State and Local Cybersecurity Grant Program (SLCGP) & Tribal Cybersecurity Grant Program (TCGP): Cybersecurity Plan Overview

Cybersecurity Plan 

The Cybersecurity Plan is a key component of a strategic approach to building cyber resilience. The Cybersecurity Plan should establish high-level goals and finite objectives to reduce specific cybersecurity risks at state, local, tribal, and territorial (SLTT) governments across the eligible entity. The Cybersecurity Plan should also serve as the overarching framework for the achievement of the SLCGP and TCGP goals, with grant-funded projects working to achieve outcomes. Regional approaches, as part of an entity-wide approach, should also be considered.

At the highest level, the Cybersecurity Plan:

  • Provides a comprehensive, strategic plan to reduce cybersecurity risk and increase capability across the entity.
  • Encompasses the entire enterprise and is not limited to a single entity.
  • Provides strategic direction for two to three years.
  • Includes required elements, with discretion to add other elements as necessary.
  • Leverages existing plans, to the extent they are in place.
  • Aligns individual projects to the Cybersecurity Plan.
  • Receives approval from the Cybersecurity Committee and Chief Information Officer (CIO)/Chief Information Security Officer (CISO)/equivalent (e.g., Chief Cyber Officer, Governor’s cabinet official overseeing cybersecurity).
  • Receives CISA review and approval.

In further developing the Cybersecurity Plans, the following is recommended:

  • Incorporate existing governance and planning documents and identification of any planning gaps that should be addressed by the Cybersecurity Plan;
  • Leverage existing assessments and evaluations (e.g., reports, after action reports) conducted by SLTT governments within the entity and any planning gaps that require additional assessments and/or evaluations; and
  • Identify potential SLCGP/TCGP projects to address planning gaps and prioritize mitigation efforts.

Cybersecurity Plan Components

  1. Items for Inclusion in the Cybersecurity Plan
  2. Submission and Approval Processes
  3. Process for Revisions/Updates
  4. Required Elements
  5. A summary of projects
  6. Metrics

1. Items for Inclusion in Cybersecurity Plan

The following identifies the plan requirements and additional considerations that eligible entities should consider when constructing the Cybersecurity Plan and future updates. Although there is no required format for the Cybersecurity Plan, the approved Cybersecurity Planning Committees are encouraged to review the Cybersecurity Plan Template, which includes additional details, samples, and templates.
Cybersecurity Plans must include and address the following items:

  • Incorporate, to the extent practicable, any existing plans to protect against cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, SLTs. Building upon and incorporating existing structures and capabilities allows entities to provide governance and a framework to meet the critical cybersecurity needs across the entity while making the best use of available resources. For example, consider referencing an existing emergency management plan to address potential cascading impacts affecting emergency services when responding to or recovering from a cybersecurity incident.
  • Describe how input and feedback from local governments (or in the case of tribal governments their sub-units), and associations of local governments was incorporated. For states, the SLCGP is intended to reduce cybersecurity risk across the eligible entity. Incorporating input from local entities is critical to building a holistic Cybersecurity Plan.
  • Include the specific required elements (see Required Elements section below). There are 16 required elements that are central to the Cybersecurity Plan and represent a broad range of cybersecurity capabilities and activities. They also include specific cybersecurity best practices that, when implemented over time, will substantially reduce cybersecurity risk and cybersecurity threats. Although each of the 16 required elements must be addressed in the plan, this may include a brief explanation as to why certain elements are not currently being prioritized. Not all 16 elements are required to be aligned to projects and have associated funding. These determinations should be addressed in accordance with capability gaps and vulnerabilities identified through an objective assessment process.
  • Describe, as appropriate and to the extent practicable, the individual responsibilities of the state and local governments within the state in implementing the Cybersecurity Plan. Defining the roles and responsibilities of SLTT governments is critical from both governance and implementation perspectives.
  • Assess the required elements from an entity-wide perspective. The candid assessment of the current capabilities of SLTT entities is the first step in reducing cybersecurity risk across the entity. This assessment also serves as the justification for individual projects. Additional information on the assessment is provided below and in the Cybersecurity Plan Template which includes a fillable capabilities assessment chart.
  • Outline, to the extent practicable, the necessary resources and a timeline for implementing the plan. The Cybersecurity Plan is a strategic planning tool that looks two to three years into the future. Accordingly, it should set forth how the approved Cybersecurity Planning Committee seeks to achieve plan goals and objectives. Cybersecurity Plans should address how SLCGP funds will help develop and/or implement the plan, along with milestones related to major projects. It should also set forth how other activities and funding sources contribute to achieving the outcomes described in the plans.
  • Summary of associated projects. Individual projects are the way elements of the plan are implemented over time. The plan must include a summary of projects associated with each required and discretionary element, designating which will use SLCGP or TCGP funds. Details for each project using SLCGP or TCGP funds must be included in the Investment Justifications (IJs). NOTE: Given the Cybersecurity Plan is a strategic document, it should not identify specific vulnerabilities but instead capture the broad level of capability across the state or territory. The assessment will become the road map for the state’s, territory’s, or tribe's individual projects and activities using SLCGP or TCGP funds. All IJs must provide a baseline understanding of the existing cybersecurity gaps, risks, and threats that the applicant entity faces which have influenced the development of the IJs. Also, applicants must include a summary of the current capabilities within the applicant jurisdiction to address these threats and risks. The Cybersecurity Plan Capabilities Assessment in the Cybersecurity Plan Template provides an easy way for approved Cybersecurity Planning Committees to capture this information and can be customized as appropriate.
  • Describe the metrics that the eligible entity will use to measure progress. The metrics that will be used must measure implementation of the Cybersecurity Plan and, more broadly, cybersecurity risk reduction across the state. These are different than the metrics that will be used to measure outcomes of the program, as described in the FY 2025 SLCGP Notice of Funding Opportunity (NOFO). Additional information is provided in the Cybersecurity Plan Metric Section below and in the Cybersecurity Plan Template.

2. Submission and Approval Processes

Submission of a CISA-approved Cybersecurity Plan is required for any eligible entity participating in the SLCGP or TCGP. All SLCGP Cybersecurity Plans must be submitted to the FEMA SLCGP Inbox at FEMA-SLCGP@fema.dhs.gov no later than January 30, 2026, and annually thereafter on the same date throughout the grant's period of performance. When submitting a Cybersecurity Plan, an applicant must inform CISA whether or not it revised its plan since CISA’s last approval of it.

  • Eligible applicants must coordinate with the appropriate Cybersecurity and CISA Regional Representatives before submitting their Cybersecurity Plan, IJ, and/or Project Worksheet (PW) (See the funding notice for relevant contact information).
  • Additionally, all updated plans must be approved by the entity’s respective Cybersecurity Planning Committee and the CIO/CISO/equivalent (e.g., Chief Cyber Officer, Governor’s cabinet official overseeing cybersecurity). The eligible entity, upon submitting the Cybersecurity Plan, must certify that the Cybersecurity Plan has been formally approved by the Cybersecurity Planning Committee and the CIO/CISO/Equivalent of the eligible entity. The committee is responsible for developing, approving, revising, and implementing the approved Cybersecurity Plan (Please see the relevant site on CISA.gov titled: Cybersecurity Planning Committee, Charter Requirements, and Best Practices).

3. Process for Revisions/Updates

If an entity has revised its Cybersecurity Plan, the applicant must provide a brief explanation of the revisions. There is no requirement for an applicant to revise a cybersecurity plan that CISA has approved unless CISA notifies the applicant that the plan does not meet plan requirements.

  • If resubmitting Cybersecurity Plans by January 30, 2026, applicants should consider providing the following items:
    • Updated signed letter from the entity Cybersecurity Planning Committee. Initial Cybersecurity Plans included a signed letter from the Cybersecurity Planning Committee, which documented the entity’s commitment to improving cybersecurity and supporting the state or territory government and practitioners across local jurisdictions. An updated letter should include an updated date with language acknowledging the Cybersecurity Planning Committee’s support for this updated plan, and updated signatures.
    • Updated Capabilities Assessment. The capabilities assessment provides insight into the entity’s cybersecurity capabilities across the program elements. Some include the management of information systems, adoption of best practices, continuity of operations, and distribution of funds and services. Through the implementation of SLCGP-funded projects, entities should see improvements in their capabilities in addressing program elements. It should also identify the funding expended in pursuit of enhancing entity capabilities.
    • Updated Implementation Plan. The Implementation Plan includes information related to the organization, roles, and responsibilities of the entity as it pertains to cybersecurity and the committee. This should be updated as appropriate with new committee members and organizational changes. The Implementation Plan also includes a Resource Overview, a list of resources needed to implement the plan, and a Projected Timeline, which outlines the time it will take to implement the Cybersecurity Plan. The Implementation Plan should be updated to include new information related to the entity’s resources and projected timeline to implement the plan and its projects.
    • Updated Project Worksheet. The Project Worksheet includes all cybersecurity projects the entity plans to pursue through SLCGP and includes the total project cost. During the program, entities have established and made progress on projects with SLCGP funding. This section should be updated with new projects and revised project costs, as applicable.
    • Updated Metrics. The Metrics section allows entities to list the measures and data being collected to evaluate progress against the SLCGP objectives. Through the duration of the program, the entity has likely made progress on meeting defined metrics and establishing new metrics. As applicable, the entity should update its metrics section with changes made to program goals and associated metrics. A CISA metrics menu can be accessed through the entity’s Cybersecurity Advisor (CSA)/Cybersecurity Coordinator (CSC), or directly from CISA through the SLCGP mailbox at SLCGPinfo@mail.cisa.dhs.gov.

Cybersecurity Planning Committees should also consider the following when resubmitting and updating the Cybersecurity Plan:

  • Holistic approach to the Cybersecurity Plan. The Cybersecurity Plan should be strategic in nature, guiding development of capabilities to address cybersecurity risks and threats across the state or territory. Individual state, territorial, and local entity projects should demonstrably achieve those capabilities over time.
  • Prioritizing projects that address cybersecurity for critical infrastructure. SLT entities are strongly encouraged to include projects related to law enforcement/emergency services, K-12 education, water/wastewater, healthcare, energy, and defense.
  • Consider shared services as an effective method in developing projects that address the cybersecurity needs of more than one SLT entity while benefiting from economies of scale.
  • Focused investments that are affordable over time without future federal support. The SLCGP and TCGP are currently authorized for four years, and limited funds are available. Entities should consider how to maintain capabilities once the programs end or funds are no longer available. Given the increasing cost share and portion for which states/tribes will be responsible, it is crucial to include a future funding plan.
  • State and territory role as leader and service provider. Many states and territories have significant cyber defenses and elect to provide services to local entities to improve capabilities. Where appropriate, states should consider approaches to support state-wide efforts, that may include using funds to provide services to local entities. Multi-entity projects are another way that eligible entities can group together to address cybersecurity risk and build capabilities. In addition, states/territories may wish to obtain information and pricing on commonly purchased solutions and vendors, across the National Institute for Science and Technology (NIST) Cybersecurity Framework (CSF) tiers (i.e. I vs. IV).
  • Building from existing efforts. Cybersecurity Committees should consider describing how cooperative programs developed by groups of local governments are integrated into the entity-wide approach.
  • Additional cybersecurity elements prioritized by the approved Cybersecurity Planning Committee.

4. Required Elements

If there are any existing plans that meet the required elements, references to them may be used in lieu of incorporating them in their entirety. The Cybersecurity Plan must describe, to the extent practicable, how the state plans to address the below elements. The Cybersecurity Plan is a strategic document, looking broadly across the entire jurisdiction. The entity’s analysis of each element should support the vision, mission and other strategic guidance set by the Cybersecurity Planning Committee.

  1. Manage, monitor, and track information systems, applications, and user accounts owned or operated by, or on behalf of, the state, tribal government, or local governments within the state and the information technology deployed on those information systems, including legacy information systems and information technology that are no longer supported by the manufacturer of the systems or technology.
  2. Monitor, audit, and track network traffic and activity transiting or traveling to or from information systems, applications, and user accounts owned or operated by, or on behalf of, the state, tribal government, or local governments within the state.
  3. Enhance the preparation, response, and resilience of information systems, applications, and user accounts owned or operated by, or on behalf of, the state, tribal government or local governments within the state, against cybersecurity risks and cybersecurity threats.
  4. Implement a process of continuous cybersecurity vulnerability assessments and threat mitigation practices prioritized by degree of risk to address cybersecurity risks and cybersecurity threats on information systems, applications, and user accounts owned or operated by, or on behalf of, the state, tribal government, or local governments within the state.
  5. Ensure that the state, tribal government, or local governments within the state, adopt and use best practices and methodologies to enhance cybersecurity, discussed further below. The following cybersecurity best practices under required element 5 must be included in each eligible entity’s Cybersecurity Plan:
    • Implement multi-factor authentication;
    • Implement enhanced logging;
    • Data encryption for data at rest and in transit;
    • End use of unsupported/end of life software and hardware that are accessible from the internet;
    • Prohibit use of known/fixed/default passwords and credentials;
    • Ensure the ability to reconstitute systems (backups);
    • Actively engage in bidirectional sharing between CISA and SLTT entities in cyber relevant time frames to drive down cyber risk; and
    • Migration to the .gov internet domain.

Additional best practices that the Cybersecurity Plan can address include:

  • NIST Cybersecurity Framework;
  • NIST’s cyber supply chain risk management best practices; and
  • Knowledge bases of adversary tools and tactics.

Key Cybersecurity Best Practices must be addressed in the Cybersecurity Plan, but immediate adoption by every SLTT entity is not required. Cybersecurity Plans must clearly articulate efforts to implement these cybersecurity best practices across the eligible entity within reasonable timelines as funding permits. Cybersecurity Planning Committees should prioritize these best practices in individual projects that assist SLTT entities. As there are multiple ways to implement the best practices, this program provides committees the flexibility to work with SLTT entities to design a plan that takes resource constraints, existing programs, and other factors into account.

  6. Promote the delivery of safe, recognizable, and trustworthy online services by the state, tribal government, or local governments within the state, including through the use of the .gov internet domain.
  7. Ensure continuity of operations of the state, tribal government, or local governments within the state, in the event of a cybersecurity incident, including by conducting exercises to practice responding to a cybersecurity incident.
  8. Use the National Initiative for Cybersecurity Education (NICE) Workforce Framework for Cybersecurity developed by NIST to identify and mitigate any gaps in the cybersecurity workforces of the state or local governments within the state, enhance recruitment and retention efforts for those workforces, and bolster the knowledge, skills, and abilities of personnel of the state or local governments within the state, to address cybersecurity risks and cybersecurity threats, such as through cybersecurity hygiene training.
  9. Ensure continuity of communication and data networks within the jurisdiction of the state between the state and local governments within the state in the event of an incident involving those communications or data networks.
  10. Assess and mitigate, to the greatest degree possible, cybersecurity risks and cybersecurity threats relating to critical infrastructure and key resources, the degradation of which may impact the performance of information systems within the jurisdiction of the state.
  11. Enhance capabilities to share cyber threat indicators and related information between the state, local governments within the state, and CISA.
  12. Leverage cybersecurity services (listed in appendix A of the funding notice) offered by the Department.
  13. Implement an information technology and operational technology modernization cybersecurity review process that ensures alignment between information technology and operational technology cybersecurity objectives.
  14. Develop and coordinate strategies to address cybersecurity risks and cybersecurity threats. Local governments and associations of local governments within the state should be consulted. Tribal governments are encouraged to consult sub-units and tribally owned critical infrastructure providers. Cybersecurity Planning Committees should also consider consulting neighboring entities, including adjacent states and countries.
  15. Ensure adequate access to, and participation in, the services and programs described in this subparagraph by rural areas within the state.
  16. Distribute funds, items, services, capabilities, or activities to local governments.

Cybersecurity Planning Committees are strongly encouraged to expand their Cybersecurity Plans beyond the required elements. This may include a focus on specific critical infrastructure or emphasis on different types of SLTT entities.

5. Summary of Projects

Although the Cybersecurity Plan is a strategic document, it must show how individual projects and activities will contribute to the implementation of the Plan over time. A summary of projects using FY 2024 SLCGP funds associated with each required and discretionary element provides a helpful snapshot of state-, tribal-, and territory-wide capability and capacity that will be achieved as a result of this funding. Details for each project using SLCGP or TCGP funds must be included in IJs and are to include a description of the purpose of the project and what it will accomplish, and, more specifically, how the project will address an identified gap or need and how it supports one or more of the required elements.

The Cybersecurity Plan Template includes a fillable Project Plan Worksheet, a sample of which is below.

  • Column 1. Project number assigned by the entity
  • Column 2. Name the project
  • Column 3. Brief (e.g., 1-line) Description of the purpose of the project
  • Column 4. The number of the Required Elements the project addresses
  • Column 5. Estimated project cost
  • Column 6. Status of project (future, ongoing, complete)
  • Column 7. Project priority listing (high, medium, low)
  • Column 8. Project Type (Plan, Organize, Equip, Train, Exercise)
  • Column 9. Activities to accomplish the project with projected dates of completion

Sample Table – Project Plan Worksheet:

| 1. # | 2. Project Name | 3. Project Description | 4. Related Required Element # | 5. Cost | 6. Status | 7. Priority | 8. Project Type | 9. Project Milestones |
|---|---|---|---|---|---|---|---|---|
|   |   |   |   |   |   |   |   |   |

6. Cybersecurity Plan Metrics 

Cybersecurity Plans must include language detailing processes and methods for measuring the following:

  • How the state, tribe, or territory will implement the plan;
  • How the state, tribe, or territory will reduce cybersecurity risks; and
  • How the state, tribe, or territory will identify, respond to, and recover from cybersecurity threats to information systems owned or operated by, or on behalf of, the state, tribal governments, or local governments within the state.

These measures should be at the macro level, related to the goals, objectives, and priorities as part of the overarching strategic plan and not associated with individual projects.

The SLCGP State Administrative Agencies and TCGP applicants, in partnership with their approved Cybersecurity Planning Committees, should consider the following when developing Cybersecurity Plan metrics:

  • Aligning metrics to the Cybersecurity Plan and the established program goals and objectives and state/tribal/territory priorities;
  • Reviewing existing metrics that are in use across the state, tribe, or territory;
  • Reporting data for each metric that is accurate, timely, accessible and validated;
  • Ensuring that the collection of metric data is not burdensome to the jurisdiction from which it must be obtained; and
  • Reviewing the CISA metrics menu, accessed through the entity’s CSA/CSC, or directly from CISA through the SLCGP mailbox at SLCGPinfo@mail.cisa.dhs.gov or TCGP mailbox at TCGPinfo@mail.cisa.dhs.gov.

The Cybersecurity Plan Template provides a fillable table for reporting metrics.

Sample Table – Cybersecurity Plan Metrics:

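| Program Objectives | Program Sub Objectives | Associated Metrics | Metric Description (details, source, frequency) |
|---|---|---|---|
| 1. | 1.1 |   |   |
|    | 1.2 |   |   |
|    | 1.3 |   |   |
| 2. | 2.1 |   |   |
|    | 2.2 |   |   |
|    | 2.3 |   |   |
| 3. | 3.1 |   |   |
|    | 3.2 |   |   |
|    | 3.3 |   |   |
| 4. | 4.1 |   |   |
|    | 4.2 |   |   |
|    | 4.3 |   |   |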