In fiscal year (FY) 2022, through the Infrastructure Investment and Jobs Act, the Department of Homeland Security is providing $185 million to address cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, state, local and territorial governments.
The goal of the State and Local Cybersecurity Grant Program (SLCGP) is to help states, local governments, rural areas, and territories address cybersecurity risks and cybersecurity threats to information systems. The program enables DHS to make targeted cybersecurity investments in state, local and territorial government agencies, thus improving the security of critical infrastructure and resilience of the services that state, local, and territorial governments provide to their communities. Federally recognized Tribes also have a dedicated grant program; details on the Tribal Cybersecurity Grant Program are forthcoming.
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Emergency Management Agency (FEMA) are jointly managing the SLCGP. CISA will provide subject-matter expertise and determine allowable activities, while FEMA will conduct eligibility reviews, and issue/administer the grant awards consistent with all applicable laws, regulations, and policies.
Goals and Objectives
CISA developed a series of overarching goals and objectives for the SLCGP based on input from state, local, and territorial stakeholders, and consideration of national priorities, frameworks, and the national cyber threat environment:
- Implement cyber governance and planning;
- Assess and evaluate systems and capabilities;
- Mitigate prioritized issues; and
- Build a cybersecurity workforce.
In FY 2022, $183.5 million is available under the SLCGP, with varying funding amounts allocated over four years from the Infrastructure Investment and Jobs Act. This year, each state and territory will receive a funding allocation as determined by the statutory formula:
- Allocations for states and territories include a base funding level as defined for each entity: 1% for each state, the District of Columbia, and Puerto Rico; and 0.25% for American Samoa, the Commonwealth of the Northern Mariana Islands, Guam, and the U.S. Virgin Islands.
- State allocations include additional funds based on a combination of state population and rural population totals.
- 80% of total state allocations must support local entities, while 25% of the total state allocations must support rural entities; these amounts may overlap.
All 56 states and territories, including any state of the United States, the District of Columbia Puerto Rico, American Samoa, and the Commonwealth of the Northern Mariana Islands, Guam, and the U.S. Virgin Islands, are eligible to apply for SLCGP funds. The designated State Administrative Agency (SAA) for each state and territory is the only entity eligible to apply for SLCGP funding.
An SAA may partner with one or more other SAAs to form a multi-entity group. Members of these groups work together to address cybersecurity risks and cybersecurity threats to information systems within their jurisdictions. There is no limit to the number of participating entities in a multi-entity group. Local entities can be included in the project, but their respective eligible entity (i.e., the SAA) must also participate at some level. There is no separate funding for multi-entity awards. Instead, they should be considered as group projects within their existing state or territory allocations. These projects should be included as individual Investment Justifications from each participating eligible entity, each approved by the respective Cybersecurity Planning Committee and be aligned with each respective eligible entity’s Cybersecurity Plan.
Cybersecurity Committee and Plan Requirements
Each state and territory must establish a Cybersecurity Planning Committee that coordinates, develops, and approves a Cybersecurity Plan. These plans are meant to guide development of cybersecurity capabilities across the state or territory. The Cybersecurity Planning Committee is responsible for approving the Cybersecurity Plan and prioritizing individual projects. Eligible entities submit Cybersecurity Plans for review and approval as part of their grant application. Initial Cybersecurity Plans will be approved for two years. Subsequent Cybersecurity Plans, building on the investments from the previous year(s), must be submitted for approval annually.
Awards made to the entity or multi-entity group for SLCGP carry additional pass-through requirements. The SAA must pass-through at least 80% of the funds awarded under the SLCGP to local units of government, including at least 25% of funds to rural entities, within 45 calendar days of receipt of the funds. “Receipt of the funds” occurs either when the SAA accepts the award or 15 calendar days after the SAA receives notice of the award, whichever is earlier.
Pass-through is defined as an obligation on the part of the entity or multi-entity group to make funds available to local units of government, combinations of local units, tribal governments, or other specific groups or organizations. Four requirements must be met to pass-through grant funds:
- The SAA must make a firm written commitment to passing through grant funds to subrecipients.
- The SAA’s commitment must be unconditional (i.e., no contingencies for the availability of SAA funds).
- There must be documentary evidence (e.g., award document, terms, and conditions) of the commitment.
- The award terms must be communicated to the subrecipient.
Eligible entities applying as a single entity must meet a 10% non-federal cost-share requirement for the FY 2022 SLCGP. The recipient contribution can be cash (hard match) or third-party in-kind (soft match). Eligible applicants shall agree to make available non-federal funds to carry out an SLCGP award in an amount not less than 10% of the total project cost. In other words, the federal share applied toward the SLCGP budget at the project/activity level shall not exceed 90% of the total budget as submitted in the application and approved in the award. If the total project ends up costing more, the recipient is responsible for any additional costs. If the total project ends up costing less, the recipient may owe FEMA an amount required to ensure that the federal cost share is not in excess of 90%.
Unless otherwise authorized by law, federal funds cannot be matched with other federal funds. The recipient’s contribution should be specifically identified. These non-federal contributions have the same eligibility requirements as the federal share.
The Secretary of Homeland Security may waive or modify the non-federal share for an individual entity if the entity demonstrates economic hardship. More information on what constitutes economic hardship, and how to request a cost-share waiver will be forthcoming.
For a multi-entity group project, a cost share or cost match is not required for the FY 2022 SLCGP.
Applying for an award under the SLCGP is a multi-step process. Applicants are encouraged to register early as the registration process can take four weeks or more to complete. Registration should be done in sufficient time to ensure it does not impact a state or territory’s ability to meet required submission deadlines. Section D in the FY 2022 SLCGP Notice of Funding Opportunity contains more detailed information and instructions.
Eligible applicants must submit their initial application through the grants.gov portal at www.grants.gov. Applicants needing grants.gov support should contact the grants.gov customer support hotline at (800) 518-4726, 24 hours per day, 7 days per week except federal holidays.
Eligible applicants will be notified by FEMA and asked to proceed with submitting their complete application package in the Non-Disaster (ND) Grants System. Applicants needing technical support with the ND Grants System should contact NDgrants@fema.dhs.gov or (800) 865-4076, Monday-Friday from 9 a.m. to 6 p.m. Eastern Time (ET).
Completed applications must be submitted no later than 5 p.m. ET by the deadline included in the funding notice.
There are a variety of resources available to address programmatic, technical and financial questions, which can assist with SLCGP applications:
- The SLCGP funding notice will be released no later than September 13, 2022 and available online at www.fema.gov/grants as well as www.grants.gov.
- For SLCGP program-specific questions, please email SLCGPinfo@cisa.dhs.gov.
- For additional program-specific information, please contact the Centralized Scheduling and Information Desk (CSID) help line at (800) 368-6498 or AskCSID@fema.dhs.gov. CSID hours of operation are from 9 a.m. to 5 p.m. ET, Monday through Friday.
- For support regarding financial grants management and budgetary technical assistance, applicants may contact the FEMA Award Administration Help Desk via e-mail at ASK-GMD@fema.dhs.gov.