The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.
Last month, the Department of Homeland Security announced the availability of $279.9 million in grant funding for the Fiscal Year (FY) 2024 State and Local Cybersecurity Grant Program (SLCGP). Now in its third year, the four-year, $1 billion program provides funding for State, Local and Territorial (SLT) governments to implement cybersecurity solutions that address the growing threats and risks to their information systems. Applications must be submitted by December 3, 2024.
While there are no significant modifications to the program for FY 2024, the Federal Emergency Management Agency (FEMA), which administers SLCGP in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), identified key changes, some of which we highlight below:
The FY 2024 NOFO adds CISA’s KEV catalog as a new performance measure and recommended resource
The FY 2024 notice of funding opportunity (NOFO) adds the CISA Known Exploited Vulnerabilities (KEV) catalog as a recommended resource to encourage governments to regularly view information related to cybersecurity vulnerabilities confirmed by CISA, prioritizing those exploited in the wild. In addition, CISA has added “Addressing CISA-identified cybersecurity vulnerabilities” to the list of performance measures it will collect through the duration of the program.
Tenable offers fastest, broadest coverage of CISA’s KEV catalog
At Tenable, our goal is to help organizations identify their cyber exposure gaps as accurately and quickly as possible. To achieve this goal, we have research teams around the globe working to provide precise and prompt coverage for new threats as they are discovered. Tenable monitors and tracks additions to the CISA KEV catalog on a daily basis and prioritizes developing new detections where they do not already exist.
Tenable updates the KEV coverage of its vulnerability management products — Tenable Nessus, Tenable Security Center and Tenable Vulnerability Management— allowing organizations to use KEV catalog data as an additional prioritization metric when figuring out what to fix first. The ready availability of this data in Tenable products can help agencies meet the SLCGP performance measures. This blog offers additional information on Tenable’s coverage of CISA’s KEV catalog.
FY 2024 NOFO adds “Adopting Enhanced Logging” as a new performance measure
The FY 2024 NOFO also adds “Adopting Enhanced Logging” to the list of performance measures CISA will collect throughout the program duration.
How Tenable’s library of compliance audits can help with Enhanced Logging
Tenable's library of Compliance Audits, including Center for Internet Security (CIS) and Defense Information Systems Agency (DISA), allows organizations to assess systems for compliance, including ensuring Enhanced Logging is enabled. Tenable's vulnerability management tools enable customers to easily schedule compliance scans. Users can choose from a continuously updated library of built-in audits or upload custom audits. By conducting these scans regularly, organizations can ensure their systems are secure and maintain compliance with required frameworks.
FY 2024 NOFO continues to require applicants to address program objectives in their applications
As with previous years, the FY 2024 NOFO sets four program objectives. Applicants must address at least one of the following in their applications:
- Objective 1: Develop and establish appropriate governance structures, including by developing, implementing, or revising Cybersecurity Plans, to improve capabilities to respond to cybersecurity incidents, and ensure operations.
- Objective 2: Understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments.
- Objective 3: Implement security protections commensurate with risk.
- Objective 4: Ensure organization personnel are appropriately trained in cybersecurity, commensurate with responsibility.
How Tenable can help agencies meet Objective 2 of the program
Tenable is uniquely positioned to help SLTs meet Objective 2 through the Tenable One Exposure Management Platform. In addition to analyzing traditional IT environments, Tenable One analyzes cloud instances, web applications, critical infrastructure environments, identity access and privilege solutions such as Active Directory and more — including highly dynamic assets like mobile devices, virtual machines and containers. Once the complete attack surface is understood, the Tenable One platform applies a proactive risk-based approach to managing exposure, allowing SLT agencies to successfully meet each of the sub-objectives outlined in Objective 2 (see table below).
Sub-objective | How Tenable helps |
2.1.1: Establish and regularly update asset inventory | Tenable One deploys purpose-built sensors across on-premises and cloud environments to update inventories of human and machine assets, including cloud, IT, OT, IoT, mobile, applications, virtual machines, containers and identities |
2.3.2. Effectively manage vulnerabilities by prioritizing mitigation of high-impact vulnerabilities and those most likely to be exploited. | Tenable One provides an accurate picture of both internal and external exposure by detecting and prioritizing a broad range of vulnerabilities, misconfiguration and excessive permissions across the attack surface. Threat intelligence and data science from Tenable Research are then applied to give agencies easy-to-understand risk scores. For example, Tenable One provides advanced prioritization metrics and capabilities, asset exposure scores which combine total asset risk and asset criticality, cyber exposure scoring which calculates overall exposure for the organization, peer benchmarking for comparable organizations, as well as the ability to track SLAs and risk patterns over time. Further, Tenable One provides rich critical technical context in the form of attack path analysis that maps asset, identity and risk relationships which can be exploited by attackers. It also provides business context by giving users an understanding of the potential impact on the things that matter most to an agency, such as business critical apps, services, processes and functions. These contextual views greatly improve the ability of security teams to prioritize and focus action where they can best reduce the potential for material impact. These advanced prioritization capabilities, along with mitigation guidance, ensure high-risk vulnerabilities can be addressed quickly. |
2.4.1 SLT agencies are able to analyze network traffic and activity transiting or traveling to or from information systems, applications, and user accounts to understand baseline activity and identify potential threats. | Tenable provides purpose-built sensors, including a passive sensor, which can determine risk based on network traffic. After being placed on a Switched Port Analyzer (SPAN) port or network tap, the passive sensor will be able to discover new devices on a network as soon as they begin to send traffic, as well as discover vulnerabilities based on, but not limited to:
|
2.5.1 SLT agencies are able to respond to identified events and incidents, document root cause, and share information with partners. | Tenable One can help SLT agencies respond to identified events and incidents and document root cause more quickly. SOC analysts managing events and incidents and vulnerability analysts focused on remediation of vulnerabilities have access to deep technical content in the form of attack paths, with risk and and configuration details to verify viability, as well as business context to understand the potential impact to their agency. This information is valuable not only to validate why IT teams should prioritize mitigation of issues before breach, but to prove that a successful attack has occurred. Further, agencies can deliver dashboards, reports and scorecards to help share important security data in meaningful ways across teams and with partners. Agencies are able to customize these to show the data that matters most and add details specific to their requirements. |
Source: Tenable, October 2024
Tenable One deployment options offer flexibility for SLT agencies
Tenable offers SLT agencies flexibility in their implementation models to help them best meet the requirements and objectives outlined as part of the SLCGP. Deployment models include:
- Centralized risk-based vulnerability program managed by a state Department of Information Technology (DoIT)
- Multi-entity projects
- Decentralized deployments of Tenable One managed by individual municipalities,
- Managed Security Service Provider (MSSP) models that allow agencies to rapidly adopt solutions by utilizing Tenable’s Technology Partner network.
Whole-of-state approach enables state-wide collaboration and cooperation
A “whole-of-state” approach — which enables state-wide collaboration to improve the cybersecurity posture of all stakeholders — allows state governments to share resources to support cybersecurity programs for local government entities, educational institutions and other organizations. Shared resources increase the level of defense for SLTs both individually and as a community and reduce duplication of work and effort. States get real-time visibility into all threats and deploy a standard strategy and toolset to improve cyber hygiene, accelerate incident response and reduce statewide risk. For more information, read Protecting Local Government Agencies with a Whole-of-State Cybersecurity Approach.
FY 2024 NOFO advises SLT agencies to adopt key cybersecurity best practices
As in previous years, the FY 2024 NOFO again recommends SLT agencies adopt key cybersecurity best practices. To do this, they are required to consult the CISA Cross-Sector Cybersecurity Performance Goals (CPGs) throughout their development of plans and projects within the program. This is also a statutory requirement for receiving grant funding.
How Tenable One can help agencies meet the CISA CPGs
The CISA CPGs are a prioritized subset of cybersecurity practices aimed at meaningfully reducing risk to critical infrastructure operations and the American people. They provide a common set of IT and operational technology (OT) fundamental cybersecurity best practices to help SLT agencies address some of the most common and impactful cyber risks. Learn more about how Tenable One can help agencies meet the CISA CPGs here.
Learn more
- $1 Billion State and Local Cybersecurity Grant Program Now Open for Applicants
- Protecting Local Government Agencies with a Whole-of-State Cybersecurity Approach
- How to Meet FY 2023 U.S. State and Local Cybersecurity Grant Program Objectives
- New U.S. SLCGP Cybersecurity Plan Requirement: Adopt Cybersecurity Best Practices Using CISA's CPGs
- Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog