State and Local Cybersecurity Grant Program (SLCGP) & Tribal Cybersecurity Grant Program (TCGP): Program Goals and Objectives

Our nation faces unprecedented threats to the homeland from increasingly sophisticated criminal groups and nation-state actors. State, local, tribal, and territorial (SLTT) entities stand at the forefront of cyber defense. Their partnership with DHS includes enforcing laws, assisting the federal government in securing cyberspace, and dismantling transnational criminal organizations. Cybersecurity threats, including ransomware intrusions and widespread software vulnerabilities affecting SLTT systems and critical infrastructure, are increasingly exploited by malicious actors operating both domestically and abroad.

Considering the risk and potential consequences of cyber incidents, strengthening the cybersecurity practices and resilience of SLTT governments is the focus of the SLCGP and TCGP. Through funding from the Infrastructure Investment and Jobs Act, referred to as the Bipartisan Infrastructure Law (BIL) throughout this document, these programs enable DHS to make targeted cybersecurity investments in SLTT government agencies that strengthen the security and resilience of critical infrastructure and improve the cybersecurity resilience of services SLTTs provide to their communities.

As part of the Department of Homeland Security (DHS), CISA is at the heart of mobilizing a collective defense to understand and manage risk to our critical infrastructure partners. In its unique role, CISA is proactively supporting efforts to achieve a cybersecurity ecosystem in which malicious actors face insurmountably high costs to execute damaging intrusions, vulnerabilities are rapidly identified before exploitation, and technology is used to reduce the most harmful and systemic risks to critical infrastructure. CISA programs and services are driven by a comprehensive understanding of the risk environment and the corresponding needs identified by our partners. The SLCGP and TCGP are key to achieving this vision and enable DHS to make targeted investments in SLT government agencies, improving the security and resilience of critical infrastructure upon which Americans rely.

The goals and objectives outlined below, if achieved, will significantly reduce the risk of a cybersecurity threat against SLTT government information technology (IT) networks. These broad outcomes are listed in logical sequence to aid recipients in focusing on the overall intent of the SLCGP and TCGP. These outcomes will help prioritize the use of scarce resources and develop metrics to gauge success at both the project and organizational level. Outcomes of the program will be measured by how well recipients can achieve outlined goals and improve the risk posture of the information systems they either own or those that are operated on their behalf.

The program objectives for SLCGP and TCGP are as follows: (1) develop and establish appropriate governance structures, as well as develop, implement, or revise Cybersecurity Plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations; (2) ensure SLTT agencies understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments; (3) implement security protections commensurate with risk (outcomes of SLCGP Objectives 1 & 2); and (4) ensure organization personnel are appropriately trained in cybersecurity, commensurate with their responsibilities. 

These program objectives are further divided into sub-objectives and outcomes with accompanying sample evidence of implementation provided to assist the reader in development of their application.

Goal of SLCGP

Assist state, local, and territorial (SLT) governments with managing and reducing systemic cyber risk.

Goal of TCGP

Assist tribal governments with managing and reducing systemic cyber risk.

Program Objectives, Sub-Objectives, and Outcomes

Program Objective 1: Develop and establish appropriate governance structures
Program Objective: 1. Develop and establish appropriate governance structures, as well as develop, implement, or revise cybersecurity plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations

Program Sub-Objective 1.1: Establish cybersecurity governance structures and implement a program to evaluate maturity of the cybersecurity program aligned to Cybersecurity Performance Goals established by CISA and the National Institute of Standards and Technology (NIST).
Outcome(s):
1.1.1 Participants have established and documented a uniform cybersecurity governance structure that is accountable to organizational leadership and works together to set the vision for cyber risk management.
1.1.2 Participants have identified senior officials to enable whole-of-organization coordination on cybersecurity policies, processes and procedures.
Evidence of Implementation Example: Organization has a cybersecurity defense concept of operations, with responsibilities assigned to specific organizational roles.

Program Sub-Objective 1.2: Develop, implement, or revise, and test cybersecurity plans, including cyber incident response plans, with clearly defined roles and responsibilities.
Outcome(s):
1.2.1 Develop, implement, or revise and exercise cyber incident response plans.
Evidence of Implementation Example: Organization conducts annual table-top and full-scope exercises that include practical execution of restoration and recovery processes to test approved cybersecurity plans. Conducting these exercises allows organizations to test approved cybersecurity plans to identify, protect, detect, respond to and recover from cybersecurity incidents, in line with the NIST Cybersecurity Framework, and demonstrates a process to incorporate lessons learned from the exercise into their cybersecurity program.

Program Sub-Objective 1.3: Asset (e.g., devices, data, software) protections and recovery actions are prioritized based on the asset’s criticality and business value.
Outcome(s):
1.3.1 Ensure that systems and network functions are prioritized and reconstituted according to their impact to essential functions.
Evidence of Implementation Example: Organization conducts a regular business impact assessment to prioritize which systems must be protected and recovered first.

Program Objective 2: Understand their current cybersecurity posture and areas for improvement
Program Objective: 2. SLT agencies understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation and structured assessments

Program Sub-Objective 2.1: Physical devices and systems, as well as software platforms and applications, are inventoried.
Outcome(s):
2.1.1 Establish and regularly update asset inventory.
Evidence of Implementation Example: Organization maintains and regularly updates an asset inventory list.

Program Sub-Objective 2.2: Cybersecurity risk to the organization’s operations and assets is understood.
Outcome(s):
2.2.1 Conduct an annual cyber risk assessment to identify cyber risk management gaps and areas for improvement.
Evidence of Implementation Example: Organization annually completes the Nationwide Cybersecurity Review (NCSR).

Program Sub-Objective 2.3: Vulnerability scans are performed, and a risk-based vulnerability management plan is developed and implemented.
Outcome(s):
2.3.1 Participate in CISA’s Vulnerability Scanning service, part of the Cyber Hygiene program.
2.3.2 Effectively manage vulnerabilities by prioritizing mitigation of high impact vulnerabilities and those most likely to be exploited.
Evidence of Implementation Example:
Organization is an active participant in CISA’s Cyber Hygiene program.
Organization has a plan to manage vulnerabilities based on those with the highest criticality, internet-facing vulnerabilities, as well as known exploited vulnerabilities identified in CISA’s Known Exploited Vulnerabilities Catalog.

Program Sub-Objective 2.4: Capabilities are in place to monitor assets to identify cybersecurity events.
Outcome(s):
2.4.1 SLT agencies are able to analyze network traffic and activity transiting or traveling to or from information systems, applications, and user accounts to understand baseline activity and identify potential threats.
Evidence of Implementation Example: Not Applicable

Program Sub-Objective 2.5: Processes are in place to action insights derived from deployed capabilities.
Outcome(s):
2.5.1 SLT agencies are able to respond to identified events and incidents, document root cause, and share information with partners.
Evidence of Implementation Example: Not Applicable

Program Objective 3: Implement security protections commensurate with risk
Program Objective: 3. Implement security protections commensurate with risk (Outcomes of goals 1 & 2)

Program Sub-Objective 3.1: SLT agencies adopt fundamental cybersecurity best practices.
Outcome(s):
3.1.1 Implement multi-factor authentication (MFA), prioritizing privileged users, Internet-facing systems, and cloud accounts.
Evidence of Implementation Example: The organization implements MFA for all remote access and privileged accounts.

Program Sub-Objective 3.2: Reduce gaps identified through assessment and planning process and apply increasingly sophisticated security protections commensurate with risk.
Outcome(s):
3.2.1 Individual participants address items identified through assessments and planning process.
3.2.2 SLT entities improve cybersecurity ecosystem by collaborating to address items identified through assessments and planning process (e.g., regional and intra-state efforts).
Evidence of Implementation Example: Not Applicable

Program Objective 4: Ensure organization personnel are appropriately trained in cybersecurity
Program Objective: 4. Ensure organization personnel are appropriately trained in cybersecurity, commensurate with responsibility.

Program Sub-Objective 4.1: Train personnel to have the fundamental knowledge and skills necessary to recognize cybersecurity risks and understand their roles and responsibilities within established cybersecurity policies, procedures, and practices.
Outcome(s):
4.1.1 Organization requires regular ongoing phishing training, awareness campaigns are conducted, and organization provides role-based cybersecurity awareness training to all employees.
4.1.2 Organization has dedicated resources and funding available for its cybersecurity professionals to attend technical trainings and conferences.
Evidence of Implementation Example: Not Applicable

Program Sub-Objective 4.2: Organization has adopted the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework.
Outcome(s):
4.2.1 Organization has established cyber workforce development and training plans, based on the NICE Cybersecurity Workforce Framework.
Evidence of Implementation Example: Not Applicable