On September 16, 2022, the Department of Homeland Security (DHS) announced a first-of-its-kind cybersecurity grant program specifically for state, local, and territorial (SLT) governments across the country.
Funding from the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP) helps eligible entities address cybersecurity risks and threats to information systems owned or operated by—or on behalf of—state, local and territorial (SLT) governments. Through two distinct Notices of Funding Opportunity (NOFOs), SLCGP and TCGP combined will distribute $1 billion over four years to support projects throughout the performance period of up to four years. This year, the TCGP will be released after SLCGP.
Read about the authorization for SLCGP
Through the Infrastructure Investment and Jobs Act (IIJA) of 2021, Congress established the State and Local Cybersecurity Improvement Act, which established the State and Local Cybersecurity Grant Program, appropriating $1 billion to be awarded over four years.
These entities face unique challenges in defending against cyber threats such as ransomware, as they lack the resources to defend against constantly changing threats. The Department of Homeland Security (DHS), through the Cybersecurity and Infrastructure Security Agency (CISA), is taking steps to help stakeholders across the country understand the severity of their unique local cyber threats and cultivate partnerships to reduce related risks across the SLT enterprise.
Read: How will the SLCGP be administered?
DHS will implement the SLCGP through CISA and the Federal Emergency Management Agency (FEMA). While CISA will serve as the subject-matter expert in cybersecurity-related issues, FEMA will provide grant administration and oversight for appropriated funds, including award and allocation of funds to eligible entities, financial management and oversight of funds execution.
The program is designed to put the funding where it is needed most: into the hands of local entities. States and territories will use their State Administrative Agencies (SAAs) to receive the funds from the Federal Government and then distribute the funding to local governments in accordance with state law/procedure. This is the same way in which funding is distributed to local governments in the Homeland Security Grant Program.
Application Process and Timeline
- DHS issued a Notice of Funding Opportunity (NOFO) in September 2022 that includes all requirements and details, including information on funding eligibility for states.
- The established SAAs for states and territories will be the only entities that can apply for grant awards under the SLCGP. Local entities receive sub-awards through states. The legislation requires states to distribute at least 80% of funds to local governments, with a minimum of 25% of the allocated funds distributed to rural areas.
- Eligible entities can submit an application via Grants.gov. Applications may include a completed Cybersecurity Plan, capabilities assessment and individual projects approved by the Cybersecurity Planning Committee and CIO/CISO/equivalent. Entities without a completed plan are encouraged to apply and complete it in Year One.
- CISA and FEMA will review each submission, and CISA will approve final Cybersecurity Plans and individual projects.
- Once approved, FEMA will remove any holds that they placed on funding and eligible entities can execute projects and make sub-awards.
Key Requirement: Building a Cybersecurity Planning Committee
Eligible entities can form their Cybersecurity Planning Committees and can create Cybersecurity Plans (in accordance with the minimum requirements as stated in the State and Local Cybersecurity Improvement Act), which are a requirement for receiving grant funds. The state-level Cybersecurity Planning Committee leverages previously established advisory bodies that the states may have formed. The membership of the Cybersecurity Planning Committee will be up to each individual state, provided it meets the requirements of the legislation and NOFO. States are encouraged to expand their Cybersecurity Planning Committees to include additional expertise based on individual state needs. DHS provides a list of these suggested additional personnel in the NOFO. However, states are not limited to the added personnel on this list.
The Cybersecurity Planning Committee will identify and prioritize state-wide efforts, to include identifying opportunities to consolidate projects to increase efficiencies. Each eligible entity is required to submit confirmation that the committee is comprised of the required representatives. The eligible entity must also confirm that at least one-half of the representatives of the committee have professional experience relating to cybersecurity or information technology. For more information on the composition of the Cybersecurity Planning Committee, including how to leverage existing planning committees, please refer to Appendix B of the Notice of Funding Opportunity.
Cybersecurity Planning Committee membership shall include at least one representative from relevant stakeholders, including:
- The eligible entity;
- If the eligible entity is a state, then representatives from counties, cities and towns within the jurisdiction of the eligible entity;
- Public education within the jurisdiction of the eligible entity;
- Public health; and
- Rural, suburban and high-population jurisdictions.
Not less than half of the representatives of the Cybersecurity Planning Committee must have professional experience relating to cybersecurity or information technology. Qualifications are determined by the states.
Eligible entities are given the flexibility to identify the specific public health and public education agencies and communities the Planning Committee members represent.
Key Requirement: Create a Cybersecurity Plan
The Cybersecurity Plan is a statewide planning document that must be approved by the Cybersecurity Planning Committee and the CIO/CISO equivalent. The Plan will be subsequently updated in FY24 and 25. It must contain the following components:
- Incorporate, to the extent practicable, any existing plans to protect against cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, SLTs.
- How input and feedback from local governments and associations of local governments was incorporated.
- Include all of the specific required elements (see Required Elements section of Appendix C of the NOFO).
- Describe, as appropriate and to the extent practicable, the individual responsibilities of the state and local governments within the state in implementing the Cybersecurity Plan.
- Assess each of the required elements from an entity-wide perspective.
- Outline, to the extent practicable, the necessary resources and a timeline for implementing the plan.
- Summary of associated projects.
- Metrics that the eligible entity will use to measure progress.
SLCGP Email: SLCGPinfo@cisa.dhs.gov
TCGP Email: TCGPinfo@cisa.dhs.gov
Tools and Resources
(Please note other links will be added as they become available)
The following CISA resources are recommended products, services, and tools available at no cost to state, local, tribal, and territorial governments, as well as public and private sector critical infrastructure organizations.
To report an incident, visit www.cisa.gov/report
- Grants Program Directorate Information Bulletins
- Fiscal Year 2022 FEMA Standard Terms and Conditions
Program Office Contact
FEMA has assigned state-specific Preparedness Officers for the SLCGP. If you do not know your Preparedness Officer, please contact the Centralized Scheduling and Information Desk (CSID) by phone at (800) 368-6498 or by email at firstname.lastname@example.org, Monday through Friday, 9 a.m. – 5 p.m. ET.
Centralized Scheduling and Information Desk (CSID)
CSID is a non-emergency comprehensive management and information resource developed by FEMA for grant stakeholders. CSID provides general information on all FEMA grant programs and maintains a comprehensive database containing key personnel contact information at the federal, state and local levels. When necessary, recipients will be directed to a federal point of contact who can answer specific programmatic questions or concerns. CSID can be reached by phone at (800) 368-6498 or by e-mail at email@example.com, Monday through Friday, 9 a.m. – 5 p.m. ET.