The Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the National Cyber Director (ONCD) have jointly published a comprehensive guide aimed at embedding cybersecurity into federally funded infrastructure projects. Titled Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure, the guide offers essential tools and resources for grant-making agencies and recipients to incorporate strong cybersecurity practices into their programs and infrastructure initiatives.
This cybersecurity playbook is designed to assist federal grant program managers, critical infrastructure owners and operators, and organizations such as state, local, tribal, and territorial governments that sub-award grant funds or oversee grant-funded projects.
With the U.S. making historic investments in infrastructure through legislative acts such as the Infrastructure Investment and Jobs Act (IIJA), the Inflation Reduction Act (IRA), and the CHIPS and Science Act, this guidance emphasizes the critical need for cybersecurity to be integrated into the foundation of these projects.
Key Features of the Cybersecurity Playbook
The playbook provides a structured approach to incorporating cybersecurity into grant programs and offers:
- Recommended actions for integrating cybersecurity throughout the grant lifecycle.
- Model language for Notices of Funding Opportunity (NOFOs) and Terms & Conditions to ensure clear cybersecurity expectations for applicants.
- Templates for grant recipients to create Cyber Risk Assessments and Project Cybersecurity Plans.
- A comprehensive list of cybersecurity resources to support the execution of grant-funded projects securely.
CISA Director Jen Easterly highlighted the significance of this guidance, stating, “As organizations take advantage of historic infrastructure grants, it’s critical to ensure the security and resilience of this next generation of American infrastructure in every community across our nation.”
Harry Coker Jr., White House National Cyber Director, echoed these sentiments, emphasizing the importance of “cybersecurity by design” in rebuilding the nation’s critical infrastructure. He noted, “We need infrastructure projects to be shovel-ready and cyber-ready. This guidance will serve as a valuable resource to ensure cybersecurity is a fundamental part of every infrastructure project from the outset.”
Minimizing Burden While Maximizing Security
CISA and ONCD have designed the playbook to be flexible and to minimize administrative burden while ensuring that baseline cybersecurity practices are included in federally funded projects. Federal agencies administering grants, sub-awarding organizations, and infrastructure operators are encouraged to adopt the playbook’s recommendations to safeguard projects from evolving cyber threats.
Directive to Secure Cloud Services
In addition to the playbook, CISA has issued Binding Operational Directive (BOD) 25-01: Implementing Secure Practices for Cloud Services. This directive mandates federal civilian agencies to strengthen the security of cloud environments by implementing assessment tools and aligning their configurations with CISA’s Secure Cloud Business Applications (SCuBA) project.
Recent cybersecurity incidents have highlighted the risks posed by cloud misconfigurations, which can enable attackers to gain unauthorized access, exfiltrate data, or disrupt services. In response, BOD 25-01 requires federal agencies to:
- Identify cloud tenants within their scope and report this information to CISA.
- Deploy SCuBA assessment tools for continuous monitoring and alignment with secure configuration baselines.
- Implement mandatory SCuBA policies and update configurations to address evolving threats.
By June 2025, federal civilian agencies must fully implement these requirements to reduce risks associated with cloud vulnerabilities.
CISA Director Jen Easterly reiterated the urgency of these measures, stating, “Malicious threat actors are increasingly targeting cloud environments and evolving their tactics. These actions are a crucial step in reducing risk to the federal civilian enterprise. We urge all organizations to adopt this guidance to collectively bolster national cyber resilience.”
Strengthening Cloud Security with SCuBA
The SCuBA project underpins this directive by providing consistent security baselines for widely used Software-as-a-Service (SaaS) products, such as Microsoft Office 365. These baselines are complemented by assessment tools that allow agencies to monitor their cloud environments effectively and address deviations from secure configurations.
CISA emphasizes the importance of keeping security configurations updated, as outdated settings can expose systems to vulnerabilities. Regular reviews and adjustments ensure agencies remain aligned with evolving best practices and emerging cyber threats.
Why This Matters
The guidance and directives released by CISA and ONCD mark a significant step toward safeguarding U.S. infrastructure and federal networks against cyberattacks. As the nation invests in modernizing its critical infrastructure, integrating cybersecurity from the start will not only enhance resilience but also protect public trust in these vital systems.
Federal agencies, grant recipients, and infrastructure operators are encouraged to adopt the playbook and implement the required cloud security measures promptly. These actions are crucial to ensuring that the next generation of American infrastructure is not only innovative but also secure and resilient.
