Tribal Cybersecurity Grant Program

On August 1, 2025, DHS Announced $12.1 million of Awards Through the Tribal Cybersecurity Grant Program

Grants will assist Tribal governments with managing and reducing systemic cyber risk. Learn more here.

Overview

The Department of Homeland Security (DHS) announced the Tribal Cybersecurity Grant Program (TCGP) in September 2023 to assist Tribal governments with addressing cybersecurity risks and threats to information systems owned or operated by, or on behalf of, those Tribal governments. On August 1, 2025, DHS announced awards of an additional $12.1 million in grants to Tribal governments. 

In addition to helping Tribal governments address cybersecurity risks and threats to their information systems, TCGP is enabling DHS to provide targeted cybersecurity resources that will improve the security of critical infrastructure and resilience of the services that Tribal governments provide to their members. The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Emergency Management Agency (FEMA) jointly manage the TCGP. CISA provides cybersecurity programmatic subject-matter expertise by defining goals and objectives, reviewing and approving cybersecurity plans, and establishing measures of effectiveness. FEMA provides administrative guidance through conducting eligibility reviews and issuing and administering the grant awards consistent with all applicable laws, regulations, and policies.

Digital threats impacting American Indian and Alaska Native tribes are increasing and becoming more complex, and tribal sovereignty creates unique cybersecurity challenges for these communities who for far too long have been underfunded and under-resourced. This program is an example of a unified approach across DHS, in which a FEMA-administered program leverages CISA’s capabilities to accomplish the Department’s goal of increasing tribal cyber defenses, similar to the State and Local Cybersecurity Grant Program.

DHS respects the sovereignty and self-determination of Tribal governments and recognizes the intent of Congress to provide flexibility to Tribal governments to meet cybersecurity needs across Indian Country through the TCGP. The framework of the program was made as a result of nation-to-nation consultations with tribal representatives across the country and is intended to support tribal cybersecurity resiliency. 

Objectives 

CISA developed four overarching objectives for the TCGP based on the consideration of national priorities, frameworks, and the national cyber threat environment: 

1. Establish cyber governance and planning;
2. Assess and evaluate systems and capabilities;
3. Implement security protections commensurate with risk; and
4. Build and train a cybersecurity workforce. 

Tribal governments were required to address how they will meet Program Objective 1 in their FY 2023 applications. Objectives 2, 3, and 4 were eligible, but were not required to be addressed in FY 2023 applications.  

Funding 

FEMA and CISA are making an additional $12.1 million available through the FY 2025 Notice of Funding Opportunity. Similar to FY 2023's release this combines the funding available for FYs 2024 and 2025. This is in addition to the $18.2 million made available in the FY 2023 TCGP NOFO, which combined available funding from FYs 2022 and 2023. 

Eligibility 

For FY 2025, FEMA and CISA have changed the eligibility criteria. Only Tribal governments listed in the FY 2025 funding notice are eligible to apply. Eligible applicants were selected from meritorious applications that were received in response to the FY 2023 funding notice but did not receive funding due to the limited funding available.

For FY 2023, all 574 federally recognized Tribal governments were eligible to apply by the deadline of January 10, 2024. Tribes that applied were required to submit a Cybersecurity Plan, Cybersecurity Planning Committee List, and Charter.

Funding Guidelines 

Cybersecurity Planning Committee and Cybersecurity Plan Requirements 

Each Tribal government is required to establish a Cybersecurity Planning Committee that approves a Cybersecurity Plan and assists with developing, implementing, and revising that plan. An existing Tribal Council/Governing Body that includes 1) a grants administration office representative, and 2) a designated Chief Information Officer (CIO), Chief Information Security Officer (CISO), or equivalent official to the CIO or CISO with expertise in Information Technology (IT) may be used to meet the Committee requirement. 

These plans are meant to guide implementation of cybersecurity capabilities within the Tribal government. The Cybersecurity Planning Committee is responsible for approving the Cybersecurity Plan and assisting with determining effective projects. Applicants were encouraged to download the TCGP Cybersecurity Plan Template from www.grants.gov. The template was an optional tool for applicants to use to develop and submit their Cybersecurity Plans to ensure they met all the required statutory elements. CISA is available to provide technical assistance to Tribal governments on Cybersecurity Plan implementation. 

CISA considers Cybersecurity Plans to be living, strategic documents. Following the submission of their plan as part of the grant application, Tribal governments may continue to work with CISA after funds are approved to update their plan. More information about the plans can be found on CISA.gov.

Programmatic Criteria 

Each Tribal government’s application was evaluated through a three-part review and selection process. 

1. A FEMA HQ Preparedness Officer reviewed applications to ensure that the applicant meets all eligibility requirements and checked submitted applications for completeness.
2. CISA organized an objective review panel and established programmatic scoring and the selection process. Subject Matter Experts (SMEs) with cybersecurity and tribal engagement experience served as review panelists. Reviewers evaluated applications, scored Investment Justifications (IJs), and make recommendations for funding within each discretionary tier.
3. FEMA HQ Grants Management Specialists conducted financial reviews of the top scoring investments.

Cybersecurity Best Practices, Assessments, and Evaluations 

Each applicant addressed key Cybersecurity Best Practices in their Cybersecurity Plan and within individual projects. In addition, the Cybersecurity Best Practices should consult the Cybersecurity Performance Goals (CPGs) to ensure a strong cybersecurity posture. 

All TCGP recipients are required to participate in a limited number of free services provided by CISA. Participation in these services were not required for submission and approval of the grant but are post-award requirements. 

The post-award required services are: 

• Cyber Hygiene Vulnerability Scanning – Evaluates external network presence by executing continuous scans of public, static internet protocol (IPs) for accessible services and vulnerabilities.

TCGP Resources 

There are a variety of resources available to address programmatic, technical, and financial questions: 

• For additional support and guidance on Cybersecurity Plans, Tribal governments should reach out to their CISA Regional Staff. For contact information for your region, please visit cisa.gov/about/regions.
• For additional technical assistance, applicants may contact CISA via e-mail at TCGPinfo@cisa.dhs.gov.
• FY 2025 Notice of Funding Opportunity
• FY 2025 Fact Sheet and Frequently Asked Questions
• FY 2025 Key Changes
• SLCGP and TCGP Goals and Objectives
• SLCGP and TCGP Committee and Charter Requirements