State and Local Cybersecurity Grant Program Key Changes
Overview

The State and Local Cybersecurity Grant Program (SLCGP) focuses on strengthening the cybersecurity and resilience of state, local, and territorial (SLT) governments’ information systems. The SLCGP enables the Department of Homeland Security (DHS) to make targeted cybersecurity investments to improve the capabilities of SLT government agencies that partner with DHS to enforce laws, assist in securing borders and cyberspace, and in dismantling transnational criminal organizations. This document outlines key changes for the Fiscal Year (FY) 2025 SLCGP.
Program Goals, Objectives, and Priorities
Each year, SLCGP guidance is updated to ensure applicants remain on track to produce the intended outcomes related to the program’s goals, objectives, and priorities.
Program Objectives
Program objectives remain the same throughout the four-year program. In FY 2024, each project was required to align with an objective, but there was not a specified objective under which applicants had to apply. This remains the same in FY 2025. The FY 2025 SLCGP Notice of Funding Opportunity (NOFO) states:
“Applicants are required to submit applications that address at least one of the following program objectives in their applications:
- Objective 1: Develop and establish appropriate governance structures, including by developing, implementing, or revising Cybersecurity Plans, to improve capabilities to respond to cybersecurity incidents, and ensure continuity of operations.
- Objective 2: Understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments.
- Objective 3: Implement security protections commensurate with risk.
- Objective 4: Ensure organization personnel are appropriately trained in cybersecurity commensurate with responsibility.”
Starting in FY 2025, a detailed overview of the program goals and objectives will not be included in the NOFO as an appendix. Instead, they will be available as a webpage on CISA.gov: www.cisa.gov/cybergrants/slcgp
Cybersecurity Plan Resubmission
One of the priority outcomes of SLCGP is the approval of Cybersecurity Plans for each applicant. Applicants are still required to have a CISA-approved Cybersecurity Plan. In FY 2025, there are no additional plan requirements, but all entities with a CISA-approved Cybersecurity Plan must submit their current plan to CISA via the FEMA SLCGP Inbox FEMA-SLCGP@fema.dhs.gov no later than January 30, 2026, to meet the annual resubmission requirement. When they submit, entities must indicate if the plan has been revised since CISA’s approval. If it has been revised, they must provide a brief explanation of any revisions.
There is no requirement for an entity to revise their CISA-approved Cybersecurity Plan unless CISA notifies them that it does not meet plan requirements. CISA has streamlined the instructions and provided additional suggestions about the process for revising or updating a plan. For example, CISA recommends that applicants consider including a future funding plan as part of their resubmission due to their increasing cost share responsibility.
Starting in FY 2025, the requirements for Cybersecurity Plans and additional suggestions for revising or updating will not be included in the NOFO as an appendix. Instead, those requirements and suggestions will be available as a webpage on CISA.gov: www.cisa.gov/cybergrants/slcgp
Cybersecurity Planning Committees and Charter Requirements
Starting in FY 2025, requirements for cybersecurity planning committees, their associated charter and associated best practices will not be included in the NOFO as an appendix. Instead, those requirements will be available as a webpage on CISA.gov: www.cisa.gov/cybergrants/slcpg.
Performance Measures
CISA remains invested in collecting data to gauge program performance. In FY 2025, performance measures were adjusted to better inform applicants of the information CISA will collect through the program duration. Each performance measure now includes a recommended target range to better communicate to applicants how CISA will measure the program’s performance. Adjusted performance measures include the following:
- Percentage of entities conducting annual tabletop and full-scale exercises to test Cybersecurity Plans (40% target range).
- Amount of grant funds budgeted for cybersecurity exercises (10% target range).
- Percentage of grant funds expended on exercise plans for entities (10% target range).
- Percentage of entities conducting annual cyber risk assessments to identify cyber risk management gaps and areas for improvement (80% target range).
- Percentage of entities performing phishing training (70% target range).
- Percentage of entities conducting awareness campaigns (90% target range).
- Percentage of entities providing role-based cybersecurity awareness training (90% target range).
- Percentage of entities with capabilities to analyze network traffic and activities related to potential threats (60% target range).
- Percentage of entities implementing multi-factor authentication (MFA) for all remote access and privileged accounts (70% target range).
- Percentage of entities with programs to anticipate and discontinue end-of-life software and hardware (60% target range).
- Percentage of entities prohibiting the use of known/fixed/default passwords and credentials (60% target range).
- Percentage of entities operating under the “.gov” internet domain (70% target range).
- Percentage of entities that reported CISA-identified Cybersecurity Gaps (50% target range).
- Percentage of entities with Endpoint Detection and Response systems that were funded for implementation (90% target range).
- Number of capabilities ratings improved (50% target range).
- Percentage of state/territory-created performance metrics that were met (50% target range).
- Percentage of entities participating in CISA services (50% target range).
- Percentage of entities that have implemented data encryption projects (50% target range).
- Percentage of entities that have implemented enhanced logging projects (60% target range).
- Percentage of entities that have implemented system reconstitution projects (60% target range).
Similar performance measures to those listed above have previously been included in the NOFO. CISA views the implementation of those best practices as informative in determining SLCGP’s success. The following performance measures have been deprioritized and removed from the FY 2025 NOFO:
- Number of employees that completed continuous learning activities on current cyber threats.
- Number of employees that completed education or training on software security concepts.
- Number of funding improvements that were made for Continuity of Operations Plans.
- Percentage of entities with membership in the Multi-State Information Sharing and Analysis Center (50% target range).
Program Funding, Cost Share, and Period of Performance
The total funding allocated for the SLCGP decreased from $279.9 million in FY 2024 to $91.7 million in FY 2025. Allocation percentages to states and territories remain the same, including the population-based ratio for rural areas.
Cost Share Requirement
The minimum percentage for the cost share requirement increased from 30% in FY 2024 to 40% in FY 2025. Eligible applicants must ensure there are non-federal funds available to carry out an SLCGP award in an amount no less than 40%. For a multi-entity group project, the cost share is changed to 30% for the FY 2025 SLCGP. Exceptions to the Pass-through Requirement remain the same as in previous fiscal years: grant funding awarded solely to support projects integral to the revision of the state or territory Cybersecurity Plan; and the District of Columbia, the Commonwealth of Puerto Rico, American Samoa, the Commonwealth of the Northern Mariana Islands, Guam, and the United States Virgin Islands.
Cost share waivers will not be considered for any entities for the FY 2025 SLCGP. For FY 2025, in accordance with 48 U.S.C. § 1469a, cost share requirements are waived only for the insular areas of the U.S. territories of American Samoa, Guam, the U.S. Virgin Islands and the Commonwealth of the Northern Mariana Islands.
FY 2025 Period of Performance (POP)
The FY 2025 POP is specified in the funding notice and remains 4 years from the date the awards are made. Unlike FY 2022, 2023, and 2024, DHS will not consider requests for any extensions to the FY 2025 POP.
Required, Encouraged, and Optional Services, Memberships, and Resources
The FY 2025 NOFO does not require entities and sub-entities receiving subawards to complete the National Cybersecurity Review (NCSR). CISA and FEMA will not require entities and sub-entities to certify NCSR completion on the required FY 2025 annual PPRs. All entities and sub-entities are still required to participate in CISA’s Cyber Hygiene services.
CISA has added its Information Technology Sector Specific Goals (SSGs) to the Required, Encouraged, and Optional Services, Memberships, and Resources list (Appendix B of the NOFO). The Information Technology SSGs are additional voluntary practices with high-impact security actions, beyond the Cross-Sector CPGs, that outline measures IT Sector businesses and critical infrastructure owners can take to protect themselves against cyber threats. They were developed based on CISA’s operational data, research on the current threat landscape, and in collaboration with government, industry groups, and private sector experts. Additionally, all membership costs utilizing SLCGP funding must be approved in advance by FEMA.
Payment Reviews
FEMA is instituting additional reviews on all grant payments and obligations to ensure allowability in accordance with 2 C.F.R. § 200.305. These measures will ensure funds are disbursed appropriately while continuing to support and prioritize communities that rely on FEMA for assistance. Once a recipient submits a payment request, FEMA will review the request. If FEMA approves a payment, it will process the payment through FEMA GO and inform recipients accordingly for drawdown purposes. If FEMA disapproves a payment, FEMA will inform the recipient.