Guide To the State and Local Cybersecurity Grant Program

In 2022, the U.S. Department of Homeland Security (DHS) announced a new initiative: a cybersecurity grant program targeted specifically at state, local, and territorial governments within the United States.

Congress passed the Infrastructure Investment and Jobs Act (IIJA) of 2021, which included the State and Local Cybersecurity Improvement Act.

The State and Local Cybersecurity Grant Program (SLCGP) is jointly offered through and managed by two agencies: the Federal Emergency Management Program (FEMA) and the Cybersecurity and Infrastructure Security Agency (CISA).

CISA spearheads the nation's initiatives to learn about, manage, and address any risks that threaten the cyber and physical infrastructures upon which all of us rely daily.

CISA's mission covers cybersecurity, infrastructure security, and emergency communications. CISA will provide the subject-matter expertise and make decisions about eligible activities, while FEMA will carry out eligibility reviews and administer the grant awards.

Who Is Eligible for the State and Local Cybersecurity Grant Program?

The State and Local Cybersecurity Grant Program (SLCGP) provides funding to entities (that is, state, local, and territorial governments) to enhance their abilities to address cybersecurity risks and threats to their information systems.

Only the 56 State Administrative Agencies (SAAs) for states and territories are eligible applicants for SLCGP funding.

However, two or more eligible entities may join together to apply for assistance for a joint project as a multi-entity group (although each SAA must submit a separate application).

If local governments wish to participate, they may do so as subrecipients to their states, so they should contact their SAAs.

The SLCGP's project funding will enable stakeholders to better understand their particular local cyber threats and to develop partnerships aimed at reducing those risks.

A separate initiative, the Tribal Cybersecurity Grant Program (TCGP), is available to eligible tribal entities throughout the nation.

How Much Funding Is Available Through the State and Local Cybersecurity Grant Program?

The total combined funding available to support projects through both the SLCGP and TCGP will be $1 billion spread over four years.

For FY 2023, Congress appropriated approximately $375 million for the State and Local Cybersecurity Grant Program to improve the security of critical infrastructure in particular communities, with another $300 million allocated for FY 2024.

Allocations for states and territories are based on both state and rural population totals. 80% of a state's or territory's total allocations must support local entities; however, 25% of the state's or territory's allocations must support rural entities.

The SLCGP limits the use of its funding for management and administrative purposes to a cap of 5%.

What Are the SLCGP's Goals and Objectives?

The State and Local Cybersecurity Grant Program aims to help grant recipients achieve the following goals and objectives in a sequential process over a multi-year period:

1. implementing cyber governance and planning

2. assessing and evaluating systems and capabilities

3. mitigating prioritized issues

4. building a cybersecurity workforce

The Central Piece of the SLCGP Application is the Cybersecurity Plan

Each applicant entity's Cybersecurity Plan should focus on reducing specific cybersecurity risks throughout its territory by establishing 'high-level goals and finite objectives.'

The ideal plan will serve as the overarching framework for the entity to achieve the SLCGP goals. Each entity should propose projects to achieve specific outcomes. These may include regional approaches within the entity.

The committee developing the Cybersecurity Plan should:

• consider governance and planning documents already in place to identify any planning gaps that the Cybersecurity Plan would need to address
• review existing government assessments and evaluations conducted within the entity to determine any planning gaps
• identify potential projects for the SLCGP to fund that would address planning gaps and prioritize efforts for mitigation

The Importance of Cybersecurity Planning Committees

Composition of the Cybersecurity Planning Committee

To be eligible for SLCGP funding, each applicant entity must have developed a Cybersecurity Planning Committee composed of representatives from each of the following:

• the eligible state or territory
• the Chief Information Officer (CIO), Chief Information Security Officer (CISO), or equivalent official of the eligible entity
• representatives from counties, cities, and towns within the entity's jurisdiction
• representatives from public education institutions within the entity's jurisdiction
• representatives from public health institutions within the entity's jurisdiction
• representatives of rural, suburban, and high-population jurisdictions as appropriate

At least 50% of the members of the Cybersecurity Planning Committee must have professional cybersecurity or information technology experience.

Other members may include state and county judicial figures, members of the state legislature, elected officials, public safety officials (including homeland security, emergency management, law enforcement, emergency communications, etc.), and others.

Role of the Cybersecurity Planning Committee

The responsibilities of each Cybersecurity Planning Committee are to assist with developing, approving, implementing, and revising the entity's Cybersecurity Plan.

Each committee will also assist in determining funding priorities and will serve as the entity's liaison with other entities (and their Committees) to coordinate efforts.

The Cybersecurity Planning Committee works to ensure that government representatives from its district provide written consent for services, capabilities, or activities that the state or territory will need to provide through the State and Local Cybersecurity Grant Program.

Resources Are Available Online for the Grant Application Process

For more information, prospective applicants may visit the following resource pages:

• cisa.gov/state-and-local-cybersecurity-grant-program
• cisa.gov/about/regions

Applicants may also email CISA at SLCGPinfo@cisa.dhs.gov or FEMA (regarding funding and budgetary technical assistance) at FEMA-SLCGP@fema.dhs.gov.