State and Local Cybersecurity Grant Program (SLCGP) & Tribal Cybersecurity Grant Program (TCGP): Cybersecurity Planning Committee, Charter Requirements, and Best Practices

Cybersecurity Planning Committee and Charter

Governance 

In keeping with the guiding principles of governance for all Department of Homeland Security (DHS) preparedness programs and statutory requirements, SLCGP recipients must coordinate activities across preparedness disciplines and levels of government, including state, local and territorial (SLT) governments. TCGP recipients are also encouraged to coordinate with their applicable sub-units and state governments if applicable. Specific attention should be paid to how funding sources can effectively support a whole of state approach to cyber preparedness and resiliency. In FY 2022, the entity must have established or reestablished a Cybersecurity Planning Committee. A Cybersecurity Planning Committee is also required pursuant to the statute authorizing the SLCGP (see section 2220A(g) of the Homeland Security Act of 2002, as amended (6 U.S.C. § 665g(g)).

In FY 2025, applicants are not required to resubmit their Cybersecurity Planning Committee membership and Charter. However, applicants are encouraged to provide any updated membership and bylaws in the application. In FY 2023, tribal governments were given the option of using an existing tribal council or governing body to meet the planning committee requirement. It is also included in FY 2025. Similar to SLCGP recipients, tribes are encouraged to provide any updated membership and bylaws in their application.

A blue cyber node

 

Cybersecurity Planning Committee 

The Cybersecurity Planning Committee builds upon previously established advisory bodies under other preparedness grant programs. The committee membership must reflect an eligible entity’s unique cybersecurity risk profile.

Existing multijurisdictional planning committees can be used if they meet the membership requirements outlined in the next section. An existing committee’s membership can be expanded or leveraged to meet the requirements as well as each eligible entity's unique requirements. It is recommended that eligible entities consider using Senior Advisory Committees or create a subcommittee within an existing multijurisdictional committee, modified to meet the requirements. Any reference to a Cybersecurity Planning Committee elsewhere in the program materials, and its accompanying requirements, also apply to these alternative committee options.

Tribal governments participating in TCGP are encouraged to use existing councils or governing bodies if they include as a member their Chief Information Officer (CIO) or CIO-equivalent with expertise in information technology (IT) and systems as a member. The CIO or equivalent person must fulfill the duties of the CIO, even if they have additional responsibilities.

A blue cyber node

Cybersecurity Planning Committee Composition and Scope Requirements

SLCGP Cybersecurity Planning Committees must include at least one representative from each of the stakeholders below:

  • The eligible entity;
  • The Chief Information Office (CIO), the Chief Information Security Officer (CISO), or equivalent official (e.g., Chief Cyber Officer, Governor’s cabinet official overseeing cybersecurity) of the eligible entity;
  • Representatives from counties, cities, and towns within the jurisdiction of the eligible entity;
  • Institutions of public education and health within the jurisdiction of the eligible entity; and
  • As appropriate, representatives of rural, suburban, and high-population jurisdictions.

At least one half of the representatives of the approved Cybersecurity Planning Committee must have professional experience relating to cybersecurity or information technology. Qualifications are determined by the eligible entity.

DHS strongly encourages membership from critical infrastructure sectors and subsectors including K-12 education, water/wastewater, healthcare, energy, defense, and elections infrastructure. Eligible entities are given the flexibility to identify which public health and public education representatives to include.

DHS strongly encourages eligible entities to consider naming additional members to the approved Cybersecurity Planning Committee, including but not limited to representatives from the following:

  • State and county judicial entities;
  • State legislature;
  • Election Infrastructure officials, including Secretaries of State and Election Directors;
  • Representatives from state, territorial, and local public safety, homeland security, emergency management, and law enforcement agencies;
  • Emergency Communications Officials, such as Interoperability Coordinators;
  • City and county CIOs and CISOs;
  • Publicly owned or operated critical infrastructure;
  • State National Guard if such entities have a cybersecurity mission;
  • Municipal, city, county, rural area, or other local government councils or associations; and
  • Other entities with expertise and skillsets that best represent the cybersecurity interests across the eligible entity.

The composition, structure, and charter of the approved Cybersecurity Planning Committee should focus on building cybersecurity capabilities across the eligible entity instead of simply combining previously existing advisory bodies under other grant programs.  Eligible entities should continue to verify compliance with Cybersecurity Planning Committee membership requirements and should submit updates as appropriate. The below table provides a suggested format for submitting the list of required Cybersecurity Planning Committee members.

Table: Suggested Cybersecurity Planning Committee Composition
RepresentationCommittee Member NameCommittee Member TitleCommittee Member’s OrganizationCybersecurity/IT experience (Yes/No)
State or Territory    
Counties, cities, and towns within the jurisdiction of the entity    
Institution of Public Education within the eligible entity    
Institution of Public Health within the eligible entity    
(Additional)    
As appropriate, representatives of rural, suburban, and high-population jurisdictions    
(Here the entity may add others at their discretion)    

As mentioned above, TCGP recipients can leverage an existing tribal council or governing body as long as it includes their CIO or equivalent member. However, if the tribal government decides to create a new committee, it must include the following members:

  • A representative of the entity's grant administration office; and
  • The entity's CIO or equivalent employee.

Additional members are encouraged, but not required.

A blue cyber node

Cybersecurity Planning Committee Responsibilities

Approved Cybersecurity Planning Committees will fulfil the following responsibilities:

  • Assisting with the development, implementation, and revision of the Cybersecurity Plan;
  • Approving the Cybersecurity Plan;
  • Assisting with the determination of effective funding priorities;
  • Coordinating with other committees and like entities with the goal of maximizing coordination and reducing duplication of effort;
  • Creating a cohesive planning network that builds and implements cybersecurity preparedness initiatives using CISA and FEMA resources, as well as other federal, SLT, private sector, and faith-based community resources;
  • Ensuring investments support closing capability gaps or sustaining capabilities; and
  • In the case of SLCGP entities, ensuring local government members, including representatives from counties, cities, and towns within the eligible entity provide consent on behalf of all local entities across the eligible entity for services, capabilities, or activities provided by the eligible entity through this program.
A blue cyber node

Limitations 

Cybersecurity Planning Committees that meet these requirements and the statute are not permitted to make decisions relating to information systems owned or operated by, or on behalf of, the state.

A blue cyber node

Cybersecurity Planning Committee Charter

SLCGP and TCGP governance of the approved Cybersecurity Planning Committee must be documented in a charter. All members of the Cybersecurity Planning Committee should sign and date the charter showing their agreement with its content and their representation on the committee. Eligible entities should continue to verify compliance with Cybersecurity Planning Committee charter requirements and are encouraged to submit updates as applicable to the recipient’s assigned FEMA Preparedness Officer. The Cybersecurity Planning Committee charter must, at a minimum, provide:

  • A detailed description of the Cybersecurity Planning Committee’s composition and an explanation of key governance processes;
  • A description of the frequency at which the Cybersecurity Planning Committee will meet;
  • An explanation as to how the committee will leverage existing governance bodies;
  • A detailed description of how decisions on programmatic priorities funded by SLCGP/TCGP will be made and how those decisions will be documented and shared with its members and other stakeholders, as appropriate; and
  • A description of defined roles and responsibilities for financial decision making and meeting administrative requirements.

To ensure ongoing coordination efforts, SLCGP eligible entities are encouraged to share community preparedness information from other preparedness grant programs as submitted in a state’s Biannual Strategy Implementation Report with members of the approved Cybersecurity Planning Committee. For TCGP, tribes are encouraged to share community preparedness information from other preparedness grant programs as submitted in a tribe's Performance Progress Report (PPR) with members of the approved Cybersecurity Planning Committee. SLCGP and TCGP eligible entities are also encouraged to share their Threat and Hazard Identification and Risk Assessment/Stakeholder Preparedness Review data with members of the approved Cybersecurity Planning Committee who are applying for other FEMA preparedness grants to enhance their understanding of statewide capability gaps.

To manage this effort and to further reinforce collaboration and coordination across the stakeholder community, a portion of an eligible entity's award may be utilized to support the approved Cybersecurity Planning Committee and to ensure representation and active participation of members. Funding may be used for hiring and training planners, establishing and maintaining a program management structure, identifying and managing projects, conducting research necessary to inform the planning process, and developing plans that bridge mechanisms, documents, protocols, and procedures.