

 

 

 

 

 

 

 

 

 

U.S. DEPARTMENT OF HOMELAND SECURITY 

U.S. DEPARTMENT OF HOMELAND SECURITY 



CYBER SECURITY GUIDANCE 

 

With the pervasiveness of information technology (IT) and cyber networks systems in 
nearly every aspect of society, effectively securing the Nation’s critical infrastructure 
requires investments in network resiliency as well as cyber infrastructure protection. As 
all levels of government now rely on cyber networks and assets to provide National 
security, public safety, and economic prosperity, their operations depend on information 
systems that are maintained, protected, and secured from exploitation and attack. In 
recognition of this importance, President Barack Obama has identified the digital 
infrastructure as a strategic National asset. 

 

The increasing frequency and 
sophistication of cyber attacks on critical 
infrastructure and key resources (CIKR) 
requires planning across all State, local, 
tribal, and territorial (SLTT) homeland 
security components to develop robust 
strategies to prepare for and respond to 
events that can degrade or destroy SLTT 
governments’ abilities to deliver essential 
services to citizens and prepare for the 
impact of terrorist or criminal activity or 
natural disaster. 

 

Nation-states, criminal organizations, 
terrorists, and other malicious actors 
conduct attacks against critical cyber infrastructure on an ongoing basis. According to 
the National Institute of Standards and Technology (NIST) National Vulnerability 
Database, 6,608 new computer vulnerabilities were catalogued in 2006; 6,516 in 2007; 
and today the database continues to increase at a rate of 11 vulnerabilities published 
per day. The impact of a serious cyber incident or successful cyber attack would be 
devastating to SLTT governments’ assets, systems, and/or networks; the information 
contained therein; and the confidence of those who trust governments to secure those 
systems. 

 

SLTT planning should incorporate intra-state coordination with sound assessment and 
mitigation practices to drive development and maintenance of robust cyber security 
capabilities within the All-Hazards framework of homeland security. To effectively 
address the security of SLTT cyber assets, consider the following preparedness 
measures: 

. The degree to which government IT, communications, and cyber infrastructures 
provide operational support for the systems on which State essential services, 
including Homeland Security, function 


. How a loss or degradation of these systems would hinder homeland security 
operations and essential functions 




“Many of the Nation’s essential and 
emergency services, as well as our 
critical infrastructure, rely on the 
uninterrupted use of the Internet and the 
communications systems, data, 
monitoring, and control systems that 
comprise our cyber infrastructure. A 
cyber attack could be debilitating to our 
highly interdependent CIKR and 
ultimately to our economy and national 
security.” 

 

National Strategy for Homeland Security, 
October 2007 


. How state preparedness and response efforts benefit from assessments of 
threats and vulnerabilities to these systems as well as the analysis of the 
malicious and potentially illegal activity occurring on them 




 

As a means to guide these efforts, State Administrative Agencies (SAA), security 
officials, and authorities at all levels of government should review cyber infrastructure 
and assets based on appropriately tailored vulnerability assessments. Doing so will 
better enable coordinated investments and protective measures, increasing return on 
investment and overall security. 

 

This Annex outlines parameters for SLTT government officials to coordinate 
preparedness planning efforts to ensure cyber security investments are considered and 
supported in long term development considerations. Potential grantees should review 
the guidance provided below prior to submitting proposals and discuss how to apply it to 
SLTT planning with cyber security and IT leadership (i.e., Chief Information Officer, 
Chief Information Security Officer, etc.). This due diligence will ensure that grantees 
amply address their cyber security goals and objectives and assess current activities to 
bolster the security of state computer network enterprises. 

A. The Role of Cyber Systems 

IT network infrastructure enables the functions and services of all sectors, resulting in a 
highly interconnected and interdependent global CIKR network. The U.S. Department 
of Homeland Security (DHS) is leading efforts to engage and work with security partners 
at the State and local level, as well as in 
the private sector and academia, to 
ensure that the cyber elements of 
critical infrastructure are robust, 
responsive, and resilient. As such, 
State planning should consider the full 
scope of cyber assets and network 
infrastructure in mission critical systems 
that support incident response and 
emergency management, physical 
security protection, law enforcement 
and intelligence gathering, and other 
State homeland security functions. For 
example: 

 

. Malicious activity originating in cyberspace can affect physical system 
components and potentially lead to property damage and loss of life. Aligning 
State and local cyber incident response activity to National policies and 
protocols, and assigning responsibility to a central authority will ensure a uniform, 
coordinated response to any such event 


. Shifting to Internet protocol (IP) networks for such services as interoperable 
emergency communications and 911 systems provides State and local 
responders with new capabilities for prevention, response, and recovery. It also 




Cyber infrastructure includes electronic 
information and communications 
systems, and the information contained 
in those systems. Computer systems, 
control systems such as Supervisory 
Control and Data Acquisition (SCADA) 
systems, and networks such as the 
Internet are all part of cyber 
infrastructure. 

 

– National Infrastructure Protection Plan (NIPP), 2006 


. Degradation or disruption of IT and communications functions can inhibit 
execution of continuity of governance or continuity of operations plans following a 
catastrophic event or other physical security incident. Accounting for redundant 
and alternative systems for supplying essential functions in emergency response 
planning reduces “down time” on critical systems 


. Other infrastructures, including transportation, water treatment, electric power, 
and other control systems-based elements owned and operated by States and 
municipalities are vulnerable 


. State and local Fusion Centers rely on IP networks to communicate vital data for 
tactical and operational decision-making. The failure of IT networks could 
hamper analysis of a developing crisis, hurting decision making at critical 
junctures, especially if errors coincide with a larger man-made or natural disaster 


. Malicious and criminal activity online against government systems and assets 
can accompany criminal activity in the physical world. Information on such 
activity can contribute greatly to law enforcement investigations and prosecutions 
and should be available to SLTT law enforcement entities 


. Effectively addressing cyber threats to the SLTT enterprise requires situational 
awareness across the multiple systems and coordination by a central authority. 
Two-way sharing of information on malicious activity and cyber attacks 
significantly contributes to situational awareness as well as appropriate response 
measures 




B. Building Capabilities and Allowable Costs 

Establishing cyber security as a primary target capability in preparedness planning 
provides the foundation on which to build operational functions in cyber response and 
recovery, and enhanced coordination of activities though all levels of government. As 
such, funds from each of the fiscal year 2010 Homeland Security Grant Program 
(HSGP) components – State Homeland Security Program, Urban Areas Security 
Initiative, Metropolitan Medical Response System, and Citizen Corps Program – 
can be used to invest in functions that support and enhance SLTT cyber security 
programs. 

 

. Equipment: Expenditures that cover a wide range of investments including 
network protection, intrusion detection, and encryption technologies. More 
information on the DHS Approved Equipment List, including a breakdown of 
Cyber Security Enhancement Equipment, is available on the Responder 
Knowledge Base, www.rkb.us 




 

. Planning: Each SLTT government entity should develop and implement a 
comprehensive cyber security approach to manage cyber risk that is fully 
incorporated into overall State homeland security plans and operations. The 
plans should be reviewed and updated on a periodic basis to address technology 
and vulnerability changes, cover the full scope of threats facing State enterprises, 





and account for IT and computer systems owned and operated by all State, 
regional, local, tribal, and territorial governments 




 

. Training: Expanding government employees knowledge of cyber threats and 
security measures and well as enhancing capabilities of existing IT and cyber 
security staff contributes to overall security posture of the government enterprise. 
Information on various training courses is available at www.nw3c.org, 
www.sentinelproject.net and www.fema.gov/about/training 




 

. Exercises: Scenarios must be based on events that adhere to State Homeland 
Security strategies and focus on testing and validating existing capabilities. 
Cyber events are unique in that they can result in physical impacts to systems 
that are highly localized in nature, yet be driven by anonymous actors operating 
outside of regional authorities 




 

. Personnel/Operations: In addition to staff to support the above activities, 
grantees can apply for funds to hire analysts to monitor and assess the health of 
critical computer systems as well as coordinate information sharing and response 
efforts to cyber incidents 




C. Guiding Investment Decisions 

Securing cyber systems requires a layered defense that accounts for the range of 
security challenges facing organizations, including logical and physical threats to cyber-
based systems. There are a number of resources available to help State and local 
security officials conduct assessments that can help inform where to allocate funding 
obligations to build cyber security capabilities. Resources include the National Institute 
of Standards and Technology (NIST) Computer Security Resource Center. NIST 
provides standards and technology to protect information systems against threats to the 
confidentiality, integrity, and availability of information and services. NIST includes 
guidance on securing information systems, methods for assessing the effectiveness of 
security requirements, and managing risk from information systems (in addition to many 
other topics). DHS’ National Cyber Security Division (NCSD) has established tools that 
draw on existing cyber security guidance and standards to assist organizations in 
assessing their security posture. The Cyber Security Evaluation Tool (CSET) is a DHS 
product that provides users with a systematic and repeatable approach for assessing 
the security posture of their cyber systems and networks. The CSET tool is designed to 
raise awareness and facilitate discussions on cyber security within an organization. It 
also highlights vulnerabilities in the organization’s systems and provides options for 
consideration on ways to address vulnerabilities. The results of the CSET assessment 
can be used as a starting point for making informed investment and risk-based 
decisions. 

 

Organizations can use CSET results to demonstrate the degree to which they have 
adopted best practice in cyber security. Conversely, these organizations can use the 
results to document “options for consideration,” and produce a prescriptive list of 
security control deficiencies that require funding consideration. A risks assessment 


contextualizes this information with other risk information on assets, threats, known 
vulnerabilities in people, process, and technology, and consequences. Once a risk 
assessment is complete, State and local security officials should work with State HSAs 
and state planning entities to ensure that identified gaps receive adequate funding for 
mitigation activities and equipment. 

 

Implementing the CSET or any assessment tool/methodology for use in identifying 
cyber security vulnerabilities should be conducted in partnership with all State homeland 
security components to account for the full range of functions supported by cyber 
systems. Additional information on the CSET is available at ncsd_cipcs@hq.dhs.gov. 

D. Conclusion 

It is the recommendation of the U.S. Department of Homeland Security (DHS) that State 
Homeland Security Advisors, SAA’s, and all state homeland security planning entities 
evaluate the full scope of cyber threats and vulnerabilities to all existing and envisioned 
homeland security functions, systems, and procedures before applying for funding 
under the Homeland Security Grant Program. By incorporating assessments of the 
systems and assets that support State IT and cyber infrastructure, State planners can 
more effectively seek funding for and implement mitigation strategies for protecting 
critical functions, ensure ongoing delivery of services, and protect the safety and 
wellbeing of citizens. 

 

It is also the recommendation of the U.S. DHS that State Homeland Security Advisors 
incorporate cyber security in supported and long-term development considerations. As 
the underpinning of most of our CIKR, cyber elements of critical infrastructure need to 
be robust, responsive, and resilient. 

 

Comparing current cyber security activities with the desired level of preparedness will 
enable officials to identify gaps and needed enhancements that can be accounted for in 
investment justifications. Establishing and enhancing cyber security capabilities that are 
fully-integrated into ongoing state preparedness efforts provides the foundation on 
which to enhance collaboration and coordination from across state functions and 
through all levels of government in building All-Hazards capabilities. As more and more 
technologies are integrated into our Nation’s prevention protection, response, and 
recovery activities, cyber security will be an essential requirement. Investing now may 
help lay the foundation SLTT stakeholders need for future All-Hazards efforts. 

 

Grantees are urged to review information provided by the following resources, which 
provide valuable guidance, best practices, and opportunities for support and information 
sharing: 

 

. DHS’s National Cyber Security Division (NCSD) works collaboratively with public, 
private, and international entities to secure America’s cyber assets by building 
and maintaining an effective National cyberspace response system and 
implementing a cyber-risk management program for protection of critical 
infrastructure. It has resources that can assist State and local Governments in 





bolstering their cyber security capabilities. Information is available at 
www.dhs.gov/xabout/structure/editorial_0839.shtm 




 

. The United States Computer Emergency Readiness Team (US-CERT) is a 
partnership between DHS and public and private sector security partners. 
Established in 2003 to protect the Nation’s Internet infrastructure, it coordinates 
defense against and responses to cyber attacks across the Nation by 
collaborating with State and local Governments and sector information sharing 
and analysis centers (ISACs), analyzing cyber threats and vulnerabilities, and 
disseminating cyber threat warning information. Information is available at 
www.Us-Cert.gov/ 




 

. The National Institute of Standards and Technology (NIST) is a non-regulatory 
Federal agency within the U.S. Commerce Department’s Technology 
Administration. NIST’s mission is to develop and promote measurement, 
standards, and technology to enhance productivity, facilitate trade, and improve 
the quality of life. The NIST Information Technology Laboratory, Computer 
Security Division provides a variety of tips, newsletters, and publications to 
support cyber security efforts. Information is available at www.nist.gov 




 

. The National Association of State Chief Information Security Officers (NASCIO) 
provides a mechanism for collaboration on security investment priorities among 
state CIOs and leading IT officials in the States. Through its Information Security 
and Privacy Committee, NASCIO identifies security-related issues that States 
may encounter and offers insight and effective security practices to address 
those issues. Topics addressed have included the security and privacy 
implications of emerging technologies, such as wireless technologies, the role of 
the Chief Information Security Officer, and insider threats. Information is 
available at www.nascio.org/ 




 

. The Multi-State Information Sharing and Analysis Center (MS-ISAC) is a focal 
point for information sharing on IT and cyber security between and among State 
and local governments. It is a voluntary and collaborative organization with 
participation from all 50 states and the District of Columbia that provides a 
common mechanism for raising the level of cyber security readiness and 
response in each State and with local governments. In addition, DHS has 
officially recognized the MS-ISAC as the National center for States to coordinate 
cyber readiness and response. The US-CERTand MS-ISAC exchange 
information regularly to facilitate National coordination of cyber security detection, 
prevention, and response activities. Information is available at www.msisac.org/