The Department of Homeland Security (DHS) Notice of Funding Opportunity (NOFO) Fiscal Year 2023 Tribal Cybersecurity Grant Program (TCGP)

Release Date:
June 1, 2024


All entities wishing to do business with the federal government must have a unique entity identifier (UEI). The UEI number is issued by the system. Instructions for requesting a UEI using SAM.gov can be found at: https://sam.gov/content/entity-registration.

Grants.gov registration information can be found at: https://www.grants.gov/web/grants/register.html.

Planned UEI Updates in Grant Application Forms

On April 4, 2022, the Data Universal Numbering System (DUNS) Number was replaced by a new, non-proprietary identifier requested in, and assigned by, the System for Award Management (SAM.gov). This new identifier is the Unique Entity Identifier (UEI).
Additional information can be found on Grants.gov:
https://www.grants.gov/web/grants/forms/planned-uei-updates.html
 

Table of Contents

The Department of Homeland Security (DHS)

Planned UEI Updates in Grant Application Forms

A. Program Description.

  1. Issued By
  2. Assistance Listings Number
  3. Assistance Listings Title
  4. Funding Opportunity Title
  5. Funding Opportunity Number
  6. Authorizing Authority for Program
  7. Appropriation Authority for Program
  8. Announcement Type
  9. Program Category
  10. Program Overview, Objectives, and Priorities
    1. Overview
    2. Objectives
    3. Priorities
  11. Performance Measures

B. Federal Award Information.

  1. Available Funding for the NOFO: $18,246,845
  2. Period of Performance: 48 months.
  3. Projected Period of Performance Start Date(s): Mar. 1, 2024
  4. Projected Period of Performance End Date(s): Feb. 29, 2028
  5. Funding Instrument Type: Grant

C. Eligibility Information.

  1. Eligible Applicants
  2. Applicant Eligibility Criteria
  3. Other Eligibility Criteria/Restrictions
  4. Cost Share or Match

D. Application and Submission Information.

  1. Key Dates and Times
    1. Application Start Date: Sept. 27, 2023, at 1:00 p.m. ET
    2. Application Submission Deadline: Jan. 10, 2024, at 5:00 p.m. ET
    3. Other Key Dates
  2. Agreeing to Terms and Conditions of the Award
  3. Address to Request Application Package
  4. Requirements: Obtain a Unique Entity Identifier (UEI) and Register in the System for Award Management (SAM)
  5. Steps Required to Obtain a Unique Entity Identifier, Register in the System for Award Management (SAM), and Submit an Application
  6. Electronic Delivery
  7. How to Register to Apply through Grants.gov
    1. General Instructions
    2. Obtain an UEI Number
    3. Obtain Employer Identification Number
    4. Create a login.gov account
    5. Register with SAM
    6. Create a Grants.gov Account
    7. Add a Profile to a Grants.gov Account
    8. EBiz POC Authorized Profile Roles
    9. Track Role Status
    10. Electronic Signature
  8. How to Submit an Initial Application to FEMA via Grants.gov
    1. Create a Workspace
    2. Complete a Workspace
    3. Adobe Reader
    4. Mandatory Fields in Forms
    5. Complete SF-424 Fields First
    6. Submit a Workspace
    7. Track a Workspace
    8. Additional Training and Applicant Support
  9. Submitting the Final Application in ND Grants
  10. Timely Receipt Requirements and Proof of Timely Submission
  11. Content and Form of Application Submission
    1. Standard Required Application Forms and Information
    2. Program-Specific Required Forms and Information
  12. Intergovernmental Review
  13. Funding Restrictions and Allowable Costs
    1. Prohibitions on Expending FEMA Award Funds for Covered Telecommunications Equipment or Services
    2. Pre-Award Costs
    3. Management and Administration (M&A) Costs
    4. Indirect Facilities & Administrative (F&A) Costs
    5. Other Direct Costs

E. Application Review Information

  1. Application Evaluation Criteria
    1. Discretionary-Based Allocation Method
    2. Programmatic Criteria
    3. Financial Integrity Criteria
    4. Supplemental Financial Integrity Criteria and Review
  2. Review and Selection Process

F. Federal Award Administration Information

  1. Notice of Award
  2. Administrative and National Policy Requirements
    1. DHS Standard Terms and Conditions
    2. Ensuring the Protection of Civil Rights
    3. Environmental Planning and Historic Preservation (EHP) Compliance
    4. SAFECOM Guidance Compliance
    5. Requirement for using CISA Services
  3. Reporting
    1. Financial Reporting Requirements
    2. Programmatic Performance Reporting Requirements
    3. Closeout Reporting Requirements
    4. Additional Reporting Requirements
  4. Program Evaluation
  5. Monitoring and Oversight
    1. Financial and Program Monitoring Overview and Approach

G. DHS Awarding Agency Contact Information

  1. Contact and Resource Information
    1. FEMA TCGP Preparedness Officers
    2. CISA Grant Program Office
    3. Grant Programs Directorate (GPD) Award Administration Division (AAD)
    4. FEMA Grants News
    5. Equal Rights
    6. Environmental Planning and Historic Preservation
  2. Systems Information
    1. Grants.gov
    2. Non-Disaster (ND) Grants
    3. Payment and Reporting System (PARS)

H. Additional Information

  1. Termination Provisions
    1. Noncompliance
    2. With the Consent of the Recipient
    3. Notification by the Recipient
  2. Program Evaluation
  3. Period of Performance Extensions
  4. Disability Integration
  5. Conflicts of Interest in the Administration of Federal Awards or Subawards
  6. Procurement Integrity
    1. Important Changes to Procurement Standards in 2 C.F.R. Part 200
    2. Competition and Conflicts of Interest
    3. Supply Schedules and Purchasing Programs
    4. Procurement Documentation
  7. Financial Assistance Programs for Infrastructure
    1. Build America, Buy America Act
    2. Waivers
    3. Definitions
  8. Record Retention
    1. Record Retention Period
    2. Types of Records to Retain
  9. Actions to Address Noncompliance
  10. Audits
  11. Payment Information
  12. Whole Community Preparedness
  13. Continuity Capability
  14. Appendices
    1. Appendix A: Program Goals and Objectives
    2. Appendix B: Cybersecurity Planning Committee and Charter
    3. Appendix C: Cybersecurity Plan
    4. Appendix D: POETE Solution Areas for Investments
    5. Appendix E: TCGP Requirements Matrix
    6. Appendix F: Required, Encouraged, and Optional Services, Memberships, and Resources

A.  Program Description

1.  Issued By

U.S. Department of Homeland Security (DHS)/Federal Emergency Management Agency (FEMA)/Resilience/Grant Program Directorate (GPD) 

2.  Assistance Listings Number

97.137 

3.  Assistance Listings Title

Tribal Cybersecurity Grant Program 

4.  Funding Opportunity Title

Fiscal Year 2023 Tribal Cybersecurity Grant Program (TCGP) 

5.  Funding Opportunity Number

DHS-23-GPD-137-00-02

6.  Authorizing Authority for Program

Section 2220A of the Homeland Security Act of 2002, as amended (Pub. L. No. 107-296) (6 U.S.C. § 665g)

7.  Appropriation Authority for Program

Infrastructure Investment and Jobs Act (Pub. L. No. 117-58, Division J, Title V)

8.  Announcement Type

Initial

9.  Program Category

Preparedness: Infrastructure Security 

10. Program Overview, Objectives, and Priorities

a.  Overview

Tribal nations face unprecedented cybersecurity risks, including increasingly sophisticated adversaries, widespread vulnerabilities in commonly used hardware and software, and broad dependencies on networked technologies for the day-to-day operation of critical infrastructure. Cyber risk management is further complicated by the ability of malicious actors to operate remotely, linkages between cyber and physical systems, and the difficulty of reducing vulnerabilities. 

Considering the risk and potential consequences of cyber incidents, strengthening the cybersecurity practices and resilience of tribal governments is an important homeland security mission and the primary focus of TCGP. Through funding from the Infrastructure Investment and Jobs Act, referred to as the Bipartisan Infrastructure Law (BIL) throughout this document, the TCGP enables DHS to make targeted cybersecurity investments in tribal governments, thus improving the security of critical infrastructure and improving the resilience of the services tribal governments provide their communities.

The Fiscal Year (FY) 2023 TCGP aligns with the National Cybersecurity Strategy by addressing three of the five pillars: Pillar One - Defend Critical Infrastructure, Pillar Two - Disrupt and Dismantle Threat Actors, and Pillar Four - Invest in a Resilient Future. The FY 2023 TCGP also addresses the 2020-2024 DHS Strategic Plan by helping DHS achieve Goal 3: Secure Cyberspace and Critical Infrastructure, including Objective 3.3: Assess and Counter Evolving Cybersecurity Risks.

Lastly, the FY 2023 TCGP supports the 2022-2026 FEMA Strategic Plan, which outlines a bold vision with three ambitious goals and three supporting objectives for each goal, including Goal 3: Promote and Sustain a Ready FEMA and Prepared Nation and its Objective 3.2: Posture FEMA to meet current and emergent threats. The FY 2023 TCGP supports the Cybersecurity and Infrastructure Security Agency's (CISA) 2023-2025 Strategic Plan, which includes Goal 1: Cyber Defense, Goal 2: Risk Reduction and Resilience, and Goal 3: Operational Collaboration.

b.  Objectives

The goal of TCGP is to assist tribal governments with managing and reducing systemic cyber risk. This goal can be achieved by implementing or revising Cybersecurity Plans, priorities, and projects, and by addressing TCGP objectives.

Tribal applicants must address how the following program objective will be met in their applications for FY 2023:

  •  Objective 1: Develop and establish appropriate governance structures, including by implementing or revising Cybersecurity Plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations.

In addition to Objective 1, the following objectives are eligible, but not required, for FY 2023 applications:

  •  Objective 2: Understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments.
  •  Objective 3: Implement security protections commensurate with risk.
  •  Objective 4: Ensure organization personnel are appropriately trained in cybersecurity, commensurate with responsibility.

Applicants should refer to Appendix A, "Program Goals and Objectives," for more information on TCGP program goals, objectives, sub-objectives, and desired outcomes required in their FY 2023 TCGP application.

c. Priorities

I.  Cybersecurity Plans, Committees and Charter

The Homeland Security Act of 2002, as amended by the BIL, requires TCGP grant recipients to develop a Cybersecurity Plan, establish a Cybersecurity Planning Committee to support development of the Cybersecurity Plan, and identify projects to implement using TCGP funding. To support these efforts, recipients must prioritize the following activities using FY 2023 TCGP funds, all of which are statutorily required as a condition of receiving a grant:

1.  Establish a Cybersecurity Planning Committee*; and

2.  Implement or revise a Cybersecurity Plan, unless the recipient already has a Cybersecurity Plan and plans to revise it.

*Tribal Cybersecurity Planning Committee

An existing Tribal Council/Governing Body that includes the participation of a designated Chief Information Officer (CIO), Chief Information Security Officer (CISO), or equivalent official to the CIO or CISO with expertise in information technology (IT) and systems. The CIO, CISO, or equivalent official to the CIO or CISO is one who fulfills the duties of the CIO, even if their job includes other duties and responsibilities. If the tribal government would prefer to establish a separate Cybersecurity Planning Committee, the required members of that committee must include the following: the grants administration office and a designated CIO, CISO, or equivalent official to the CIO or CISO with expertise in IT and systems. Additional members are encouraged but not required.

II.  Cybersecurity Activities, Best Practices, Investments and Projects

Cybersecurity Activities

The tribal government must consult with its CIO, CISO, or equivalent official to the CIO or CISO (who fulfills the duties of the CIO or CISO, even if their job includes other duties and responsibilities), in the plans for allocating TCGP funds. To support the FY 2023 TCGP requirements, Cybersecurity Plans must include the following activities:

a. An assessment of the capabilities of the tribal government relating to the 13 required cybersecurity plan elements; and

b.  Adopting key cybersecurity best practices and consulting Cybersecurity Performance Goals (CPGs).

  i. The CPGs are a prioritized subset of information technology and operational technology cybersecurity practices aimed at meaningfully reducing risks to both critical infrastructure operations.

  ii. These goals are applicable across all critical infrastructure sectors and are informed by the most common and impactful threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners, making them a common set of protections that all critical infrastructure entities, from large to small, should implement.

  iii. The CPGs do not reflect an all-encompassing cybersecurity program; rather, they are a minimum set of practices that organizations should implement towards ensuring a strong cybersecurity posture.

  iv. The Cross-Sector Cybersecurity Performance Goals are regularly updated, with a targeted revision cycle of at least every 6 to 12 months.

Key Cybersecurity Best Practices for Individual Projects

To keep pace with today's dynamic and increasingly sophisticated cyber threat environment, tribal governments must take decisive steps to modernize their approach to cybersecurity. As tribes increase their cybersecurity maturity, CISA recommends they move toward implementing more advanced best practices, such as endpoint detection and response capabilities, as well as conducting regular penetration testing. To assist in the revision of tribal cyber planning efforts, the following Cybersecurity Best Practices are provided. As appropriate, the strategic elements listed in the table below should be included in FY 2023 individual projects:

Cybersecurity Best Practices for Individual Projects
Implement multi-factor authentication
Implement enhanced logging
Data encryption for data at rest and in transit
End use of unsupported/end of life software and hardware that are accessible from the internet
Prohibit use of known/fixed/default passwords and credentials
Ensure the ability to reconstitute systems (backups)
Actively engage in bidirectional sharing between CISA and tribal governments in cyber relevant time frames to drive down cyber risk
Migration to the .gov internet domain

Cybersecurity Investments and Projects

Given the Cybersecurity Plan is a strategic document, it should not identify specific vulnerabilities but instead capture the broad level of capability across the tribal government. The Cybersecurity Plan must also show how the implementation of the individual projects and activities over time will help achieve the goals and objectives of the plan. A summary of projects using FY 2023 TCGP funds associated with each required and discretionary element provides a helpful snapshot of tribal capabilities and capacity that will be achieved as a result of this funding. Details for each project using TCGP funds must be included in the Investment Justifications (IJs).

Each IJ must provide a baseline understanding of the existing cybersecurity gaps, risks, and threats that the applicant entity faces, which have influenced the development of the IJ. The IJ must include a summary of the current capabilities within the applicant tribal government to address these threats and risks. The IJ should also include a description of how the proposed project addresses gaps and/or sustainment in the Cybersecurity Plan and how the project aligns to the cybersecurity elements in this funding notice. Finally, the IJ should include implementation planning data to assist in project management.

The Project Worksheet (PW) will be used to identify the budget details and the budget narrative portion of the application. Eligible applicants should submit only one PW as part of the overall application and must include information for each IJ submitted as part of the application for funding. More information on the IJ Template, PW and instructions can be found in Section D.11 in this funding notice.

III.  Multi-Entity Projects

Eligible tribal governments can group together to address cybersecurity risks and threats to information systems within tribal jurisdictions. Each participating tribal jurisdiction in the group should include the multi-entity project in their individual IJ submissions with their application. There is no separate funding for multi-entity projects proposed by a group of eligible tribal governments. Instead, these investments would be considered as group projects: each tribal jurisdiction contributes an agreed-upon funding amount to the overall project. It is expected that IJs for multi-entity projects will be almost identical. Any differences should be due to alignment with each tribal jurisdiction's respective Cybersecurity Plan. Each tribal jurisdiction's financial contribution will be funded from their individual TCGP award.

The multi-entity project submissions must be approved by each tribal jurisdiction's Cybersecurity Planning Committees, and each multi-entity project submission must be aligned with each tribal jurisdiction's respective Cybersecurity Plan. The projects must improve or sustain capabilities identified in the respective Cybersecurity Plan for each tribal jurisdiction in the group. If two or more tribes apply for a multi-entity group project, the group will participate within the category of the highest populated tribe. For example, if a smaller tribe wants to join a larger tribe for a group project, then the application will be reviewed for funding within the larger tribe's population category.

Multi-Entity Project Requirements and Process Overview

The following must be included in each of the participating tribal governments' Cybersecurity Plans, as well as the IJs and PWs for the multi-entity project:

  • A detailed description of the overall project;
  • The division of responsibilities among each participating tribal group member;
  • The distribution of funding among the participating tribal group members; and
  • An overview of how implementation of the multi-entity project will help achieve the goals and objectives in the Cybersecurity Plan of each participating tribal group member.

Multi-Entity Project Benefits

A multi-entity project is funded from each participating tribal government's TCGP award in accordance with their agreed-upon contribution amounts. At the same time, all parties to a multi-entity project may realize cost savings due to volume purchases.

IV.  Imminent Cybersecurity Threat

TCGP is primarily a security preparedness program focused on reducing cyber risks by helping tribal governments address cybersecurity vulnerabilities and build cybersecurity capabilities. Over time, the program activities and investments reduce the potential impact of cybersecurity threats and incidents. Section 2220A(d)(4) of the Homeland Security Act of 2002 (6 U.S.C. § 665g(d)(4)) provides that "An eligible entity that receives a grant under this section and a local government that receives funds from a grant under this section, as appropriate, shall use the grant to (4) assist with activities that address imminent cybersecurity threats, as confirmed by the Secretary, acting through the [CISA] Director, to the information systems owned or operated by, or on behalf of, the eligible entity or a local government within the jurisdiction of the eligible entity."

The following provides a general overview of the processes for the FY 2023 grant cycle from a grant management perspective. Specific details on CISA's criteria and process for confirming an imminent cybersecurity threat are not included here. The following also does not supersede or replace existing threat notification procedures or existing methods to collaborate on operational cybersecurity matters.

Process Overview

  • Any eligible entity seeking to use TCGP funds to address an imminent cybersecurity threat, as confirmed by the Secretary, acting through the CISA Director, must have a Cybersecurity Plan approved by CISA.
  • DHS, through CISA, will determine whether an incident constitutes an imminent cybersecurity threat.
  • Upon confirmation, DHS will notify the tribal recipient, who will, in turn, notify the Cybersecurity Planning Committee and CIO, CISO, or equivalent official to the CIO or CISO.
  • DHS will notify impacted tribal governments, as appropriate, of permissible imminent cybersecurity threat fund usage.
  • FEMA will issue an Information Bulletin (IB) detailing the impacted governments and procedures for reprogramming TCGP funds to support the specific imminent cybersecurity threat. The scope of the IB will be dependent on the nature of the imminent cybersecurity threat.

11. Performance Measures

DHS will communicate with all TCGP recipients on the information collection process related to performance measures data. DHS will measure the recipient's performance of the grant by comparing the number of activities and projects needed and requested in its IJs with the number of activities and projects acquired and delivered by the end of the period of performance (POP) using the following programmatic metrics:

Performance Measures
Percentage of tribes with CISA approved tribal Cybersecurity Plans 
Percentage of tribes with Tribal Cybersecurity Planning Committees that meet the Homeland Security Act of 2002 and TCGP funding notice requirements
Percentage of tribes conducting annual table-top and full-scope exercises to test Cybersecurity Plans
Percent of the tribes' TCGP budget allocated to exercises
Average dollar amount expended on exercise planning for tribes
Percentage of tribes conducting an annual cyber risk assessment to identify cyber risk management gaps and areas for improvement
Percentage of tribes performing phishing training
Percentage of tribes conducting awareness campaigns
Percent of tribes providing role-based cybersecurity awareness training to employees
Percentage of tribes adopting the Workforce Framework for Cybersecurity (NICE Framework) as evidenced by established workforce development and training plans
Percentage of tribes with capabilities to analyze network traffic and activities related to potential threats
Percentage of tribes implementing multi-factor authentication (MFA) for all remote access and privileged accounts
Percentage of tribes with programs to anticipate and discontinue use of end-of-life software and hardware
Percentage of tribes prohibiting the use of known/fixed/default passwords and credentials
Percentage of tribes operating under the ".gov" internet domain
Number of cybersecurity gaps or issues addressed annually by tribes

B.  Federal Award Information

1.  Available Funding for the NOFO:  $18,246,845

The BIL appropriated $200 million in FY 2022 and $400 million in FY 2023 for the state, territorial, local, and tribal cybersecurity grant programs, to remain available until expended. The amount apportioned for tribal governments is $6 million for FY 2022 (3% of the total appropriations of $200 million). For FY 2023, the amount apportioned for the tribal governments is $12,246,845 (3% of the total appropriations of $400 million for FY 2023) plus $8,228,169 remaining from FY 2022. FEMA and CISA combined FY 2022 and FY 2023 into a single funding notice for a total of $18,246,845.

TCGP uses an allocation methodology that establishes four funding categories and divides the $18,246,845 across them. The funding categories allow for applications to be evaluated from among applications from similarly populated tribes. The following table illustrates the four population levels, number of tribes, and the corresponding combined funding levels for FY 2022 and FY 2023:

Tribal Population | Number of Tribes [1] | Maximum Allocation of Funding Per Category
100,000 or more | 8 | $8,109,709
10,000-99,999 | 33 | $5,068,568
1,000-9,999 | 124 | $3,041,141
1-999 | 392 | $2,027,427

Additional information related to the discretionary allocation methodology is detailed in Section E. of this funding notice.

2.  Period of Performance:   48 months

Extensions to the period of performance are allowed. For additional information on period of performance extensions, please refer to Section H of this funding notice.

3.  Projected Period of Performance Start Date(s):  Mar. 1, 2024

4.  Projected Period of Performance End Date(s):  Feb. 29, 2028

5.  Funding Instrument Type:  Grant

C.  Eligibility Information

1.  Eligible Applicants

Tribal governments.

"Tribal government" is defined at Section 2220A(a)(7) of the Homeland Security Act (codified as amended at 6 U.S.C. § 665g(a)(7)) as the recognized governing body of any Indian or Alaska Native Tribe, band, nation, pueblo, village, community, component band, or component reservation, that is individually identified (including parenthetically) in the most recent published list of Federally Recognized Tribes.

2.  Applicant Eligibility Criteria

Applicants must be a tribal government that is eligible for the program. Two or more tribal governments may apply together as a tribal consortium and submit one application for the consortium.

3.  Other Eligibility Criteria/Restrictions

Each eligible tribal government is required to meet the following criteria for FY 2023:

  • Submit a Cybersecurity Plan, Cybersecurity Planning Committee List, and a Cybersecurity Charter that aligns with the criteria detailed in this funding notice.
  • Cybersecurity projects funded by the Tribal Homeland Security Grant Program (THSGP) may be considered for TCGP funding if not duplicative of the THSGP project(s).

FEMA will not release funds to a recipient until CISA approves the entity's Cybersecurity Plan. Details on the requirements for the Cybersecurity Plan, Committee Membership List, and Charter can be found in Appendices A - C in this funding notice.

4.  Cost Share or Match

Cost share or match is waived for the FY 2023 TCGP.

D.  Application and Submission Information

1.  Key Dates and Times

a.  Application Start Date:  Sept. 27, 2023, at 1:00 p.m. ET

b.  Application Submission Deadline:  Jan. 10, 2024, at 5:00 p.m. ET

All applications must be received by the established deadline.

The Non-Disaster (ND) Grants System has a date stamp that indicates when an application is submitted. Applicants will receive an electronic message confirming receipt of their submission. For additional information on how an applicant will be notified of application receipt, see the subsection titled "Timely Receipt Requirements and Proof of Timely Submission" in Section D of this funding notice.

FEMA will not review applications that are received after the deadline or consider these late applications for funding. FEMA may, however, extend the application deadline on request for any applicant who can demonstrate that good cause exists to justify extending the deadline. Good cause for an extension may include technical problems outside of the applicant's control that prevent submission of the application by the deadline, other exigent or emergency circumstances, or statutory requirements for FEMA to make an award.

Applicants experiencing technical problems outside of their control must notify FEMA as soon as possible and before the application deadline. Failure to timely notify FEMA of the issue that prevented the timely filing of the application may preclude consideration of the award. "Timely notification" of FEMA means before the application deadline and within 48 hours after the applicant became aware of the issue.

A list of FEMA contacts can be found in Section G of this funding notice, "DHS Awarding Agency Contact Information." For additional assistance using the ND Grants System, please contact the ND Grants Service Desk at (800) 865-4076 or NDGrants@fema.dhs.gov. The ND Grants Service Desk is available Monday through Friday, 9:00 a.m. - 6:00 p.m. ET. For programmatic or grants management questions, please contact your Program Analyst or Grants Specialist. If applicants do not know who to contact or if there are programmatic questions or concerns, please contact FEMA Grants News by phone at (800) 368-6498 or by e-mail at fema-grants-news@fema.dhs.gov, Monday through Friday, 9:00 a.m. - 5:00 p.m. ET.

c.  Other Key Dates

Event | Suggested Deadline for Completion
Initial registration in SAM.gov includes UEI issuance | Four weeks before actual submission deadline
Obtaining a valid Employer Identification Number (EIN) | Four weeks before actual submission deadline
Creating an account with login.gov | Four weeks before actual submission deadline
Registering in SAM or Updating SAM registration | Four weeks before actual submission deadline
Registering in Grants.gov | Four weeks before actual submission deadline
Registering in ND Grants | Four weeks before actual submission deadline
Starting application in Grants.gov | One week before actual submission deadline
Submitting the final application in ND Grants | By the submission deadline

2.  Agreeing to Terms and Conditions of the Award

By submitting an application, applicants agree to comply with the requirements of this funding notice and the terms and conditions of the award.

3.  Address to Request Application Package

Initial applications are processed through the Grants.gov portal. Final applications are completed and submitted through FEMA's ND Grants System. Application forms and instructions are available at Grants.gov. To access these materials, go to http://www.grants.gov.

4.  Requirements: Obtain a Unique Entity Identifier (UEI) and Register in the System for Award Management (SAM)

Each applicant, unless they have a valid exception under 2 C.F.R. 25.110, must:

1.  Be registered in SAM.gov before application submission.

2.  Provide a valid Unique Entity Identifier (UEI) in its application.

3.  Continue to always maintain an active System for Award Management (SAM) registration with current information during the Federal Award process.

5.  Steps Required to Obtain a Unique Entity Identifier, Register in the System for Award Management (SAM), and Submit an Application

Applying for an award under this program is a multi-step process and requires time to complete. Applicants are encouraged to register early as the registration process can take four weeks or more to complete. Therefore, registration should be done in sufficient time to ensure it does not impact your ability to meet required submission deadlines.

Please review the table above for estimated deadlines to complete each of the steps listed. Failure of an applicant to comply with any of the required steps before the deadline for submitting an application may disqualify that application from funding.

To apply for an award under this program, all applicants must:

a. Apply for, update, or verify their Unique Entity Identifier (UEI) number from SAM.gov and Employer Identification Number (EIN) from the Internal Revenue Service;

b.  In the application, provide a UEI number;

c. Have an account with login.gov;

d.  Register for, update, or verify their SAM account and ensure the account is active before submitting the application;

e. Create a Grants.gov account;

f. Add a profile to a Grants.gov account;

g.  Establish an Authorized Organizational Representative (AOR) in Grants.gov;

h.  Register in ND Grants;

i.  Submit an initial application in Grants.gov;

j.  Submit the final application in ND Grants, including electronically signing applicable forms; and

k.  Continue to maintain an active SAM registration with current information at all times during which it has an active federal award or an application or plan under consideration by a federal awarding agency. As part of this, applicants must also provide information on an applicant's immediate and highest-level owner and subsidiaries, as well as on all predecessors that have been awarded federal contracts or federal financial assistance within the last three years, if applicable.

Specific instructions on how to apply for, update, or verify an UEI number or SAM registration or establish an AOR are included below in the steps for applying through Grants.gov.

Applicants are advised that FEMA may not make a federal award until the applicant has complied with all applicable SAM requirements. Therefore, an applicant's SAM registration must be active not only at the time of application, but also during the application review period and when FEMA is ready to make a federal award. Further, as noted above, an applicant's or recipient's SAM registration must remain active for the duration of an active federal award. If an applicant's SAM registration is expired at the time of application, expires during application review, or expires any other time before award, FEMA may determine that the applicant is not qualified to receive a federal award and use that determination as a basis for making a federal award to another applicant.

Per 2 C.F.R. § 25.110(c)(2)(iii), if an applicant is experiencing exigent circumstances that prevent it from obtaining an UEI number and completing SAM registration prior to receiving a federal award, the applicant must notify FEMA as soon as possible by contacting fema-grants-news@fema.dhs.gov and providing the details of the circumstances that prevent completion of these requirements. If FEMA determines that there are exigent circumstances and FEMA has decided to make an award, the applicant will be required to obtain an UEI number, if applicable, and complete SAM registration within 30 days of the federal award date.

6.  Electronic Delivery

DHS is participating in the Grants.gov initiative to provide the grant community with a single site to find and apply for grant funding opportunities. DHS encourages or requires applicants to submit their applications online through Grants.gov, depending on the funding opportunity.

For this funding opportunity, FEMA requires applicants to submit initial applications through Grants.gov and a final application through ND Grants.

7.  How to Register to Apply through Grants.gov

a.  General Instructions

Registering and applying for an award under this program is a multi-step process and requires time to complete. Read the instructions below about registering to apply for FEMA funds. Applicants should read the registration instructions carefully and prepare the information requested before beginning the registration process. Reviewing and assembling the required information before beginning the registration process will alleviate last-minute searches for required information.

The registration process can take up to four weeks to complete. To ensure an application meets the deadline, applicants are advised to start the required steps well in advance of their submission.

Organizations must have an UEI number, an EIN, an active System for Award Management (SAM) registration and Grants.gov account to apply for grants.

Organizations must also have a Grants.gov account to apply for an award under this program. Creating a Grants.gov account can be completed online in minutes, but UEI and SAM registrations may take several weeks. Therefore, an organization's registration should be done in sufficient time to ensure it does not impact the entity's ability to meet required application submission deadlines. Complete organization instructions can be found on Grants.gov here: https://www.grants.gov/web/grants/applicants/organization-registration.html

If individual applicants are eligible to apply for this grant funding opportunity, refer to https://www.grants.gov/web/grants/applicants/registration.html.

b.  Obtain an UEI Number

All entities applying for funding, including renewal funding, prior to April 4, 2022, must have a UEI number. Applicants must enter the UEI number in the applicable data entry field on the SF-424 form.

For more detailed instructions for obtaining a UEI number, refer to: Sam.gov.

c.  Obtain Employer Identification Number

All entities applying for funding must provide an Employer Identification Number (EIN). The EIN can be obtained from the IRS by visiting https://www.irs.gov/businesses/small-businesses-self-employed/apply-for-an-employer-identification-number-ein-online

d.  Create a login.gov account

Applicants must have a login.gov account in order to register with SAM or update their SAM registration. Applicants can create a login.gov account here: https://secure.login.gov/sign_up/enter_email?request_id=34f19fa8-14a2-438c-8323-a62b99571fd3

Applicants only have to create a login.gov account once. For applicants that are existing SAM users, use the same email address for the login.gov account as with SAM.gov so that the two accounts can be linked.

For more information on the login.gov requirements for SAM registration, refer to: https://www.sam.gov/SAM/pages/public/loginFAQ.jsf.

e.  Register with SAM

All organizations applying online through Grants.gov must register with SAM. Failure to register with SAM will prevent your organization from applying through Grants.gov. SAM registration must be renewed annually. Organizations will be issued a UEI number with the completed SAM registration.

For more detailed instructions for registering with SAM, refer to https://www.grants.gov/web/grants/applicants/organization-registration/step-2-register-with-sam.html.

Note: As a new requirement per 2 C.F.R. § 25.200, applicants must also provide the applicant's immediate and highest-level owner, subsidiaries, and predecessors that have been awarded federal contracts or federal financial assistance within the past three years, if applicable.

i.  Additional SAM Reminders

Existing SAM.gov account holders should check their account to make sure it is "ACTIVE." SAM registration should be completed at the very beginning of the application period and should be renewed annually to avoid being "INACTIVE." Please allow plenty of time before the grant application submission deadline to obtain an UEI number and then to register in SAM. It may be four weeks or more after an applicant submits the SAM registration before the registration is active in SAM, and then it may be an additional 24 hours before FEMA's system recognizes the information.

It is imperative that the information applicants provide is correct and current. Please ensure that your organization's name, address, and EIN are up to date in SAM and that the UEI number used in SAM is the same one used to apply for all other FEMA awards. Payment under any FEMA award is contingent on the recipient's having a current SAM registration.

ii.  Help with SAM

The SAM quick start guide for new recipient registration and SAM video tutorial for new applicants are tools created by the General Services Administration (GSA) to assist those registering with SAM. If applicants have questions or concerns about a SAM registration, please contact the Federal Support Desk at https://www.fsd.gov/fsd-gov/home.do or call toll free (866) 606-8220.

f.  Create a Grants.gov Account

The next step in the registration process is to create an account with Grants.gov. If applicable, applicants must know their organization's UEI number to complete this process.

For more information, follow the on-screen instructions or refer to https://www.grants.gov/web/grants/applicants/registration.html.

See also Section D.8 in this funding notice, "Submitting the Final Application in ND Grants," for instructions on how to register early in ND Grants.

g.  Add a Profile to a Grants.gov Account

A profile in Grants.gov corresponds to a single applicant organization the user represents (i.e., an applicant) or an individual applicant. If you work for or consult with multiple organizations and have a profile for each, you may log in to one Grants.gov account to access all of your grant applications. To add an organizational profile to your Grants.gov account, if applicable, enter the UEI number for the organization in the UEI field while adding a profile.

For more detailed instructions about creating a profile on Grants.gov, refer to https://www.grants.gov/web/grants/applicants/registration/add-profile.html.

h.  EBiz POC Authorized Profile Roles

After you register with Grants.gov and create an Organization Applicant Profile, the organization applicant's request for Grants.gov roles and access is sent to the EBiz POC. The EBiz POC will then log in to Grants.gov and authorize the appropriate roles, which may include the Authorized Organization Representative (AOR) role, thereby giving you permission to complete and submit applications on behalf of the organization. You will be able to submit your application online any time after you have been assigned the AOR role.

For more detailed instructions about creating a profile on Grants.gov, refer to https://www.grants.gov/web/grants/applicants/registration/authorize-roles.html.

i.  Track Role Status

To track your role request, refer to https://www.grants.gov/web/grants/applicants/registration/track-role-status.html.

j.  Electronic Signature

When applications are submitted through Grants.gov, the name of the organization applicant with the AOR role that submitted the application is inserted into the signature line of the application, serving as the electronic signature. The EBiz POC must authorize individuals who are able to make legally binding commitments on behalf of the organization as an AOR; this step is often missed, and it is crucial for valid and timely submissions.

8.  How to Submit an Initial Application to FEMA via Grants.gov

Standard Form 424 (SF-424) is the initial application for this NOFO.

Grants.gov applicants can apply online using a workspace. A workspace is a shared, online environment where members of a grant team may simultaneously access and edit different web forms within an application. For each funding notice, you can create individual instances of a workspace. Applicants are encouraged to submit their initial applications in Grants.gov at least seven days before the application deadline.

In Grants.gov, applicants need to submit the following forms:

  • SF-424, Application for Federal Assistance; and
  • Grants.gov Lobbying Form, Certification Regarding Lobbying.

Below is an overview of applying on Grants.gov. For access to complete instructions on how to apply for opportunities using workspace, refer to https://www.grants.gov/web/grants/applicants/workspace-overview.html

a.  Create a Workspace

Creating a workspace allows you to complete it online and route it through your organization for review before submitting.

b.  Complete a Workspace

Add participants to the workspace to work on the application together, complete all the required forms online or by downloading PDF versions, and check for errors before submission.

c.  Adobe Reader

If you decide not to apply by filling out webforms you can download individual PDF forms in Workspace so that they will appear similar to other Standard or DHS forms. The individual PDF forms can be downloaded and saved to your local device storage, network drive(s), or external drives, then accessed through Adobe Reader.

NOTE: Visit the Adobe Software Compatibility page on Grants.gov to download the appropriate version of the software at https://www.grants.gov/web/grants/applicants/adobe-software-compatibility.html.

d.  Mandatory Fields in Forms

In the forms, you will note fields marked with an asterisk and a different background color. These fields are mandatory fields that must be completed to successfully submit your application.

e.  Complete SF-424 Fields First

The forms are designed to fill in common required fields across other forms, such as the applicant name, address, and UEI number. To trigger this feature, an applicant must complete the SF-424 information first. Once it is completed, the information will transfer to the other forms.

f.  Submit a Workspace

An application may be submitted through workspace by clicking the "Sign and Submit" button on the Manage Workspace page, under the Forms tab. Grants.gov recommends submitting your application package at least 24-48 hours prior to the close date to provide you with time to correct any potential technical issues that may disrupt the application submission.

g.  Track a Workspace

After successfully submitting a workspace package, a Grants.gov Tracking Number (GRANTXXXXXXXX) is automatically assigned to the application. The number will be listed on the confirmation page that is generated after submission. Using the tracking number, access the Track My Application page under the Applicants tab or the Details tab in the submitted workspace.

h.  Additional Training and Applicant Support

For additional training resources, including video tutorials, refer to https://www.grants.gov/web/grants/applicants/applicant-training.html.

Grants.gov provides applicants 24/7 (except federal holidays) support via the toll-free number (800) 518-4726, email at support@grants.gov and the website at https://www.grants.gov/support.html. For questions related to the specific grant opportunity, contact the number listed in the application package of the grant you are applying for.

If you are experiencing difficulties with your submission, it is best to call the Grants.gov Support Center and get a ticket number. The Support Center ticket number will assist FEMA with tracking your issue and understanding background information on the issue.

9.  Submitting the Final Application in ND Grants

After submitting the initial application in Grants.gov, eligible applicants will be notified by FEMA and asked to proceed with submitting their complete application package in ND Grants. Applicants can register early with ND Grants and are encouraged to begin their ND Grants registration at the time of this announcement or, at the latest, seven days before the application deadline. Early registration will allow applicants to have adequate time to start and complete their applications.

Applicants needing assistance registering for the ND Grants system should contact ndgrants@fema.dhs.gov or (800) 865-4076. For step-by-step directions on using the ND Grants system and other guides, please see https://www.fema.gov/grants/guidance-tools/non-disaster-grants-management-system

In ND Grants, applicants will be prompted to submit the standard application information and any program-specific information required as described in Section D.10 of this notice, "Content and Form of Application Submission." The Standard Forms (SF) are auto generated in ND Grants, but applicants may access these forms in advance through the Forms tab under the SF-424 family on Grants.gov. Applicants should review these forms before applying to ensure they have all the information required.

For additional application submission requirements, including program-specific requirements, please refer to the subsection titled "Content and Form of Application Submission" under Section D of this funding notice.

10. Timely Receipt Requirements and Proof of Timely Submission

As application submission is a two-step process, the applicant with the AOR role who submitted the application in Grants.gov will receive an acknowledgement of receipt and a tracking number (GRANTXXXXXXXX) from Grants.gov with the successful transmission of its initial application. This notification does not serve as proof of timely submission, as the application is not complete until it is submitted in ND Grants. Applicants can also view the ND Grants Agency Tracking Number by accessing the Details tab in the submitted workspace section in Grants.gov, under the Agency Tracking Number column. Should the Agency Tracking Number not appear, the application has not yet migrated from Grants.gov into the ND Grants System. Please allow 24 hours for your ND Grants application tracking number to migrate.

All applications must be received in ND Grants by 5 p.m. ET on the application deadline. Proof of timely submission is automatically recorded by ND Grants. An electronic date/time stamp is generated within the system when the application is successfully received by ND Grants. Additionally, the applicant(s) listed as contacts on the application will receive a system-generated email to confirm receipt.

11. Content and Form of Application Submission

a.  Standard Required Application Forms and Information

The following forms or information are required to be submitted in either Grants.gov or ND Grants. The Standard Forms (SF) are submitted either through Grants.gov, through forms generated in ND Grants, or as an attachment in ND Grants. Applicants may also access the SFs at https://www.grants.gov/web/grants/forms/sf-424-family.html.

i.  Grants.gov
  •  SF-424, Application for Federal Assistance, initial application submitted through Grants.gov.
  •  Grants.gov Lobbying Form, Certification Regarding Lobbying, submitted through Grants.gov.
ii.  ND Grants
  •  SF-424A, Budget Information (Non-Construction), submitted via the forms generated by ND Grants.
    • For construction under an award, submit SF-424C, Budget Information (Construction), submitted via the forms generated by ND Grants, in addition to or instead of SF-424A.
  •  SF-424B, Standard Assurances (Non-Construction), submitted via the forms generated by ND Grants.
    • For construction under an award, submit SF-424D, Standard Assurances (Construction), submitted via the forms generated by ND Grants, in addition to or instead of SF-424B.
  •  SF-LLL, Disclosure of Lobbying Activities, submitted via the forms generated by ND Grants.

Indirect Cost Agreement or Proposal.

Submitted as an attachment in ND Grants if the budget includes indirect costs and the applicant is required to have an indirect cost rate agreement or proposal. If the applicant does not have, or is not required to have, an indirect cost rate agreement or proposal, please see Section D.13 of this notice, "Funding Restrictions and Allowable Costs," for further information regarding allowability of indirect costs and whether alternatives to an indirect cost rate agreement or proposal might be available. Contact the relevant FEMA staff identified in Section G of this notice, "DHS Awarding Agency Contact Information," for further instructions.

b.  Program-Specific Required Forms and Information

The following program-specific forms or information are required to be submitted in ND Grants as file attachments:

I.  IJ Template and Instructions

Applicants can download the IJ Template from the Grants.gov website in the "Related Documents" tab on the "View Grant Opportunity" page. Each eligible tribe is required to submit completed project-level information detailing how the TCGP program objectives and goals will be met through the development, implementation, and/or revision of its Cybersecurity Plan. The tribe must establish a Cybersecurity Planning Committee to approve the Cybersecurity Plan submitted with the grant application. Project-level information should also include tribal projects which address the requirement to conduct assessments and evaluation and to incorporate the adoption of key cybersecurity best practices. Tribal governments should consult the CISA Cybersecurity Performance Goals during the development of plans, investments, and projects for their TCGP application.

Only one application can be submitted by the eligible tribe. Requirements for the application are listed in order of hierarchy below:

  •  Application level: No more than four IJs can be submitted with the application.
    • Objective: Each TCGP objective requires no more than one IJ and at least one project.
      •  Projects: Project-level information will vary based on the associated TCGP objectives and sub-objectives as outlined in the NOFO.
        •  PW: Applicants must submit only one PW with the application. Multi-entity projects must be included as individual projects within a PW, aligned to the applicable IJ and TCGP objectives.
        • Use the following naming convention for the IJs and PWs: [Insert name of Tribal Government] Objective [insert number of corresponding objectives: 1, 2, 3 or 4]. For example: "Tribal Government Name PW Objective 2" or "Tribal Government Name IJ Objective 2".

IJ Implementation Schedule

The implementation schedule table should be used as a planning tool for the key activities and milestones associated with each project identified in the Cybersecurity Plan. Applicants must also describe how implementing the plan will be measured (metrics). For each project and each year of the grant, the applicant should include the activities necessary to accomplish the goals of each project, as well as the estimated start and completion dates (by calendar quarter) for each activity. The standard definition of a project is a temporary endeavor with a defined beginning and end (usually time-constrained, and often constrained by funding or a deliverable), undertaken to meet unique goals and objectives, typically to bring about beneficial change or added value. Applying this standard to projects using preparedness grant funds, a project is a related set of activities and purchases supporting the building or sustaining of core capabilities; and it is associated with a single entity responsible for execution. 

The IJ Template is useful for the Program Narrative portion of the application. All IJs must provide a baseline understanding of the existing cybersecurity gaps, risks, and threats that the applicant entity faces which have influenced the development of the IJs. Also, applicants must include a summary of the current capabilities within the applicant jurisdiction to address these threats and risks.

II.  Project Worksheet

Applicants can download the PW from the Grants.gov website in the "Related Documents" tab on the "View Grant Opportunity" page. The PW is useful for the Budget Details and Budget Narrative portion of the application. Eligible applicants must submit one PW as part of the overall application submission through the ND Grants system. The PW must include information for each IJ submitted as part of the application for funding: IJ Number, Objective, Project Name, etc. The PW should be used to record all proposed projects with budget details, budget narrative, Management and Administrative (M&A) costs, amount, etc. The Planning, Organization, Equipment, Training, and/or Exercises (POETE) Solution Areas associated with the IJs and Projects should be indicated on the PW. Please keep in mind that the Federal Amount and Cost Share Amount must be included for each project within the PW.

The PW provides drop-down selections for several of the project attributes. All project attribute fields must be completed for the PW to be considered complete. Incomplete PWs will not be accepted. Information provided should primarily align to one objective to facilitate project review. If a project aligns to multiple objectives, then the applicant must provide sufficient detail to determine which projects, POETE elements, and requested funds belong under which objective. The applicant may then use the information collected in the worksheet for rapid transfer to the ND Grants interface. Each project will be given a unique identifier as it is submitted via ND Grants. Applicants should keep a record of the project identifiers as they will be required to report on each project using that identifier. All requested funding must be associated with specific projects.

III.  Cybersecurity Plan or Cybersecurity Plan Template

Applicants can download the TCGP Cybersecurity Plan Template from the Grants.gov website in the "Related Documents" tab on the "View Grant Opportunity" page. Section 2220A requires a tribal government to have a Cybersecurity Plan that meets 13 required statutory elements, as determined by the CISA Director, to receive a grant under the Tribal Cybersecurity Grant Program. The Cybersecurity Plan Template is provided as an optional tool for eligible tribal governments to use to develop and submit their cybersecurity plans with their grant applications to help ensure their plans meet the 13 required statutory elements. Ultimately, tribal governments are encouraged to develop a plan that reflects their unique situation while meeting program requirements. This includes using existing plans and documents to the extent that any plans of the tribal government protect against cybersecurity risks and cybersecurity threats to information systems owned or operated by or on behalf of the tribal government.

Cybersecurity Plans are intended to be strategic in nature and do not represent a firm commitment to complete all associated activities in alignment with respective objectives within a given period of performance. Additionally, Cybersecurity Plans are intended to be living documents and a tribal government, following submission of its final plan in its grant application, may later update that plan. FEMA and CISA are available to provide technical assistance to tribal governments on Cybersecurity Plan development. Tribal governments can connect with their FEMA Tribal Liaisons if they need assistance in locating their respective CISA regional Cybersecurity Advisor or Cybersecurity State Coordinator.

While a living document, the Cybersecurity Plan Template must have sufficient information for FEMA/CISA to conduct a meaningful review as part of the TCGP. Only one application can be submitted by the eligible entity. Eligible applicants must include at least one IJ, one PW, and one completed Cybersecurity Plan or the Cybersecurity Plan Template as part of the overall application submission through ND Grants. If a tribe already has a cybersecurity plan, then the plan should be submitted with the IJ and PW as part of their application in ND Grants.

Applicants can email questions about the IJ, PW, Cybersecurity Plan or Cybersecurity Plan Template application requirements to FEMA-TCGP@fema.dhs.gov.

12. Intergovernmental Review

The TCGP is excluded from coverage under Executive Order 12372. An intergovernmental review may be required. Applicants must contact their state's Single Point of Contact (SPOC) to comply with the state's process under Executive Order 12372 (see https://www.archives.gov/federal-register/codification/executive-order/12372.html; Intergovernmental Review (SPOC List) (whitehouse.gov)).

13. Funding Restrictions and Allowable Costs

All costs charged to awards covered by this funding notice must comply with the Uniform Administrative Requirements, Cost Principles, and Audit Requirements at 2 C.F.R. Part 200, unless otherwise indicated in the funding notice and the terms and conditions of the award. This includes, among other requirements, that costs must be incurred, and products and services must be delivered, within the period of performance of the award. See 2 C.F.R. § 200.403(h) (referring to budget periods, which for FEMA awards under this program is the same as the period of performance).

In general, the Cost Principles establish standards for the allowability of costs, provide detailed guidance on the cost accounting treatment of costs as direct or administrative costs, and set forth allowability principles for selected items of cost. More specifically, except as otherwise stated in this notice, the terms and conditions of an award, or other program materials, costs charged to awards covered by this notice must be consistent with the cost principles for federal awards located at 2 C.F.R. Part 200, Subpart E. In order to be allowable, all costs charged to a FEMA award must be reasonable in nature and amount and allocable to the particular FEMA award.

Additionally, all costs charged to awards must comply with the grant program's applicable statutes, policies, requirements in this notice as well as with the terms and conditions of the award. If FEMA staff identify costs that are inconsistent with any of these requirements, these costs may be disallowed, and FEMA may recover funds as appropriate, consistent with applicable laws, regulations, and policies.

As part of those requirements, grant recipients may only use federal funds or funds applied for the purposes set forth in this notice and the terms and conditions of the award, and those costs must be consistent with the statutory authority for the award.

Grant funds may not be used for matching funds for other federal grants/cooperative agreements, lobbying, or intervention in federal regulatory or adjudicatory proceedings. In addition, federal funds may not be used to sue the federal government or any other government entity.

Unallowable Costs

For FY 2023 TCGP, grant funds may not be used for the following:

  • a. Spyware;
  • b.  Construction;
  • c. Renovation;
  • d.  To pay a ransom;
  • e. For recreational or social purposes;
  • f. To pay for cybersecurity insurance premiums;
  • g.  To acquire land or to construct, remodel, or perform alterations of buildings or other physical facilities;
  • h.  For any purpose that does not address cybersecurity risks or cybersecurity threats on information systems owned or operated by, or on behalf of, the eligible entity that receives the grant or a local government within the jurisdiction of the eligible entity; and
  • i.  To supplant tribal funds; however, this shall not be construed to prohibit the use of funds from a grant under this notice for otherwise permissible uses on the basis that the tribe has previously used tribal funds to support the same or similar uses.

a.  Prohibitions on Expending FEMA Award Funds for Covered Telecommunications Equipment or Services

Recipients and subrecipients of FEMA federal financial assistance are subject to the prohibitions described in section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (FY 2019 NDAA), Pub. L. No. 115-232 (2018) and 2 C.F.R. §§ 200.216, 200.327, 200.471, and Appendix II to 2 C.F.R. Part 200. Beginning August 13, 2020, the statute (as it applies to FEMA recipients, subrecipients, and their contractors and subcontractors) prohibits obligating or expending federal award funds on certain telecommunications and video surveillance products and contracting with certain entities for national security reasons.

Guidance is available at Prohibitions on Expending FEMA Award Funds for Covered Telecommunications Equipment or Services FEMA Policy #405-143-1, or superseding document.

Additional guidance is available at Contract Provisions Guide: Navigating Appendix II to Part 200 - Contract Provisions for Non-Federal Entity Contracts Under Federal Awards (fema.gov).

Effective Aug. 13, 2020, FEMA recipients and subrecipients may not use any FEMA funds under open or new awards to:

  • Procure or obtain any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology of any system;
  • Enter into, extend, or renew a contract to procure or obtain any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology of any system; or
  • Enter into, extend, or renew contracts with entities that use covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.
i.  Replacement Equipment and Services

FEMA grant funding may be permitted to procure replacement equipment and services impacted by this prohibition, provided the costs are otherwise consistent with the requirements of the funding notice and the Preparedness Grants Manual.

ii.  Definitions

Per section 889(f)(2)-(3) of the FY 2019 NDAA and 2 C.F.R. § 200.216, covered telecommunications equipment or services means:

  i. Telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation, (or any subsidiary or affiliate of such entities);

  ii. For the purpose of public safety, security of Government facilities, physical security surveillance of critical infrastructure, and other national security purposes, video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities);

  iii. Telecommunications or video surveillance services provided by such entities or using such equipment; or

  iv. Telecommunications or video surveillance equipment or services produced or provided by an entity that the Secretary of Defense, in consultation with the Director of National Intelligence or the Director of the Federal Bureau of Investigation, reasonably believes to be an entity owned or controlled by, or otherwise connected to, the People's Republic of China.

Examples of the types of products covered by this prohibition include phones, internet, video surveillance, and cloud servers when produced, provided, or used by the entities listed in the definition of "covered telecommunications equipment or services." See 2 C.F.R. § 200.471.

b.  Pre-Award Costs

Pre-award costs are allowable only with the prior written approval of DHS/FEMA and as included in the award agreement. Grant funds cannot be used to pay for products and services contracted for or obligated prior to the effective date of the award. Grant writer fees, which are limited to $1,500 per eligible entity per application, are considered an exception and may be included as a Pre-Award expenditure. 

Please note, the applicant must seek approval from FEMA at the time of application and before the award is announced.

To request pre-award costs, a written request must be included with the Tribe's application and signed by the AOR of the entity. The letter must outline the purposes for the pre-award costs, a detailed budget and budget narrative describing the pre-award costs from the post-award costs and a justification for the request. All pre-award and post-award costs should be included in the IJ and PW and clearly identified as such. The recipient must receive written confirmation from FEMA that the expenses have been reviewed and that FEMA has determined the costs to be justified, unavoidable, and consistent with the grant's scope of work. The pre-award cost must meet the requirements of 2 C.F.R. § 200.458, which provides that the costs must be reasonable and necessary for efficient and timely performance of the grant's scope of work.

FEMA may re-evaluate and disallow pre-award costs if it is later determined that the services were not properly procured or do not satisfy the requirements of 2 C.F.R. § 200.458. See Section H of this NOFO for general procurement under grants requirements.

c.  Management and Administration (M&A) Costs

A maximum of up to five percent of TCGP funds awarded may be used by the tribal government solely for M&A purposes associated with the TCGP award.

M&A costs are for activities directly related to the management and administration of the award, such as financial management, reporting, and program and financial monitoring. Some examples of M&A costs include grants management training for M&A staff, equipment and supplies for M&A staff to administer the grant award, travel costs for M&A staff to attend conferences or training related to the grant program, travel costs for the M&A staff to conduct project oversight and monitoring, contractual services to support the M&A staff with M&A activities, and auditing costs related to the grant award to the extent required or permitted by statute or 2 C.F.R. Part 200. Characteristics of M&A expenses can include the following:

1.  Direct costs that are incurred to administer a particular federal award;

2.  Identifiable and unique to each federal award;

3.  Charged based on the activity performed for that particular federal award; and

4.  Not duplicative of the same costs that are included in the approved Indirect Cost Rate Agreement, if applicable.

d.  Indirect Facilities & Administrative (F&A) Costs

Indirect costs are allowable under this program as described in 2 C.F.R. Part 200, including 2 C.F.R. § 200.414. Per 2 C.F.R. Part 200 Appendix VII (d) (1) (c): Each Indian tribal government desiring reimbursement of indirect costs must submit its indirect cost proposal to the Department of the Interior (its cognizant agency for indirect costs). Applicants with a current negotiated indirect cost rate agreement that desire to charge indirect costs to an award must provide a copy of their negotiated indirect cost rate agreement at the time of application. Not all applicants are required to have a current negotiated indirect cost rate agreement. Applicants that are not required by 2 C.F.R. Part 200 to have a negotiated indirect cost rate agreement but are required by 2 C.F.R. Part 200 to develop an indirect cost rate proposal must provide a copy of their proposal at the time of application. Applicants who do not have a current negotiated indirect cost rate agreement (including a provisional rate) and wish to charge the de minimis rate must reach out to the FEMA Grants Management Specialist for further instructions. Applicants who wish to use a cost allocation plan in lieu of an indirect cost rate must also reach out to the FEMA Grants Management Specialist for further instructions.

e.  Other Direct Costs

Funding guidelines established within this section support developing, updating, and implementing a Cybersecurity Plan. Allowable investments made in support of this goal must fall into POETE, aligned to closing capability gaps or sustaining capabilities. More information on the POETE solution areas can be found in Appendix D, "POETE Solution Areas for Investments."

E.  Application Review Information

1.  Application Evaluation Criteria

a.  Discretionary-Based Allocation Method

TCGP is a discretionary grant program that divides the 574 federally recognized tribes with membership of greater than one individual into four categories based on overall population, and then FEMA makes discretionary awards to tribes within each category of population. Tribal applicants are required to provide and certify population on the IJ Template. FEMA and CISA utilized population data for all available federally recognized tribes to establish these four funding categories and divide the $18,246,845 across those four categories. The funding categories allow for applications to be evaluated from amongst applications from similarly populated tribes. The following table illustrates the four population levels, number of tribes, and the corresponding combined funding levels for FY 2022 and FY 2023:

Tribal Population | Number of Tribes | Maximum Allocation of Funding Per Category
100,000 or more | 8 | $8,109,709
10,000-99,999 | 33 | $5,068,568
1,000-9,999 | 124 | $3,041,141
1-999 | 392 | $2,027,427

b. Programmatic Criteria

The application requires the applicant to describe its existing capabilities and its proposal to facilitate the successful implementation of this program. For this reason, the application will be evaluated primarily based upon the applicant's method for the program's implementation. Tribes should demonstrate their understanding of this announcement's objectives and plan for implementing and successfully demonstrating these objectives. In particular, the applicant must address how it meets the eligibility criteria listed in section C of this funding notice and provide evidence demonstrating this eligibility.

If the application fails to address each of the eligibility criteria listed in the above sections, the applicant will be deemed ineligible and will not be selected for an award.

FY 2023 TCGP applications will be evaluated through a three-part review and selection process:

1.  A FEMA HQ Preparedness Officer will review applications to ensure that the applicant meets all eligibility requirements. To determine eligibility, the FEMA HQ Preparedness Officer will review submitted applications for completeness.  Completeness is determined by confirming:

  • The applicant has submitted the self-certification [2] of eligibility and population section on the IJ Template stating the tribe's eligibility per the Homeland Security Act of 2002 (see Section C. Eligibility Information, for further information);

  • The information provided in the self-certification of eligibility and population section on the IJ Template is accurate;
  • Activities under each investment are allowable; and
  • The application meets all the administrative criteria identified in this funding notice, to include the required submission of an IJ by the established due dates. 

2.  CISA is responsible for organizing an objective review panel and establishing the programmatic scoring and selection process. Subject-matter experts on the panel will review and score applications meeting eligibility requirements. The merit review will focus on the overall quality, thoroughness, and completeness of the proposal. The review panel will determine whether the proposal addresses the TCGP objectives for the current fiscal year. Scoring is based on the following four IJ sections:

  • Overview (description of the investment);
  • Baseline (goals/objectives/capabilities of the investment);
  • Project management and milestones (funding amount/core capabilities/projects); and
  • Accomplishments and impacts (outcomes).

3.  FEMA HQ Grants Management Specialists will conduct a financial review of the top scoring investments using the following criteria:

  • Allowability, allocability, and financial reasonableness of the proposed budget and investment information; and
  • Whether the recipient meets the financial and legal requirements listed in 2 C.F.R. Part 200.

b.  Financial Integrity Criteria

Prior to making a federal award, FEMA is required by 31 U.S.C. § 3354 as enacted by the Payment Integrity Information Act of 2019, Pub. L. No. 116-117 (2020); 41 U.S.C. § 2313; and 2 C.F.R. § 200.206 to review information available through any Office of Management and Budget (OMB) designated repositories of governmentwide eligibility qualification or financial integrity information, including whether the applicant is suspended or debarred. FEMA may also pose additional questions to the applicant to aid in conducting the pre-award risk review. Therefore, application evaluation criteria may include the following risk-based considerations of the applicant:

  i. Financial stability;

  ii. Quality of management systems and ability to meet management standards;

  iii. History of performance in managing federal awards;

  iv. Reports and findings from audits; and

  v. Ability to effectively implement statutory, regulatory or other requirements.

c.  Supplemental Financial Integrity Criteria and Review

Prior to making a federal award where the anticipated total federal share will be greater than the simplified acquisition threshold, currently $250,000:

  i. FEMA is required to review and consider any information about the applicant, including information on the applicant's immediate and highest-level owner, subsidiaries, and predecessors, if applicable, that is in the designated integrity and performance system accessible through the System for Award Management (SAM), which is currently the Federal Awardee Performance and Integrity Information System (FAPIIS).

  ii. An applicant, at its option, may review information in FAPIIS and comment on any information about itself that a federal awarding agency previously entered.

  iii. FEMA will consider any comments by the applicant, in addition to the other information in FAPIIS, in making a judgment about the applicant's integrity, business ethics, and record of performance under federal awards when completing the review of risk posed by applicants as described in 2 C.F.R. § 200.206.

2.  Review and Selection Process

The objective review panel will analyze and score the investments from all applications that FEMA determines to be complete and eligible. CISA will assign reviewers who meet one or more of the following criteria:

  • Federal employees from the Cybersecurity Division (CSD) whose office administers the program, the Grants Officer and federal employees who serve as technical reviewers.
  • Experience working with tribes and tribal professionals.

The reviewers will analyze and score the anticipated effectiveness of each individual proposed investment. Effectiveness is determined based on completeness and adherence to programmatic guidelines. Reviewers will score each investment individually using five criteria to assess how well the investments satisfy the four sections in the IJ template: Overview, Baseline, Project Management and Milestones, and Accomplishments and Impact.

The questions the reviewers will score are below:

a. Overview Section (5 Points)

  • How well are the activities described, including any activities that include planning, organization, equipment, training and/or exercises?

b.  Baseline Section (5 Points)

  • How well does the investment identify existing capability levels and address capability gaps?

c. Project Management and Milestones Section (10 Points total)

  • Does the budget narrative provide a clear explanation of why funds are needed and the outcomes the recipient wants to achieve?  (5 points)
  • Will the investment's projects and activities achieve progress during the grant's period of performance? (5 points)

d.  Accomplishments and Impact Section (5 Points)

  • Does the outcome(s) demonstrate progress towards building the capability and closing the gap(s) identified in the investment?

Each of the five questions that the reviewers score is worth a maximum of five points. Reviewers will provide a score from one to five points for each question.  Each investment will be reviewed by no less than two persons, who will use the following scoring scale to assess how well the information provided in each investment answers the question being scored:

1 = Little to None

2 = Inadequate

3 = Adequate

4 = Substantial

5 = Strong

To calculate the final score for each proposed investment, the scores from the five investment questions are first normalized by taking the average of the five scores, dividing this number by five, and multiplying the result by 100. For example, if an investment received the following scores for the five questions:

Question 1: 2

Question 2: 3

Question 3: 5

Question 4: 5

Question 5: 3

The sum of the scores is 18 (the average score is 3.6). The average score, 3.6, is then divided by five, and the result is multiplied by 100. The resulting normalized score is 72. The investment's final score is determined by averaging the normalized scores from all reviewers of that investment.

All final investment scores will be sorted in descending order by final score, and investments will be selected for recommendation from the highest score to lowest score until available FY 2023 TCGP funding has been exhausted. In the event of a tie during the investment recommendation determination process, FEMA and CISA will give priority to the tribal government that submitted the Cybersecurity Plan Template that more effectively meets program objectives and addresses the 13 required Cybersecurity Plan elements.

FEMA will use the results of the review process to make funding recommendations to the Secretary of DHS. Final funding determinations will be made by the DHS Secretary.

F.  Federal Award Administration Information

1.  Notice of Award

Before accepting the award, the AOR and recipient should carefully read the award package. The award package includes instructions on administering the grant award and the terms and conditions associated with responsibilities under federal awards. Recipients must accept all conditions in this notice as well as any specific terms and conditions in the Notice of Award to receive an award under this program.

Notification of award approval is made through the ND Grants system through an automatic electronic mail to the recipient's authorized official listed in the initial application. The recipient should follow the directions in the notification to confirm acceptance of the award.

Recipients must accept their awards no later than 60 days from the award date. The recipient shall notify FEMA of its intent to accept and proceed with work under the award or provide a notice of intent to decline through the ND Grants system. For instructions on how to accept or decline an award in the ND Grants system, please see the ND Grants Grant Recipient User Guide, which is available at https://www.fema.gov/grants/guidance-tools/non-disaster-grants-management-system along with other ND Grants materials.

Funds will remain on hold until the recipient accepts the award through the ND Grants system and all other conditions of the award have been satisfied or until the award is otherwise rescinded. Failure to accept a grant award within the 60-day timeframe may result in a loss of funds.

2.  Administrative and National Policy Requirements

In addition to the requirements in this section and in this funding notice, FEMA may place specific terms and conditions on individual awards in accordance with 2 C.F.R. Part 200.

a.  DHS Standard Terms and Conditions

All successful applicants for DHS grant and cooperative agreements are required to comply with DHS Standard Terms and Conditions, which are available online at DHS Standard Terms and Conditions.

The applicable DHS Standard Terms and Conditions will be those in effect at the time the award was made. What terms and conditions will apply for the award will be clearly stated in the award package at the time of award.

b.  Ensuring the Protection of Civil Rights

As the Nation works toward achieving the National Preparedness Goal, it is important to continue to protect the civil rights of individuals. Recipients and subrecipients must carry out their programs and activities, including those related to the building, sustainment, and delivery of core capabilities, in a manner that respects and ensures the protection of civil rights for protected populations.

Federal civil rights statutes, such as Section 504 of the Rehabilitation Act of 1973 and Title VI of the Civil Rights Act of 1964, along with DHS and FEMA regulations, prohibit discrimination on the basis of race, color, national origin, sex, religion, age, disability, limited English proficiency, or economic status in connection with programs and activities receiving federal financial assistance from FEMA.

The DHS Standard Terms and Conditions include a fuller list of the civil rights provisions that apply to recipients. These terms and conditions can be found in the DHS Standard Terms and Conditions. Additional information on civil rights provisions is available at https://www.fema.gov/about/offices/equal-rights/civil-rights.

Monitoring and oversight requirements in connection with recipient compliance with federal civil rights laws are also authorized pursuant to 44 C.F.R. Part 7.

In accordance with civil rights laws and regulations, recipients and subrecipients must ensure the consistent and systematic fair, just and impartial treatment of all individuals, including individuals who belong to underserved communities that have been denied such treatment.

c.  Environmental Planning and Historic Preservation (EHP) Compliance

As a federal agency, FEMA is required to consider the effects of its actions on the environment and historic properties to ensure that all activities and programs funded by FEMA, including grant-funded projects, comply with federal EHP laws, Executive Orders, regulations and policies, as applicable.

All non-critical new construction or substantial improvement of structures in a Special Flood Hazard Area must, at a minimum, apply the flood elevations of the Federal Flood Risk Management Standard's Freeboard Value Approach unless doing so would cause the project to be unable to meet applicable program cost-effectiveness requirements. All other types of projects may choose to apply the flood elevations of the Federal Flood Risk Management Standard's Freeboard Value Approach. See Executive Order (EO) 14030, Climate-Related Financial Risk and FEMA Policy #-206-21-0003, Partial Implementation of the Federal Flood Risk Management Standard for Hazard Mitigation Assistance Programs (Interim) (fema.gov).

Recipients and subrecipients proposing projects that have the potential to impact the environment, including, but not limited to, the construction of communication towers, modification or renovation of existing buildings, structures and facilities, or new construction including replacement of facilities, must participate in the FEMA EHP review process. The EHP review process involves the submission of a detailed project description along with any supporting documentation requested by FEMA in order to determine whether the proposed project has the potential to impact environmental resources or historic properties.

In some cases, FEMA is also required to consult with other regulatory agencies and the public in order to complete the review process. Federal law requires EHP review to be completed before federal funds are released to carry out proposed projects. FEMA may not be able to fund projects that are not in compliance with applicable EHP laws, Executive Orders, regulations and policies.

DHS and FEMA EHP policy is found in directives and instructions available on the FEMA.gov EHP page, the FEMA website page that includes documents regarding EHP responsibilities and program requirements, including implementation of the National Environmental Policy Act and other EHP regulations and Executive Orders.

The GPD EHP screening form is located at https://www.fema.gov/media-library/assets/documents/90195. Additionally, all recipients under this funding opportunity are required to comply with the FEMA GPD EHP Policy Guidance, FEMA Policy #108-023-1, available at https://www.fema.gov/media-library/assets/documents/85376.

d.  SAFECOM Guidance Compliance

All entities using TCGP funding to support emergency communications investments are required to comply with the SAFECOM Guidance on Emergency Communications Grants (SAFECOM Guidance). The SAFECOM Guidance provides current information on emergency communications policies, eligible costs, best practices, and technical standards for tribal recipients investing federal funds in emergency communications projects. It is also designed to promote and align with the National Emergency Communications Plan (NECP). Conformance with the SAFECOM Guidance helps ensure that federally funded investments are compatible, interoperable, resilient, and support national goals and objectives for improving emergency communications. Applicants should use the SAFECOM Guidance during planning, development, and implementation of emergency communications projects and in conjunction with other planning documents. Specifically, Appendix F, "Required, Encouraged, and Optional Services, Memberships, and Resources" of the SAFECOM Guidance contains compliance instructions for TCGP grant recipients.

If an entity uses TCGP funding to support emergency communications investments, the following requirements shall apply to all such grant-funded communications investments in support of the emergency communications priorities and recognized best practices:

  • The signatory authority for the eligible entity must certify in writing to DHS/FEMA their compliance with the SAFECOM Guidance.
  • The certification letter should be coordinated with the Statewide Interoperability Coordinator (SWIC) for each state and must be uploaded to ND Grants at the time of the first Program Performance Report (PPR) submission.

e.  Requirement for using CISA Services

As a condition of receiving TCGP funding, the grant recipient is required to adhere to or sign up for the following services, sponsored by CISA and further described in Appendix F, upon award as part of the statutory requirements in implementing, or revising an approved Cybersecurity Plan.

a. Sign up for cyber hygiene services, specifically vulnerability scanning; and

b.  Complete the Nationwide Cybersecurity Review, administered by the MS-ISAC, during the first year of the award/subaward period of performance and annually thereafter.

Participation in these services and memberships is not required for submission and approval of a grant but is a post-award requirement. Recipients are also encouraged to sign up for the other services and memberships identified in Appendix F.

3.  Reporting

Recipients are required to submit various financial and programmatic reports as a condition of award acceptance. Future awards and funds drawdown may be withheld if these reports are delinquent. Reports may also be returned for further information if insufficient information and data was submitted.

a.  Financial Reporting Requirements

i.  Federal Financial Report (FFR)

Recipients must report obligations and expenditures through the FFR form (SF-425) to FEMA.

Recipients may review the SF-425 at https://www.grants.gov/web/grants/forms/post-award-reporting-forms.html#sortby=1.

Recipients must file the FFR electronically using the Payment and Reporting Systems (PARS).

ii.  FFR Reporting Periods and Due Dates

An FFR must be submitted quarterly throughout the POP, including partial calendar quarters, as well as in periods where no grant award activity occurs. The final FFR is due within 120 calendar days after the end of the POP. Future awards and fund drawdowns may be withheld if these reports are delinquent, demonstrate lack of progress, or are insufficient in detail.

Except for the final FFR due at 120 days after the end of the POP for purposes of closeout, the following reporting periods and due dates apply for the FFR:

Reporting Period | Report Due Date
Oct. 1 – Dec. 31 | Jan. 30
Jan. 1 – March 31 | April 30
April 1 – June 30 | July 30
July 1 – Sept. 30 | Oct. 30
Closeout FFR | No Later than 120 days after the end of the POP

b.  Programmatic Performance Reporting Requirements

i.  Performance Progress Report (PPR)

Recipients are responsible for providing updated performance reports on an annual basis, consistent with section 2200A(q)(1) of the Homeland Security Act of 2002, as an attachment in ND Grants. The PPR should include a:

  • Brief narrative of overall project(s) status;
  • Summary of project expenditures;
  • Description of any potential issues that may affect project completion;
  • Data collected for DHS performance measures; and
  • PPR must be signed by the Authorized Official or Signatory Authority.

Questions regarding programmatic performance reporting should be submitted to the recipient's assigned FEMA Preparedness Officer by emailing the TCGP general email inbox at FEMA-TCGP@fema.dhs.gov. Please include the recipient's grant award number with the email.

Additionally, any questions regarding financial reporting should be directed to the FEMA Grants Management Specialist (GMS) by contacting ASK-GMD@fema.dhs.gov.

ii.  Additional Programmatic Reporting Requirements

Program Performance Reporting Periods and Due Dates

The annual PPR submission is due Jan. 30 of each year to account for the previous calendar year.

c.  Closeout Reporting Requirements

i.  Closeout Reporting

Within 120 calendar days after the end of the period of performance for the prime award, or after an amendment has been issued to close out an award before the original POP ends, recipients must liquidate all financial obligations and must submit the following:

  i. The final request for payment, if applicable;

  ii. The final FFR (SF-425);

  iii. The final progress report detailing all accomplishments, including a narrative summary of the impact of those accomplishments throughout the period of performance;

  iv. Other documents required by this notice, terms and conditions of the award, or other FEMA guidance.

In addition, pass-through entities are responsible for closing out their subawards as described in 2 C.F.R. § 200.344; subrecipients are still required to submit closeout materials to the direct recipient within 90 calendar days of the direct recipient's prime award period of performance end date. When a subrecipient completes all closeout requirements, the direct recipient must promptly complete all closeout actions for subawards in time for the direct recipient to submit all necessary documentation and information to FEMA during the closeout of the prime award.

After the prime award closeout reports have been reviewed and approved by FEMA, a closeout notice will be completed to close out the grant. The notice will indicate the period of performance as closed, list any remaining funds that will be de-obligated, and address the requirement of maintaining the grant records for at least three years from the date of the final FFR. The record retention period may be longer, such as due to an audit or litigation, for equipment or real property used beyond the period of performance, or due to other circumstances outlined in 2 C.F.R. § 200.334.

The recipient is responsible for refunding to FEMA any balances of unobligated cash that FEMA paid that are not authorized to be retained per 2 C.F.R. § 200.344(d).

ii.  Administrative Closeout

Administrative closeout is a mechanism for FEMA to unilaterally move forward with closeout of an award using available award information in lieu of final reports from the recipient per 2 C.F.R. § 200.344(h)-(i). It is a last resort available to FEMA, and if FEMA needs to administratively close an award, this may negatively impact a recipient's ability to obtain future funding. This mechanism can also require FEMA to make cash or cost adjustments and ineligible cost determinations based on the information it has, which may result in identifying a debt owed to FEMA by the recipient.

When a recipient is not responsive to FEMA's reasonable efforts to collect required reports needed to complete the standard closeout process, FEMA is required under 2 C.F.R. § 200.344(h) to start the administrative closeout process within the regulatory timeframe. FEMA will make at least three written attempts to collect required reports before initiating administrative closeout. If the recipient does not submit all required reports in accordance with 2 C.F.R. § 200.344, this notice, and the terms and conditions of the award, FEMA must proceed to administratively close the award with the information available within one year of the period of performance end date. Additionally, if the recipient does not submit all required reports within one year of the period of performance end date, per 2 C.F.R. § 200.344(i), FEMA must report in FAPIIS the recipient's material failure to comply with the terms and conditions of the award.

If FEMA administratively closes an award where no final FFR has been submitted, FEMA uses that administrative closeout date in lieu of the final FFR submission date as the start of the record retention period under 2 C.F.R. § 200.334.

In addition, if an award is administratively closed, FEMA may decide to impose remedies for noncompliance per 2 C.F.R. § 200.339, consider this information in reviewing future award applications, or apply special conditions to existing or future awards.

d.  Additional Reporting Requirements

i.  Disclosing Information per 2 C.F.R. § 180.335

This reporting requirement pertains to disclosing information related to government-wide suspension and debarment requirements. Before a recipient enters into a grant award with FEMA, the recipient must notify FEMA if it knows if it or any of the recipient's principals under the award fall under one or more of the four criteria listed at 2 C.F.R. § 180.335:

i.  Are presently excluded or disqualified;

ii.  Have been convicted within the preceding three years of any of the offenses listed in 2 C.F.R. § 180.800(a) or had a civil judgment rendered against it or any of the recipient's principals for one of those offenses within that time period;

iii.  Are presently indicted for or otherwise criminally or civilly charged by a governmental entity (federal, state, or local) with commission of any of the offenses listed in 2 C.F.R. § 180.800(a); or

iv.  Have had one or more public transactions (federal, state, or local) terminated within the preceding three years for cause or default.

At any time after accepting the award, if the recipient learns that it or any of its principals falls under one or more of the criteria listed at 2 C.F.R. § 180.335, the recipient must provide immediate written notice to FEMA in accordance with 2 C.F.R. § 180.350.

ii. Reporting of Matters Related to Recipient Integrity and Performance

Per 2 C.F.R. Part 200, Appendix I § F.3, the additional post-award reporting requirements in 2 C.F.R. Part 200, Appendix XII may apply to applicants who, if upon becoming recipients, have a total value of currently active grants, cooperative agreements, and procurement contracts from all federal awarding agencies that exceeds $10 million for any period of time during the period of performance of an award under this funding opportunity.

Recipients that meet these criteria must maintain current information reported in FAPIIS about civil, criminal, or administrative proceedings described in paragraph 2 of Appendix XII at the reporting frequency described in paragraph 4 of Appendix XII.

iii. Single Audit Report

For audits of fiscal years beginning on or after Dec 26, 2014, recipients that expend $750,000 or more from all federal funding sources during their fiscal year are required to submit an organization-wide financial and compliance audit report, also known as the single audit report.

The audit must be performed in accordance with the requirements of U.S. Government Accountability Office's (GAO) Government Auditing Standards, located at https://www.gao.gov/yellowbook/overview, and the requirements of Subpart F of 2 C.F.R. Part 200, located at http://www.ecfr.gov/cgi-bin/text-idx?node=sp2.1.200.f.

4. Program Evaluation

Recipients and subrecipients are encouraged to incorporate program evaluation activities from the outset of their program design and implementation to meaningfully document and measure their progress towards the proposed outcomes. Title I of the Foundations for Evidence-Based Policymaking Act of 2018 (Evidence Act), Pub. L. No. 115-435 (2019) defines evaluation as "an assessment using systematic data collection and analysis of one or more programs, policies, and organizations intended to assess their effectiveness and efficiency." Evidence Act § 101 (codified at 5 U.S.C. § 311). Credible program evaluation activities are implemented with relevance and utility, rigor, independence and objectivity, transparency, and ethics (OMB Circular A-11, Part 6 Section 290).

Evaluation costs are allowable costs (either as direct or indirect), unless prohibited by statute or regulation, and such costs may include the personnel and equipment needed for data infrastructure and expertise in data analysis, performance, and evaluation. (2 C.F.R. § 200).

In addition, recipients are required to participate in a DHS-led evaluation if selected, which may be carried out by a third-party on behalf of the Program Office or DHS. By accepting grant funds, recipients agree to participate in the evaluation, which may include analysis of individuals who benefit from the grant, and provide access to program operating personnel and participants, as specified by the evaluator(s) for six months after the period of performance.

5.  Monitoring and Oversight

Per 2 C.F.R. § 200.337, FEMA, through its authorized representatives, has the right, at all reasonable times, to make site visits or conduct desk reviews to review project accomplishments and management control systems to review award progress and to provide any required technical assistance. During site visits or desk reviews, FEMA will review recipients' files related to the award. As part of any monitoring and program evaluation activities, recipients must permit FEMA, upon reasonable notice, to review grant-related records and to interview the organization's staff and contractors regarding the program. Recipients must respond in a timely and accurate manner to FEMA requests for information relating to the award.

Effective monitoring and oversight help FEMA ensure that recipients use grant funds for their intended purpose(s); verify that projects undertaken are consistent with approved plans; and ensure that recipients make adequate progress toward stated goals and objectives. Additionally, monitoring serves as the primary mechanism to ensure that recipients comply with applicable laws, rules, regulations, program guidance, and requirements. FEMA regularly monitors all grant programs both financially and programmatically in accordance with federal laws, regulations (including 2 C.F.R. Part 200), program guidance, and the terms and conditions of the award. All monitoring efforts ultimately serve to evaluate progress towards grant goals and proactively target and address issues that may threaten grant success during the period of performance.

FEMA staff will periodically monitor recipients to ensure that administrative processes, policies and procedures, budgets, and other related award criteria are meeting Federal Government-wide and FEMA regulations. Aside from reviewing quarterly financial and programmatic reports, FEMA may also conduct enhanced monitoring through either desk-based reviews, onsite monitoring visits, or both. Enhanced monitoring will involve the review and analysis of the financial compliance and administrative processes, policies, activities, and other attributes of each federal assistance award, and it will identify areas where the recipient may need technical assistance, corrective actions, or other support.

Financial and programmatic monitoring are complementary processes within FEMA's overarching monitoring strategy that function together to ensure effective grants management, accountability, and transparency; validate progress against grant and program goals; and safeguard federal funds against fraud, waste, and abuse. Financial monitoring primarily focuses on statutory and regulatory compliance with administrative grant requirements, while programmatic monitoring seeks to validate and assist in grant progress, targeting issues that may be hindering achievement of project goals and ensuring compliance with the purpose of the grant and grant program. Both monitoring processes are similar in that they feature initial reviews of all open awards, and additional, in-depth monitoring of grants requiring additional attention.

Recipients who are pass-through entities are responsible for monitoring their subrecipients in a manner consistent with the terms of the federal award at 2 C.F.R. Part 200, including 2 C.F.R. § 200.332. This includes the pass-through entity's responsibility to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.

In terms of overall award management, recipient and subrecipient responsibilities include, but are not limited to: accounting of receipts and expenditures, cash management, maintaining adequate financial records, reporting and refunding expenditures disallowed by audits, monitoring if acting as a pass-through entity, or other assessments and reviews, and ensuring overall compliance with the terms and conditions of the award or subaward, as applicable, including the terms of 2 C.F.R. Part 200.

a.  Financial and Program Monitoring Overview and Approach

FEMA's approach to financial and program monitoring provides a standard monitoring framework that promotes consistent processes across all monitoring staff. There are four core components of the monitoring process:

1. Monitoring Assessment: Monitoring staff measure each grant's monitoring needs using a system of pre-determined evaluation criteria. The criteria help assess the recipient and potential challenges to the success of the grant award.

2. Monitoring Selection and Scheduling: Monitoring staff make selection and scheduling decisions in accordance with applicable statutory requirements, such as the Homeland Security Act of 2002, as amended, and consider the results of the monitoring assessment process.

3. Monitoring Activities: Financial monitoring activities include cash analysis, desk reviews, and site visits. Grants Management Specialists are responsible for conducting quarterly or semi-annual reviews of all grants via cash analysis. Program monitoring is conducted by FEMA and CISA and will include a review of the grant program performance, particularly the implementation of the recipient's project activities toward meeting the goals and objectives in the approved Cybersecurity Plan. Desk reviews and site visits are additional monitoring activities conducted on grants where the monitoring assessment process identified the need for additional monitoring and validated the use of FEMA resources for these activities.

4. Post-Monitoring Actions: Monitoring staff may follow up with recipients via post-monitoring actions based on the outcomes of monitoring activities. Post-monitoring actions include conducting additional monitoring; reviewing Corrective Action Plans (CAP) and monitoring the progress of CAP deliverables; documenting the resolution of identified corrective actions and issues; providing technical assistance and recipient training; and debt collection.

G.  DHS Awarding Agency Contact Information

1.  Contact and Resource Information

a.  FEMA TCGP Preparedness Officers

The FEMA Preparedness Officers can provide general information on all FEMA grant programs and additional guidance surrounding questions on TCGP administration. If desired, applicants and recipients may contact their FEMA Preparedness Officers for more information by email at FEMA-TCGP@fema.dhs.gov.

b.  CISA Grant Program Office

The CISA Grant Program Office has programmatic staff as well as regional staff available to provide general information regarding the TCGP and additional guidance surrounding programmatic requirements and performance metrics. If desired, applicants and recipients may contact their CISA grant program staff and/or regional staff for more information by email at TCGPinfo@cisa.dhs.gov.

c.  Grant Programs Directorate (GPD) Award Administration Division (AAD)

GPD's AAD provides support regarding financial matters and budgetary technical assistance. Additional guidance and information can be obtained by contacting the AAD's Help Desk via e-mail at ASK-GMD@fema.dhs.gov.

d.  FEMA Grants News

FEMA Grants News provides general information on all FEMA grant programs and maintains a comprehensive database containing key personnel contact information at the federal, state, and local levels. When necessary, recipients will be directed to a federal point of contact who can answer specific programmatic questions or concerns. FEMA Grants News can be reached by phone at (800) 368-6498 or by e-mail at fema-grants-news@fema.dhs.gov, Monday through Friday, 9:00 AM - 5:00 PM ET.

e.  Equal Rights

The FEMA Office of Equal Rights (OER) is responsible for compliance with and enforcement of federal civil rights obligations in connection with programs and services conducted by FEMA and recipients of FEMA financial assistance. All inquiries and communications about federal civil rights compliance for FEMA grants under this notice should be sent to FEMA-CivilRightsOffice@fema.dhs.gov.

f.  Environmental Planning and Historic Preservation

GPD's EHP Team provides guidance and information about the EHP review process to recipients and subrecipients. All inquiries and communications about GPD projects under this NOFO or the EHP review process, including the submittal of EHP review materials, should be sent to gpdehpinfo@fema.dhs.gov.

2.  Systems Information

a.  Grants.gov

For technical assistance with Grants.gov, call the customer support hotline 24 hours per day, seven days per week (except federal holidays) at (800) 518-4726 or e-mail at support@grants.gov.

b.  Non-Disaster (ND) Grants

For technical assistance with the ND Grants system, please contact the ND Grants Helpdesk at ndgrants@fema.dhs.gov or (800) 865-4076, Monday through Friday, 9:00 AM - 6:00 PM ET. User resources are available at https://www.fema.gov/grants/guidance-tools/non-disaster-grants-management-system

c.  Payment and Reporting System (PARS)

FEMA uses PARS for financial reporting, invoicing, and tracking payments. FEMA uses the Direct Deposit/Electronic Funds Transfer (DD/EFT) method of payment to recipients. To enroll in the DD/EFT, recipients must complete a Standard Form 1199A, Direct Deposit Form. If you have questions about the online system, please call the Customer Service Center at (866) 927-5646 or email ask-GMD@fema.dhs.gov.

H.  Additional Information

1.  Termination Provisions

FEMA may terminate a federal award in whole or in part for one of the following reasons. FEMA and the recipient must still comply with closeout requirements at 2 C.F.R. §§ 200.344-200.345 even if an award is terminated in whole or in part. To the extent that subawards are permitted under this NOFO, pass-through entities should refer to 2 C.F.R. § 200.340 for additional information on termination regarding subawards.

a.  Noncompliance

If a recipient fails to comply with the terms and conditions of a federal award, FEMA may terminate the award in whole or in part. If the noncompliance can be corrected, FEMA may first attempt to direct the recipient to correct the noncompliance. This may take the form of a Compliance Notification. If the noncompliance cannot be corrected or the recipient is non-responsive, FEMA may proceed with a Remedy Notification, which could impose a remedy for noncompliance per 2 C.F.R. § 200.339, including termination. Any action to terminate based on noncompliance will follow the requirements of 2 C.F.R. §§ 200.341-200.342 as well as the requirement of 2 C.F.R. § 200.340(c) to report in FAPIIS the recipient's material failure to comply with the award terms and conditions. See also the section on Actions to Address Noncompliance in this notice.

b.  With the Consent of the Recipient

FEMA may also terminate an award in whole or in part with the consent of the recipient, in which case the parties must agree upon the termination conditions, including the effective date, and in the case of partial termination, the portion to be terminated.

c.  Notification by the Recipient

The recipient may terminate the award, in whole or in part, by sending written notification to FEMA setting forth the reasons for such termination, the effective date, and in the case of partial termination, the portion to be terminated. In the case of partial termination, FEMA may determine that a partially terminated award will not accomplish the purpose of the federal award, so FEMA may terminate the award in its entirety. If that occurs, FEMA will follow the requirements of 2 C.F.R. §§ 200.341-200.342 in deciding to fully terminate the award.

2.  Program Evaluation

Recipients and subrecipients are encouraged to incorporate program evaluation activities from the outset of their program design and implementation to meaningfully document and measure their progress towards meeting an agency priority goal(s). Title I of the Foundations for Evidence-Based Policymaking Act of 2018 (Evidence Act), Pub. L. No. 115-435 (2019) urges federal awarding agencies and federal assistance recipients and subrecipients to use program evaluation as a critical tool to learn, to improve equitable delivery, and to elevate program service and delivery across the program lifecycle. Evaluation means "an assessment using systematic data collection and analysis of one or more programs, policies, and organizations intended to assess their effectiveness and efficiency." Evidence Act § 101 (codified at 5 U.S.C. § 311). Evaluation costs are allowable costs (either as direct or indirect), unless prohibited by statute or regulation.

In addition, recipients are required to participate in a DHS-led evaluation if selected, which may be carried out by a third-party on behalf of the Program Office or DHS. By accepting grant funds, recipients agree to participate in the evaluation, which may include analysis of individuals who benefit from the grant, and provide access to program operating personnel and participants, as specified by the evaluator(s) during the award.

3.  Period of Performance Extensions

Extensions to the POP for this program are allowed. Extensions to the POP identified in the award will only be considered through formal, written requests to the recipient's FEMA Preparedness Officer and must contain specific and compelling justifications as to why an extension is required. Recipients are advised to coordinate with their FEMA Preparedness Officer as needed when preparing an extension request.

All extension requests must address the following:

a. The grant program, fiscal year, and award number;

b.  Reason for the delay - including details of the legal, policy, or operational challenges that prevent the final outlay of awarded funds by the deadline;

c. Current status of the activity(ies);

d.  Approved POP termination date and new project completion date;

e. Amount of funds drawn down to date;

f. Remaining available funds, both federal and, if applicable, non-federal;

g.  Budget outlining how remaining federal and, if applicable, non-federal funds will be expended;

h.  Plan for completion, including milestones and timeframes for achieving each milestone and the position or person responsible for implementing the plan for completion; and

i.  Certification that the activity(ies) will be completed within the extended POP without any modification to the original statement of work, as described in the investment justification and as approved by FEMA.

Extension requests will be granted only due to compelling legal, policy, or operational challenges. Extension requests will only be considered for the following reasons:

1.  Contractual commitments by the recipient or subrecipient with vendors prevent completion of the project, including delivery of equipment or services, within the existing POP;

2.  The project must undergo a complex environmental review that cannot be completed within the existing POP;

3.  Projects are long-term by design, and therefore acceleration would compromise core programmatic goals; or

4.  Where other special or extenuating circumstances exist.

Recipients should submit all proposed extension requests to FEMA as an amendment to the award in the ND Grants System for review and approval at least 120 days before the end of the POP to allow sufficient processing time. Extensions are typically granted for no more than a six-month period. Recipients considering submitting a grant extension should contact their FEMA Preparedness Officer by email at FEMA-TCGP@fema.dhs.gov.

4.  Disability Integration

Pursuant to Section 504 of the Rehabilitation Act of 1973, recipients of FEMA financial assistance must ensure that their programs and activities do not discriminate against other qualified individuals with disabilities.

Grant recipients should engage with the whole community to advance individual and community preparedness and to work as a nation to build and sustain resilience. In doing so, recipients are encouraged to consider the needs of individuals with disabilities in the activities and projects funded by the grant.

FEMA expects that the integration of the needs of people with disabilities will occur at all levels, including planning; alerting, notification and public outreach; training; purchasing of equipment and supplies; protective action implementation; and exercises/drills.

The following are examples that demonstrate the integration of the needs of people with disabilities in carrying out FEMA awards:

a. Include representatives of organizations that work with/for people with disabilities on planning committees, work groups and other bodies engaged in development and implementation of the grant programs and activities.

b.  Hold all activities related to the grant in locations that are accessible to persons with physical disabilities to the extent practicable.

c. Acquire language translation services, including American Sign Language, that provide public information across the community and in shelters.

d.  Ensure shelter-specific grant funds are in alignment with FEMA's Guidance on Planning for Integration of Functional Needs Support Services in General Population Shelters.

e. If making alterations to an existing building to a primary function area utilizing federal funds, complying with the most recent codes and standards, and making path of travel to the primary function area accessible to the greatest extent possible.

f. Implement specific procedures used by public transportation agencies that include evacuation and passenger communication plans and measures for individuals with disabilities.

g.  Identify, create, and deliver training to address any training gaps specifically aimed toward whole-community preparedness. Include and interact with individuals with disabilities, aligning with the designated program capability.

h.  Establish best practices in inclusive planning and preparedness that consider physical access, language access and information access. Examples of effective communication access include providing auxiliary aids and services such as sign language interpreters, Computer Aided Real-time Translation (CART) and materials in Braille or alternate formats.

FEMA grant recipients can fund projects toward the resiliency of the whole community, including people with disabilities, such as training, outreach, and safety campaigns, provided that the project aligns with this notice and the terms and conditions of the award.

5.  Conflicts of Interest in the Administration of Federal Awards or Subawards

For conflicts of interest under grant-funded procurements and contracts, refer to the section on Procurement Integrity in this NOFO and 2 C.F.R. §§ 200.317-200.327.

To eliminate and reduce the impact of conflicts of interest in the subaward process, recipients and pass-through entities must follow their own policies and procedures regarding the elimination or reduction of conflicts of interest when making subawards. Recipients and pass-through entities are also required to follow any applicable federal or Tribal statutes or regulations governing conflicts of interest in the making of subawards.

The recipient or pass-through entity must disclose to the respective Program Analyst or Program Manager, in writing, any real or potential conflict of interest that may arise during the administration of the federal award, as defined by the federal or Tribal statutes or regulations or their own existing policies, within five days of learning of the conflict of interest. Similarly, subrecipients, whether acting as subrecipients or as pass-through entities, must disclose any real or potential conflict of interest to the recipient or next-level pass-through entity as required by the recipient or pass-through entity's conflict of interest policies, or any applicable federal or tribal statutes or regulations.

Conflicts of interest may arise during the process of FEMA making a federal award in situations where an employee, officer, or agent, any member of his or her immediate family, or his or her partner has a close personal relationship, a business relationship, or a professional relationship with an applicant, recipient, subrecipient, or FEMA employees.

6.  Procurement Integrity

Through audits conducted by the DHS Office of Inspector General (OIG) and FEMA grant monitoring, findings have shown that some FEMA recipients have not fully adhered to the proper procurement requirements at 2 C.F.R. §§ 200.317-200.327 when spending grant funds. Anything less than full compliance with federal procurement requirements jeopardizes the integrity of the grant as well as the grant program. To assist with determining whether an action is a procurement or instead a subaward, please review 2 C.F.R. § 200.331. For detailed guidance on the federal procurement standards, recipients and subrecipients should refer to various materials issued by FEMA's Procurement Disaster Assistance Team (PDAT), such as the PDAT Field Manual and Contract Provisions Guide. Additional resources, including an upcoming trainings schedule, can be found on the PDAT webpage: https://www.fema.gov/grants/procurement.

The below highlights the federal procurement requirements for FEMA recipients when procuring goods and services with federal grant funds. FEMA will include a review of recipients' procurement practices as part of the normal monitoring activities. All procurement activity must be conducted in accordance with federal procurement standards at 2 C.F.R. §§ 200.317-200.327. Select requirements under these standards are listed below. The recipient and any of its subrecipients must comply with all requirements, even if they are not listed below.

Under 2 C.F.R. § 200.317, when procuring property and services under a federal award, states (including territories) must follow the same policies and procedures they use for procurements from their non-federal funds; additionally, states must now follow 2 C.F.R. § 200.321 regarding socioeconomic steps, 200.322 regarding domestic preferences for procurements, 200.323 regarding procurement of recovered materials, and 2 C.F.R. § 200.327 regarding required contract provisions.

All other non-federal entities, such as tribes (collectively, non-state entities), must have and use their own documented procurement procedures that reflect applicable tribal laws and regulations, provided that the procurements conform to applicable federal law and the standards identified in 2 C.F.R. Part 200. These standards include, but are not limited to, providing for full and open competition consistent with the standards of 2 C.F.R. § 200.319 and the required procurement methods at § 200.320.

a.  Important Changes to Procurement Standards in 2 C.F.R. Part 200

OMB recently updated various parts of Title 2 of the Code of Federal Regulations, among them, the procurement standards. States are now required to follow the socioeconomic steps in soliciting small and minority businesses, women's business enterprises and labor surplus area firms per 2 C.F.R. § 200.321. All non-federal entities should also, to the greatest extent practicable under a federal award, provide a preference for the purchase, acquisition, or use of goods, products, or materials produced in the United States per 2 C.F.R. § 200.322. More information on OMB's revisions to the federal procurement standards can be found in the Purchasing Under a FEMA Award: OMB Revisions Fact Sheet.

The recognized procurement methods in 2 C.F.R. § 200.320 have been reorganized into informal procurement methods, which include micro-purchases and small purchases; formal procurement methods, which include sealed bidding and competitive proposals; and noncompetitive procurements. The federal micro-purchase threshold is currently $10,000, and non-state entities may use a lower threshold when using micro-purchase procedures under a FEMA award. If a non-state entity wants to use a micro-purchase threshold higher than the federal threshold, it must follow the requirements of 2 C.F.R. § 200.320(a)(1)(iii)-(v). The federal simplified acquisition threshold is currently $250,000, and a non-state entity may use a lower threshold but may not exceed the federal threshold when using small purchase procedures under a FEMA award. See 2 C.F.R. § 200.1 (citing the definition of simplified acquisition threshold from 48 C.F.R. Part 2, Subpart 2.1).

See 2 C.F.R. §§ 200.216, 200.471, and Appendix II as well as Section D.13.a of the funding notice regarding prohibitions on covered telecommunications equipment or services.

b.  Competition and Conflicts of Interest

Among the requirements of 2 C.F.R. § 200.319(b) applicable to all non-federal entities other than states, in order to ensure objective contractor performance and eliminate unfair competitive advantage, contractors that develop or draft specifications, requirements, statements of work, or invitations for bids or requests for proposals must be excluded from competing for such procurements. FEMA considers these actions to be an organizational conflict of interest and interprets this restriction as applying to contractors that help a non-federal entity develop its grant application, project plans, or project budget. This prohibition also applies to the use of former employees to manage the grant or carry out a contract when those former employees worked on such activities while they were employees of the non-federal entity.

Under this prohibition, unless the non-federal entity solicits for and awards a contract covering both development and execution of specifications (or similar elements as described above), and this contract was procured in compliance with 2 C.F.R. §§ 200.317-200.327, federal funds cannot be used to pay a contractor to carry out the work if that contractor also worked on the development of those specifications. This rule applies to all contracts funded with federal grant funds, including pre-award costs, such as grant writer fees, as well as post-award costs, such as grant management fees.

Additionally, some of the situations considered to be restrictive of competition include, but are not limited to:

• Placing unreasonable requirements on firms for them to qualify to do business;

• Requiring unnecessary experience and excessive bonding;

• Noncompetitive pricing practices between firms or between affiliated companies;

• Noncompetitive contracts to consultants that are on retainer contracts;

• Organizational conflicts of interest;

• Specifying only a "brand name" product instead of allowing "an equal" product to be offered and describing the performance or other relevant requirements of the procurement; and

• Any arbitrary action in the procurement process.

Per 2 C.F.R. § 200.319(c), non-federal entities other than states must conduct procurements in a manner that prohibits the use of statutorily or administratively imposed tribal geographical preferences in the evaluation of bids or proposals, except in those cases where applicable federal statutes expressly mandate or encourage geographic preference. Nothing in this section preempts state licensing laws. When contracting for architectural and engineering services, geographic location may be a selection criterion provided its application leaves an appropriate number of qualified firms, given the nature and size of the project, to compete for the contract.

Under 2 C.F.R. § 200.318(c)(1), non-federal entities other than states are required to maintain written standards of conduct covering conflicts of interest and governing the actions of their employees engaged in the selection, award, and administration of contracts. No employee, officer, or agent may participate in the selection, award, or administration of a contract supported by a federal award if he or she has a real or apparent conflict of interest. Such conflicts of interest would arise when the employee, officer or agent, any member of his or her immediate family, his or her partner, or an organization that employs or is about to employ any of the parties indicated herein, has a financial or other interest in or a tangible personal benefit from a firm considered for a contract. The officers, employees, and agents of the non-federal entity may neither solicit nor accept gratuities, favors, or anything of monetary value from contractors or parties to subcontracts. However, non-federal entities may set standards for situations in which the financial interest is not substantial, or the gift is an unsolicited item of nominal value. The standards of conduct must provide for disciplinary actions to be applied for violations of such standards by officers, employees, or agents of the non-federal entity.

Under 2 C.F.R. 200.318(c)(2), if the recipient or subrecipient (other than states) has a parent, affiliate, or subsidiary organization that is not a state, local, tribal, or territorial government, the non-federal entity must also maintain written standards of conduct covering organizational conflicts of interest. In this context, organizational conflict of interest means that because of a relationship with a parent company, affiliate, or subsidiary organization, the non-federal entity is unable or appears to be unable to be impartial in conducting a procurement action involving a related organization. The non-federal entity must disclose in writing any potential conflicts of interest to FEMA or the pass-through entity in accordance with applicable FEMA policy.

c.  Supply Schedules and Purchasing Programs

Generally, a non-federal entity may seek to procure goods or services from a federal supply schedule, state supply schedule, or group purchasing agreement.

i.  General Services Administration Schedules

States, tribes and local governments and any instrumentality thereof (such as local education agencies or institutions of higher education) may procure goods and services from a General Services Administration (GSA) schedule. GSA offers multiple efficient and effective procurement programs for state, tribal and local governments, and instrumentalities thereof, to purchase products and services directly from pre-vetted contractors. The GSA Schedules (also referred to as the Multiple Award Schedules and the Federal Supply Schedules) are long-term government-wide contracts with commercial firms that provide access to millions of commercial products and services at volume discount pricing.

Information about GSA programs for states, tribes and local governments, and instrumentalities thereof, can be found at https://www.gsa.gov/buy-through-us/purchasing-programs/multiple-award-schedule/help-with-mas-buying/mas-help-for-state-local-and-tribal-governments.

For tribes and their instrumentalities that purchase off of a GSA schedule, this will satisfy the federal requirements for full and open competition provided that the recipient follows the GSA ordering procedures; however, tribes, local governments, and their instrumentalities will still need to follow the other rules under 2 C.F.R. §§ 200.317-200.327, such as solicitation of minority businesses, women's business enterprises, small businesses, or labor surplus area firms (§ 200.321), domestic preferences (§ 200.322), contract cost and price (§ 200.324), and required contract provisions (§ 200.327 and Appendix II).

ii.  Other Supply Schedules and Programs

For non-federal entities other than states, such as tribes, local governments, and nonprofits, that want to procure goods or services from a state supply schedule, cooperative purchasing program, or other similar program, in order for such procurements to be permissible under federal requirements, the following must be true:

  • The procurement of the original contract or purchasing schedule and its use by the non-federal entity complies with state and local law, regulations, and written procurement procedures.
  • The state or other entity that originally procured the original contract or purchasing schedule entered the contract or schedule with the express purpose of making it available to the non-federal entity and other similar types of entities.
  • The contract or purchasing schedule specifically allows for such use, and the work to be performed for the non-federal entity falls within the scope of work under the contract as to type, amount, and geography.
  • The procurement of the original contract or purchasing schedule complied with all the procurement standards applicable to a non-federal entity other than states under 2 C.F.R. §§ 200.317-200.327.
  • With respect to the use of a purchasing schedule, the non-federal entity must follow ordering procedures that adhere to applicable state, tribal and local laws and regulations and the minimum requirements of full and open competition under 2 C.F.R. Part 200.

If a non-federal entity other than a state seeks to use a state supply schedule, cooperative purchasing program, or other similar type of arrangement, FEMA recommends the recipient discuss the procurement plans with its FEMA Grants Management Specialist.

d.  Procurement Documentation

Per 2 C.F.R. § 200.318(i), non-federal entities other than states and territories are required to maintain and retain records sufficient to detail the history of procurement covering at least the rationale for the procurement method, selection of contract type, contractor selection or rejection, and the basis for the contract price. States and territories are encouraged to maintain and retain this information as well and are reminded that in order for any cost to be allowable, it must be adequately documented per 2 C.F.R. § 200.403(g).

Examples of the types of documents that would cover this information include but are not limited to:

  • Solicitation documentation, such as requests for quotes, invitations for bids, or requests for proposals.
  • Responses to solicitations, such as quotes, bids, or proposals.
  • Pre-solicitation independent cost estimates and post-solicitation cost/price analyses on file for review by federal personnel, if applicable.
  • Contract documents and amendments, including required contract provisions; and
  • Other documents required by federal regulations applicable at the time a grant is awarded to a recipient.
  • Additional information on required procurement records can be found on pages 24-26 of the PDAT Field Manual.

7. Financial Assistance Programs for Infrastructure

a.  Build America, Buy America Act

Recipients and subrecipients must comply with the Build America, Buy America Act (BABAA), which was enacted as part of the Infrastructure Investment and Jobs Act §§ 70901-70927, Pub. L. No. 117-58 (2021); and Executive Order 14005, Ensuring the Future is Made in All of America by All of America's Workers. See also Office of Management and Budget (OMB), Memorandum M-22-11, Initial Implementation Guidance on Application of Buy America Preference in Federal Financial Assistance Programs for Infrastructure.

None of the funds provided under this program may be used for a project for infrastructure unless the iron and steel, manufactured products and construction materials used in that infrastructure are produced in the United States.

The Buy America preference only applies to articles, materials and supplies that are consumed in, incorporated into, or affixed to an infrastructure project. As such, it does not apply to tools, equipment and supplies, such as temporary scaffolding, brought to the construction site and removed at or before the completion of the infrastructure project. Nor does a Buy America preference apply to equipment and furnishings, such as movable chairs, desks, and portable computer equipment, that are used at or within the finished infrastructure project but are not an integral part of the structure or permanently affixed to the infrastructure project.

Please consult FEMA Interim Policy #207-22-0001: Buy America Preference in FEMA Financial Assistance Programs for Infrastructure for more information. To see whether a particular FEMA federal financial assistance program is considered an infrastructure program and thus required to include a Buy America preference, please see Programs and Definitions: Build America, Buy America Act | FEMA.gov.

b.  Waivers

When necessary, recipients may apply for, and FEMA may grant, a waiver from these requirements.

A waiver of the domestic content procurement preference may be granted by the agency awarding official if FEMA determines that:

  • Applying the domestic content procurement preference would be inconsistent with the public interest.
  • The types of iron, steel, manufactured products, or construction materials are not produced in the United States in sufficient and reasonably available quantities or of a satisfactory quality.
  • The inclusion of iron, steel, manufactured products, or construction materials produced in the United States will increase the cost of the overall project by more than 25%.

For FEMA awards, the process for requesting a waiver from the Buy America preference requirements can be found on FEMA's website at: "Buy America" Preference in FEMA Financial Assistance Programs for Infrastructure | FEMA.gov.

c.  Definitions

Construction materials: an article, material, or supply other than an item primarily of iron or steel; a manufactured product; cement and cementitious materials; aggregates such as stone, sand, or gravel; or aggregate binding agents or additives that is or consists primarily of non-ferrous metals, plastic and polymer-based products (including polyvinylchloride, composite building materials, and polymers used in fiber optic cables), glass (including optic glass), lumber, paint, and drywall.

Domestic content procurement preference: Means all iron and steel used in the project are produced in the United States; the manufactured products used in the project are produced in the United States; or the construction materials used in the project are produced in the United States.

Federal financial assistance: Generally defined in 2 C.F.R. § 200.1 and includes all expenditures by a federal agency to a non-federal entity for an infrastructure project, except that it does not include expenditures for assistance authorities relating to major disasters or emergencies under sections 402, 403, 404, 406, 408, or 502 of the Robert T. Stafford Disaster Relief and Emergency Assistance Act relating to a major disaster or emergency declared under section 401 or 501, respectively, or pre and post disaster or emergency response expenditures.

Infrastructure:  infrastructure projects which serve a public function, including at a minimum, the structures, facilities, and equipment for, in the United States, roads, highways, and bridges; public transportation; dams, ports, harbors, and other maritime facilities; intercity passenger and freight railroads; freight and intermodal facilities; airports; water systems, including drinking water and wastewater systems; electrical transmission facilities and systems; utilities; broadband infrastructure; and buildings and real property; and structures, facilities, and equipment that generate, transport, and distribute energy.

Produced in the United States means the following for:

  • Iron and steel: All manufacturing processes, from the initial melting stage through the application of coatings, occurred in the United States.
  • Manufactured products: The product was manufactured in the United States, and the cost of the components of the manufactured product that are mined, produced, or manufactured in the United States is greater than 55% of the total cost of all components of the manufactured product, unless another standard for determining the minimum amount of domestic content of the manufactured product has been established under applicable law or regulation.
  • Construction Materials: All manufacturing processes for the construction material occurred in the United States.

Project: is any activity related to the construction, alteration, maintenance, or repair of infrastructure in the United States.

8.  Record Retention

a.  Record Retention Period

Financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a federal award generally must be maintained for at least three years from the date the final FFR is submitted. See 2 C.F.R. § 200.334. Further, if the recipient does not submit a final FFR and the award is administratively closed, FEMA uses the date of administrative closeout as the start of the general record retention period.

The record retention period may be longer than three years or have a different start date in certain cases. These include:

  • Records for real property and equipment acquired with Federal funds must be retained for three years after final disposition of the property. See 2 C.F.R. § 200.334(c).
  • If any litigation, claim, or audit is started before the expiration of the three-year period, the records must be retained until all litigation, claims, or audit findings involving the records have been resolved and final action taken. See 2 C.F.R. § 200.334(a).
  • The record retention period will be extended if the non-federal entity is notified in writing of the extension by FEMA, the cognizant or oversight agency for audit, or the cognizant agency for indirect costs, or pass-through entity. See 2 C.F.R. § 200.334(b).
  • Where FEMA requires recipients to report program income after the period of performance ends, the program income record retention period begins at the end of the recipient's fiscal year in which program income is earned. See 2 C.F.R. § 200.334(e).
  • For indirect cost rate computations and proposals, cost allocation plans, or any similar accounting computations of the rate at which a particular group of costs is chargeable (such as computer usage chargeback rates or composite fringe benefit rates), the start of the record retention period depends on whether the indirect cost rate documents were submitted for negotiation. If the indirect cost rate documents were submitted for negotiation, the record retention period begins from the date those documents were submitted for negotiation. If indirect cost rate documents were not submitted for negotiation, the record retention period begins at the end of the recipient's fiscal year or other accounting period covered by that indirect cost rate. See 2 C.F.R. § 200.334(f).

b.  Types of Records to Retain

FEMA requires that non-federal entities maintain the following documentation for federally funded purchases:

  • Specifications;
  • Solicitations;
  • Competitive quotes or proposals;
  • Basis for selection decisions;
  • Purchase orders;
  • Contracts;
  • Invoices; and
  • Canceled checks.

Non-federal entities should keep detailed records of all transactions involving the grant. FEMA may at any time request copies of any relevant documentation and records, including purchasing documentation along with copies of canceled checks for verification. See, e.g., 2 C.F.R. §§ 200.318(i), 200.334, 200.337.

In order for any cost to be allowable, it must be adequately documented per 2 C.F.R. § 200.403(g). Non-federal entities who fail to fully document all purchases may find their expenditures questioned and subsequently disallowed.

9.  Actions to Address Noncompliance

Non-federal entities receiving financial assistance funding from FEMA are required to comply with requirements in the terms and conditions of their awards or subawards, including the terms set forth in applicable federal statutes, regulations, funding notices, and policies. Throughout the award lifecycle or even after an award has been closed, FEMA or the pass-through entity may discover potential or actual noncompliance on the part of a recipient or subrecipient. This potential or actual noncompliance may be discovered through routine monitoring, audits, closeout, or reporting from various sources.

In the case of any potential or actual noncompliance, FEMA may place special conditions on an award per 2 C.F.R. §§ 200.208 and 200.339, FEMA may place a hold on funds until the matter is corrected, or additional information is provided per 2 C.F.R. § 200.339, or it may do both. Similar remedies for noncompliance with certain federal civil rights laws are authorized pursuant to 44 C.F.R. Parts 7 and 19.

In the event the noncompliance is not able to be corrected by imposing additional conditions or the recipient or subrecipient refuses to correct the matter, FEMA might take other remedies allowed under 2 C.F.R. § 200.339. These remedies include actions to disallow costs, recover funds, wholly or partly suspend or terminate the award, initiate suspension and debarment proceedings, withhold further federal awards, or take other remedies that may be legally available. For further information on termination due to noncompliance, see the section on Termination Provisions in the funding notice.

FEMA may discover and take action on noncompliance even after an award has been closed. The closeout of an award does not affect FEMA's right to disallow costs and recover funds as long as the action to disallow costs takes place during the record retention period. See 2 C.F.R. §§ 200.334, 200.345(a). Closeout also does not affect the obligation of the non-federal entity to return any funds due as a result of later refunds, corrections, or other transactions. 2 C.F.R. § 200.345(a)(2).

The types of funds FEMA might attempt to recover include, but are not limited to, improper payments, cost share reimbursements, program income, interest earned on advance payments, or equipment disposition amounts.

FEMA may seek to recover disallowed costs through a Notice of Potential Debt Letter, a Remedy Notification, or other letter. The document will describe the potential amount owed, the reason why FEMA is recovering the funds, the recipient's appeal rights, how the amount can be paid, and the consequences for not appealing or paying the amount by the deadline.

If the recipient neither appeals nor pays the amount by the deadline, the amount owed will become final. Potential consequences if the debt is not paid in full or otherwise resolved by the deadline include the assessment of interest, administrative fees, and penalty charges; administratively offsetting the debt against other payable federal funds; and transferring the debt to the U.S. Department of the Treasury for collection.

FEMA notes the following common areas of noncompliance for FEMA's grant programs:

  • Insufficient documentation and lack of record retention;
  • Failure to follow the procurement under grants requirements;
  • Failure to submit closeout documents in a timely manner;
  • Failure to follow EHP requirements; and
  • Failure to comply with the POP deadline.

10. Audits

FEMA grant recipients are subject to audit oversight from multiple entities including the DHS OIG, the GAO, the pass-through entity, or independent auditing firms for single audits, and these audits may cover activities and costs incurred under the award. Auditing agencies such as the DHS OIG, the GAO, and the pass-through entity (if applicable), and FEMA in its oversight capacity, must have access to records pertaining to the FEMA award. Recipients and subrecipients must retain award documents for at least three years from the date the final FFR is submitted, and even longer in many cases subject to the requirements of 2 C.F.R. § 200.334. In the case of administrative closeout, documents must be retained for at least three years from the date of closeout, or longer subject to the requirements of 2 C.F.R. § 200.334. If documents are retained longer than the required retention period, the DHS OIG, the GAO, and the pass-through entity, as well as FEMA in its oversight capacity, have the right to access these records as well. See 2 C.F.R. §§ 200.334, 200.337.

Additionally, non-federal entities must comply with the single audit requirements at 2 C.F.R. Part 200, Subpart F. Specifically, non-federal entities, other than for-profit subrecipients, that expend $750,000 or more in federal awards during their fiscal year must have a single or program-specific audit conducted for that year in accordance with Subpart F. 2 C.F.R. § 200.501. A single audit covers all federal funds expended during a fiscal year, not just FEMA funds. The cost of audit services may be allowable per 2 C.F.R. § 200.425, but non-federal entities must select auditors in accordance with 2 C.F.R. § 200.509, including following the proper procurement procedures. For additional information on single audit reporting requirements, see section F of this funding notice under the header "Single Audit Report" within the subsection "Additional Reporting Requirements."

The objectives of single audits are to:

  • Determine if financial statements conform to generally accepted accounting principles (GAAP);
  • Determine whether the schedule of expenditures of federal awards is presented fairly;
  • Understand, assess, and test the adequacy of internal controls for compliance with major programs; and
  • Determine if the entity complied with applicable laws, regulations, and contracts or grants.

For single audits, the auditee is required to prepare financial statements reflecting its financial position, a schedule of federal award expenditures, and a summary of the status of prior audit findings and questioned costs. The auditee also is required to follow up and take appropriate corrective actions on new and previously issued but not yet addressed audit findings. The auditee must prepare a corrective action plan to address the new audit findings. 2 C.F.R. §§ 200.508, 200.510, 200.511.

Non-federal entities must have an audit conducted, either single or program-specific, of their financial statements and federal expenditures annually or biennially pursuant to 2 C.F.R. § 200.504. Non-federal entities must also follow the information submission requirements of 2 C.F.R. § 200.512, including submitting the audit information to the Federal Audit Clearinghouse within the earlier of 30 calendar days after receipt of the auditor's report(s) or nine months after the end of the audit period. The audit information to be submitted includes the data collection form described at 2 C.F.R. § 200.512(c) and Appendix X to 2 C.F.R. Part 200 as well as the reporting package described at 2 C.F.R. § 200.512(b).

The non-federal entity must retain one copy of the data collection form and one copy of the reporting package for three years from the date of submission to the Federal Audit Clearinghouse. 2 C.F.R. § 200.512; see also 2 C.F.R. § 200.517 (setting requirements for retention of documents by the auditor and access to audit records in the auditor's possession).

FEMA, the DHS OIG, the GAO, and the pass-through entity (if applicable), as part of monitoring or as part of an audit, may review a non-federal entity's compliance with the single audit requirements. In cases of continued inability or unwillingness to have an audit conducted in compliance with 2 C.F.R. Part 200, Subpart F, FEMA and the pass-through entity, if applicable, are required to take appropriate remedial action under 2 C.F.R. § 200.339 for noncompliance, pursuant to 2 C.F.R. § 200.505.

11. Payment Information

FEMA uses the Direct Deposit/Electronic Funds Transfer (DD/EFT) method of payment to recipients.

FEMA utilizes PARS for financial reporting, invoicing, and tracking payments. For additional information, refer to https://isource.fema.gov/sf269/execute/LogIn?sawContentMessage=true.

12. Whole Community Preparedness

Preparedness is a shared responsibility that calls for the involvement of everyone, not just the government, in preparedness efforts. By working together, everyone can help keep the nation safe from harm and help keep it resilient when struck by hazards, such as natural disasters, acts of terrorism, and pandemics.

Whole Community includes:

  • Individuals and families, including those with access and functional needs;
  • Businesses;
  • Faith-based and community organizations;
  • Nonprofit groups;
  • Schools and academia;
  • Media outlets; and
  • All levels of government, including state, local, tribal, territorial, and federal partners.

The phrase "Whole Community" or "Whole of Community" often appears in preparedness materials, as it is one of the guiding principles. It means:

1.  Involving people in the development of national preparedness documents; and

2.  Ensuring their roles and responsibilities are reflected in the content of the materials.

13. Continuity Capability

Continuity should be integrated into each core capability and the coordinating structures that provide them. Protection of critical systems and networks that ensure continuity of operation, business and government are fundamental to ensuring the delivery of all core capabilities. Continuity capabilities increase resilience and the probability that organizations can perform essential functions in the delivery of core capabilities that support the mission areas. FEMA is responsible for developing, managing, and promulgating national continuity planning, guidance, training, and exercise programs for the whole community.

FEMA develops and promulgates directives, policy, and guidance for continuing tribal government jurisdictions, nongovernmental organizations, and private sector organizations' essential functions across a broad spectrum of emergencies. This direction and guidance assist in developing capabilities for continuing the essential functions of tribal governmental entities, as well as public/private critical infrastructure owners, operators, and regulators enabling them.

The Continuity Guidance Circular outlines continuity requirements for agencies and organizations and provides guidance, methodology, and checklists. For additional information on continuity programs, guidance, and directives, visit the Continuity Resource Toolkit at https://www.fema.gov/emergency-managers/national-preparedness/continuity/toolkit and https://www.fema.gov/emergency-managers/national-preparedness/continuity.

This aligns with the requirements that approved Cybersecurity Plans ensure continuity of operations of the tribal government in the event of a cybersecurity incident, including by conducting exercises to practice responding to a cybersecurity incident, per 6 U.S.C. § 665g(e)(2)(B)(vii).

14. Appendices

Appendix A: Program Goals and Objectives

Appendix B: Cybersecurity Planning Committee and Charter

Appendix C: Cybersecurity Plan

Appendix D: POETE Solution Areas for Investments

Appendix E: TCGP Requirements Matrix

Appendix F: Required, Encouraged, and Optional Services, Memberships, and Resources

Appendix A: Program Goals and Objectives

FEMA and CISA respect the sovereignty and self-determination of tribal governments and recognize the intent of Congress to provide flexibility to tribal governments to meet cybersecurity needs across Indian Country through the TCGP. Changes to the program were made as a result of nation-to-nation consultation with tribal representatives across the country and are intended to support tribal cybersecurity resiliency.

As part of DHS, CISA is at the heart of mobilizing a collective defense to understand and manage risk to our critical infrastructure partners. In its unique role, CISA is proactively working to achieve a cybersecurity ecosystem in which malicious actors face insurmountably high costs to execute damaging intrusions, vulnerabilities are rapidly identified before exploitation, and technology is used to reduce the most harmful and systemic risks. CISA programs and services are driven by a comprehensive understanding of the risk environment and the corresponding needs identified by our partners. The TCGP is key to achieving this vision and enables the Department to make targeted investments in tribal governments, while improving their security and resilience. The goals and objectives outlined below, if achieved, will significantly reduce the risk of a cybersecurity threat against tribal government information technology (IT) networks. These broad outcomes are listed in logical sequence to aid recipients in focusing on the overall intent of the TCGP. These outcomes will help prioritize the use of scarce resources and to develop metrics to gauge success at both the project and organization level. Outcomes of the program will be measured by how well recipients can achieve outlined goals and improve the risk posture of the information systems they either own or those that are operated on their behalf.

The program objectives for the TCGP are as follows:

1.  Develop and establish appropriate governance structures, as well as develop, implement, or revise Cybersecurity Plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations;

2.  Ensure tribal governments understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments;

3.  Implement security protections commensurate with risk; and

4.  Ensure organization personnel are appropriately trained in cybersecurity, commensurate with their responsibilities.

These program objectives are further divided into sub-objectives and outcomes with accompanying sample evidence of implementation provided to assist the reader in development of their application.

Tribal applicants are required to submit a project that coincides with Objective 1 of the TCGP program. Depending on the tribal government's current cybersecurity posture, the tribe may choose to align additional projects to the three remaining objectives.

Goal of the Tribal Cybersecurity Grant Program: Assist tribal governments with managing and reducing systemic cyber risk.

Program ObjectiveProgram Sub-ObjectiveOutcome(s)Sample Evidence of Implementation
1. Develop and establish appropriate governance structures, as well as develop, implement, or revise cybersecurity plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations.1.1: Establish cybersecurity governance structures and implement a program to evaluate maturity of the cybersecurity program aligned to Cybersecurity Performance Goals established by CISA and the National Institute of Standards and Technology (NIST).

1.1.1 Participants have established and documented a uniform cybersecurity governance structure that is accountable to organizational leadership and works together to set the vision for cyber risk management.

1.1.2 Participants have identified senior officials to enable whole-of tribe coordination on cybersecurity policies, processes, and procedures. 

Organization has a cybersecurity defense concept of operations, with responsibilities assigned to specific organizational roles.
 1.2 Develop, implement, or revise, and test cybersecurity plans, including cyber incident response plans, with clearly defined roles and responsibilities. 1.2.1 Develop, implement, or revise, and exercise cyber incident response plans.Organization conducts annual table-top and full-scope exercises that include practical execution of restoration and recovery processes to test approved cybersecurity plans. Conducting these exercises allow organizations to test approved cybersecurity plans to identify, protect, detect, respond to, and recover from cybersecurity incidents, in line with the NIST Cybersecurity Framework, and demonstrates process to incorporate lessons learned from the exercise into their cybersecurity program.
 1.3 Asset (e.g., devices, data, software) protections and recovery actions are prioritized based on the asset s criticality and business value.1.3.1 Ensure that systems and network functions are prioritized and reconstituted according to their impact to essential functions.Organization conducts a regular business impact assessment to prioritize which systems must be protected and recovered first.

| Program Goals | Program Objectives | Outcome(s) | Sample Evidence of Implementation |
| --- | --- | --- | --- |
| 2. Tribal governments understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments. | 2.1 Physical devices and systems, as well as software platforms and applications, are inventoried. | 2.1.1 Establish and regularly update asset inventory. | Organization maintains and regularly updates an asset inventory list. |
|  | 2.2 Cybersecurity risk to the organization's operations and assets are understood. | 2.2.1 Conduct an annual cyber risk assessment to identify cyber risk management gaps and areas for improvement. | Organization annually completes the Nationwide Cybersecurity Review (NCSR). |
|  | 2.3 Vulnerability scans are performed, and a risk-based vulnerability management plan is developed and implemented. | 2.3.1 Participate in CISA's Vulnerability Scanning service, part of the Cyber Hygiene program. 2.3.2 Effectively manage vulnerabilities by prioritizing mitigation of high impact vulnerabilities and those most likely to be exploited. | Organization is an active participant in CISA's Cyber Hygiene program. Organization has a plan to manage vulnerabilities based on those with the highest criticality, internet-facing vulnerabilities, as well as known exploited vulnerabilities identified in CISA's Known Exploited Vulnerabilities Catalog. |
|  | 2.4 Capabilities are in place to monitor assets to identify cybersecurity events. | 2.4.1 Tribes are able to analyze network traffic and activity transiting or traveling to or from information systems, applications, and user accounts to understand baseline activity and identify potential threats. | Not Applicable |
|  | 2.5 Processes are in place to action insights derived from deployed capabilities. | 2.5.1 Tribes are able to respond to identified events and incidents, document root cause, and share information with partners. | Not Applicable |

| Program Goals | Program Objectives | Outcome(s) | Sample Evidence of Implementation |
| --- | --- | --- | --- |
| 3. Implement security protections commensurate with risk (Outcomes of goals 1 & 2). | 3.1 Tribes adopt fundamental cybersecurity best practices. | 3.1.1 Implement multi-factor authentication (MFA), prioritizing privileged users, Internet-facing systems, and cloud accounts. | The organization implements MFA for all remote access and privileged accounts. |
|  | 3.2 Reduce gaps identified through assessment and planning process and apply increasingly sophisticated security protections commensurate with risk. | 3.2.1 Individual participants address items identified through assessments and planning process. 3.2.2 Tribal governments improve cybersecurity ecosystem by collaborating to address items identified through assessments and planning process (e.g., regional and intra-state efforts). | Not Applicable |

| Program Goals | Program Objectives | Outcome(s) | Sample Evidence of Implementation |
| --- | --- | --- | --- |
| 4. Ensure organization personnel are appropriately trained in cybersecurity, commensurate with responsibility. | 4.1 Train personnel to have the fundamental knowledge and skills necessary to recognize cybersecurity risks and understand their roles and responsibilities within established cybersecurity policies, procedures, and practices. | 4.1.1 Organization requires regular ongoing phishing training, awareness campaigns are conducted, and organization provides role-based cybersecurity awareness training to all employees. 4.1.2 Organization has dedicated resources and funding available for its cybersecurity professionals to attend technical trainings and conferences. | Not Applicable |
|  | 4.2 Organization has adopted the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. | 4.2.1 Organization has established cyber workforce development & training plans, based on the NICE Cybersecurity Workforce Framework. | Not Applicable |

Appendix B: Cybersecurity Planning Committee and Charter

Governance

In keeping with the guiding principles of governance for all FEMA preparedness programs and statutory requirements, recipients must coordinate activities across preparedness disciplines and levels of tribal government. Specific attention should be paid to how available funding sources can effectively support a tribal government's approach to cyber preparedness and resiliency.

To ensure this, 6 U.S.C. 665g(g) requires eligible tribal governments to create a Cybersecurity Planning Committee to receive grant funding under this program. This section describes planning committee requirements and membership composition. An exception, located at 6 U.S.C. 665g(h), allows the DHS Secretary, in consultation with the Secretary of the Interior and tribal governments, to prescribe an alternative "substantively similar requirement" for Cybersecurity Planning Committees for tribal governments, if the DHS Secretary finds that the alternative requirement is necessary for the effective delivery and administration of grants to tribal governments. The below section reflects alternative requirements that have been approved by the DHS Secretary for the tribes' benefit.

Cybersecurity Planning Committee

The Tribal Cybersecurity Planning Committee requirement can be met by an existing Tribal Council/Governing Body that includes the participation of a designated Chief Information Officer (CIO), Chief Information Security Officer (CISO), or equivalent official to the CIO or CISO with expertise in information technology (IT) and systems. If the tribal government would prefer to establish a separate Cybersecurity Planning Committee, the required members of that committee should include the following: the grants administration office and a designated Chief Information Officer (CIO), Chief Information Security Officer (CISO), or equivalent official to the CIO or CISO with expertise in IT and systems. Additional members are encouraged but not required.

Cybersecurity Planning Committee Composition and Scope Requirements

Cybersecurity Planning Committee membership shall include at least one representative from relevant stakeholders including:

  • The tribal government applicant;
  • The Chief Information Officer (CIO), Chief Information Security Officer (CISO), or equivalent official to the CIO or CISO;  
  • Grants administrative office; and
  • Additional tribal members are encouraged but not required.

The Cybersecurity Planning Committee must include the participation of a designated Chief Information Officer (CIO), Chief Information Security Officer (CISO), or equivalent official to the CIO or CISO with expertise in information technology and systems. The CIO, CISO, or equivalent official to the CIO or CISO is one who fulfills the duties of the CIO or CISO, even if their job includes other duties and responsibilities. Qualifications are determined by the tribes.

Eligible tribal governments are given the flexibility to identify the specific public health and public education agencies and communities these members represent. DHS strongly encourages eligible tribal governments to consider naming additional members to the approved Cybersecurity Planning Committee.

The composition, structure, and charter of the approved Cybersecurity Planning Committee should focus on building cybersecurity capabilities across the tribal government. The approved Cybersecurity Planning Committee POC's contact information must be provided to FEMA as part of the grant application. Tribal governments must ensure that information for current points of contact is on file with FEMA.

Tribal governments must submit the list of Cybersecurity Planning Committee members at the time of application as an attachment in ND Grants. Tribal governments must verify compliance with Cybersecurity Planning Committee charter requirements. The below table provides a suggested format for submitting the list of required Cybersecurity Planning Committee members.

| Representation/Organization | Committee Member Name | Committee Member Title | Committee Member's Organization | Cybersecurity/IT experience (Yes/No) |
| --- | --- | --- | --- | --- |
|  |  |  |  |  |
|  |  |  |  |  |
|  |  |  |  |  |

Cybersecurity Planning Committee Responsibilities

The responsibilities of the approved Cybersecurity Planning Committee include:

  • Assisting with the development, implementation, and revision of the Cybersecurity Plan;
  • Approving the Cybersecurity Plan;
  • Assisting with the determination of effective funding priorities;
  • Coordinating with other committees and like entities with the goal of maximizing coordination and reducing duplication of effort;
  • Creating a cohesive planning network that builds and implements cybersecurity preparedness initiatives, using FEMA and other federal resources, and tribal resources; and
  • Ensuring investments support closing capability gaps or sustaining capabilities.

Cybersecurity Planning Committee Charter

The governance of the TCGP through the approved Cybersecurity Planning Committee should be directed by a charter. All members of the Cybersecurity Planning Committee should sign and date the charter showing their agreement with its content and their representation on the committee. Eligible applicants must submit the Cybersecurity Planning Committee charter at the time of application as an attachment in ND Grants. Revisions to the governing charter must also be sent to the recipient's assigned FEMA HQ Preparedness Officer. The Cybersecurity Planning Committee charter must, at a minimum, provide:

  • A detailed description of the Cybersecurity Planning Committee's composition and an explanation of key governance processes;
  • A description of the frequency at which the Cybersecurity Planning Committee will meet;
  • An explanation as to how the committee will leverage existing governance bodies;
  • A detailed description of how decisions on programmatic priorities funded by TCGP will be made and how those decisions will be documented and shared with its members and other stakeholders, as appropriate; and
  • A description of defined roles and responsibilities for financial decision making and meeting administrative requirements.

To ensure ongoing coordination efforts, tribes are encouraged to share community preparedness information from other preparedness grant programs as submitted in a tribe's Performance Progress Report (PPR) with members of the approved Cybersecurity Planning Committee. Tribes are also encouraged to share their Threat and Hazard Identification and Risk Assessment/Stakeholder Preparedness Review data with members of the approved Cybersecurity Planning Committee who are applying for other FEMA preparedness grants to enhance their understanding of statewide capability gaps.

To manage this effort and to further reinforce collaboration and coordination across the stakeholder community, a portion of the recipient's award may be utilized by the tribe to support the approved Cybersecurity Planning Committee and to ensure representation and active participation of Cybersecurity Planning Committee members. Funding may be used for hiring and training planners, establishing and maintaining a program management structure, identifying and managing projects, conducting research necessary to inform the planning process, and updating plans that bridge mechanisms, documents, protocols, and procedures.

Appendix C: Cybersecurity Plan

Cybersecurity Plan Basics

  • Comprehensive strategic plan to reduce cybersecurity risk and increase capability across the government;
  • Tribal government-wide plan;
  • Should cover strategic direction for two to three years;
  • Must include required elements, with discretion to add other elements as necessary;
  • Existing plans can be used;
  • There is no required template, but required elements must be identifiable for review purposes;
  • Individual projects must align to Cybersecurity Plan;
  • Must be approved by the Cybersecurity Committee and CIO, CISO, or equivalent official to the CIO or CISO;
  • CISA approves for DHS; and
  • Plans are initially approved for two years; annually thereafter (as the plans are living documents, applicants may resubmit following award. Applicants may work with their CISA regional staff for guidance and to prepare for additional Plan requirements and updates).

Submission of a Cybersecurity Plan is required for any eligible entity participating in TCGP. The Cybersecurity Plan is a key component of a strategic approach to building cyber resilience. The approved Cybersecurity Planning Committee is responsible for developing, approving, revising, and implementing the approved Cybersecurity Plan.

Accordingly, the Cybersecurity Plan should establish high level goals and finite objectives to reduce specific cybersecurity risks at tribal governments across the eligible entity. The Cybersecurity Plan should also serve as the overarching framework for the achievement of the TCGP goal, with grant funded projects working to achieve outcomes.

For the Cybersecurity Plan, the approved Cybersecurity Planning Committee should consider the following:

  • Existing governance and planning documents and identification of any planning gaps that should be addressed by the Cybersecurity Plan;
  • Existing assessments and evaluations (e.g., reports, after action reports) conducted by the tribal government and any planning gaps that require additional assessments and/or evaluations; and
  • Identification of potential TCGP projects to address planning gaps and prioritize mitigation efforts.

Plan Components

  • Roles and responsibilities;
  • Required elements;
  • Discretionary elements;
  • Capabilities assessment;
  • Implementation plan;
  • A summary of projects; and
  • Metrics.

Cybersecurity Plan Overview

The following identifies the plan requirements and additional considerations that Tribal governments should consider when constructing the Cybersecurity Plan. Although there is no required format for the Cybersecurity Plan, the approved Cybersecurity Planning Committees are encouraged to review the Cybersecurity Plan Template.

Cybersecurity Plans must include and address the following items:

  •  Incorporate, to the extent practicable, any existing plans to protect against cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, tribes. Building upon and incorporating existing structures and capabilities allows entities to provide governance and a framework to meet the critical cybersecurity needs across the entity while making the best use of available resources. For example, consider referencing an existing emergency management plan to address potential downstream impacts affecting health and safety when responding to or recovering from a cybersecurity incident.
  •  Include the specific required elements (see Required Elements section of this Appendix below). There are 13 required elements that are central to the Cybersecurity Plan and represent a broad range of cybersecurity capabilities and activities. They also include specific cybersecurity best practices that, when implemented over time, will substantially reduce cybersecurity risk and cybersecurity threats. Although each of the 13 required elements must be addressed in the plan, this may include a brief explanation as to why certain elements are not currently being prioritized. Not all 13 elements are required to be aligned to projects and have associated funding. These determinations should be addressed in accordance with capability gaps and vulnerabilities identified through an objective assessment process.
  •  Describe, as appropriate and to the extent practicable, the individual responsibilities within the tribal Government in implementing the Cybersecurity Plan. Defining the roles and responsibilities of tribal governments is critical from both governance and implementation perspectives.
  •  Assess the required elements from a tribal-entity-wide perspective. The candid assessment of the current capabilities of tribal governments is the first step in reducing cybersecurity risk across the tribe. This assessment also serves as the justification for individual projects. Additional information on the assessment is provided below and in the Cybersecurity Plan Template.
  •  Outline, to the extent practicable, the necessary resources and a timeline for implementing the plan. The Cybersecurity Plan is a strategic planning tool that looks two to three years into the future. Accordingly, it should map how the approved Cybersecurity Planning Committee seeks to achieve plan goals and objectives. Cybersecurity Plans should address how TCGP funds will help develop and/or implement the plan. It should also map how other activities and funding sources contribute to achieving the outcomes described in the plans.
  •  Summary of associated projects. Individual projects are the way elements of the plan are implemented over time. The plan must include a summary of projects associated with each required and discretionary element, designating which will use TCGP funds. Details for each project using TCGP funds must be included in the IJs.
  •  Describe the metrics that the eligible tribe will use to measure progress. The metrics that will be used must measure implementation of the Cybersecurity Plan and, more broadly, cybersecurity risk reduction across the state. These are different than the metrics that will be used to measure outcomes of the TCGP, as described in the Performance Measures Section of this NOFO. Additional information is provided in the Cybersecurity Plan Template.
  •  Approvals - the Cybersecurity Plan must be approved by the Cybersecurity Planning Committee and the CIO, CISO, or equivalent official to the CIO or CISO. The eligible tribe, upon submitting the Cybersecurity Plan, must certify that the Cybersecurity Plan has been formally approved by the Cybersecurity Planning Committee and the CIO, CISO, or equivalent official to the CIO or CISO of the eligible entity.

Cybersecurity Planning Committees should also consider the following when constructing the Cybersecurity Plan:

  • Holistic approach to the Cybersecurity Plan. The Cybersecurity Plan should be strategic in nature, guiding development of capabilities to address cybersecurity risks and threats across the tribe. Individual projects should demonstrably support the tribe in achieving those capabilities over time.
  • Prioritize projects that address critical cybersecurity infrastructure.
  • Focused investments that are sustainable over time. The TCGP currently is authorized for four years, and limited funds are available. Cybersecurity Plans must address how tribal governments will sustain capabilities once the program ends or funds are no longer available.
  • Building from existing efforts. Cybersecurity Committees should consider describing how tribes have integrated existing plans and partnerships into new activities.
  • Additional cybersecurity elements prioritized by the approved Cybersecurity Planning Committee.

Required Elements

If there are any existing plans that meet the required elements, references to the existing plan may be used in lieu of incorporating them in their entirety. The Cybersecurity Plan must describe, to the extent practicable, how the tribal government plans to address the below elements. The Cybersecurity Plan is a strategic document, looking broadly across the entire tribal government. The description should support the vision, mission and other strategic guidance set by the Cybersecurity Planning Committee.

1.  Manage, monitor, and track information systems, applications, and user accounts owned or operated by, or on behalf of, the tribal government, and the information technology deployed on those information systems, including legacy information systems and information technology that are no longer supported by the manufacturer of the systems or technology.

2.  Monitor, audit, and track network traffic and activity transiting or traveling to or from information systems, applications, and user accounts owned or operated by, or on behalf of, the tribal government.

3.  Enhance the preparation, response, and resilience of information systems, applications, and user accounts owned or operated by, or on behalf of, the tribal government, against cybersecurity risks and cybersecurity threats.

4.  Implement a process of continuous cybersecurity vulnerability assessments and threat mitigation practices prioritized by degree of risk to address cybersecurity risks and cybersecurity threats on information systems, applications, and user accounts owned or operated by, or on behalf of, the tribal government.

5.  Ensure that the tribal government adopts and uses best practices and methodologies to enhance cybersecurity, discussed further below. The following cybersecurity best practices under required element five must be included in each eligible entity's Cybersecurity Plan:

  • Implement multi-factor authentication;
  • Implement enhanced logging;
  • Data encryption for data at rest and in transit;
  • End use of unsupported/end of life software and hardware that are accessible from the Internet;
  • Prohibit use of known/fixed/default passwords and credentials;
  • Ensure the ability to reconstitute systems (backups); and
  • Migration to the .gov internet domain.

Additional best practices that the Cybersecurity Plan can address include:

  • The National Institute of Standards and Technology (NIST) Cybersecurity Framework;
  • NIST's cyber chain supply chain risk management best practices; and
  • Knowledge bases of adversary tools and tactics.

6.  Promote the delivery of safe, recognizable, and trustworthy online services including through the use of the .gov internet domain.

7.  Ensure continuity of operations of the tribal government in the event of a cybersecurity incident, including by conducting exercises to practice responding to a cybersecurity incident.

8.  Use the National Initiative for Cybersecurity Education (NICE) Workforce Framework for Cybersecurity developed by the National Institute of Standards and Technology (NIST) to identify and mitigate any gaps in the cybersecurity workforces of the Tribe, enhance recruitment and retention efforts for those workforces, and bolster the knowledge, skills, and abilities of personnel of the eligible tribes to address cybersecurity risks and cybersecurity threats, such as through cybersecurity hygiene training.

9.  Assess and mitigate, to the greatest degree possible, cybersecurity risks and cybersecurity threats relating to critical infrastructure and key resources, the degradation of which may impact the performance of information systems within the tribe.

10. Enhance capabilities to share cyber threat indicators and related information between the tribe and other governments, and CISA.

11. Leverage cybersecurity services offered by the Department (See Appendix F for additional information on CISA resources and required services and membership).

12. Implement an information technology and operational technology modernization cybersecurity review process that ensures alignment between information technology and operational technology cybersecurity objectives.

13. Develop and coordinate strategies to address cybersecurity risks and cybersecurity threats. Cybersecurity Planning Committees should also consider consulting other governments.

Cybersecurity Planning Committees are strongly encouraged to expand their Cybersecurity Plans beyond the required elements. This may include a focus on specific critical infrastructure or emphasis on different types of tribal governments.

Required Cybersecurity Best Practices

Although these cybersecurity best practices must be addressed in the Cybersecurity Plan, immediate adoption by every tribe is not required. Cybersecurity Plans must clearly articulate efforts to implement these cybersecurity best practices across the tribe within reasonable timelines. Individual projects that assist tribes in adopting these best practices should also be prioritized by the approved Cybersecurity Planning Committee. As there are multiple ways to implement the best practices, this approach provides committees the flexibility to work with tribes to design a plan that takes resource constraints, existing programs, and other factors into account.

Required Cybersecurity Plan Capabilities Assessment

Given the Cybersecurity Plan is a strategic document, it should not identify specific vulnerabilities but instead capture the broad level of capability across the jurisdiction. The assessment will become the road map for individual projects and activities using TCGP funds. All IJs must provide a baseline understanding of the existing cybersecurity gaps, risks, and threats that the applicant entity faces which have influenced the development of the IJs. Also, applicants must include a summary of the current capabilities within the applicant jurisdiction to address these threats and risks. The Cybersecurity Plan Template provides an easy way for approved Cybersecurity Planning Committees to capture this information and can be customized as appropriate.

Summary of Projects

Although the Cybersecurity Plan is a strategic document, it must show how individual projects and activities will implement the plan over time. A summary of projects using FY 2023 TCGP funds associated with each required and discretionary element provides a helpful snapshot of tribal government-wide capability and capacity that will be achieved as a result of this funding. Details for each project using TCGP funds must be included in Investment Justifications and are to include a description of the purpose of the project and what it will accomplish, and, more specifically, how the project will address an identified gap or need and how it supports one or more of the required elements.

Cybersecurity Plan Metrics

Cybersecurity Plans must include language detailing processes and methods for measuring the following: 

  • How the tribe will implement the plan;
  • How the tribe will reduce cybersecurity risks; and
  • How the tribe will identify, respond to, and recover from cybersecurity threats to information systems owned or operated by, or on behalf of, the tribe.

These measures should be at the macro level, related to the goals, objectives, and priorities as part of the overarching strategic plan and not associated with individual projects.

The TCGP applicants, in partnership with their approved Cybersecurity Planning Committees, should consider the following when establishing Cybersecurity Plan metrics:

  • Aligning metrics to the Cybersecurity Plan and the established program goals and objectives and tribal priorities; 
  • Reviewing existing metrics that are in use across the tribe;
  • Reporting data for each metric that is accurate, timely, accessible, and validated; and
  • Ensuring that the collection of metric data is not burdensome to the tribal government from which it must be obtained.

Appendix D: POETE Solution Areas for Investments

Overview

Funding guidelines established within this section support updating and implementing a Cybersecurity Plan. Allowable investments made in support of this goal must fall into the categories of planning, organization, equipment, training, or exercises (POETE), aligned to closing capability gaps or sustaining capabilities.

Planning

Planning costs are allowable under this program. TCGP funds may be used for a range of planning activities, such as those associated with the review and revision of the approved Cybersecurity Plan and other planning activities that support the program goals and objectives and Cybersecurity Planning Committee requirements.

FEMA will not release funds to a recipient until CISA approves the entity's Cybersecurity Plan. When the eligible tribe applies for FY 2023 TCGP funding, the tribe should submit a completed IJ and PW with the proposed budget details, budget narrative and program narrative for the costs associated with the plan development. As part of the application review, FEMA will coordinate with CISA on the plan development costs.

Organization

Organization costs are allowable under this program. Tribes must justify proposed expenditures of TCGP funds to support organization activities within their IJ and PW submissions. Organizational activities may include the following:

  • Program management;
  • Development of whole community partnerships that support the approved Cybersecurity Planning Committee;
  • Structures and mechanisms for information sharing between the public and private sector; and
  • Operational support.

Personnel hiring, overtime, and backfill expenses are permitted under this grant to perform allowable TCGP POETE activities. Personnel expenses may include, but are not limited to, training and exercise coordinators, program managers and planners, and cybersecurity navigators. The grant recipient must demonstrate that the personnel will be sustainable once the program ends, or funds are no longer available.

Equipment

Equipment costs are allowable under this program. TCGP equipment is intended to be used to address cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, tribes.

Unless otherwise stated, all equipment must meet all applicable statutory, regulatory, and DHS standards to be eligible for purchase using these funds. Please refer to FEMA's Authorized Equipment List on FEMA.gov. In addition, recipients will be responsible for obtaining and maintaining all necessary certifications and licenses for the requested equipment. Investments in emergency communications systems and equipment must meet applicable SAFECOM Guidance recommendations. Such investments must be coordinated with the Statewide Interoperability Coordinator (SWIC) and the State Interoperability Governing Body (SIGB) to ensure interoperability and long-term compatibility.

TCGP funds may be used to purchase maintenance contracts or agreements, warranty coverage, licenses, and user fees in support of a system or equipment. These contracts may exceed the period of performance if they are purchased incidental to the original purchase of the system or equipment as long as the original purchase of the system or equipment is consistent with that which is typically provided for, or available through, these types of agreements, warranties, or contracts. When purchasing a stand-alone warranty or extending an existing maintenance contract on an already-owned piece of equipment system, coverage purchased may not exceed the period of performance of the award used to purchase the maintenance agreement or warranty, and it may only cover equipment purchased with TCGP funds or for equipment dedicated for TCGP-related purposes. As with warranties and maintenance agreements, this extends to licenses and user fees as well.

The use of TCGP grant funds for maintenance contracts, warranties, repair or replacement costs, upgrades, and user fees is allowable, unless otherwise noted. Except for maintenance plans or extended warranties purchased incidental to the original purchase of the equipment, the period covered by a maintenance or warranty plan must not exceed the POP of the specific grant funds used to purchase the plan or warranty.

Training

Training costs are allowable under this program. Allowable training-related costs under TCGP include the establishment, support, conduct, and attendance of training and/or in conjunction with training by other federal agencies. Training conducted using TCGP funds should align to the eligible entity's approved Cybersecurity Plan, address a performance gap identified through assessments, and contribute to building a capability that will be evaluated through a formal exercise. Any training or training gaps, including training related to underserved communities (e.g., children, seniors, individuals with disabilities or access and functional needs, individuals with diverse culture and language use, individuals with lower economic capacity, and other underserved populations that may be more impacted by disasters) should be identified in the assessment and addressed in the eligible entity's training cycle. Recipients are encouraged to use existing training rather than developing new courses. When developing new courses, recipients are encouraged to apply the Analyze, Design, Develop, Implement, and Evaluate (ADDIE) model of instructional design.

Recipients are also encouraged to use FEMA's National Preparedness Course Catalog. Trainings include programs or courses developed for and delivered by institutions and organizations funded by FEMA. This includes the Center for Domestic Preparedness (CDP), the Emergency Management Institute (EMI), and FEMA's Training Partner Programs, including the Continuing Training Grants (CTG), the National Domestic Preparedness Consortium (NDPC), the Rural Domestic Preparedness Consortium (RDPC), and other partners. The catalog features a wide range of course topics in multiple delivery modes to meet FEMA's mission scope as well as the increasing training needs of federal, state, local, tribal and territorial audiences.

Some training activities require EHP Review, including exercises, drills, or trainings that require any type of land, water, or vegetation disturbance or building of temporary structures or that are not located at facilities designed to conduct training and exercises. Additional information on training requirements and EHP review can be found online at https://www.fema.gov/media-library/assets/documents/90195.

CISA's Federal Virtual Training Environment (FedVTE) offers cybersecurity training to federal, state, local, tribal, and territorial government employees, offering education and certifications aligned with the NICE Framework. Additional information can be found at https://fedvte.usalearning.gov.

Exercises

Exercise costs are allowable under this program. Exercises conducted with grant funding should be managed and conducted consistent with Homeland Security Exercise and Evaluation Program (HSEEP). HSEEP guidance for exercise design, development, conduct, evaluation, and improvement planning is located at https://www.fema.gov/emergency-managers/national-preparedness/exercises/hseep.

Some exercise activities require EHP review, including exercises, drills, or trainings that require any type of land, water, or vegetation disturbance or building of temporary structures or that are not located at facilities designed to conduct training and exercises. Additional information on training requirements and EHP review can be found online at https://www.fema.gov/media-library/assets/documents/90195.

Appendix E. TCGP Requirements Matrix
 

| ID | Category | Requirement | Location | Due Date Cycle | Due Date | Submission Plan |
|---|---|---|---|---|---|---|
| 1 | Application | Cybersecurity Plan or Cybersecurity Plan Template | NOFO Sec A | Prior to award or during POP (if not already approved by CISA) | Varies | Prior to Award: ND Grants |
| 2 | Application | Cybersecurity Planning Committee Membership List | NOFO Sec A | Prior to award or during POP (if not already approved by CISA) | Varies | Prior to Award: ND Grants |
| 3 | Application | Cybersecurity Planning Committee Charter | NOFO Sec A | Prior to award or during POP (if not already approved by CISA) | Varies | Prior to Award: ND Grants |
| 4 | Application | Investment Justification | NOFO Sec A | Prior to award | At time of application | Prior to Award: ND Grants. Post Award: Submit to FEMA Preparedness Officer |
| 5 | Application | Project Worksheet | NOFO Sec A | Prior to award | At time of application | Prior to Award: ND Grants. Post Award: Submit to FEMA Preparedness Officer |
| 6 | Closeout | Closeout Reporting Requirements | NOFO Sec G | Within 120 days after end of POP | Varies | Submit final SF-425 Federal Financial Report (FFR) in PARS; and process final reimbursement requests in PARS |
| 7 | Exercises | EHP review/approval | NOFO Sec F | Prior to conducting exercises that require EHP Review as outlined in NOFO Section F. | Varies | Email to: GPDEHPInfo@fema.dhs.gov and cc: FEMA-TCGP@fema.dhs.gov |
| 8 | Pre-Award | Pre-award cost | NOFO Section D | Prior to award (if applicable) | At time of application | Written request included with the eligible entity's application and signed by the AOR of the entity. Letter must be submitted with the PW and IJ via ND Grants |
| 9 | Post Award | Cybersecurity Membership (Cyber Hygiene Services; Nationwide Cybersecurity Review (NCSR)) | NOFO Appendix F | Post award | During the first year of the award POP, and annually | Tribes receiving funding must complete the NCSR. |
| 10 | Reporting | Standard Form (SF) 425, also known as the Federal Financial Report (FFR) | NOFO Sec G | Quarterly | 30-Jan, 30-Apr, 30-Jul, 30-Oct | Submit SF-425 FFR in Payment and Reporting Systems (PARS) |
| 11 | Progress Reporting and Performance Measurement | Performance Progress Report (PPR) | NOFO Sec G | Once annually and at Closeout | 30-Jan and Closeout | Submit Signed PPR (pdf) in ND Grants |
| 12 | Reporting | Single Audit Report | NOFO Sec G | Throughout POP | Varies | Federal Audit Clearinghouse https://facweb.census.gov/uploadpdf.aspx |

Appendix F: Required, Encouraged, and Optional Services, Memberships, and Resources

All TCGP recipients are required to participate in a limited number of free services by CISA. Note that participation is not required for submission and approval of a grant but is a post-award requirement.

All TCGP recipients are strongly encouraged to participate in other memberships. Additional, optional CISA resources are also available in this appendix.

Required Services and Memberships

  •  Cyber Hygiene Services

    Vulnerability scanning evaluates external network presence by executing continuous scans of public, static Internet protocols for accessible services and vulnerabilities. This service provides weekly vulnerability reports and ad-hoc alerts.

To register for this service, email vulnerability@cisa.dhs.gov with the subject line "Requesting Cyber Hygiene Services - TCGP" to get started. Indicate in the body of your email that you are requesting this service as part of TCGP. For more information, visit CISA's Cyber Hygiene Information Page.

  •  Nationwide Cybersecurity Review (NCSR)

The NCSR is a free, anonymous, annual self-assessment designed to measure gaps and capabilities of a SLTT's cybersecurity programs. It is based on the National Institute of Standards and Technology Cybersecurity Framework and is sponsored by DHS and the MS-ISAC.

Eligible tribal governments are required to complete the NCSR, administered by the MS-ISAC, during the first year of the award/subaward period of performance and annually.

For more information, visit Nationwide Cybersecurity Review (NCSR) (cisecurity.org).

Encouraged Services, Membership and Resources

Cyber Protective Visits

Prior to conducting a formal engagement with a tribe, such as an assessment or workshop, a Cybersecurity Advisor (CSA) may first conduct an initial visit to both gauge the tribe's interest in DHS's cybersecurity offerings and gain a better understanding of its needs and orientation within the broader cybersecurity landscape. Given the important role that these visits play in laying the foundation for future engagement and partnership, CSAs must conduct the preparation necessary to ensure that a favorable first impression is made.

Membership in the Multi-State Information Sharing and Analysis Center (MS-ISAC), Tribal Information Sharing and Analysis Center (Tribal-ISAC), and/or Election Infrastructure Information Sharing and Analysis Center (EI-ISAC):

Recipients are strongly encouraged to become a member of the MS-ISAC, Tribal-ISAC and/or EI-ISAC, as applicable.

The MS-ISAC receives support from and has been designated by DHS as the cybersecurity ISAC for SLTT governments. The MS-ISAC provides services and information sharing that significantly enhances SLTT governments' ability to prevent, protect against, respond to, and recover from cyberattacks and compromises. DHS maintains operational-level coordination with the MS-ISAC through the presence of MS-ISAC analysts in CISA Central to coordinate directly with its own 24x7 operations center that connects with SLTT government stakeholders on cybersecurity threats and incidents. To register, please visit https://learn.cisecurity.org/ms-isac-registration. For more information, visit MS-ISAC (cisecurity.org).

The Tribal-ISAC, a division of not-for-profit Tribal Share, Inc., is the platform for cyber threat information sharing, threat prevention, protection, community response, and a managed and trusted collaboration with other government agencies and industry ISACs for the nation's tribal governments and their operations and enterprises. For more information, visit https://tribalisac.org/.

The EI-ISAC is a collaborative partnership between the Center for Internet Security (CIS), CISA, and the Election Infrastructure Subsector Government Coordinating Council. The EI-ISAC is funded through DHS grants and offers state and local election officials a suite of elections-focused cyber defense tools, including threat intelligence products, incident response and forensics, threat and vulnerability monitoring, cybersecurity awareness, and training products. To register, please visit https://learn.cisecurity.org/ei-isac-registration. For more information, visit https://www.cisa.gov/election-security.

CISA Recommended Resources, Assessments, and Memberships (not mandatory)

  •  The Cyber Resource Hub is a recommended site for tribal governments that provides a comprehensive list of cybersecurity resources.

In addition to these resources, CISA's Interoperable Communications Technical Assistance Program (ICTAP) provides direct support to tribal emergency responders and government officials across all 56 states and territories through training, tools, and onsite assistance to advance public safety interoperable communications capabilities. These services are provided at no cost and scalable to the community's needs. Within the catalog, the 9-1-1/Public Safety Answering Point/Land Mobile Radio Cyber Assessment technical assistance offering provides organizations with a review of their cyber posture in accordance with nationally recognized best practices guidelines. CISA employs the NIST Special Publication 800-53, Rev 5, "Security and Privacy Controls for Information Systems and Organizations" as a framework. Requests for ICTAP assistance are coordinated through the Statewide Interoperability Coordinator from each state, territory, and tribe.

CISA Central: To report a cybersecurity incident, visit https://www.us-cert.gov/report.

For additional CISA services visit the CISA Services Catalog.

For additional information on memberships, visit Information Sharing and Analysis Organization (ISAO) Standards Organization.

[1] The number of tribes with a population greater than 1 totals 557. The remaining 17 tribes have a represented population of less than 1 per the US Census.gov data collected in 2020.

[2] The self-certification of eligibility and population is part of the required Investment Justification Template. For additional information on the Investment Justification Template or self-certification of eligibility and population, see section D.11 of this funding opportunity.
