Fiscal Year 2025 State and Local Cybersecurity Grant Program Fact Sheet

In Fiscal Year (FY) 2025, through the Infrastructure Investment and Jobs Act, the U.S. Department of Homeland Security (DHS) is providing $91.75 million to address cybersecurity risks and threats to information systems owned, operated by, or on behalf of state, local and territorial (SLT) governments.

Overview

The goal of the State and Local Cybersecurity Grant Program (SLCGP) is to help states and territories, specifically rural and local governments, address cybersecurity risks and cybersecurity threats. The SLCGP enables DHS to make targeted cybersecurity investments in SLT government agencies, thus improving the security of critical infrastructure and resilience of the services SLT governments provide to their communities.

Goals and Objectives

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA) developed a series of overarching goals and objectives for the SLCGP based on input from SLT stakeholders and associations, and consideration of national priorities, frameworks, and the national cyber threat environment.

• Develop and implement cyber governance and planning.
• Assess and evaluate systems and capabilities.
• Implement security protections commensurate with risk.
• Build a cybersecurity workforce.

For FY 2025, applicants who have completed and received approval of their initial requirements under Objective 1, Governance and Planning can pursue any of the four program objectives listed above. In accordance with their Cybersecurity Plan, applicants should continue to build future projects during FY 2025 from those projects submitted in previous fiscal years.

Funding

In FY 2025, $91.75 million is available under the SLCGP. Each state and territory will receive a funding allocation as determined by the statutory formula. Allocations for states and territories include a base level as defined for each entity: 1% for each state, the District of Columbia, and the Commonwealth of Puerto Rico; and 0.25% for American Samoa, the Commonwealth of the Northern Mariana Islands, Guam, and the U.S. Virgin Islands. State allocations include additional funds based on a combination of state and rural population totals. 80% of total state or territory allocations must support local entities, while 25% of the total state or territory allocations must support rural entities.

Eligibility

All 56 states and territories, including the District of Columbia, the Commonwealth of Puerto Rico, the U.S. Virgin Islands, Guam, American Samoa, and the Commonwealth of the Northern Mariana Islands, are eligible to apply for SLCGP funds. The governor-designated SLCGP State Administrative Agency (SAA) is the only entity eligible to submit SLCGP applications to DHS/FEMA. To be eligible to receive FY 2025 SLCGP funding, states and territories must have fulfilled the initial SLCGP requirements of developing a CISA-approved Cybersecurity Plan, Cybersecurity Planning Committee List, and Charter.

Funding Guidelines

Pass-Through Requirements

The SLCGP SAA recipient must pass through at least 80% of the federal funds provided under the grant to local governments, and 25% of the federal funds must be provided to local jurisdictions within rural areas of the state or territory. The pass-through to rural entities is part of the overall 80% pass-through requirement to local governments. All pass-through entities must meet all program and grant administration requirements, as detailed in 2 C.F.R. § 200.332. For a description of eligible subrecipients, please see Section 8.B. of the FY 2025 SLCGP Notice of Funding Opportunity (NOFO).

FEMA interprets the date that an entity “receives a grant” to be the date upon which FEMA releases the funding hold in the FEMA Grants Outcomes (FEMA GO) system. Therefore, the 45-day pass-through requirement starts on the date when the amendment is issued in FEMA GO and FEMA makes the funding available to the SAA for drawdown. After the funds have been released, FY 2025 SLCGP recipients must submit a letter to FEMA signed by the Authorized Official listed on the grant award certifying that they have met the 45-day pass-through requirement and collected any signed local government consents. Local consents must be signed by the Authorized Official, or designee, for the local government entity receiving the items, services, capabilities or activities in lieu of funding, and the consent must specify the amount and intended use of the funds. This letter is due no later than 10 calendar days after the 45-day period for issuing pass-through funding has passed. The letter should be emailed to FEMA-SLCGP@fema.dhs.gov. FEMA will send a copy of the letter to CISA.

Pass-through is defined as an obligation on the part of the entity or multi-entity group to make funds available to local units of government, combinations of local units, tribal governments, or other specific groups or organizations; not necessarily the full funding passed within that 45-day window. With the consent of the local government, this pass-through may be in the form of in-kind services, capabilities or activities, or a combination of funding and other services. Four requirements must be met to pass-through grant funds:

• The SLCGP SAA must make a firm written commitment to passing through grant funds or equivalent services to local government subrecipients.
• The SLCGP SAA’s commitment must be unconditional (i.e., no contingencies for the availability of eligible entity funds).
• There must be documentation (i.e., subgrant award document with terms and conditions) of the commitment.
• The award terms must be communicated to the local subrecipient.

Multi-Entity Projects

Multiple eligible entities (states or territories) can group together to address shared cybersecurity risks and threats to information systems within the states and territories that are the eligible entities. (including local governments and rural jurisdictions). There is no separate funding for multi-entity projects. Instead, these investments would be considered as group projects: each group member contributes an agreed-upon funding amount from their SLCGP award to the overall project. Each group member’s financial contribution is then funded from their individual SLCGP award. Each participating state or territory in the group should include the multi-entity project in their individual Investment Justification (IJ) and Project Worksheet (PW) submissions with their application. It is expected that IJs and PWs for multi-entity projects will be almost identical. Any differences should be as a result of alignment with each group member’s respective Cybersecurity Plan.

Timing: Even though applications from each state and/or territory that are part of the multi-entity project may come in at different times, FEMA and CISA will need to approve the multi-entity projects in each separate application at the same time. This is because, unless both states and/or territories complete their respective responsibilities in the multi-entity project, then the project would not be successful. As a result, FEMA and CISA will not award one state’s or state’s/territory’s portion of the multi-entity project in isolation without approving the other.

Nature of a Multi-Entity Project: The states and/or territories must work together to implement each other’s cybersecurity plans to address cybersecurity risk and cybersecurity threats to their information systems in order to have a multi-entity project. If one state or territory can accomplish the scope of work under a project without any need to work with the other state and/or territory, then it is not a multi-entity project.

Cooperating Purchasing. To foster greater economy and efficiency, two or more states, for example, may conduct a joint procurement or pursue some other type of cooperative purchasing arrangement to procure equipment, supplies, or services. Such a collaborative procurement action does not mean that the states are pursuing a multi-entity project. Rather, it is the substance of the underlying scope of work that makes a project a multi-entity project and not the manner in which a state is procuring services in accomplishing a project’s scope of work. 

Examples. The following examples help illustrate the considerations above. 

• Example 1: States X and Y seek to jointly conduct cybersecurity training of their state personnel. Rather than each state conducting its own $250,000 worth of training for their respective employees, they want to work together to have joint training sessions so that all trainees get $500,000 worth of training. There will be 10 training sessions for all state X and Y employees, and each state will be responsible for organizing and executing five sessions. The states, furthermore, jointly conduct a procurement to obtain a contractor that will provide services to help the states carry out all 10 sessions. This would be a multi-entity project because both states have to work together to carry out the scope of work, each state is implementing the cybersecurity plan of each other’s by training the other state’s employees, and there is a shared project objective.
• Example 2: States X and Y seek to conduct cybersecurity training for their own staffs. To obtain greater cost-savings, the states jointly procure a contractor to conduct their cybersecurity training. Following the procurement, each state runs their own training program and uses the same contractor in doing so. This is not a multi-entity project. This is because each state could accomplish their respective project without working together with the other state to carry out the scope of work; one state is not implementing the cybersecurity plan of the other state by carrying out activities to reduce cybersecurity threats and cybersecurity risks to the other state’s information systems; and there is no shared project objective.

Cost-Share Requirements

Eligible entities must meet a 40% cost-share requirement for the FY 2025 SLCGP, except for multi-entity projects, which require a 30% cost share. The recipient contribution can be cash (hard match) or third-party in-kind (soft match). Eligible applicants must agree to make available non-federal funds to carry out an SLCGP award in an amount not less than 40% of the total project costs (federal award amount plus cost-share amount, rounded up to the nearest whole dollar). Consistent with previous fiscal years and in accordance with 48 U.S.C. §1469a, cost share requirements for FY 2025 are waived for: American Samoa, Guam, the U.S. Virgin Islands, and the Commonwealth of the Northern Mariana Islands.

Cost share waivers will not be considered for any entities in FY 2025 SLCGP. Also, unless otherwise authorized by law, federal funds cannot be matched with other federal funds. The recipient’s contribution should be specifically identified. These non-federal contributions have the same eligibility requirements as the federal share.

Management and Administrative Costs

Management and Administrative (M&A) Costs are allowed. A maximum of up to 5% of SLCGP federal funds awarded may be retained by the SAA, and any funds retained are to be used solely for M&A purposes associated with the SLCGP award. Subrecipients (state agencies or local units of government) may also retain a maximum of up to 5% of the federal funding passed through by the state solely for M&A purposes associated with the SLCGP award. Although the eligible entity may retain up to 5% of this total for M&A, the state must still ensure that all subrecipient award amounts meet the mandatory minimum pass-through requirements that are applicable to SLCGP. To meet this requirement, the percentage of funds passed through to local governments must be based on the state’s total SLCGP award before withholding any M&A.

Planning Committee and Cybersecurity Plan

Cybersecurity Planning Committees are charged with coordinating, developing and approving the entity’s Cybersecurity Plan. Eligible entities were required to submit Cybersecurity Plans for review and approval as part of their FY 2022 grant application. Additionally, plans are treated as living documents that can be resubmitted and updated as appropriate. CISA regional staff support is available, as needed. There is no requirement for an entity to revise their CISA-approved Cybersecurity Plan unless CISA notifies them that it does not meet plan requirements.

No later than Jan. 30, 2026,all SLCGP recipients with a CISA-approved Cybersecurity Plan are required to do one of the following:

• Email your FEMA Preparedness Officer at FEMA-SLCGP@fema.dhs.gov that your entity will continue to use the CISA-approved Cybersecurity Plan; or
• Email your entity’s revised Cybersecurity Plan, including a list of the revisions, to your FEMA Preparedness Officer at FEMA-SLCGP@fema.dhs.gov.
• Once the email or revised Cybersecurity Plan is received, FEMA will share that with CISA for their review and approval. FEMA will maintain records of CISA-approved plans and resubmitted plans for CISA review.

Cybersecurity Best Practices and Performance Measures

Entities must clearly articulate efforts to implement the Key Cybersecurity Best Practices for Individual Projects as listed in the FY 2025 NOFO. These efforts should be documented in their Cybersecurity Plan and should be prioritized in the individual projects the entity pursues. The assessment and evaluation activities described in Objective 2 of the program can be used to measure the successes and failures of adopted Key Cybersecurity Best Practices as outlined in the Cybersecurity Plan.

Performance measures are data used to gauge program performance. The FY 2025 NOFO contains a list of performance measures, some of which overlap with the best practices, that applicants are encouraged to consider when evaluating their program performance. Referencing these measures will help applicants ensure their projects are meeting CISA standards for improving cybersecurity posture.

Application Process

Applying for an award under the SLCGP is a multi-step process. Applicants are encouraged to register early in the System for Award Management (SAM.gov) and the FEMA GO system, as the registration process can take four weeks or more to complete. Registration should be done in sufficient time to ensure it does not impact your ability to meet the required submission deadline. Please refer to Section 7 in the FY 2025 SLCGP Notice of Funding Opportunity for detailed information and instructions.

All application materials will be posted on Grants.gov and the FEMA SLCGP Website. Eligible applicants must submit their application through the FEMA GO system. Applicants needing technical support with FEMA GO should contact FEMAGO@fema.dhs.gov or call the FEMA GO Help Desk at 877-585-3242, Monday – Friday from 9 a.m. – 6 p.m. ET.

Completed applications must be submitted in the FEMA GO system no later than 4 p.m. ET on Aug. 15th, 2025.

Period of Performance Extension Requests

Extensions to the FY 2025 SLCGP period of performance (POP) for this program are not allowed.  

SLCGP Resources

There are a variety of resources available to address programmatic, technical and financial questions, which can assist with SLCGP applications:

• The FY 2025 SLCGP Notice of Funding Opportunity is located online at Grants.gov.
• For additional program-specific information, please email FEMA-SLCGP@fema.dhs.gov. You may also contact your preparedness officer.
• For support regarding financial grants management and budgetary technical assistance, applicants may contact the FEMA Award Administration Help Desk via e-mail at ASK-GMD@fema.dhs.gov.
• For support regarding programmatic elements, applicants may contact CISA via e-mail at SLCGPinfo@mail.cisa.dhs.gov. SLTs can reach out to their CISA Regional Staff. For regional contact information, please visit cisa.gov/about/regions.