The Department of Homeland Security (DHS) released its long-awaited State and Local Cybersecurity Grant Program (SLCGP) and Tribal Cybersecurity Grant Program (TCGP) on Friday, September 17.
$185 million
Anticipated number of awards: 56
Program duration: 36 months
Release date: September 16, 2022
Apply by: November 15, 2022
Match requirement: 10% for individual entity projects, no cost-share for multi-entity projects
This grant funding aims to address cybersecurity threats to information systems owned and operated by state, territory, local, and tribal governments or on their behalf. This funding was authorized by Congress when it enacted the Infrastructure Investment and Jobs Act (IIJA) in 2021. The $185 million is only for fiscal year 2022 — Congress authorized $400 million for FY 2023, $300 million for 2024, and $100 million for FY 2025.
DHS will implement this program through the Cybersecurity and Infrastructure Agency (CISA) and the Federal Emergency Management Agency (FEMA), providing grant administration and oversight. The program will work similarly to FEMA's Homeland Security Grant Program.
The first funding opportunity is for $185 million, and the projected closing date for applications is November 15, 2022. State, territory, county, local (city and township), and federally recognized tribal governments are eligible to apply.
Only the State Administrative Agency (SAA) can apply for SLCGP funding — local entities will receive subawards from their state. States must distribute at least 80 percent of the funding to local governments, with a minimum of 25 percent to rural areas.
SAAs must apply via Grants.gov; applications must include a completed cybersecurity plan, capabilities assessment, and individual projects approved by the SAA’s planning committee, as well as the state’s chief information officer (CIO) or chief information security officer (CISO), or the equivalent. If a state does not have a completed cybersecurity plan, it can still apply and then leverage any award to complete this plan in the first year of the grant cycle.
Priorities of the program in the first year include:
☑️ A statewide cybersecurity planning committeeStates must form a statewide cybersecurity planning committee and create a cybersecurity plan to receive grant funds (again, the latter can be funded with year-one grant dollars.)
The state’s planning committee must approve the cybersecurity plan, which is required and must include strategies for protecting against cybersecurity threats. It also must describe the following:
Statewide efforts should be prioritized, including consolidating projects to achieve efficiencies.
☑️ Cybersecurity assessments and evaluations
Additional first-year priorities include conducting assessments to identify gaps that projects can address throughout the lifecycle of the grant program.