State and Local Cybersecurity Grant Program
Blog: FY23 State and Local Cybersecurity Grant Program.
CISA and FEMA have announced the availability of $374.9 million in grant funding for the FY 2023 State and Local Cybersecurity Grant Program.
On September 16, 2022, the Department of Homeland Security (DHS) announced a first-of-its-kind cybersecurity grant program specifically for state, local, and territorial (SLT) governments across the country.
Funding from the State and Local Cybersecurity Grant Program (SLCGP) and the forthcoming Tribal Cybersecurity Grant Program (TCGP) helps eligible entities address cybersecurity risks and threats to information systems owned or operated by, or on behalf of, SLT governments and Tribal governments. Through two distinct Notices of Funding Opportunity (NOFOs), SLCGP and TCGP combined will make available $1 billion over four years to support projects throughout the performance period of up to four years. The $1 billion to be awarded over four years includes $200 million in FY22 and $400 million in FY23.
The FY23 TCGP is forthcoming.
Read about the authorization for SLCGP
Through the Infrastructure Investment and Jobs Act (IIJA) of 2021, Congress established the State and Local Cybersecurity Improvement Act, which established the State and Local Cybersecurity Grant Program, appropriating $1 billion to be awarded over four years.
These entities face unique challenges and are at varying levels of preparedness in defending against increasingly sophisticated and ever-changing cyber threats. DHS, through CISA in coordination with FEMA, is taking steps to help stakeholders across the country understand the severity of their unique local cyber threats and cultivate partnerships to reduce related risks across the SLT enterprise.
NOFO and documents
The goal of SLCGP is to assist SLT governments with managing and reducing systemic cyber risk.
Read the U.S. Department of Homeland Security's press release announcing the cyber grant in its second year: DHS Announces Additional $374.9 Million in Funding to Boost State, Local Cybersecurity
Release Date: August 7, 2023
Read: How will the SLCGP be administered?
DHS will implement the SLCGP through CISA and the Federal Emergency Management Agency (FEMA). While CISA will serve as the program management subject-matter expert in cybersecurity related issues, FEMA will provide grant administration and oversight for appropriated funds, including award and allocation of funds to eligible entities, financial management, and oversight of funds execution.
The program is designed to allocate funding where it is needed most: into the hands of local entities. States and territories will use their State Administrative Agencies (SAAs) to receive SLCGP funds from the federal government and then distribute the funding to local governments in accordance with state law and procedures. This is the same way in which funding is distributed to local governments in the Homeland Security Grant Program administered by FEMA.
Application Process and Timeline
- DHS issued the SLCGP Notice of Funding Opportunity (NOFO) in August 2023. The NOFO includes all requirements and details, including information on funding eligibility for states and territories.
- The established SAA for states and territories will be the only entities that can apply for grant awards under the SLCGP, with local entities receiving sub-awards through states. The legislation requires states to distribute at least 80% of funds to local governments, with a minimum of 25% of the allocated funds distributed to rural areas.
- Eligible entities can apply via Grants.gov. Applications may include a completed Cybersecurity Plan, capabilities assessment, and individual projects approved by the Cybersecurity Planning Committee and CIO/CISO/equivalent. Entities without a completed plan are encouraged to apply and submit it by September 30, 2023. This requirement must be completed and submitted in year one, to be eligible for year two funding.
- CISA and FEMA will review each submission, then CISA will work with states and territories to address any missing content and/or approve final Cybersecurity Plans and individual projects. This year 1 requirement must be completed and submitted before states and territories are eligible for year two funds. Once approved, FEMA will remove any holds placed on funding and eligible entities can execute projects and make sub-awards.
Key Requirement: Assessments and Evaluations
Applicants must conduct assessments and evaluations that provide a basis for individual projects throughout the life of the program. This requirement is intended to help eligible entities understand their current cybersecurity posture and areas for improvement.
Key Requirement: Building a Cybersecurity Planning Committee
As states, territories, and local entities increase their cybersecurity maturity, CISA recommends they move toward implementing more advanced best practices. To assist in the development and revision of SLT cyber planning efforts, the following Cybersecurity Best Practices are provided in the NOFO:
- Implement multifactor authentication
- Enable enhanced logging
- Use data encryption for data at rest and in transit
- End the use of unsupported/end of life software and hardware that are accessible from the internet
- Restrict the use of known/fixed/default passwords and credentials
- Ensure the ability to reconstitute systems (backups)
- Engage in rapid bidirectional sharing between CISA and SLT entities to drive down cyber risk
- Migrate to the .gov internet domain
The FY 2023 SLCGP will assist CISA in the continued development of consistent baseline Cybersecurity Performance Goals (CPGs), a prioritized subset of information technology and operational technology cybersecurity practices aimed at meaningfully reducing risks to both critical infrastructure operations and the American people. The CPGs help establish a common set of fundamental cybersecurity practices for critical infrastructure that recipients should aim to implement to ensure a strong cybersecurity risk posture. The states and territories will consult the CPGs throughout their development of plans and projects within the program.
Key Requirement: Create a Cybersecurity Plan
The Cybersecurity Plan is a statewide planning document that must be approved by the Cybersecurity Planning Committee and the CIO/CISO equivalent. The Plan will be subsequently updated in FY24 and 25. It must contain the following components:
- Incorporate, to the extent practicable, any existing plans to protect against cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, SLTs.
- How input and feedback from local governments and associations of local governments was incorporated.
- Include all of the specific required elements (see Required Elements section of Appendix C of the NOFO)
- Describe, as appropriate and to the extent practicable, the individual responsibilities of the state and local governments within the state in implementing the Cybersecurity Plan.
- Assess each of the required elements from an entity-wide perspective.
- Outline, to the extent practicable, the necessary resources and a timeline for implementing the plan.
- Summary of associated projects.
- Metrics that the eligible entity will use to measure progress.
- See link to the Cybersecurity Plan Template under Tools and Resources.
SLCGP Email: SLCGPinfo@cisa.dhs.gov
TCGP Email: TCGPinfo@cisa.dhs.gov
Social Media Handle(s): Visit CISA on Social Media.
Tools and Resources
(Please note other links will be added as they become available)
The following CISA resources are recommended products, services, and tools available at no cost to state, local, tribal, and territorial governments, as well as public and private sector critical infrastructure organizations.
Cybersecurity Plan Template (click "Related Documents" tab to download)
To report an incident, visit www.cisa.gov/report
- Grants Program Directorate Information Bulletins
- Fiscal Year 2022 FEMA Standard Terms and Conditions
Program Office Contact
FEMA has assigned state-specific Preparedness Officers for the SLCGP. If you do not know your Preparedness Officer, please contact the Centralized Scheduling and Information Desk (CSID) by phone at (800) 368-6498 or by email at email@example.com, Monday through Friday, 9 a.m. – 5 p.m. ET.
Centralized Scheduling and Information Desk (CSID)
CSID is a non-emergency comprehensive management and information resource developed by FEMA for grant stakeholders. CSID provides general information on all FEMA grant programs and maintains a comprehensive database containing key personnel contact information at the federal, state and local levels. When necessary, recipients will be directed to a federal point of contact who can answer specific programmatic questions or concerns. CSID can be reached by phone at (800) 368-6498 or by e-mail at firstname.lastname@example.org, Monday through Friday, 9 a.m. – 5 p.m. ET.