Frequently Asked Questions

All state and local government entities are eligible to participate in the Whole-of-State Cybersecurity Plan. The Whole-of-State Plan provides shared cybersecurity solutions and funding to entities across Minnesota. Eligible public entities include:

• Counties, municipalities, cities, towns, townships, local public authorities, port cities.
• Rural communities, unincorporated towns or villages.
• Authorized Tribal governments and organizations.
• K-12 public school districts, special districts, intrastate districts. 
• Councils of government, regional or interstate government entities, or agencies or instrumentalities of a local government.
• Government-affiliated critical infrastructure.

Local entities interested in participating in the Whole-of-State Cybersecurity Plan must begin by following these steps:

1. Fill out the Whole-of-State SLCGP Survey with your organization’s information. This is a required first step for participants. MNIT will use the survey information to better shape and deliver cybersecurity services for our plan, and to contact you about services available. 
2. Send an email to the Cyber Navigator team notifying them your organization has completed the survey: CN.MNIT@state.mn.us.
3. Sign up to receive news and updates about the Whole-of-Security Plan. 
4. Sign up for CISA Cyber Hygiene Services. This is a requirement for all participants.

After completing steps 1 and 2, the Cyber Navigator team will contact your organization to schedule a meeting. In that meeting, they will provide an overview, review roles and responsibilities, answer questions, and share the required program documentation. Once this is complete, MNIT will schedule a kick-off meeting and provide an entity-specific deployment timeline.

Goal 1: Mature cyber capabilities throughout the state.
Goal 2: Increase participation in programs and services known to work.
Goal 3: Collaborate and share information throughout the state.
Goal 4: Prepare and plan for cyber incidents by strengthening the cyber-resiliency of critical infrastructure.

The Whole-of-State Plan can be found here.

Through the Whole-of-State plan, participating entities have access to cost-efficient, sustainable, advanced cybersecurity tools and resources that are subsidized with federal and state funding. 

By participating in the plan, your organization can:

• Mature its cyber capabilities.
• Reduce the risk of cyber threats by leveraging statewide programs.
• Collaborate and share information with MNIT and other local entities.
• Be better equipped to plan and prepare for cyber incidents.
• Help to continue keeping Minnesota’s and Minnesotans’ data secure.

The Nationwide Cybersecurity Review (NCSR) is a no-cost, anonymous, self-assessment offered to all states (and agencies), local governments (and departments), Tribal Nations, and territorial governments through the Center for Internet Security (CIS). 

This is an excellent way to learn about your organizational baseline. The assessment is open from Oct. 1-Feb. 28 each year. All government partners are strongly encouraged to complete this assessment annually. Your organization can review NCSR information and register at Nationwide Cybersecurity Review (NCSR).

Through the Whole-of-State Plan, MNIT helps eligible entities strengthen their cyber resiliency and secure data that Minnesotans have entrusted to their organization. Funding for the Whole-of-State Plan comes from several sources, and used for two main programs: 

Statewide Security Monitoring Initiative (SSMI): Eligible entities include Minnesota’s counties, port cities, and Tribal Nations. This has been funded through federal homeland security grants since 2012. The SSMI grant program was renewed for 2023 with $1.9 million of federal funds awarded to MNIT to deliver SSMI services to counties, port cities, and Tribal Nations.

State and Local Cybersecurity Grant Program (SLCGP): Eligible entities include cities, public schools, Tribal Nations, and government-affiliated critical infrastructure.

For four years (July 1, 2023 - June 30, 2027), the Whole-of-State Cybersecurity Plan will include $23.5 million through SLCGP funds. The funds are available to Minnesota through an annual application process and are designed to adjust annually based on a four-year program formula. 

This grant program is not expected to be renewed by the federal government at the end of the four years and requires an increasing percentage of state matching funds each year to encourage state and local governments to develop sustainable funding for efforts that will last longer than the four-year SLCGP. 

To drive sustainable program investments and to ensure programs are available to as many eligible entities as possible, the Cybersecurity Task Force might require participating entities to share the costs and benefits of security solutions and approved efforts in focus areas.

SLCGP funding includes:

• $18 million in federal funds allocated to Minnesota through the SLCGP.
• $5.5 million in state matching funds from the Minnesota Legislature.

In an effort to address additional concerns that Whole-of-State SLCGP survey respondents identified, MNIT is developing services for:

• Threat intelligence: To monitor for indicators of compromised data and provide timely alerts.
• Vulnerability management: To scan public-facing devices, domains, and IPs for vulnerabilities and provide timely mitigation guidance. 

Both services are nearly at the rollout stage and will benefit a range of partners across the state. 

MNIT will continue to work with our partners and the Cybersecurity Task Force to identify gaps and needs for additional cybersecurity efforts.

Minnesota is committed to ensuring the funding from the SLCGP grant program supports as many local government organizations as possible. 

Federal law requires states to pass through at least 80% of the total funding to local governments through shared solutions/capabilities or a sub-grant process. MNIT has committed to pass through as much of the overall funding as possible, exceeding the 80% requirement. 

In addition, at least 25% of Minnesota's total funding will be designated for rural areas, defined as communities with a population of less than 50,000 residents.

This funding is helping: 

• Local governments, Tribal Nations, and school organizations acquire the tools and resources they need to enhance their existing baseline cybersecurity capabilities.
• Expand the use of advanced cybersecurity detection and defensive tools and capabilities.
• Expand threat intelligence analysis and collaboration throughout Minnesota.
• Bring security products, services, and resources to critical infrastructure through strategic partnerships.

The federal grant requires MNIT to pass through solutions and/or funding no later than 45 days after FEMA and CISA release the funding to the state. Based on this requirement, MNIT and the Cybersecurity Task Force will submit funding requests monthly, as eligible entities complete the required grant program and work orders (service agreements). 

We anticipate that many of these agreements will require action by boards, councils, or other elected bodies on behalf of the eligible organizations and may take days or weeks to gain proper approvals. 

Submitting projects for funding release on a rolling basis will ensure that participating organizations' needs can be met as quickly as possible once approved and help Minnesota meet the 45-day passthrough requirement.

Local entities interested in participating in the Whole-of-State Cybersecurity Plan must begin by following these steps:

1. Fill out the Whole-of-State SLCGP Survey with your organization’s information. This is a required first step for participants. MNIT will use the survey information to better shape and deliver cybersecurity services for our plan, and to contact you about services available. 
2. Send an email to the Cyber Navigator team notifying them your organization has completed the survey: CN.MNIT@state.mn.us.
3. Sign up to receive news and updates about the Whole-of-Security Plan. 
4. Sign up for CISA Cyber Hygiene Services. This is a requirement for all participants.

After completing steps 1 and 2, the Cyber Navigator team will contact your organization to schedule a meeting. In that meeting, they will provide an overview, review roles and responsibilities, answer questions, and share the required program documentation. Once this is complete, MNIT will schedule a kick-off meeting and provide an entity-specific deployment timeline.

Yes, but funding will be approved only for projects that align with the specific program goals set by the Cybersecurity Task Force. If your approved request includes a vendor different from the one that is part of the shared solution available through the plan, it will be subsidized at the same level of funding as the shared solution.

Eligible entities, such as local governments and K-12 schools, need to:

1. Complete the SLCGP survey to be considered for using shared solutions. 
2. Execute a shared solution service agreement by the proper authority within the eligible entity. This could require board or council approval for some organizations. The Whole-of-State program team will work with you to identify the right agreements and help with the approval process. 
3. Take responsibility for certain aspects of adoption. For example, each entity will be required to identify all endpoints (desktops, laptops, servers, and more) that need protection and install the MDR software. Some additional configurations will be required. 

Our security experts will provide an implementation and configuration guide to help you onboard. In some cases, an IT provider may be needed to install and configure a solution. We will work with your existing provider to scope that work. If you do not have a provider, we will offer a program to assist you in foundational security work, including the implementation of MDR and other baseline security controls in a future project release.

Shared solutions offer a consistent product that is cost-effective, efficient, and brings value to eligible entities. We can negotiate a better statewide price for the benefit of all participants because of the scale of adoption. This approach has been proven to work in Minnesota with the SSMI program. Organizations that participated in SSMI’s shared solutions recognized significant cost savings compared to buying and managing their own solutions.

If an eligible entity in Minnesota prefers to choose and buy its own solution, they can apply for an SLCGP project. These project proposals will follow a sub-grant process that requires a grant application, project documentation, and quarterly updates on progress and success criteria results. To be considered by the task force, the proposed solution will need to meet the same criteria set by the task force for the shared solution core capabilities. Any alternate solutions funded through this program will be limited to the same subsidy level as entities choosing the shared solution receive. For example, if the shared solution costs $35/device and the cost share is $17/device, the subsidy amount for any qualifying solution will be limited to the difference of $18/device.

Possibly, but not for the same solution and capabilities you already have. Supplanting is a term that refers to using grant funds to pay for something you already own and budgeted for – this is forbidden. For example, if you currently use an MDR tool that you budgeted and paid for, you cannot get grant funds to pay for that same product and use your budget for something else. Any questions related to supplanting should be directed to the MNIT Cyber Navigator team.

The vulnerability management service provides participating entities with an ongoing, regular process to identify, assess, manage, and remediate cyber vulnerabilities across public-facing devices. These scans identify weaknesses that can be exploited by threat actors. This service is similar to CISA external scans with added MNIT consultative services and discovery of unknown devices. Entities are still required to sign up for CISA Cyber Hygiene Services if utilizing the MNIT program.

MNIT vulnerability management services are expected to be available in late 2024.

Local entities interested in participating in the Whole-of-State Cybersecurity Plan must begin by following these steps:

1. Fill out the Whole-of-State SLCGP Survey with your organization’s information. This is a required first step for participants. MNIT will use the survey information to better shape and deliver cybersecurity services for our plan and to contact your organization about service availability. 
2. Send an email to the Cyber Navigator team notifying them your organization has completed the survey: CN.MNIT@state.mn.us.
3. Sign up to receive news and updates about the Whole-of-Security Plan. 
4. Sign up for CISA Cyber Hygiene services. This is a requirement for all participants.

After completing steps 1 and 2, the Cyber Navigator team will contact your organization to schedule a meeting. In that meeting, they will provide an overview, review roles and responsibilities, answer questions, and share the required program documentation. Once this is complete, MNIT will schedule a kick-off meeting and provide an entity-specific deployment timeline.

Cyber Navigators lead communication efforts with eligible partner entities interested in Whole-of-State services. The Cyber Navigators meet with interested entities, discuss grant program details, and collect information needed to provide the work order and provision tools and services. 

The Cyber Navigators manage the process at each stage and continue as a primary point of contact for entities participating in MNIT programs. They act as a liaison between MNIT and the eligible entities to enhance and strengthen organizational cybersecurity posture. They work with local government entities, vendors, as well as state and federal agencies, to answer questions and provide information. 

Additionally, Cyber Navigators work closely with the Minnesota Fusion Center and federal agencies on range of cybersecurity topics and can connect entities to other local, state, and federal agencies. 

Email the Cyber Navigators at CN.MNIT@state.mn.us to learn more about Whole-of-State Cybersecurity Plan or with any other questions.