Cyber ​​Grant | CISA

On September 16, 2022, the Department of Homeland Security (DHS) announced a first-of-its-kind cybersecurity grant program dedicated to State, Local and Territory (SLT) governments nationwide .

Funding from the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP) allows eligible entities to apply to State, Local, and Territory (SLLT) owned or operated information systems address cybersecurity risks and threats to government. Through two separate Notices of Funding Opportunity (NOFO), the combined SLCGP and TCGP will distribute $1 billion over four years to support the project through a performance period of up to four years. This year, the TCGP will be held following the SLCGP.

Read about SLCGP approval

Congress enacted state and local cybersecurity improvement laws through the Infrastructure Investment and Jobs Act of 2021 (IIJA). This established a state and local cybersecurity grant program with an allocation of $1 billion over four years.

These entities face unique challenges in defending against cyberthreats such as ransomware. This is due to the lack of resources to defend against ever-changing threats. The Department of Homeland Security (DHS), through the Cybersecurity and Infrastructure Security Agency (CISA), is committed to helping stakeholders across the country understand the significance of their own local cyber threats and reduce the associated risks across SLT enterprises. We take steps to foster partnerships.

Read below or print the SLCGP Fact Sheet and FAQs.

Read: How will the SLCGP operate?

DHS implements the SLCGP grant program through CISA and the Federal Emergency Management Agency (FEMA). While CISA serves as subject matter expert on cybersecurity-related issues, FEMA is responsible for grant management of allocated funds, including the awarding and allocation of funds to eligible entities, financial management, and oversight of fund execution. and provide monitoring.

The program is designed to get funds where they are most needed: in the hands of local organizations. States and territories use State Administrations (SAAs) to receive funding from the federal government and distribute funds to local governments in accordance with state laws/procedures. This is the same way funds are distributed to local governments in the Homeland Security Grant Program.

Application process and timeline

• DHS has issued a Notice of Funding Opportunity (NOFO) in September 2022. It contains all the requirements and details, including information about state funding eligibility.
• State and Territory established SAAs will be the only entities eligible to apply for grants under the SLCGP. Local organizations receive secondary prizes through the state. The law requires states to allocate at least 80% of their funds to local governments and at least 25% of allotted funds to rural areas.
• Eligible entities can submit applications via Grants.gov. Applications may include completed cybersecurity plans, capability assessments, and individual projects approved by cybersecurity planning committees and CIO/CISO/peers. Entities with incomplete plans are encouraged to apply and complete in year one.
• CISA and FEMA review each submission, and CISA approves the final cybersecurity plan and individual projects.
• Once approved, FEMA will release the funding hold and the eligible entity will be able to execute the project and create sub-awards.

Key requirement: Building a cybersecurity planning committee

Eligible entities can develop a cybersecurity plan and develop a cybersecurity plan (subject to the minimum requirements set forth in state and local cybersecurity improvement laws). This is a requirement to receive the grant. State-level Cybersecurity Planning Commissions leverage previously established advisory bodies that states may have established. Cybersecurity Planning Commission membership is left to individual states, subject to meeting the law and her NOFO requirements. States are encouraged to expand the Cybersecurity Planning Commission to include additional expertise based on individual state needs. DHS provides a list of these proposed additional personnel on NOFO. However, states are not limited to personnel added to this list.

The Cybersecurity Planning Commission identifies and prioritizes statewide efforts. This includes identifying opportunities to consolidate projects to increase efficiency. Each eligible entity must submit confirmation that the committee is composed of the required representatives. Qualified entities must also ensure that at least half of the committee representatives have professional experience related to cybersecurity or information technology. See Appendix B of the Notice of Funding Opportunity for more information on the composition of a cybersecurity planning committee, including how to leverage an existing planning committee.

Members of the cybersecurity planning committee should include at least one representative from relevant stakeholders, including:

• Eligible Entities;
• If the eligible entity is a state, representatives of counties, cities and towns within the jurisdiction of the eligible entity.
• public education within the jurisdiction of the eligible entity;
• public health; and
• Rural, Suburban, and Populated Jurisdictions.

At least half of the cybersecurity planning committee representatives must have professional experience in cybersecurity or information technology. Eligibility is determined by the state.

Eligible entities are given the flexibility to identify specific public health and public education institutions and communities to be represented by Planning Commission members.

Key Requirement: Create a Cybersecurity Plan

A cybersecurity plan is a statewide planning document that must be approved by the Cybersecurity Planning Commission and equivalent CIO/CISO. The plan is then renewed for his 24th and 25th grades. Your plan should include the following elements:

• To the extent practicable, incorporate existing plans to protect against cybersecurity risks and threats to information systems owned or operated by or on behalf of SLT.
• How have you incorporated input and feedback from local governments and municipal federations?
• Include all specific required elements (see NOFO Appendix C, “Required Elements” section)
• Where appropriate, and to the extent practicable, describe the individual responsibilities of state and local governments within the state in implementing the cybersecurity plan.
• Evaluate each required element from the perspective of the entity as a whole.
• To the extent feasible, outline the resources and timelines needed to implement the plan.
• Overview of related projects.
• A metric used by eligible entities to measure progress.
• See links to cybersecurity plan templates under Tools and Resources.

resource link

SLCGP Email: SLCGPinfo@cisa.dhs.gov

TCGP Email: TCGPinfo@cisa.dhs.gov

Social Media Handle: Visit CISA twitterFacebook, LinkedIn, Instagram

tools and resources

(Additional links will be added as they become available)

The following list of CISA resources are free, recommended products, services, and tools for state, local, tribal, and territory governments, as well as public and private sector critical infrastructure organizations.

State and Local Cybersecurity Grant Program Fact Sheet

Frequently Asked Questions About State and Local Cybersecurity Grant Programs

Cyber ​​Resource Hub

Ransomware Guide (September 2020)

cyber resilience review

Free cybersecurity services and tools

Cybersecurity Plan Template (click the Related Documents tab to download)

To report an incident, please visit www.cisa.gov/report.

FEMA Resources:

Main links:

Program Secretariat Contact Information

FEMA has assigned state-specific preparedness officers for the SLCGP. If you do not know your preparedness officer, please contact the Centralized Scheduling and Information Desk (CSID) at (800) 368-6498 or email askcsid@fema.dhs.gov. Monday to Friday 9am to 5pm ET.

Centralized Scheduling and Information Desk (CSID)

CSID is a non-emergency, comprehensive administrative and information resource developed by FEMA for grant stakeholders. CSID provides general information about all her FEMA grant programs and maintains a comprehensive database with contact information for key personnel at the federal, state and local levels. If necessary, recipients will be forwarded to a federal contact who can answer specific questions or concerns about the program. CSID can be reached by calling (800) 368-6498 or emailing askcsid@fema.dhs.gov Monday through Friday from 9:00 am to 5:00 pm Eastern Time.