DoT aims to layer cybersecurity into infrastructure grants process

The Department of Transportation, at the forefront of federal efforts to modernize U.S. infrastructure, aims to ensure cybersecurity is embedded in a wave of historic investments funded through DoT under the bipartisan infrastructure law, but being implemented largely at the state and local levels.

Cybersecurity is a top priority for DoT Chief Information Officer Cordell Schachter, he said in a recent interview on the sidelines of the Institute for Critical Infrastructure Technology’s spring conference in Arlington, VA.

“We deal with cybersecurity every day, and sometimes it feels like all day, because if we don’t have  security in safeguarding information and systems, then we can’t do the other things that DoT needs to do,” Schachter said. “And increasingly, every organization is a digital organization.”

The Infrastructure Investment and Jobs Act includes tens of billions of dollars for investments in roads and bridges, railways, public transit systems, and electric vehicle infrastructure, among other investments.

Much of that funding will flow down from DoT through “formula grants” to state and local governments, as well as discretionary grants issued under Notices of Funding Opportunity.

Meanwhile, the Biden administration’s recently issued national cyber strategy makes defending critical infrastructure from digital threats a major priority. Critical infrastructure includes broad swaths of the nation’s transportation systems.

“We think of cybersecurity around our overall goal of improving resilience from all hazards in our grant making, including climate,” Schachter said. “But for cybersecurity in particular, we would like infrastructure that’s either modernized or newly built to be secure by design, so that the cybersecurity aspect of it is built in and not added later, as we might have to do to legacy technology.”

Schachter said DoT modeled its approach based on the Transportation Security Administration’s guidelines for surface transportation operators.

DoT’s guidelines for its grantees include four main components:

1. Designate a cybersecurity point of contact
2.  Create a cybersecurity incident reporting plan
3. Create a cybersecurity incident response plan
4. Conduct a self-assessment

“Those four steps exist already in guidance and directives that TSA has given to various operators in various sectors throughout the country,” Schachter said. “So it shouldn’t be new to anyone. It’s been discussed for a long time. And it’s also seen as something that’s achievable, even for potential grantees who don’t have very advanced cybersecurity practices.”

For the formula grants to state, local, tribal and territorial governments, the four steps will not be mandatory, Schachter said, and instead come in the form of guidance. According to DoT, the bulk of federal transportation funding flows through such programs to recipients based on formulas established by Congress. Examples of formula grant-making include the Federal-Aid Highway Program and the Urbanized Area Formula Grants.

“We will issue the cybersecurity approach as guidance and really support them in achieving it, but it’s not a condition of receiving the grant,” Schachter said.

DoT components are already providing some resources to help their local partners. In early February, the Federal Transit Administration published a “Cybersecurity Assessment Tool for Transit” on its website to help public transit organizations strengthen their cybersecurity programs.

Meanwhile, for discretionary grants, DoT intends to “have the cybersecurity approach be part of the conditions that they need to satisfy to be awarded the money,” Schachter said.

“But I want to stress we deliberately chose non-onerous steps in our approach, so that even an organization that is not very sophisticated from a cybersecurity perspective can achieve these goals,” he added.

DoT’s recent funding notice for $700 million in grants for charging and fueling infrastructure, for instance, includes a section on resilience requirements.

“Each applicant selected for federal funding under this notice must demonstrate, prior to the signing of the grant agreement, effort to consider and address physical and cyber security risks relevant to the transportation mode and type and scale of the project,” the notice states.

Shachter said that DoT is considering potential cybersecurity risks at the outset any new program to ensure security is baked into the process on the front end.

“It could be physical infrastructure, it could be vehicles, whatever it is, we’ll do an evaluation of the project and determine if it what we’re calling, ‘elevated cybersecurity risk,’ then we would ask you to complete the four components of the cybersecurity approach,” he said.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.