The federal government will issue State and Local Cybersecurity Grants totaling $1 billion over four years for states to distribute to local governments and school systems.
The U.S. Department of Homeland Security (DHS) will begin issuing grants under the first-ever cybersecurity grant program designed for state, local and territorial governments and will distribute $1 billion directly to states over the next four years.
The cybersecurity grant funding is available through the State and Local Cybersecurity Grant Program, which was established by the Infrastructure Investment and Jobs Act of 2021. While localities and school districts cannot directly apply for the federal funding, states can apply for it and then allocate it to local governments and their entities, including school districts. More details on eligibility and requirements are below.
DHS will implement the grant program through the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA). CISA will serve as the subject-matter expert in cybersecurity-related issues, and FEMA will provide grant administration and oversight for appropriated funds, including award and allocation of funds to eligible entities, financial management and oversight of funds execution.
A press release reads:
Funding from the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP) helps eligible entities address cybersecurity risks and threats to information systems owned or operated by—or on behalf of—state, local and territorial (SLLT) governments. Through two distinct Notice of Funding Opportunities (NOFO), SLCGP and TCGP combined will distribute $1 billion over four years to support projects throughout the performance period of up to four years. This year, the TCGP will be released after SLCGP.
The program is designed to put the funding where it is needed most: into the hands of local entities. States and territories will use their State Administrative Agencies (SAAs) to receive the funds from the Federal Government and then distribute the funding to local governments in accordance with state law/procedure. This is the same way in which funding is distributed to local governments in the Homeland Security Grant Program.
Eligibility and grant fund usage
The FAQ section of CISA’s website explains that “The legislation requires states to distribute at least 80% of funds to local governments, with a minimum of 25% of the allocated funds distributed to rural areas.”
The federal grant funding can be used to “address cybersecurity risks or threats on information systems owned or operated by school districts to support best cybersecurity practices, such as multi-factor authentication, enhanced logging and data encryption.”
Notably, however, the funds cannot be used to purchase cybersecurity insurance or for extortion payments stemming from a ransomware incident.
Application process and timeline
- DHS issued a Notice of Funding Opportunity (NOFO) in September 2022 that includes all requirements and details, including information on funding eligibility for states.
- The established SAAs for states and territories will be the only entities that can apply for grant awards.
- Eligible entities can submit an application via Grants.gov.
- Applications may include a completed Cybersecurity Plan, capabilities assessment and individual projects approved by the Cybersecurity Planning Committee and CIO/CISO/equivalent.
- Entities without a completed plan are encouraged to apply and complete it in Year One.
- CISA and FEMA will review each submission, and CISA will approve final Cybersecurity Plans and individual projects.
- Once approval is given, FEMA will remove any holds that it placed on funding, and eligible entities can execute projects and make sub-awards to local governments and divisions of local government.