Tribal Cybersecurity Grant Program
Overview
In September 2023, the Department of Homeland Security (DHS) announced the Tribal Cybersecurity Grant Program (TCGP), which will provide approximately $18.2 million to address cybersecurity risks and cybersecurity threats to information systems owned or operated by tribal governments in Fiscal Year 2023.
The Tribal Cybersecurity Grant Program (TCGP) will help tribal governments address cybersecurity risks and threats to their information systems by enabling DHS to provide targeted cybersecurity resources that improve the security of critical infrastructure and resilience of the services that tribal governments provide to their members. The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Emergency Management Agency (FEMA) are jointly managing the TCGP. CISA will provide cybersecurity programmatic subject-matter expertise by defining goals and objectives, reviewing and approving cybersecurity plans establishing measures of effectiveness, and organizing Objective Review Panels to review and score applications. FEMA will provide administrative guidance through conducting eligibility reviews and issue and administering the grant awards consistent with all applicable laws, regulations, and policies.
DHS respects the sovereignty and self-determination of tribal governments and recognizes the intent of Congress to provide flexibility to tribal governments to meet cybersecurity needs across Indian Country through the TCGP. The framework of the program was made as a result of nation-to-nation consultation with tribal representatives across the country and is intended to support tribal cybersecurity resiliency.
Objectives
CISA developed four overarching objectives for the TCGP based on the consideration of national priorities, frameworks, and the national cyber threat environment:
Establish cyber governance and planning;
Assess and evaluate systems and capabilities;
Implement security protections commensurate with risk; and
Build and train a cybersecurity workforce.
Tribal governments must address how they will meet Program Objective 1 in their FY 2023 application. Objectives 2, 3, and 4 are eligible, but are not required to be addressed in FY 2023 applications. Applicants should refer to Appendix A: Program Goals and Objectives in the FY 2023 TCGP Notice of Funding Opportunity (NOFO) for more information on program outcomes required in their application.
Funding
The funding apportioned for tribal governments by the Bipartisan Infrastructure Law (BIL) was $6 million in FY 2022 and over $12.2 million for FY 2023. FEMA and CISA combined FY 2022 and FY 2023 into a single funding notice for a total of approximately $18.2 million.
The TCGP is a discretionary grant program that divides the 574 federally recognized tribes with membership of greater than one individual into four categories based on overall population. The $18.2 million is divided across the four categories. The funding categories allow for applications to be evaluated from among applications from similarly populated tribes, a programmatic change directly as a result of the nation-to-nation consultation. The following table outlines the four population levels, number of tribes, and the corresponding combined funding levels for FY 2022 and FY 2023:
Table 1: Funding Categories
Tribal Population | Number of Tribes * | Maximum Allocation of Funding Per Category |
100,000 or more | 8 | $8,109,709 million |
10,000-99,999 | 33 | $5,068,568, million |
1,000-9,999 | 124 | $3,041,141 million |
1-999 | 392 | $2,027,472 million |
* The number of tribes with a population greater than 1 total 557. The remaining 17 tribes have a represented population of less than 1 per the US Census.gov data collected in 2020.
Eligibility
All 574 federally recognized Tribal Governments are eligible to apply. Tribes that apply must submit a Cybersecurity Plan, Cybersecurity Planning Committee List, and Charter. These requirements must be fulfilled by January 10, 2024 before they can receive award funding.
Funding Guidelines
Cybersecurity Planning Committee and Cybersecurity Plan Requirements
Each tribal government is required to establish a Cybersecurity Planning Committee that coordinates, implements, and approves a Cybersecurity Plan. An existing Tribal Council/Governing Body that includes 1) a grants administration office representative, and 2) a designated Chief Information Officer (CIO), Chief Information Security Officer (CISO), or equivalent official to the CIO or CISO with expertise in Information Technology (IT) may be used to meet the Committee requirement.
These plans are meant to guide implementation of cybersecurity capabilities within the tribal government. The Cybersecurity Planning Committee is responsible for approving the Cybersecurity Plan and prioritizing individual projects. Applicants can download the TCGP Cybersecurity Plan Template from www.grants.gov. The template is an optional tool for applicants to use to revise and submit their cybersecurity plans to ensure they meet all the required statutory elements. CISA is available to provide technical assistance to tribal governments on Cybersecurity Plan implementation.
CISA considers Cybersecurity Plans to be living, strategic documents. Following the submission of their plan as part of the grant application, tribal governments may work with CISA after funds are approved to update their plan.
Programmatic Criteria
Each tribal government’s application will be evaluated through a three-part review and selection process.
A FEMA HQ Preparedness Officer will review applications to ensure that the applicant meets all eligibility requirements and check submitted applications for completeness.
CISA will organize an objective review panel and establish programmatic scoring and the selection process. Subject Matter Experts (SMEs) with cybersecurity and tribal engagement experience will serve as review panelists. Reviewers will evaluate applications, score IJs, and make recommendations for funding within each discretionary tier.
- FEMA HQ Grants Management Specialists will conduct a financial review of the top scoring investments.
More information about the review process can be found in Section E.2 of the TCGP FY 2023 NOFO.
Cybersecurity Best Practices, Assessments, and Evaluations
Each applicant must address key Cybersecurity Best Practices in their Cybersecurity Plan and within individual projects. In addition, the Cybersecurity Best Practices should consult the Cybersecurity Performance Goals (CPGs) to ensure a strong cybersecurity posture.
All TCGP recipients are required to participate in a limited number of free services provided by CISA. Participation in these services is not required for submission and approval of the grant but are post-award requirements.
The post-award required services are:
- Cyber Hygiene Vulnerability Scanning – Evaluates external network presence by executing continuous scans of public, static internet protocol (IPs) for accessible services and vulnerabilities.
- Nationwide Cybersecurity Review (NCSR) – A free, anonymous, annual self-assessment designed to measure gaps and capabilities of a recipient’s cybersecurity programs.
Application Process
Applying for an award under the TCGP is a multi-step process. Applicants are encouraged to register early as the process can take four weeks or more to complete. Registration should be done in sufficient time to ensure it does not impact a tribes' ability to meet required submission deadlines. Section D in the FY 2023 TCGP NOFO contains more detailed information and instructions.
Eligible tribes must submit their initial application through the portal at www.grants.gov. Applicants needing grants.gov support should contact the customer support hotline at (800) 518-4726. This support service is available 24 hours per day, 7 days per week excluding federal holidays.
Eligible tribes will be notified by FEMA and asked to proceed with submitting their complete application package in the Non-Disaster (ND) Grants System. Applicants needing technical support with the ND Grants System should contact ndgrants@fema.dhs.gov or (800) 865-4076, Monday-Friday from 9 a.m. to 6 p.m. Eastern Time (ET).
Completed applications must be submitted no later than 5 p.m. ET by the deadline included in the funding notice.
TCGP Resources
There are a variety of resources available to address programmatic, technical, and financial questions, which can assist with TCGP applications:
- The TCGP funding notice was released on September 27, 2023, and is available online at www.fema.gov/grants and www.grants.gov.
- For additional support and guidance on Cybersecurity Plans, tribal governments should reach out to their CISA Regional Staff. For contact information for your region, please visit cisa.gov/about/regions.
- For additional technical assistance, applicants may contact CISA via e-mail at TCGPinfo@cisa.dhs.gov.
- FY 2023 Notice of Funding Opportunity.
- Fact Sheet and Frequently Asked Questions
Contact Information
For more information about the Tribal Cybersecurity Grant Program (TCGP), please email TCGPinfo@cisa.dhs.gov.