Funding from President Biden’s Bipartisan Infrastructure Law will be available over four years to help States and Territories become more resilient to cyber threats. The Department of Homeland Security (DHS) announced a first-of-its-kind cybersecurity grant program specifically for state, local, and territorial (SLT) governments across the country.
This State and Local Cybersecurity Grant Program, made possible thanks to President Biden’s Bipartisan Infrastructure Law, provides $1 billion in funding to SLT partners over four years, with $185 million available for FY22, to support SLT efforts to address cyber risk to their information systems. With this funding, SLT governments will be better equipped to address cybersecurity risks, strengthen the cybersecurity of their critical infrastructure, and ensure resilience against persistent cyber threats for the services SLT governments provide their communities.
With the release today of a Notice of Funding Opportunity (NOFO), DHS has opened the application process for the grant program. Applicants have 60 days to apply for a grant, which can be used to fund new or existing cybersecurity programs.
State, local, and territorial government cybersecurity grant program
Read video transcript at the end of this page.
This program is the latest example of a unified approach across DHS, in which a FEMA-administered program leverages CISA’s capabilities to accomplish the Department’s goal of increasing state and local cyber defenses. By leveraging FEMA’s grant administration expertise, along with CISA’s expertise in cybersecurity, DHS is taking steps to help more SLT stakeholders across the country understand the severity of cyber threats and cultivate partnerships to reduce risks across the state, local, and territorial enterprise.
“Cyberattacks have emerged as one of the most significant threats to our homeland,” said Secretary of Homeland Security Alejandro N. Mayorkas. “In response, we continue to strengthen our nation’s cybersecurity, including by resourcing state and local communities to build and enhance their cyber defenses. The cybersecurity grant process we are starting today is a vital step forward in this critical effort. Our approach is one of partnership, in the service of an all-of-society investment in the security of our homeland.”
“As we build a better America, we’re ensuring that our infrastructure is more modern and digitally connected. But along the way, we must also take proactive steps to increase our resilience to the increasing threat of cyberattacks,” said White House Infrastructure Coordinator Mitch Landrieu. “Thanks to the President’s Bipartisan Infrastructure Law, we’re making a once-in-a-generation investment of $1 billion in infrastructure cybersecurity, giving our state and local governments the resources they need to guard against debilitating cyber threats. Today’s announcement marks an important step in our commitment to strengthen resilience, protect and improve our nation’s infrastructure, and safeguard our economy.”
“As the nation’s cyber defense agency, CISA works hand-in-hand with our partners in state, local, and territorial governments who face unique cybersecurity challenges but often lack the resources to address them. The State and Local Cybersecurity Grant Program will play a critical role in helping these organizations build their capability and capacity,” said CISA Director Jen Easterly. “We encourage all eligible entities to apply for grant funds to protect our critical infrastructure and communities from malicious cyber activity and to grow their partnership with CISA. CISA is here to provide the expertise, tools, and technical assistance to be a reliable partner to state, local, and territorial governments in combating the growing cyber threats they face each day.”
“FEMA’s mission to help people before, during, and after disasters is not limited to climate-related events. Responding to man-made threats to our nation’s critical infrastructure, like cybersecurity, is a role we take seriously and stand ready to support,” said FEMA Administrator Deanne Criswell. “We value our partnership with CISA and look forward to administering this novel cybersecurity grant program that will help protect crucial resources nationwide and ensure that state, local, and territorial governments have more tools to become more resilient to all hazards.”
“Today’s announcement is another example of President Biden’s commitment to secure the essential services Americans rely on. The Biden-Harris Administration is committed to trying creative, new approaches, like this grant program to state and local governments, to strengthen our cyber defenses to protect the Americans we serve,” said Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology.
“Securing the Nation’s cyber ecosystem requires a whole-of-society approach, and that includes the crucial work that state, local, and territorial governments do in partnership with the Federal government every day. This program, made possible by the Bipartisan Infrastructure Law, demonstrates the Biden-Harris Administration’s commitment to ensuring that all Americans can thrive in cyberspace,” said National Cyber Director Chris Inglis.
The cyber grant program is an innovative program established by the State and Local Cybersecurity Improvement Act, part of the Bipartisan Infrastructure Law, to help address the unique challenges state and territorial governments face when defending against cyber threats. This new grant program will help state and local partners reduce cyber risk and build resilience to the dynamic and evolving cybersecurity threat environment.
Specifically, the cyber grant program will fund efforts to establish critical governance frameworks across states and territories to address cyber threats and vulnerabilities, identify key vulnerabilities and evaluate needed capabilities, implement measures to mitigate the threats, and develop a 21st-century cyber workforce across local communities. CISA will support these efforts with a suite of available resources, including state cybersecurity coordinators and cybersecurity advisors.
The grants will significantly improve national resilience to cyber threats by giving state, local, and territorial governments much-needed resources to address network security and take steps to protect against cybersecurity risks to help them strengthen their communities. There will be two funding opportunities for this program. The funding opportunity being announced today is for state, local, and territorial governments. As part of this NOFO, local governments are eligible sub-recipients through their respective states and territories. A separate tribal grant program will be released later in the fall.
FY22 STATE AND LOCAL CYBERSECURITY GRANT PROGRAM FACT SHEET
In fiscal year (FY) 2022, through the Infrastructure Investment and Jobs Act, the Department of Homeland Security is providing $185 million to address cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, state, local and territorial governments.
The goal of the State and Local Cybersecurity Grant Program (SLCGP) is to help states, local governments, rural areas, and territories address cybersecurity risks and cybersecurity threats to information systems. The program enables DHS to make targeted cybersecurity investments in state, local and territorial government agencies, thus improving the security of critical infrastructure and resilience of the services that state, local, and territorial governments provide to their communities. Federally recognized Tribes also have a dedicated grant program; details on the Tribal Cybersecurity Grant Program are forthcoming.
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Emergency Management Agency (FEMA) are jointly managing the SLCGP. CISA will provide subject-matter expertise and determine allowable activities, while FEMA will conduct eligibility reviews, and issue/administer the grant awards consistent with all applicable laws, regulations, and policies.
Goals and Objectives
CISA developed a series of overarching goals and objectives for the SLCGP based on input from state, local, and territorial stakeholders, and consideration of national priorities, frameworks, and the national cyber threat environment:
Implement cyber governance and planning;
Assess and evaluate systems and capabilities;
Mitigate prioritized issues; and
Build a cybersecurity workforce.
In FY 2022, $183.5 million is available under the SLCGP, with varying funding amounts allocated over four years from the Infrastructure Investment and Jobs Act. This year, each state and territory will receive a funding allocation as determined by the statutory formula:
Allocations for states and territories include a base funding level as defined for each entity: 1% for each state, the District of Columbia, and Puerto Rico; and 0.25% for American Samoa, the Commonwealth of the Northern Mariana Islands, Guam, and the U.S. Virgin Islands.
State allocations include additional funds based on a combination of state population and rural population totals.
80% of total state allocations must support local entities, while 25% of the total state allocations must support rural entities; these amounts may overlap.
All 56 states and territories, including any state of the United States, the District of Columbia Puerto Rico, American Samoa, and the Commonwealth of the Northern Mariana Islands, Guam, and the U.S. Virgin Islands, are eligible to apply for SLCGP funds. The designated State Administrative Agency (SAA) for each state and territory is the only entity eligible to apply for SLCGP funding.
An SAA may partner with one or more other SAAs to form a multi-entity group. Members of these groups work together to address cybersecurity risks and cybersecurity threats to information systems within their jurisdictions. There is no limit to the number of participating entities in a multi-entity group. Local entities can be included in the project, but their respective eligible entity (i.e., the SAA) must also participate at some level. There is no separate funding for multi-entity awards. Instead, they should be considered as group projects within their existing state or territory allocations. These projects should be included as individual Investment Justifications from each participating eligible entity, each approved by the respective Cybersecurity Planning Committee and be aligned with each respective eligible entity’s Cybersecurity Plan.
Cybersecurity Committee and Plan Requirements
Each state and territory must establish a Cybersecurity Planning Committee that coordinates, develops, and approves a Cybersecurity Plan. These plans are meant to guide development of cybersecurity capabilities across the state or territory. The Cybersecurity Planning Committee is responsible for approving the Cybersecurity Plan and prioritizing individual projects. Eligible entities submit Cybersecurity Plans for review and approval as part of their grant application. Initial Cybersecurity Plans will be approved for two years. Subsequent Cybersecurity Plans, building on the investments from the previous year(s), must be submitted for approval annually.
Awards made to the entity or multi-entity group for SLCGP carry additional pass-through requirements. The SAA must pass-through at least 80% of the funds awarded under the SLCGP to local units of government, including at least 25% of funds to rural entities, within 45 calendar days of receipt of the funds. “Receipt of the funds” occurs either when the SAA accepts the award or 15 calendar days after the SAA receives notice of the award, whichever is earlier.
Pass-through is defined as an obligation on the part of the entity or multi-entity group to make funds available to local units of government, combinations of local units, tribal governments, or other specific groups or organizations. Four requirements must be met to pass-through grant funds:
The SAA must make a firm written commitment to passing through grant funds to subrecipients.
The SAA’s commitment must be unconditional (i.e., no contingencies for the availability of SAA funds).
There must be documentary evidence (e.g., award document, terms, and conditions) of the commitment.
The award terms must be communicated to the subrecipient.
Eligible entities applying as a single entity must meet a 10% non-federal cost-share requirement for the FY 2022 SLCGP. The recipient contribution can be cash (hard match) or third-party in-kind (soft match). Eligible applicants shall agree to make available non-federal funds to carry out an SLCGP award in an amount not less than 10% of the total project cost. In other words, the federal share applied toward the SLCGP budget at the project/activity level shall not exceed 90% of the total budget as submitted in the application and approved in the award. If the total project ends up costing more, the recipient is responsible for any additional costs. If the total project ends up costing less, the recipient may owe FEMA an amount required to ensure that the federal cost share is not in excess of 90%.
Unless otherwise authorized by law, federal funds cannot be matched with other federal funds. The recipient’s contribution should be specifically identified. These non-federal contributions have the same eligibility requirements as the federal share.
The Secretary of Homeland Security may waive or modify the non-federal share for an individual entity if the entity demonstrates economic hardship. More information on what constitutes economic hardship, and how to request a cost-share waiver will be forthcoming.
For a multi-entity group project, a cost share or cost match is not required for the FY 2022 SLCGP.
Applying for an award under the SLCGP is a multi-step process. Applicants are encouraged to register early as the registration process can take four weeks or more to complete. Registration should be done in sufficient time to ensure it does not impact a state or territory’s ability to meet required submission deadlines. Section D in the FY 2022 SLCGP Notice of Funding Opportunity contains more detailed information and instructions.
Eligible applicants must submit their initial application through the grants.gov portal at www.grants.gov. Applicants needing grants.gov support should contact the grants.gov customer support hotline at (800) 518-4726, 24 hours per day, 7 days per week except federal holidays.
Eligible applicants will be notified by FEMA and asked to proceed with submitting their complete application package in the Non-Disaster (ND) Grants System. Applicants needing technical support with the ND Grants System should contact NDgrants@fema.dhs.gov or (800) 865-4076, Monday-Friday from 9 a.m. to 6 p.m. Eastern Time (ET).
Completed applications must be submitted no later than 5 p.m. ET by the deadline included in the funding notice.
There are a variety of resources available to address programmatic, technical and financial questions, which can assist with SLCGP applications:
The SLCGP funding notice will be released on September 16, 2022 and available online at www.fema.gov/grants as well as www.grants.gov.
For SLCGP program-specific questions, please email SLCGPinfo@cisa.dhs.gov.
For additional program-specific information, please contact the Centralized Scheduling and Information Desk (CSID) help line at (800) 368-6498 or AskCSID@fema.dhs.gov. CSID hours of operation are from 9 a.m. to 5 p.m. ET, Monday through Friday.
For support regarding financial grants management and budgetary technical assistance, applicants may contact the FEMA Award Administration Help Desk via e-mail at ASK-GMD@fema.dhs.gov.
Video intro Transcript:
Jen Easterly, director of CISA.
“I’m super excited to announce a first of its kind cybersecurity grant program for state and local governments across our country. The cyber threat is real. It’s dynamic and it’s evolving. And because of this, the administration has made cybersecurity a top national security priority. And we know many communities are hard pressed to address cybersecurity due to resource challenges.
In fact, some of you may already have had firsthand experience with threats like ransomware, and that’s just one type of cyber threat. Our state and local partners are not alone in the cybersecurity mission. To support our communities across the nation, we’ve launched the State and Local Cybersecurity Grant Program.
It’s a huge step toward building national resilience from the ground up. And the administration has tasked the Department of Homeland Security to develop and administer this grant program to get communities the resources they need to reduce risks to cyber threats and raise the security baseline to keep all Americans safe.
This program is an example of the strong collaboration taking place across DHS to deliver for our state and local partners with CISA lending its immense subject matter expertise to the grant development and implementation process, while FEMA brings its long experience in administering the grants.
Bottom line, these grants will be a game changer for our communities. Supporting our state and local government partners is critical to our national security, and these grants will provide state, local, and territorial governments much needed resources to take action to protect against cybersecurity risks and strengthen our communities.
Funding from these grants will help communities better understand their cyber risk profile and develop a plan to reduce those risks and build resilience. Specifically, the grants will provide funds to assist in addressing identified vulnerabilities. So find out who is eligible and get all of the details at CISA.gov. Applications should include a completed cybersecurity plan and a capabilities assessment. Thank you for doing your part to make sure our nation’s cybersecurity defense is the new offense.”