Public Water Suppliers Cybersecurity Improvements Grant Program

Massachusetts is offering grants to eligible Public Water Suppliers (PWSs) to proactively mitigate cybersecurity risk and enhance overall resiliency.

Program Detail

The Drinking Water State Revolving Fund, in partnership with the Massachusetts Department of Environmental Protection Drinking Water Program (MassDEP DWP), is offering grant funds of up to $50,000 to PWSs that have a cybersecurity risk assessment and use operational technology equipment with an identified cybersecurity risk.

Background

The MassDEP DWP is actively working to improve the cybersecurity and resilience of PWSs. Cybersecurity must be addressed in a PWS's Emergency Response Plan (ERP) per 310 CMR 22.04(13). The PWS must have assessed its system, including cybersecurity, and have a plan to address acts of vandalism or sabotage, including cyber incidents, that have the potential to impact the quality or quantity of water available to the system (as required by 310 CMR 22.04(13)(a)9).

Goal. The goal of this grant is to support PWSs in improving their cybersecurity defense, mitigating the risks of cyber-attacks, and enhancing overall resiliency and compliance.

Eligibility

To be eligible to apply for the Cybersecurity Grant, a PWS must meet one of the following criteria:

Pre-Requisite: (A PWS must fulfill both of the following requirements)

Operational Technology (OT) Conditions: A PWS must have OT equipment with a cybersecurity risk. OT equipment is defined as hardware and software that detects or causes a change to water treatment and/or distribution processes through the direct monitoring or control of physical devices, processes, and events in the enterprise. OT equipment presenting a cybersecurity risk includes equipment that, after initial installation, is or may occasionally be:

  • connected to a computer (for any reason, including alarm reporting and patching),
  • connected to a network (local, wide area or internet), or
  • remotely accessible (either for control or monitoring)

And

Cybersecurity Assessment: A PWS must have a cybersecurity assessment or evaluation program and have completed a cybersecurity assessment performed by either the PWS or a qualified entity such as the US Environmental Protection Agency (EPA), the Cybersecurity and Infrastructure Security Agency (CISA), or another qualified third-party organization within the past two years. This assessment must include a report that highlights cybersecurity findings, gaps, and vulnerabilities and proposes potential recommendations to address or mitigate the issues.

Funding

The Massachusetts SRF is offering up to $2 million in funding for this program. The maximum grant amount awarded will vary from $15,000 to $50,000 and will depend on factors such as PWS type, size, and findings in the cybersecurity assessment report.

PWS Population Served    Maximum Grant Amount
Less than 3,300          $15,000
3,300 to 10,000          $30,000
More than 10,000*        $50,000

*Disadvantaged Community PWS only

Eligible Projects

Funding can be allocated to OT cybersecurity improvement projects to proactively mitigate vulnerability to cyberattacks and strengthen the PWS's overall cybersecurity posture. The projects will depend on the findings in the assessment report. Eligible projects may include, but are not limited to:

  • Upgrading, replacing, or removing unsupported and end-of-life hardware, software, and operating systems
  • Incident response planning
  • Employee training programs
  • Network segmentation
  • Improving remote access security
  • Encryption implementation
  • Developing and updating an Emergency Response Plan/Cybersecurity Incident Response Plan
  • Penetration testing (only if all assessment findings have been taken care of)

Note that specific activities such as annual software subscriptions may not be eligible for use with grant funds. Grant funds may not be used for operation and maintenance activity.

Program Timeline and Application Process

Applications will be accepted on a rolling basis, but there are a few important dates to consider.

  • Application process opens March 22, 2024
  • Final grant application deadline June 1, 2024

Application Process and What to Expect After Applying

Eligible PWSs may apply on a rolling basis through June 1, 2024, or until all funds are expended.

The Application, and other materials, can be downloaded at the following links.

  1. Application and Scope of Work Forms
  2. Required Appendices*

* Statements included in Appendix A must be included in your initial application submission. Further required supplemental materials (Appendices B, C, and D) are not required immediately with your application but must be submitted prior to the deadline to be awarded a Cybersecurity Improvements Grant.

Submission: The PWS must complete the application and submit it to the MassDEP Drinking Water Program using the following link. The link is secure, and only designated MassDEP staff will have access. If your PWS has any questions about the submission of sensitive information in this application, please contact the Drinking Water Program at program.director-dwp@mass.gov.

Upon submission of the application:

  1. Applications are reviewed by MassDEP. MassDEP may contact the PWS to verify their eligibility for this grant. If determined to be necessary, MassDEP will schedule a project review meeting, in person or through another secure method, to discuss your projected needs, cost, and schedule before approval is granted.
  2. Eligible projects are approved by MassDEP and issued a Project Approval Certificate (PAC). 
  3. MassDEP forwards the PAC to the Massachusetts Clean Water Trust (Trust) for review and approval by a vote of the Trust’s Board of Trustees.
  4. The Trust reviews the financial documentation submitted and, if acceptable, enters into a Grant Agreement with the PWS (a copy of the grant agreement may be found here).
  5. Upon receipt of the fully executed Grant Agreement, the Trust creates a grant account and funds can begin to be drawn by submitting invoices for MassDEP approval. The Grant Agreement must be fully executed by June 30, 2024.
  6. Eligible expenses incurred from the date of the PAC through the contract end date may be submitted for reimbursement. The final payment will be held until the grant closeout conditions have been met.

Contractors/Consultants for Cybersecurity Related Projects

PWSs are encouraged to use contractors listed under the OSD ITS78 Statewide Contract for Data, Cybersecurity, and Related Audit Compliance and Incident Response Services. Alternatively, if the PWS already has a qualified contractor/consultant, it can use that contractor/consultant with prior written approval from MassDEP/DWP.
