$1 Billion Dollar Grant for SLTT’s and implications for MSPs
In this video, Andrew Burch, Wes, and their guest Karen discuss the federal grants for enhancing cybersecurity in state, local, tribal, and territorial (SLTT) governments. They emphasize the importance of having a comprehensive cybersecurity plan to qualify for these funds and how the grants aim to raise the overall security maturity across these entities. Karen, the Vice President for the Multi-State Information Sharing and Analysis Center (MS-ISAC), provides insights into how these funds will be distributed and used to promote best practices and shared services among SLTT governments.<ul><li>The federal government has allocated a substantial pool of money over multiple years to support state, local, tribal, and territorial governments in building cybersecurity programs.</li><li>The grant emphasizes a whole-of-community approach, requiring states to involve all levels of government in their cybersecurity planning and building resiliency.</li><li>Managed Service Providers (MSPs) have a critical role in supporting SLTTs with cybersecurity planning and implementation, especially given their expertise and existing relationships with local governments.</li></ul>
Guests
Video Transcript
All right. Welcome everybody. We are here, Andrew Birch. I hope it's worth the wait as well. Um, I appreciate everybody's understanding in that we're, um, coming at 2:00 PM today due to travel for just basically all of us. Um, both Wes and I were on flights, unfortunately, Mike Beard, who is gonna be the voice of the MSP, um, he, uh, can't make it, but, um, so we're gonna do our best and we're trying to get our guests on.
So Wes and I are gonna tap dance in the meantime as Phyllis tries to get Karen on. Literally, literally, Literally, we're gonna Tap dance. Um, but, uh, no, this is pretty interesting. I was talking to Phyllis West and we were trying to kind of offline beforehand. Um, first off, again, welcome everybody. You know, when the federal government, um, you know, puts these massive grants out, um, you know, this is nothing short of pretty substantial amount of money.
And, uh, in talking to Phyllis, you know, I think MSPs that really look at the key requirements, um, of the cybersecurity programs that these municipal, state, local territorial governments are gonna have to create and then submit for funding, Wes, I think those ones are gonna be really well, uh, situated. What do you think you've, you know, you've worked with, you know, in essence through the ISACs, uh, which talked to obviously a lot of state and local Yeah. Organizations.
Talk to us, I mean, About this. A lot of things stand out to me, Andrew. One, one thing that really stands out is, um, it's good to continue to see the federal government put their money where their mouth is. Um, you know, they've been really going down this journey of getting more and more serious around security, both in statements made from CISA and others into, um, you know, continued collaborations.
But to see a significant pool of money, um, over multiple years, um, be carved out and approved towards state, local tribal territories. When we say SL TTS today, by the way, that's what we're talking about. Um, that's exciting. Like, that's like, it's really needed for sure. I mean, just think about how many small and, um, uh, like state organizations that many MSPs work with that, that don't have the funding for these kinds of things that don't have the things in place that they need.
And so, um, Andrew, I'm, I'm really excited about it. I think that as MSPs you stand, um, to really be in the middle of all of this, don't look at this as a huge cash grab for you specifically, but it's gonna flow in, in some exciting ways that I think are needed. Yeah, absolutely. Karen, thank you so much for joining. And I know this was really short notice for you, so I can't thank you enough for doing this. No worries. Can you hear me okay? We can, we can hear you. Fantastic. Yeah. Great.
Um, so Karen, knowing you have to stop at the bottom of the hour, um, I'm gonna jump right on in here 'cause we have some questions for you. Um, first off, huge mad respect for you and for those out there listening in that don't know, uh, who Karen is. This is the former CISO for New York State who has recently taken over, um, as the vice president for the multi-state asac. Um, so, um, real quick, Karen, if you could just maybe tell us a touch about yourself.
I'll have Wes and Phyllis start asking you some questions. And again, thank you so much for your time. Absolutely. I'm very happy to be here, and thanks for thinking of me and thanks for having me today. Um, yeah, I think you, you said you've, uh, said it in a nutshell. I was formerly the, um, New York State CISO. I had been with New York State for 32 years, so, um, retired after a long career in public service.
Um, and, you know, still had some chops left in meat and still wanted to continue working, um, on cyber, particularly in the state, local tribal territory space. So, um, was lucky to find a position over here at the MSI side. Well, maybe they were lucky on the other side too, I would say. Karen. So, um, Phyllis, you are the home of the multi-state. Um, so this is really cool that you've been co-hosting with us while Ryan is on a bit of a sabbatical.
So I'm gonna give you the honors to, uh, kick things off with Karen. Yeah. So Karen, um, you know, you're on with a bunch of MSPs, um, who we know may be supporting a lot of SL tts. Some of them may not be familiar with the MSI sac. So if you don't mind, if you could give us, um, kind of a, an elevator speech and what the MSI SAC is, and maybe a little bit about, um, the announcement for the grant and what your thoughts are. Sure.
Um, so M MS IAC is a division of the not-for-profit Center for Internet Security. Um, we are federally recognized as the focal point for cyber threat prevention preparedness, um, response and recovery for the nation's state, local, tribal and territory governments. So we use the term S-L-T-T-A lot, and that's what that means to the, those governments.
Um, we are designated by the Department of Homeland Security, cybersecurity and Infrastructure Security Agency as the cybersecurity ISAC for SL Ltt governments in the United States. We are a voluntary member driven organization. We've been around for about 20 years. Um, and we are expecting to hit 14,000 member organizations this week, um, across all of the different SLT governments.
So then, um, in terms of the grant, um, the, uh, notice of funding opportunity dropped on Friday, as you know, um, this is something that we've been waiting for in, in SLTT for a long time, um, since the grant was announced back in, or actually since it became law back in November, 2021. Um, in terms of the grant itself, it's certainly a positive step. This is the first of its kind dedicated cyber funding.
Uh, there have been other grants where cyber allowable expense, but in this case, um, this is all about cybersecurity, which is fantastic. Um, there's some really great features of the grant. It, it, uh, promotes a whole of community approach. So the grant isn't focused necessarily on one specific entity. It's, um, it's hoping to force states to involve all levels of government in their cybersecurity planning and building resiliency. Um, it's very risk-based.
So they wanna ensure that the funding that the, the government is providing is targeted at the right areas, um, that the, the money is going to the areas that have the most risk. Um, it also serves to ensure that state local tribals and territories are adopting best practices. Things like multifactor authentication or enhanced logging, those kinds of things. Um, to, to, to me it's, uh, it really makes sense to have this be a combined grant between FEMA and csa.
'cause FEMA really has the expertise in grant administration. So, um, you know, we really need their expertise in that area. And then, um, CSA will serve as a subject matter expert in cybersecurity. So they both the jointly administering this grant. So we think that will be, uh, a great feature as well. That's awesome. So, as the, um, VP of the MSI sac, um, how, how is the MSI SAC going to help SL TTS with this announcement? Um, Go ahead. So, no, no, that's fine.
So, immediately following, um, this call, um, we have stood up a biweekly work group of our, um, state CISOs and their cybersecurity planning committees, um, as well as industry partners. Um, we're trying to make sure that we're foc we're providing a focus group for, um, these different states to talk with your peers and get best practices out. Um, on Thursday, the MSI cycle will be holding what, what we refer to as a SNAP call for all our men members.
And we'll have, uh, cisa presenting at that as well. We really started our outreach, like I said, back, uh, after this was, this grant was signed into law. We started doing webinars to gather state and local perspectives about the grant. And we, we used that to create and publish. And as I mentioned, the working group started in May again, to bring atten, really to bring attention to the, to planning efforts.
Um, what we were seeing is that a lot of, uh, states were waiting for the nofo, the notice of funding opportunity before they took action. So we really wanted to drive that action, um, ahead of, and that planning early. Um, so that working group was able to produce a white paper on what states should be doing as they waited for the nofo. Um, and then some of the other things are we, we have an ongoing, uh, webinar series on whole of state, uh, whole of community approaches.
And, uh, we had some sessions at our annual meeting on that as well. And that is allowing, um, states to hear from their peers on what they're doing, sort of, you know, try to get their best practices and approaches. Um, and then, you know, as, as part of the statute, as part of the law that was created around this grant program, um, there's a suggestion that eligible entities consult with Ms. IAC in drafting their plans.
So we're, we're gonna be looking to, um, see if that's something that's helpful. We can serve it as an, an advisor or consultant and, um, um, assist with the planning committees and potentially even, um, hold a clearing house for different approved plans as Well. That's awesome. Karen, can I ask a quick question? Yeah.
You know, for, for a state like New York where you're the ciso, you know, then, you know, they have that kind of funding makes sense that, you know, roll back the years you would be sitting there probably on that committee, um, other large states as well. For the smaller entities that literally might rely on the MFP, um, or some vcso, are they going to be allowed to participate in some way? Do you envision that in these, and is it too early to tell?
Well, so the only, um, entities that are eligible to apply for the grant are states and territories. Sure. This particular grant, sure, there is another, uh, notice of funding opportunity that will be for tribes as well. Um, so the state will be the one that is, um, receiving the money for the grants. However, there is a requirement that, that get passed through, 80% of that funds gets passed through to local governments. And of that 80%, 25% of that has to go to rural communities.
Um, one of the things I had mentioned early was that, um, CISA built this grant to try to really, uh, drive whole of community approaches. So one of the requirements is that each state has a cybersecurity planning committee, and that planning committee will ultimately be the ones that, um, approve the plans and approve the projects that go forward. There is a requirement that that planning committee include voices from local government as well as voices from public education and public health.
So, um, there's a lot that's in this grant that's really sort of driving that whole of community approach and that whole of government all levels of government approach. So I think that's a really good piece of this grant. Yeah. Awesome. Phyllis, back to you. Yeah, sure.
So you, you answered part of, you know, that ha those, um, organizations, the states having to have, um, a cybersecurity plan, um, in it, they also reference organizations can build a plan in accordance with, um, minimum requirements as stated in the state and local Cybersecurity Improvement Act. You have an idea of, um, what this may look like? Or is MI MSIs anything, or is that we'll be discussing. Okay, great.
No, So, so the, the actual, the elements that are required in the plan are actually written into the statutes. So we knew going into this what they were gonna be. So it's things like, and I think I, I may have alluded to some of these. It's things like, um, inventorying your assets, um, having a, um, a a way to manage, monitor your logs.
Um, and then some other best practice type things like having multifactor authentication, um, ensuring that you're getting off of end of life products, those kinds of things. There's, there's 16 required elements. Now, not all of them speak to a service product. Some of them are things like, you know, how, you know, describe how you're engaging the local governments, things like that.
But, um, there's enough in there that it really, uh, it speaks to the kind of best practice stuff that I think all of us have been promoting for some time. Right, exactly. Wes, over to you. Great. I appreciate that, Phyllis. So, um, Karen, thanks for joining us today. Um, really excited.
Um, so it seems like just, uh, looking at the polls here, it looks like we, we asked, and if you guys, um, would go and fill this out, we asked how many are currently working with SLTs in some form or fashion, and um, it looks like it's close to, it's about 40%. Yes. Um, do you see, just across the board, do you have any experience, do you see managed IT providers working inside of SLTs and work with them? Do you see that very often?
Um, yeah, we do see a number of, of managed security service providers that do work with, uh, with, with s SLTs. Um, CIS tries to align themselves with those providers to make sure that they're understanding the requirements, uh, for the, for the SLTT communities and, and, you know, their challenges and what they need to be focusing on. Okay. That's great. So, um, I just wanna ask that question because I think, um, it's something that you should be thinking about as an MSP, right?
Like, are there clients there that I maybe had never dreamed of, um, potentially working alongside? And, and I think, um, you know, this is an industry that, that certainly needs it. So, um, yeah, that's just why I wanna ask the question. So Abs yeah, absolutely. I would say, you know, if you are an MSP that is, that is working with those types of clients, certainly encourage your clients, um, first for, to have a membership in the isac.
There's a lot of services that, and, uh, just awareness material that's available to them. Um, see what, you know, what's there that we have that's appropriate for their needs. And then the other thing I'd say is just make sure that they're prior prioritizing their control adoption around the highest priority, um, and the, the safeguards that are to be most effective to them, uh, to address the needs that are, or the threats, I'm sorry, that are relevant to them. Okay.
And when you say control adoption, are you talking about the CIS controls? Um, CIS controls for sure. But just in general, um, any type of control framework. Um, this, this particular grant, I think is, is aligned well with the, with the CIS control frameworks. And, um, the CIS controls, uh, are really, um, I don't wanna say they're, they're threat based and risk-based, which is really what they're looking for here.
Um, so any kind of standard that's aligned with, with federal standards, I think is gonna be crucial to these efforts. And CIS controls certainly are. Um, and then again, um, addressing things from a risk perspective, making sure that you're, um, spending money, uh, that's commensurate with the risk that you have is a real key objective of this grant. And I think the CIS controls will, um, will assist with that for sure. Yeah. Okay. Great.
Um, how do you think that this grant program, um, will, how, how will MSPs interact? So you've said that the money's gonna go, at least initially, is gonna go to this at the state level, right? Correct. So how do MSPs get pulled into this by like, maybe like clients, like state clients that are already working with, how, how's that operation work, do you think? So, I mean, that's possible for sure.
There's, there's definitely monies available in this grant for, um, sort of operational, um, needs. Things like, um, if you need assistance with planning, um, you know, creating your plans, that kind of thing, you can use some of the money to hire for that, for that reason. Um, and it's, you know, I think it, it would certainly behoove the, the service providers to understand the grant.
Um, you know, get, make yourself familiar with what the requirements are that are in there, and then identify ways in in which you might be able to assist them, um, the states or the territories, uh, and their different planning committees. Um, I, one thing I would caution though, there's, there's not a lot of money when it's divided up between the 56 states and territories. It's over four years. Um, or I think it might be five years even.
Um, and then divide that up between all the different municipalities that are in a specific state. Um, it's not a ton of money, so really there's no windfall here.
And then the other thing I would question is that understand that the first year monies, the expectation for the first year monies are that that will be used to create these committees and create the cybersecurity plan that's required of each state, um, and assessing, you know, where you are so that you can, again, prioritize where those risks are that you need to spend, spend on. Um, so, um, projects will come later, is what I'm trying to get to.
Um, but again, if you have expertise in, in, in planning, uh, certainly you may wanna advertise that to your SLT customers. Yeah, okay. That, that makes a lot of sense. And that's, that's kind of what anything else that MSPs should be thinking about.
So they need to read up on this, they need to kind of understand how the grant's working and the timelines involved, and, um, all of that, it, it, are there, does the grant talk about any sort of, like, you must be this tall to ride as far as an MSP that you need to have these security maturity capabilities? Anything like that that you've seen? No, and I think, I think part of it is we're trying, part of what this grant is trying to do is, is, um, bring up the security maturity of all of SLTT.
Um, it does speak in there about additional best practices will be required as, as maturity sort of rises. Things like, um, endpoint detection and response or penetration testing. Those kinds of requirements will likely come later as the, as maturity builds up. But because everyone is so across the board at this point, I think we're starting from baseline. Um, and, and that's actually another way that the, the CIS controls sort of line up with this.
Well, um, in the CIS controls, we've got these implementation groups to sort of prioritize that. We're talking here about implementation group one, right? The, what are the basic things that everybody should be doing to, um, at least, you know, have a base level of security? We can I ask you a real quick question? Yeah, please, Karen.
Um, even though you said, Hey, there's not gonna be this windfall, could you foresee that, hey, you're, you're a municipality and maybe you're, you haven't really put taken the time to look at a, you know, build the cybersecurity plan, look at the controls, and at an IG one level, they might look at budget differently though, might they? I mean, so where they all have a certain amount of budget each year Mm-Hmm. And maybe they didn't allocate that much.
If you're an MSP working with that municipality, they might all of a sudden start to look at things differently with the fact that they're getting both grant money and, you know, where they should allocate their funds. Is that, is that a fair statement? In other words, I don't want MSPs to think, oh, well, you know, we're trying to spread over four or five years of a billion dollars across 50, you know, 50 states.
I I think this brings awareness that there's gonna be investment on, you know, both sides. Absolutely. Absolutely. It does. And, and one other thing about this grant, I think that's different from other grants and how they operate is, um, it doesn't require necessarily a, um, fund pass through. A state can pass through that 80% in the form of services and, um, you know, applications, licenses, those kinds of things.
So it's also starting to look at, uh, shared services, I think are trying to promote those. So we know what happens with a lot of the, the previous grants is, um, they would go to the haves, right? As opposed to the have nots. So the, the ones that really need the stuff don't have, either don't have grant writers to put in a good application or don't have the skill sets or the people to manage any of these tools once, you know, if they did get the grant.
So, um, that's another really positive thing is that it's, it's promoting shared services. Um, there is a capability for that or ability to do that, um, within a state. Um, it's gonna be left up to the state, which way they go.
If they go the old route of, you know, we're gonna just pass through the money, so the locals have to apply to us for that, or whether they, um, identify, um, economies of scale really, and just, um, shared, shared services that they can promote or provide to, to all the locals. Fair plus. Yeah, that's great. And I'm, you know, I'm glad to see the 20% carve out too for rural, right?
I, I come from rural Kentucky originally, and, you know, I see, um, for sure, like the, the, the lack of funding, the lack of capability. We've been talking at the national level for years now. Decades now, it seems like the, the infrastructure challenges that United States has if we were to come under a mass cyber attack, right? And so, mm-Hmm.
I don't think this at all fixes it, but do you sort of see this funding is at least one iterative step in the right direction of like, course correcting on where we're at from that perspective? Absolutely. So yeah, I said that before we're, we're excited because this is really the first dedicated pot of money towards cyber. I think everybody in, um, SLTT is invested in making sure that this program is successful so that there is, um, opportunity for continued funding going forward.
Um, another key piece of the grant is, is a requirement for performance metrics. So they wanna be able to show that, um, the investment of this money by the federal government into SLTs is doing what it's anticipated to do, is bringing up the security maturity of those. So that's gonna be important as well.
So absolutely, I think it's, this is a, this is a start for us, and, you know, we're excited about that, but I do expect it to grow and, you know, um, like I said, we're all invested in making sure it's a success. We, wes, Karen again, Phyllis, can I just ask all you a question? I like Sure. So we, we know about the community defense model, and for those of you that don't know, it's, it's phenomenal.
It's a metadata study, a threat, but, so I guess first you, Karen, why wouldn't the government, the federal government say, look, you all implement CIS controls. One is the STA implementation, one's the standard. So we can roll back and do a metadata study, you know, a year, two years, three years on the efficacy that we already know works with the community defense model.
Is, is there any of that thinking so that they can validate those types of, you know, what they're doing is, is working or, you know, I, I think there's been conversations around that and I think there's been, you know, um, some input as to as to that. So they don't, um, they don't say you can't do that, right? Right. They don't rule out the CIS controls. It's, it's, um, but they, they do have other frameworks, um, like Sure. You know, MIS framework that they're promoting as well. Absolutely.
Absolutely. Sorry, Phyllis, you were No, yeah, I was going to ask Karen, I'm glad you, um, brought up metrics. Um, mm-Hmm. We all know, you know, I worked in the, the federal government for 25 years, your state government. Um, the grants come, everyone gets excited and, um, you know, I'm curious, like, what is that going to be part of the cybersecurity planning? Um, I'd love to see what kind of metrics there are.
As you know, through the years, you know, Michael, Daniel had report cards for everybody and everyone failed miserably, but still, here we are, everyone's still getting terrible report cards. Like what is it that we can do to help SLTs? How is it that, um, we can recommend that they get measured, you know, what is it, um, going to look like? So, you Know, not to put you on the spot, but No, that's fine.
There, there is, there are some performance metrics that are, um, built into the grant that federal government's requiring. And those are mostly around adoption. Um, right. So how, what percentage of the states now have a cybersecurity plan, or what percentage of the states now are implementing MFA, those, those kinds of things.
Um, it is on, it's the responsibility of the state within their cybersecurity plan to define what their metrics are gonna be for their individual, um, investment justifications and projects under that. Um, so that's gonna be, I think, unique to each state.
Um, but in terms of, you know, again, offering, um, advisory consultants, consultancy into that, uh, cyber cybersecurity planning committees, I think is, is one way that we can assist both from an MS IAC perspective and from an MSP perspective. Yeah. We, Wes did you have something or, right. Um, I was just digesting all that because, uh, Phyllis, you're reading what that was gonna be my question too is like, what does performance look like? What does success for this look like? And mm-Hmm.
Um, I, I guess what maybe, and I know this is maybe an impossible question to sort of ask, but just in your opinion, Karen, what do you feel like success looks like fast forward four years from now? Like, does this look like what you mentioned, like, we see better readiness and security plans are adopted, all that sort of stuff, but any, anything else that sort of is like the goal of what should the, the outcome of this funding, um, should, should be geared towards that you can think of?
Um, yeah, I, I mean, I think I, I point back to the, uh, what we're trying to do here is just sort of raise the base, base maturity across the nation. And I think it clearly will drive, um, establishment of plans. Um, when I spoke to fema, I think it was in July, their estimation were that two thirds of the states don't even have a plan, a cybersecurity plan. So that's kind of alarming. So that, that will, this will drive that it's a requirement.
Um, it's also requiring the states and locals to work together. So I think that alone, just bringing that community together for that collective defense is, is just, is gonna raise our security maturity. Um, and then, um, you know, as we were speaking about metrics, it does require an assessment every year, right? So some type of risk, risk assessment, maturity assessment. So, you know, hopefully those, those assessments will help to identify the metrics right, that they can report out on.
But again, you know, what gets measured gets done, right? So we're, we're, we're sort of forcing a focus on cybersecurity and forcing a focus on tracking, um, your maturity over time. So I, I think we'll see some benefits from this for sure. I know we're at the bottom of the hour. Can I ask one parting question? Sure. You, you decide to open up a sh you know, you put a shingle up, you're an MSK, which you're obviously well qualified to do.
Um, question for you is, if this was gonna be a focus s ltts with what's going on here, what, what, what might you do to really, I guess, set yourself up best to kind of work from municipality up into the state, knowing that's where the funding's coming from? Yeah, so I think I would, uh, certainly connect at the state level. Um, 'cause like I said, it, it, it's, while 80% of this money is going to the locals, it may be going from a shared service that's run by the state, right?
Um, and sponsored by the state. Um, so I think I would, I would start there, um, making those kinds of connections again, if you have, if you have, um, planning capabilities, make that known, um, to, to the states. 'cause really I think that's what they're gonna be focused on now. And then, uh, again, just familiarize yourself with what's in the grant. It's 93 pages, the nofo, I spent much of the weekend combin through that.
Um, you know, not, not, uh, terribly interesting reading, but it'll, you know, it'll give you an idea of what's, what's expected and align what your offerings are with what's required and see if there's a spot for you. Yeah, it was really tha So I'm gonna one, as we close out here with you, Karen, again, respecting your time.
Um, that, that was just, as I read through the least, the cursory level, the key req, like the requirements to have a cybersecurity plan just kind of stuck out over and over and over again. Mm-Hmm. So if you really understand, it seems like if you really understand planning, governance, that type of thing, you're, you're in a good spot to start, if I understand. Absolutely.
And certainly in the first year now there's, there will be a different nofo notice the funding opportunity every single year of this grant. So some of those requirements may, may change, but uh, you know, it's sort of, it, it gives you insight into what's sort of going to be expected over the next four years. Um, but understand that may change a little, but definitely in this first year, the planning is what's really, uh, the focus. Kent, thank you enough for coming on.
Can we have you back when you have maybe a little more time? Sure. Uh, knowing all this is kind of hammering you at, you know, this week and all, so Yeah, absolutely. No, I'd be happy to come back. Back. And I, again, I thank you guys for, for the invite for today. It was awesome to have. Thanks, Karen. Yeah. Alright. Thank you. Thanks Karen. Bye-Bye. Wow, that was awesome, Phyllis. Thank you so much for bringing her on. Um, yeah, no problem. That was fantastic.
Um, so Keith, um, you're, you're Mike Beard today, who couldn't actually on, uh, Mike was gonna join us. They do a lot of work. I always like now try to have a voice of the MSP in some part of the cyber call. 'cause I think it's really important. Um, Keith, I think we've known each other now, I think almost two decades. Um, so it's awesome to see you and you are looking fantastic. Um, Oh, thank you. Yeah, of course.
Keith, you work with municipalities and states, um, when you saw this, 'cause you've worked in this area a lot over the years. What, what did you think? Well, more so than the money, um, because those grants don't always get down to where you need to be. I think it starts allowing these municipalities to understand the importance of where we're going. You know, uh, I always like to tell people the, the security stuff we're replacing is the, I don't want use square word stuff.
We sold them years ago. So in some ways it looks like we're cycling. So to just have it and say the federal government has, um, decided this is so important that they're gonna throw some money at it, um, wakes people up. Now, when you're dealing in municipalities and governments, for those that do and don't, color of money is important to them. Like no one at a a local level cares exactly what they spend. They care whose pocket it comes out of.
Um, and, and the other thing is, it's very difficult to get things funded midstream. You know, we're working on the public utility budget, uh, two years ahead of time to get it before the board and the oversight. And you're going like, so you have to really have a good crystal ball or be as smart as we, um, to predict these things. But, uh, and, and just example at, at the port then we run into, which is kind of a complex one.
You have the port authority, you have the state, you have the federal government, you have the unions, you have the steam doors, and getting them to agree on little things takes time. Having these nudge points is helpful, at least in my presentation. Um, Phyllis, I'm gonna let you take over the questions that you were gonna ask Mike. But Heath, it is interesting because you worked with the ports, you worked with him for years.
Did, do you feel you might have a little bit of a leg up, meaning how this all flows, you know, local interstate and because it's gonna have this communal approach? Well, after, so I think we, we, we implemented the port system in 1999, so we have a little bit of experience there. It took a, you know, we finally at least know how to navigate it, which is important.
I mean, it's, it may sound like I'm trying to overly make it overly complex, but everyone wants to be in the approval and no one wants to be the approver. I dunno if that makes sense. Like, don't do something without us, but I won't go on the limb either. So it, it, it's taught us how to navigate through that and, and everything we get, which is one of the reasons I watch all your calls as we get these tidbits, are things I could pass on and say, this is not Keith or Vista.
This is coming from these guidelines that are being adopted at a much higher level. Um, I don't want to get into it, but I do have some security background and credentials. Um, but that doesn't seem to be enough. You know, they also like to see someone besides just me said this. Right. And, and, and I think it's helpful. Yeah. Awesome. Phyllis. Yeah.
So we heard Karen say over and over again about the planning, planning, planning and how really this first year the funding is around cybersecurity planning, have a plan and the governance. Um, so from your experience, um, you know, and working with governments as well, how is it this first year especially, and she said, you know, get involved at the state level. What advice could you give an MSP on?
Um, trying to, to do what you said, get in at the state level, try to influence, um, the planning and perhaps the metrics and all of that. I got in at the levels because I had a high profile project many years ago, cybersecurity at the Jet Propulsion Lab at Caltech. And so people think that sounds good. Um, but I also, it does sound good. I was gonna say you took the words right outta my mouth.
But I, but I also keep those relationships going by being active, um, in, in, um, community service and, and politics. Um, on a fringe, I, I like, like I had a ethics board. I'm advisor, um, to the state, um, uh, majority leader on cybersecurity issues. I I do some, uh, curriculum for the state university and community colleges.
It's, it's a, it's an ongoing network relationship because, you know, for a new MSP to say, I'm going to take, I've never done with government business, I'm gonna take this grant and be part of it is probably not accurate. You know, those would take doors that would open. Now the positive thing for someone getting into this is she said it's gonna be repeated year after year.
So if this is a direction you wanna go, start building those relationships and, and your local legislature will be extremely helpful. Their staff will and get and getting those doors open for you. Yeah, that's, I mean, I just offer 'em something in return. I mean, I think, um, we talk about, you know, I always tell them if you get cyber or you get IT issues that your office doesn't understand, gimme a call. And, and they do.
And, and I know Wes probably does the same thing, you know, they, they do every quarter. Maybe, you know, it's not a whole lot of your time, but it keeps you on the radar. Keith might, might you do some like, you know, thought leadership and webinars for like really a kind of appeal to those, those organizations.
I, I, I, we don't do webinars because, you know, our clients, the Longshore union and, and, and so I, I do speak at their hall and, and talk about, um, you know, hygiene and, and how we, um, into a business process context. You know, they really don't, the fact of cybersecurity and getting that doesn't resonate. What resonates to them is if we don't keep this system secure and redundant, you may not get dispatched for a few days and lose income.
So I always have to tie it back into that and to the, um, maturity of my AAU audience. Right. Yeah. Yeah, I agree. I mean, we often have talked about, you know, you have to tie cyber risk back to the business risk, right? Everyone understands the business risk. Um, they don't quite understand sometimes how cyber actually can affect that. So it's nice that you're able to do that. Um, also, you know, obviously you've implemented security probably within your own MSP.
Um, how do you feel that being able to talk about implementing security controls on your own enterprise, maybe even on behalf of other enterprises, how do you feel that can that can help influence decision makers as far as the grant or even when making connections? Well, for us, we're blessed in the fact that we actually, um, dispatch watchmen. So we have non-technical staff.
So when I, um, implement things like two FA and, uh, those, I'm dealing with people that are on the low end of the technical totem pole, which is great practice for us. I'm not sure that implementing it with our tech staff is great practice for us because all this stuff is pretty easy for us technical people, right? They go, that was easy. Now I could just roll it out to a company that doesn't do this.
Um, you know, we have dispatchers that all they are is, you know, it's like a phone answering service except, and so they're, that helps us a lot in, in, um, planning some implementation and, and practicing it in a safe environment. Um, and, and, um, maybe each smaller MSP has a customer or client, they're very close with that. They could say, I'm gonna roll this out.
And, you know, before we had that, I used to give customers, I'm gonna give you this service for two months while we roll it out. 'cause you're my Guinea pig. But I, I think having those test test beds are, are really important over webinars and theories we do. And, you know, we're all smart in the room. We, we like to chat and use all the good terms we know, but that doesn't really, you know, our customers have different skills. That's Interesting. So Keith, I've, I've got a question for you.
So I, you know, we asked Karen, in your mind, what does success look like with, you know, this much money being poured in and, you know, I appreciate that she came back and sort of said, well, keep in mind it's divided over four years and 50 states, right? So it's not all that much money at the end of the day. Um, what do you think success, in your opinion, what do you think success looks like?
Um, at the end of the day, after four years of this Success comes to me in, in awareness because, um, you know, we, we asking people for a lot, a lot of money and a lot of investment. And not just monetary into our licenses and, and bag of tricks. We're asking for an education and retraining process and maybe a redefinition, like when we do things on the shop floor for, for aerospace companies, redefining workflows and how does this tie into their lean flow that they've spent years perfecting.
And so I, I think there has to be a lot of motivation. Um, and this helps with that. And it, and it, um, creates more of a partnership. It doesn't fund at all, but it sure gives us some great talking materials. Yeah. I, it, it does. Um, what, what is, I don't know that every MSP on the call today recognizes where a lot of the municipal, municipal, I cannot talk to municipalities. There we go.
Um, and just state organizations look like from a cyber perspective, I mean, are they, we can gimme your, your view on like where they stand today in, in their cybersecurity maturity, their preparedness. Is it as bad as you see when you read these articles that just spook you and think, dear God, let us not be hit by a cyber attack. Um, or are they better off? What do you think? It, it's like turning an aircraft carrier.
I mean, it's, you give you an example for the public utility in the city where, you know, they have to go to their board, their management, their board, then to the city council, and then to the county board. So, you know, you're two years behind. You even get the approval to start the project, which means you're probably four years or five years behind where you need to be. Um, so I still think, you know, um, it's in the position where people are beginning to take it serious. I see.
Um, that, but it's still a process and, and, uh, it's why we get paid the big bucks. Yeah, I mean, I'm curious about that too. We had, you know, about, um, what 45% of the folks on this call that answered the survey said, yeah, they support SL tts. What are you seeing? Are you able to sell S SL TTS a security package? Or are they resistant? Is it just they want the cheapest, bare minimum? Um, you know, we work, no, they Need, they, they need help.
I think one of the skill sets you have to, to have maybe more in this market than even in the, in the pub, in the private company market, is you have to have the ability to help package it. So the person presenting it can rationalize the spending. No one wants to stand there in front of their board or the city council or the board of supervisors and get grilled on questions, uh, that they can't answer. Um, because every municipality has also wasted a ton of money on, uh, it spend.
I mean, that's historically true. Um, as you get into a better position, it could sit down and help make those presentations. I think that's important. Uh, you know, I make the presentations for in, in my local municipality because they know me. I, I'm chair of the ethics board. And you know, I think that gives it some credence. Um, but I think it's really a matter of people don't really understand what they're asking for and why. Um, you know, that I, I get questions.
We have to respect the questionnaire, and I think we often, I got questions just, don't we have backups? And you go, that is a legitimate question from someone that doesn't understand all the dynamics of what we do. And by the way, I couldn't run a public utility, so I respect their position. Um, and you have to start explaining to 'em what are the other damages of, of an event, uh, of, of, um, you know, the loss of your co customer's confidence, the, um, downtime in your business.
The fact that there's a four to one ratio. You know, there's a study by key management years ago when one user's down, they interrupt three others. So the math is incorrect. And you say, oh, just Wes isn't working. You go, no, if Wes isn't working, he's calling Andrew and say, Hey, did you watch a game last night? I'm bored. I'm, I need someone to talk to. That's the dynamics of, of, of, uh, this, those are the things they understand, but they need to be educated.
And we have to remember, we sit on the cyber call every week and we're smart. They're not, they're doing something else. Someone just posted, well, um, you know, you have to put in a bid and then, um, really they just go to the cheapest one. Is that is, you know, it seems like you have a better relationship and it's, it's not that, Um, no, that's sometimes true, but not always. There is a, you can, you can bid a lot of things based on your requirements.
An example, we've had the dispatch system since 1999. It goes out forbid by statute every five years. The one requirement is you must have operated, which someone helped them put into it. You must have operated a maritime dispatch system successfully dispatching union workers for at least five years. Well, as far as we know, there's only one company in the country that successfully has had a dispatch system in operation for over five years. So other people can bid and they get disqualified.
Next thing is, um, if you were to read our description, when they go out and bid it, it doesn't mention servers or computers. And we've talked about this, I think with some people before. It says, you must have a a night dispatch, a night dispatch chalkboard. Do you even know how to bid that? Do you know what that is? I could. You know, it's, it's a, it's, it's, and so it's a lot of ways protect the territory. And by the way, certain things do go out to bid every year.
Certain things that are complex, you can get long-term and, and, and, um, you can, you can be sole provider. It happens quite often. But in this case, correct me if I'm wrong, Phyllis, I'm gonna come to you again.
What you, you said, and we heard Karen over and over, and when you read the literature, this is about planning and I, and I, it, it is, you know, and I gotta, maybe I'm just naive, but I gotta believe if you're an MSP, that really gets in almost like, you know, I know Jennifer Van Weers out there, like the MSPs that have really dug into CMMC, just using that as a quick analogy here. Truly understand what is happening, right? In this case, at the federal, you know, federal level.
But this case at the state level, I, I have to believe that if you help that municipality and the state come together and that municipality receives money, I got, I, I gotta believe you're gonna be sitting in a pretty good position to, to implement that security program. Is that, is that naive? No, I mean, I think you're absolutely right. Um, and then, you know, Karen's really did recommend, um, get involved at the state level.
The municipalities, um, will have some knowledge of how to get involved at the state level. I mean, they're not, I mean, they, they may not be cyber aware, but there's someone who knows how to get money. Mm-Hmm. Um, in a municipality for sure. Um, and I will tell you, everybody in this country right now who's ins LTT government understands that that bill came through, right? Ms. IAC has over 14,000 members. They've been talking about it for a while. The states will be talking about it.
So it is true, you know, um, just like Keith has been talking about, you have to get that networking and you do have to figure out how to have that influence initially. I think there's a, there's a great recognition and you saw it coming from CISA as they put out more and more advisories on, on MSPs. There's great recognition at the federal level that means it's gonna trickle down to state and local level as well, that MSPs are running networks and IT infrastructure for s SLTs, right?
And so, um, you know, I have got to believe that part of the cybersecurity planning knows that and that they're keeping that in mind. So I believe that, um, those MSPs that step forward, I think your help will be welcome, right? Because everyone knows it. And more and more, you know, Andrew posts it all the time as well. CSA is calling out MSPs and I don't wanna say it in a mean way, but the way those advisories come down, it does kind of seem like they're calling out MSPs, you know?
Um, Unfortunately they do. And, and, and it's clear the isa, MS. ISAC does as well because CISA and MS. isac about a year ago, did write a joint paper Mm-Hmm. About supply chain and msp. So again, I just, it's easy for I think everybody to just go, ah, it's gonna be a bid thing. I'm not gonna get involved. I'm not gonna waste my time, et cetera.
But again, I think the MSPs that invest a little here, um, that are understand municipality have been working in it, man, I, I think there's gonna be, I think there's gonna be some upside. Um, By the way, there's, there's big qualifications. I I, I'll do a quick story not to board one. We started our business in 1999. There was an opportunity to do the Boeing shop floor C 17 final assembly. I was so dumb when I filled out the bid, we got it.
And I called the, when the guy called me and said, I said, man, did I do it too cheap? He said, no, you were the only person that bid that reached our small business Setaside. He goes, the other people that bid was like IBM and, and and parole systems and so on. And so everyone, I always, when I talked to other MSPs, I said, everyone sat in a room and said, we'll never get that. That's Boeing. So I got it. 'cause I was the only guy dumb enough to fill out the form.
'cause I was the only one that wasn't smart enough to know the reasons I shouldn't get it. So Think probably gonna have what? I think we lost you. You lost me. Yeah. Yeah. Okay. Now I was gonna say like, yes, Philip, do you think, you know, if you're a woman owned, you know, just gonna be direct, right? Woman owned MSP, minority, MSP to to, but aside from what Keith just said, you're going to have a leg up, especially if you're have some of those qualifications now. Right?
So certainly states have to, um, spend a certain amount of money for minority owned and operated small businesses. Um, states do get, you know, the color of money. That is a color of money for sure. As far as being wrapped up into the grant, I'm not quite sure if it's like specific language in the grant, but certainly, um, that has got to be somewhat of a benefit. Um, I also wanted to say, you know, these cybersecurity plans I'm sure are going to be made public. Mm-Hmm.
Um, as Karen said, this is year one money, right? So there's year two, year three, year four, year five. Um, and as Keith has said, if you're not, um, if you're not well connected within your state, you do, you need to start doing some things. If you care about this business, um, and you want some follow on money, now's the time to start networking. This is not, the grant came out and I only have three months to start networking 'cause money's gonna be let out in 2023.
It's not, it's, it's, you have, you know, years to come. And so it is, you know, start networking now if you're interested, um, in this population and, um, move forward on it. You know, someone mentioned state ramp. State Ramp is not quite mandated yet. Um, you know, state Ramp is trying to align with FedRAMP as well as, um, some of the state laws. Um, that's a whole nother conversation, state ramp.
But, um, By the way, just to, just to point out how deep the networking goes, um, the governor just appointed my son, Ryan, who some of you have met special needs as the, uh, as a director to state council. And so, I mean, a little, it's little. Yeah, I, well he's, he's an awesome guy. He's much better than my other son. Um, and so that's an inside joke for some people.
Um, so, um, but it's, it's just those relationships and they, and they will call you up and say, this is something you need to look at because we're not getting the right qualified, uh, bidders. And so, um, relationships help a lot, not price. Yeah. Wes, um, what do you think, um, you know, we've had on Chris Sanders with, you know, the, his role tech fund. What do you think he's gonna be thinking here? And do you, you know, how do you think that whole thing will flow?
'cause Rural was called out specifically. Yeah, Ru Rural was called out. Um, I'm sure Chris is, uh, I haven't talked to him about it, but I'm sure he is really excited about it. You know, you look at these, the reason I asked that question earlier that I got, uh, Felicia and a ton of people, Matt Lee all like negative 100 in terms of their, their maturity readiness. I mean, it's the truth.
You look at a lot of these rural, you know, internet, rural water, rural wastewater, electric, a lot of these are just just way behind. And I actually, I've had opportunity to work with many of them. Um, in my perch days, we did a lot of work with the water isac. And so I'm, I'm on often with these water utilities and, um, you know, boy, for them security looks like how much can we just try to kind of hide behind our OT network and pray nothing happens. Right?
And it's, um, boy, it's tough for them because they just, the, the money for them comes, it's, it's, I'm sure they have state funds, I don't understand all the details of it, right? But their members are a huge component and the members don't want to vote for this stuff. They don't go imagine them having a meeting, a local water, rural water utility saying we wanna raise the price by $10 per month per member so that we can afford some cybersecurity upgrades. That's gonna go down in a heartbeat.
Um, so these are the things that they are really struggling with for sure.
Yeah, it's, it's interesting you mentioned ot, you know, whether it's James Carroll or, or John Strand, the, this, this, this is anecdotal, I don't know if it means anything, but you talk about budget and everything, um, they're always like west cringing when they have to pen test and OT network for the mere sake of taking down the entire electric grid because of the age of, you know, all of the, you know, ICS you know, the systems. It's, it's, it's pretty frightening.
Um, Keith, have you experienced that to a degree on the OT side? Uh, Yeah. I, I, you know, with, with the municipality, you know, there's a lot of these networks in, in, in public sector are built through osmosis without a, a real plan. And they've kind of evolved and, you know, just getting your arms around it. And it is the nature of funding. We have a, you know, if you get political, we have a serious funding problem in our government.
The way things are funded, the way budgets are done, the long, the ability to do long-term planning that you have in the private sector, it, it makes it difficult, especially as administrations change and, and boards and supervisors and city council. And a lot of times you're starting back at square one. Why did they approve this and why should we continue it. And, and so it's an ongoing education, uh, process and continually keeping your plan raising to the, to the top. Yeah. Very cool.
You know, there, there's one ancillary to that I'm curious, um, in Florida, so I live in Florida. Um, pat, uh, I'm sure you remember seeing this as well, Andrew, that our governor put out a, um, uh, a signed legislature that ransoms are no longer paid for state organizations in Florida. Just done, you're not paying it. Right?
I wonder if we see things like that continue to happen of like putting deeper cybersecurity, uh, lines in the sand, if that forces, you know, okay, if I can't pay a ransom anymore, it's literally impossible for me as a state organization in, um, in Florida. Um, how, what, what are we gonna do in, in response to lowering the opportunity threshold for that to happen, right?
It's just, I wonder what if, if we're going to see a lot of things all start to stack up here, not just in terms of funding, but even changes in making harder legislature and forcing security up in the, the risk management pipeline, um, by, by, by forcing better things. I just, I wonder, right. I'm just thinking out loud, I'm, I don't know what any of you three think, but I wonder No, it's, It's an actuary equation. It's the same thing when PCI compliance was there.
People said, since no one's getting penalized and there's no ramifications for not doing it, let's not. And so, um, you know, it's an actuary equation that someone sits there that's smarter than you and I that goes, no, you want this much to do it and we see this much risk and it's not that high. I don't think it pans out, you know, and it's, it's when there's repercussions that people say, why didn't you tell me to do this years ago? Right, right. Always, always. Yeah.
Well, I know we're at the top of the hour, Keith, thank you so much for coming on, but always greatly with us. Absolutely. Um, one, one thing, uh, Wes that was kind of thrown out there that I know you have a lot of experience with, I wish we had time to talk about more is, and, and Phyllis is there's questions around cyber insurance and I wonder what role right, that's gonna play in this whole, you know, funding process. Will, will they play a role right, as a stakeholder in this whole thing?
I would think they would. Um, you know, so anyway, that's maybe something we could talk, pick up on a little bit. Next episode, um, join us next week. We are gonna be talking with somebody that really understands M 365 at scale, the challenges that come with, um, configurations of M 365 security with M 365 at scale. That'll be a really fun one, Wes and, and Phyllis. I'm looking forward to that. I'm excited. Yeah. I'm gonna learn on this one, that's for sure. Yeah, Same, same.
I really wanna know about M 365, so this'll be good. I only play with it loosely, so. Yeah. Alright, until then, we'll see you next week. Everybody back at our usual time. And, uh, appreciate you guys all bearing with, with us as we have been traveling the last few weeks. Until then, take care everyone. Thanks Everyone. Thank you. Thanks.
Related Videos

The Vulnerability Crisis No One is Funding
The Vulnerability Crisis No One is Funding

The Vulnpocalypse Is Here & Your MSP Can Survive It
The Vulnpocalypse Is Here & Your MSP Can Survive It

The CyberCall: The 2026 Verizon DBIR Unpacked with Author Philippe Langlois
The CyberCall: The 2026 Verizon DBIR Unpacked with Author Philippe Langlois