State and Local Cybersecurity Grant Program

Overview

State and Local Cybersecurity Grant Program Notice of Funding Opportunity

On September 16, 2022, the Department of Homeland Security (DHS) announced a first-of-its-kind cybersecurity grant program specifically for state, local, and territorial (SLT) governments across the country.

Funding from the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP) helps eligible entities address cybersecurity risks and threats to information systems owned or operated by—or on behalf of—SLT governments and Tribal governments. Through separate Notices of Funding Opportunities (NOFOs), the SLCGP and TCGP combined will make $1 billion available over four years, including more than $400 million in FY 2023 and more than $300 million in FY 2024.

On July 1, 2024, DHS announced the first $18.2 million of awards through the TCGP. Learn more about this program on our TCGP page: Tribal Cybersecurity Grant Program | CISA

A blue cyber node

Read about the authorization for SLCGP

Through the Infrastructure Investment and Jobs Act of 2021, Congress established the State and Local Cybersecurity Grant Program and appropriated $1 billion for this program.

These entities face unique challenges and are at varying levels of preparedness in defending against increasingly sophisticated and ever-changing cyber threats. DHS, through the Cybersecurity and Infrastructure Security Agency (CISA) in coordination with the Federal Emergency Management Agency (FEMA), is taking steps to help stakeholders across the country understand the severity of their unique local cyber threats and cultivate partnerships to reduce related risks across the SLT enterprise.

Read below or print the SLCGP Fact Sheet and Frequently Asked Questions.

NOFO and documents

FY 2024 Notice of Funding Opportunity.

The goal of the SLCGP is to assist SLT governments with managing and reducing systemic cyber risk.

Read the U.S. Department of Homeland Security's press release announcing the cyber grant in its third year: DHS Announces Additional $279.9 Million in Funding to Boost State, Local Cybersecurity

Release Date: September 23, 2024

A blue cyber node

Read: How will the SLCGP be administered?

DHS will implement the SLCGP through CISA and the Federal Emergency Management Agency (FEMA). While CISA will serve as the program management subject-matter expert in cybersecurity related issues, FEMA will provide grant administration and oversight for appropriated funds, including award and allocation of funds to eligible entities, financial management, and oversight of funds execution.

The program is designed to allocate funding where it is needed most: into the hands of local entities. States and territories will use their State Administrative Agencies (SAAs) to receive SLCGP funds from the federal government and then distribute the funding to local governments in accordance with state law and procedures. This is the same way in which funding is distributed to local governments in the Homeland Security Grant Program administered by FEMA.

Application Process and Timeline

  • DHS issued the SLCGP Notice of Funding Opportunity (NOFO) in September 2024. The NOFO includes all requirements and details, including information on funding eligibility for states and territories.
  • The established SAA for states and territories will be the only entities that can apply for grant awards under the SLCGP, with local entities receiving sub-awards through states. The legislation requires states to distribute at least 80% of funds to local governments, with a minimum of 25% of the allocated funds distributed to rural areas.
  • Eligible entities can apply via the FEMA Grant Outcomes (FEMA GO) System. To be eligible for FY 2024 SLCGP funding, each eligible entity is required to fulfill the FY 2022 NOFO requirements. Applications may include a completed or revised Cybersecurity Plan (if applicable), capabilities assessment, and individual projects approved by the Cybersecurity Planning Committee and Chief Information Officer (CIO), Chief Information Security Officer (CISO), or equivalent. 
  • CISA and FEMA will review each submission, then CISA will work with states and territories to address any missing content and/or approve final or revised Cybersecurity Plans and individual projects.  This year one requirement must be completed and submitted before states and territories are eligible for year three funds. Once approved, FEMA will remove any holds placed on funding and eligible entities can execute projects and make sub-awards.
A blue cyber node

Key Requirement: Assessments and Evaluations

Applicants must conduct assessments and evaluations that provide a basis for individual projects throughout the life of the program. This requirement is intended to help eligible entities understand their current cybersecurity posture and areas for improvement.

Key Requirement: Cybersecurity Best Practices

As states, territories, and local entities increase their cybersecurity maturity, CISA recommends they move toward implementing more advanced best practices. To assist in the development and revision of SLT cyber planning efforts, the following Cybersecurity Best Practices are provided in the NOFO:

  • Implement multifactor authentication
  • Enable enhanced logging
  • Use data encryption for data at rest and in transit
  • End the use of unsupported/end of life software and hardware that are accessible from the internet
  • Restrict the use of known/fixed/default passwords and credentials
  • Ensure the ability to reconstitute systems (backups)
  • Engage in rapid bidirectional sharing between CISA and SLT entities to drive down cyber risk
  • Migrate to the .gov internet domain

CISA's Cybersecurity Performance Goals (CPGs) are a prioritized subset of information technology and operational technology cybersecurity practices aimed at meaningfully reducing risks to both critical infrastructure operations and the American people. The CPGs help establish a common set of fundamental cybersecurity practices for critical infrastructure that recipients should aim to implement to ensure a strong cybersecurity risk posture. The resources committed through the FY 2024 SLCGP will assist SLT entities in implementing the cyber baselines outlined in CISA's CPGs, as well as enhance CISA's visibility into the challenges entities may face in executing these practices.

Key Requirement: Cybersecurity Plan

The Cybersecurity Plan is a statewide planning document that must be approved by the Cybersecurity Planning Committee and the CIO/CISO equivalent. All applicants must submit their approved Cybersecurity Plan (revised, if needed) no later than January 30, 2025. It must contain the following components:

  • Incorporate, to the extent practicable, any existing plans to protect against cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, SLTs.
  • How input and feedback from local governments and associations of local governments was incorporated.
  • Include all of the specific required elements (see Required Elements section of Appendix C of the NOFO)
  • Describe, as appropriate and to the extent practicable, the individual responsibilities of the state and local governments within the state in implementing the Cybersecurity Plan.
  • Assess each of the required elements from an entity-wide perspective.
  • Outline, to the extent practicable, the necessary resources and a timeline for implementing the plan.
  • Summary of associated projects.
  • Metrics that the eligible entity will use to measure progress.
  • See link to the Cybersecurity Plan Template under Tools and Resources.
A blue cyber node

Fact Sheets

A blue cyber node

Contact Information

SLCGP Email: SLCGPinfo@cisa.dhs.gov

TCGP Email: TCGPinfo@cisa.dhs.gov

Social Media Handle(s):  Visit CISA on Social Media.

A blue cyber node

Tools and Resources

(Please note other links will be added as they become available)

The following list of CISA resources are recommended products, services, and tools at no cost to the state, local, tribal, and territorial governments, as well as public and private sector critical infrastructure organizations.

Cyber Resource Hub

Ransomware Guide (Sept. 2020)

Cyber Resilience Review

Free Cybersecurity Services and Tools

Cybersecurity Plan Template (click "Related Documents" tab to download)

To report an incident, visit www.cisa.gov/report

A blue cyber node

FEMA Resources

Key Links:

Program Office Contact

FEMA has assigned state-specific Preparedness Officers for the SLCGP. If you do not know your Preparedness Officer, please contact the Centralized Scheduling and Information Desk (CSID) by phone at (800) 368-6498 or by email at askcsid@fema.dhs.gov, Monday through Friday, 9 a.m. – 5 p.m. ET.

Centralized Scheduling and Information Desk (CSID)

CSID is a non-emergency comprehensive management and information resource developed by FEMA for grant stakeholders. CSID provides general information on all FEMA grant programs and maintains a comprehensive database containing key personnel contact information at the federal, state and local levels. When necessary, recipients will be directed to a federal point of contact who can answer specific programmatic questions or concerns. CSID can be reached by phone at (800) 368-6498 or by e-mail at askcsid@fema.dhs.gov, Monday through Friday, 9 a.m. – 5 p.m. ET.