State and local cybersecurity grant program: what you need to know
$185 million in formula-based funding is available to boost local government resilience to cyberattacks
The $1.2 trillion Infrastructure Investment and Jobs Act (IIJA), also known as the Bipartisan Infrastructure Law, gives state and local governments resources for much-needed roads, bridges, water, rural broadband, climate focused-projects and other improvements. The bill also aims to create 1.5 million jobs per year.
Through funding from the IIJA, the State and Local Cybersecurity Grant Program (SLCGP) enables the Department of Homeland Security to make targeted cybersecurity investments within state, local and territory (SLT) government agencies. This first-of-its-kind grant program will improve the security of critical infrastructure and the resilience of the services SLT governments provide their community.
Over the next four years, the federal government will be disbursing $1 billion in cybersecurity funds through two grant programs—the State and Local Cybersecurity Grant Program and the Tribal Cybersecurity Grant Program.
The Fiscal Year 2022 SLCGP grant program has made $185 million available in formula-based funding to state and territory State Administrative Agencies (SAAs), with applications due November 15, 2022.
State agencies are the only eligible applicants for the State and Local Cybersecurity Grant Program, but local governments will benefit as sub-recipients. All 56 states and territories, including the District of Columbia, the Commonwealth of Puerto Rico, the U.S. Virgin Islands, Guam, American Samoa, and the Commonwealth of the Northern Mariana Islands, are eligible to apply for SLCGP funds. The designated SAA is the only entity eligible to submit SLCGP applications directly to DHS/FEMA.
SAAs must ensure at least 80% of the awarded state allocation is passed on to local entities, while 25% of the total state allocation must be passed on to rural entities; these amounts may overlap. Recipients are required to meet a 10% cash or in-kind cost share (non-federal match).
Federally recognized tribes will also have a dedicated grant program: $6 million in funding will be directly available to tribal entities under the upcoming Tribal Cybersecurity Grant Program. DHS expects to publish the Notice of Funding Opportunity later this fall. Although tribes are not eligible to apply directly for SLCGP funding, they may be eligible sub-recipients, and can receive SLCGP pass-through funding as a tribal government entity.
Priorities for This Program
The Homeland Security Act of 2002, as amended by the Bipartisan Infrastructure Law, requires grant recipients to develop a Cybersecurity Plan, establish a Cybersecurity Planning Committee to support the development and approval of the plan, and identify priority implementation projects utilizing State and Local Cybersecurity Grant Program funding.
To support these efforts, recipients are highly encouraged to prioritize the following activities using FY2022 SLCGP funds, all of which are statutorily required as a condition of receiving a grant:
- Establish a Cybersecurity Planning Committee
- Develop a statewide Cybersecurity Plan, unless the recipient already has a statewide Cybersecurity Plan and uses the funds to implement or revise an existing statewide Cybersecurity Plan
- Conduct assessments and evaluations as the basis for individual projects throughout the life of the program
- Adopt key cybersecurity best practices
Goals for This Program
The goal of SLCGP is to assist state, local and territory governments with managing and reducing systemic cyber risk to critical infrastructure. For FY2022, applicants are required to address in their applications how the following program objectives will be met:
- Objective 1: Develop and establish appropriate governance structures, including developing, implementing or revising cybersecurity plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations.
- Objective 2: Understand your organization’s current cybersecurity posture and areas for improvement based on continuous testing, evaluation and structured assessments.
- Objective 3: Implement security protections commensurate with risk.
- Objective 4: Ensure organization personnel are appropriately trained in cybersecurity, commensurate with responsibility.
Specific investments made in support of the funding priorities discussed in the Notice of Funding Opportunity generally fall into one of the following six allowable expense categories:
- Management & Administration (M&A)
How Can Your Community Participate?
State applicants must establish a Cybersecurity Plan to guide statewide efforts and implement a Cybersecurity Planning Committee that includes representatives with professional experience that reflects the entity’s unique cybersecurity risk profile. The Planning Committee must include stakeholder groups like the SAA, Chief Information Officer, Chief Information Security Officer or equivalent, and representatives from local government, public education, public health, and rural, suburban and urban areas.
Once your state receives funding, local and tribal communities can participate as a sub-award recipient. Keep in mind that 80% of total state allocations must support local governments and 25% of the total state allocations must support rural communities.
Build Protection and Resilience
Cybersecurity is critical to state and local organizations because risks and threats to information systems can have real-world consequences to the public and national security. Cyberattacks can render an organization inoperable until resolved, especially when they directly impact systems and government or social services that communities depend on.
The State and Local Cybersecurity Grant Program allocates funding to state and local organizations to build and strengthen their Cybersecurity Plans and aligned cybersecurity activities, making them more resilient to, and better protected against, cyber threats.