Cybersecurity for Discretionary Grant Projects
The Bipartisan Infrastructure Law (BIL) makes historic investments in the transportation sector, providing the U.S. Department of Transportation (DOT) with grant funding for infrastructure development and modernization. When DOT awards discretionary grants, it includes cybersecurity requirements, where applicable, to promote cyber resilience across the transportation sector.
The Office of Sector Cyber Coordination works with DOT's grant program offices to include Critical Infrastructure Security and Resilience language in Notices of Funding Opportunity (NOFO) announcements. This language alerts grant applicants of the need to identify and address grant project cyber risks, which contributes to the continued availability of safe transportation systems sector operations.
Below are Frequently Asked Questions (FAQs) relating to DOT's integration of cybersecurity into discretionary grant programs.
It is the United States’ policy to strengthen the security and resilience of its critical infrastructure against all hazards, including cyber risks. Transportation is vital to the U.S. economy and its national security—enabling the safe and efficient movement of goods and people. The transportation systems sector has been the target of malicious cyberattacks. For this reason, DOT includes cybersecurity requirements in its discretionary grant agreements for projects that have potential cyber risks, to help support the transportation sector's safety and operability amid a growing cyber risk landscape.
DOT may include any or all of the following as part of discretionary grant agreements:
- Designate a Cybersecurity Point of Contact: Grantees need to identify an individual whom DOT may contact to answer questions regarding their organization's implementation of the DOT cybersecurity grant agreement provisions.
- Develop a Cyber Incident Response Plan: Grantees need to develop a plan that clearly identifies an incident manager and lists all the necessary steps to both isolate infected system(s) and fully restore any impaired services or capabilities should a cyber incident occur.
- Develop a Cyber Incident Reporting Plan: Grantees need to develop a plan that outlines the steps the organization will take to report to either the Cybersecurity and Infrastructure Security Agency (CISA) or the Federal Bureau of Investigation (FBI) when it determines a cyber incident has occurred.
- Conduct a Cybersecurity Self-Assessment: Within two (2) years of the beginning of the grant agreement’s period of performance, grantees need to complete a cybersecurity self-assessment. There are several publicly available cybersecurity self-assessments, such as the Cybersecurity Assessment Tool for Transit (CATT), CISA's Cybersecurity Performance Goals Checklist, and CISA's Cyber Security Evaluation Tool (CSET) that may guide this process.
While DOT strongly encourages recipients of formula grant funding to also address cybersecurity in their project planning, formula grant recipients should continue to meet requirements as stipulated in their grant agreements and terms and conditions. Formula grant recipients should, as with all other DOT grant recipients, strive to promote transportation infrastructure that is secure and resilient by design.
DOT has developed technical assistance to support transportation systems owners and operators to strengthen cybersecurity. The assistance, which you can find at this website, describes DOT’s cybersecurity approach for grantees and includes a guide to additional resource material for:
- Incident Reporting
- Incident Response Planning
- Cybersecurity Self-Assessments
- General Cybersecurity Best Practices
No, if you are meeting similar cybersecurity requirements from other U.S. Government agencies, DOT will not include duplicative requirements in your grant agreement. DOT collaborates with fellow U.S. Government agencies and grantees to identify whether its grantees are already meeting similar federal cybersecurity requirements when it determines the terms and conditions to include in DOT grant agreements.
No, the Office of Sector Cyber Coordination is not administering cybersecurity grants. It is integrating cybersecurity protections into discretionary grants that DOT Operating Administrations have selected for award.
No, the Cybersecurity Self-Assessment that you need to complete in accordance with the Terms and Conditions of your discretionary grant agreement is not a risk assessment. It can best be described as a maturity assessment that allows your organization to better understand cybersecurity strengths and weaknesses so you can take appropriate action to prioritize and mitigate deficiencies identified by the assessment.