The Tribal Cybersecurity Grant Program awards are aimed at boosting security for tribes and the rest of the country as well, given the critical infrastructure and industry operated by tribes, said Michael Day, executive officer of TribalHub and chair of the Tribal-ISAC. But difficulties applying for these grants may have deterred some potential participants, he noted.
Applications for the first round of the grant were due in January. Federal officials have been tight-lipped about the program’s current status, with the Cybersecurity and Infrastructure Security Agency (CISA) declining to say how many tribes applied or had their plans approved — a prerequisite to receiving funding. Currently, the exact grant award allocations were still being finalized, with CISA anticipating awards for spring.
As of April 1, the Federal Emergency Management Agency (FEMA) said it had not yet distributed any of the grant funding. But while FEMA has avoided giving specifics, Day said the agency told him that the number of participating tribes exceeded its expectation.
Still, some eligible tribes lacked the resources to apply, Day said. And some tribes also felt the available funding was too little to be worth the work of applying for and managing the grant.
The $18.2 million the grant program set aside is to be split among the 574 federally recognized tribal governments, portioned out based on tribes' population brackets, with $8 million designated to be shared among the eight largest tribes and $2 million for the 392 smallest, for example.
Day said he encouraged tribes to go after the grants, telling them they’d likely receive a bigger slice than expected because others wouldn’t apply.
While multiple tribes could team up as a “tribal consortium” to submit one joint application, Day said that practicalities make the idea unrealistic. That’s because various political bodies and IT teams from across the participating tribes would need to all come to negotiate and reach consensus — and do so within the limited time before the application deadline.
Only a handful of the hundreds of federally recognized tribes have CISOs, while others may rely on a network administrator to handle their cyber needs, Day said. As such, how tribes might look to use the grant money varies widely. Those with less mature postures might look to purchase basic tools like firewalls or third-party penetration testing, for example.
But despite the differences, some common challenges emerge. Many tribes have significant government and health-care sectors as well as enterprises engaged in areas like gaming and hospitality, or manufacturing, among others, Day said. Tribes often can benefit from network connections and shared back-end systems across those verticals, such as health care and government both connecting to shared HR and accounting systems. But those connections then need to be carefully secured against cyber risks.
As tribes work to enhance their cybersecurity, they often struggle to recruit top cyber talent. Cyber workforce pains are felt across the public sector, but they may be especially acute in tribes, where limited salaries are combined with very rural locations, Day said.
And many tribes are wary of turning to remote cyber workers to ease the gap.
“Most tribes — like so many organizations — they're still a bit on the fence with remote work,” Day said. “One of the challenges here is there's a real trust factor: You have to have a very close relationship with the organization to be effective as a cyber team.”
Day hopes that tribes might consider putting some grant award funding toward Tribal-ISAC membership, which could help the entity expand it offerings — including, potentially, providing example applications for future grant cycles. The Tribal-ISAC also aims to fill a gap for tribes that may be wary of sharing information with ISACs associated with industry or with state or federal government in the U.S., given a history of broken trust.
The next round of the grant is coming up, with FEMA expecting to post the notice of funding opportunity before the end of fiscal year 2024.
