State and Local Cybersecurity Grant Program
DHS Announces $91.7 million in Grant Funding for the Fiscal year 2025 State and Local Cybersecurity Grant Program
Overview
On September 16, 2022, the Department of Homeland Security (DHS) announced a first-of-its-kind cybersecurity grant program specifically for state, local, tribal, and territorial (SLTT) governments across the country.
Our nation faces unprecedented threats to the homeland from increasingly sophisticated criminal groups and nation-state actors. SLTT entities stand at the forefront of cyber defense. Their partnership with DHS includes enforcing laws, assisting the federal government in securing cyberspace, and dismantling transnational criminal organizations. Cybersecurity threats, including ransomware intrusions, and widespread software vulnerabilities affecting SLTT systems and critical infrastructure are increasingly exploited by malicious actors, operating both domestically and abroad.
Funding from the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP) helps eligible entities address cybersecurity risks and threats to information systems owned or operated by—or on behalf of—SLTT governments. Through separate Notices of Funding Opportunities (NOFOs), the SLCGP and TCGP combined will make $1 billion available over four years, including more than $400 million in FY 2023 and more than $300 million in FY 2024. For detailed SLCGP funding allocations by fiscal year, please visit: SLCGP Funding Allocations at FEMA.gov.
On August 1, 2025, DHS announced an additional $12.1 million of awards through the TCGP. Learn more about this program on our TCGP page: Tribal Cybersecurity Grant Program | CISA.
Read about the authorization for SLCGP
Congress established the State and Local Cybersecurity Grant Program and appropriated $1 billion for the program to be distributed over four years.
These entities face unique challenges that could limit their participation in critical homeland security missions and are at varying levels of preparedness in defending against increasingly sophisticated and ever-changing cyber threats. DHS, through the Cybersecurity and Infrastructure Security Agency (CISA) in coordination with the Federal Emergency Management Agency (FEMA), is taking steps to help stakeholders across the country understand the severity of their unique local cyber threats and cultivate partnerships to reduce related risks across the SLT enterprise.
Read below or print the SLCGP Fact Sheet and Frequently Asked Questions.
NOFO and documents
FY 2025 Notice of Funding Opportunity.
Read the U.S. Department of Homeland Security's press release announcing the cyber grant in its fourth year: DHS Announces Additional $91.7 Million in Funding to Boost State, Local Cybersecurity
Release Date: August 1st, 2025
Read: How will the SLCGP be administered?
DHS will implement the SLCGP through CISA and the FEMA. While CISA will serve as the program management subject-matter expert in cybersecurity related issues, FEMA will provide grant administration and oversight for appropriated funds, including award and allocation of funds to eligible entities, financial management, and oversight of funds execution.
The program is designed to allocate funding to the most vulnerable and least mature cyber entities: local governments. States and territories will use their State Administrative Agencies (SAAs) to receive SLCGP funds from the federal government and then distribute at least 80% of the funding to local governments in accordance with state law, procedures, and federal legislative requirements. This is the same way in which funding is distributed to local governments in the Homeland Security Grant Program administered by FEMA.
Application Process and Timeline
- DHS issued the latest SLCGP Notice of Funding Opportunity (NOFO) in August 2025. The NOFO includes all requirements and details, including information on funding eligibility for states and territories.
- The established SAA for states and territories will be the only entities that can apply for grant awards under the SLCGP, with local entities receiving sub-awards through states. The legislation requires states to distribute at least 80% of funds to local governments, with a minimum of 25% of the allocated funds distributed to rural areas.
- Eligible entities can apply via the FEMA Grant Outcomes (FEMA GO) System. To be eligible for FY 2024 SLCGP funding, each eligible entity is required to fulfill the FY 2022 NOFO requirements. Applications may include a completed or revised Cybersecurity Plan (if applicable), capabilities assessment, and individual projects approved by the Cybersecurity Planning Committee and Chief Information Officer (CIO), Chief Information Security Officer (CISO), or equivalent.
- CISA and FEMA will review each submission, then CISA will work with states and territories to address any missing content and/or approve final or revised Cybersecurity Plans and individual projects. This year one requirement must be completed and submitted before states and territories are eligible for year four funds. Once approved, FEMA will remove any holds placed on funding and eligible entities can execute projects and make sub-awards.
Key Requirement: Assessments and Evaluations
Applicants must conduct assessments and evaluations that provide a basis for individual projects throughout the life of the program. This requirement is intended to help eligible entities understand their current cybersecurity posture and areas for improvement.
Key Requirement: Cybersecurity Best Practices
As states, territories, and local entities increase their cybersecurity maturity, CISA recommends they move toward implementing more advanced best practices. To assist in the development and revision of SLT cyber planning efforts, the following Cybersecurity Best Practices are provided in the NOFO:
- Implement multifactor authentication
- Enable enhanced logging
- Use data encryption for data at rest and in transit
- End the use of unsupported/end of life software and hardware that are accessible from the internet
- Prohibit use of known/fixed/default passwords and credentials
- Ensure the ability to reconstitute systems (backups)
- Actively engage in rapid bidirectional sharing between CISA and SLT entities to drive down cyber risk
- Migrate to the .gov internet domain
CISA's Cybersecurity Performance Goals (CPGs) are a prioritized subset of information technology and operational technology cybersecurity practices aimed at meaningfully reducing risks to both critical infrastructure operations and the American people. The CPGs help establish a common set of fundamental cybersecurity practices for critical infrastructure that recipients should aim to implement to ensure a strong cybersecurity risk posture. The resources committed through the FY 2024 SLCGP will assist SLT entities in implementing the cyber baselines outlined in CISA's CPGs, as well as enhance CISA's visibility into the challenges entities may face in executing these practices.
Key Requirement: Cybersecurity Plan
The Cybersecurity Plan is a statewide strategic document that must be approved by the Cybersecurity Planning Committee and the entity's CIO/CISO or equivalent individual. All applicants must resubmit their approved Cybersecurity Plan (revised, if needed) no later than January 30, 2026. It must contain the following components:
- Incorporate, to the extent practicable, any existing plans to protect against cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, state, local and tribal governments.
- How input and feedback from local governments and associations of local governments was incorporated.
- Include all of the specific required elements
- Describe, as appropriate and to the extent practicable, the individual responsibilities of the state and local governments within the state in implementing the Cybersecurity Plan.
- Assess each of the required elements from an entity-wide perspective.
- Outline, to the extent practicable, the necessary resources and a timeline for implementing the plan.
- Summary of associated projects.
- Metrics that the eligible entity will use to measure progress.
- See link to the Cybersecurity Plan Template under Tools and Resources.
Fact Sheets & Program Guidance
- State and Local Cybersecurity Grant Program Fact Sheet
- FY 2025 Key Changes Document
- State and Local Cybersecurity Grant Program Frequently Asked Questions
- SLCGP and TCGP Goals and Objectives
- SLCGP and TCGP Committee and Charter Requirements
Contact Information
SLCGP Email: SLCGPinfo@mail.cisa.dhs.gov
TCGP Email: TCGPinfo@mail.cisa.dhs.gov
Social Media Handle(s): Visit CISA on Social Media.
Tools and Resources
(Please note other links will be added as they become available)
The following list of CISA resources are recommended products, services, and tools at no cost to the state, local, tribal, and territorial governments, as well as public and private sector critical infrastructure organizations.
Free Cybersecurity Services and Tools
Information Technology Sector Specific Goals
To report an incident, visit www.cisa.gov/report
FEMA Resources
Key Links:
- Grants.gov
- Grants Program Directorate Information Bulletins
- FEMA Standard Terms and Conditions (updated each fiscal year)
- FEMA State and Local Cybersecurity Grant Program Funding Allocations
Program Office Contact
FEMA has assigned state- and territory-specific Preparedness Officers for the SLCGP. If you do not know your Preparedness Officer, please email FEMA-SLCGP@fema.dhs.gov or FEMA Grants News at FEMA-Grants-News@fema.dhs.gov.
TCGP applicants and recipients may contact their FEMA Preparedness Officers for more information by email at FEMA-TCGP@fema.dhs.gov.