Introducing the State and Local Cybersecurity Grant Program
So many cybersecurity issues to address, so little funding and time to do it with, right? Well, the big boys in Washington are stepping in to help! Via the State and Local Cybersecurity Grant Program (SLCGP), the Federal government is providing funding for States, Local Governments (such as counties and municipalities), rural areas, tribes and territories to address the ever-burgeoning cybersecurity threats out there. If you haven’t heard of this, read on to learn how to get a piece of that $375 million dollar pie.
$375 million dollars Is the amount the Department of Homeland Security has allocated for this fiscal year. Approximately $300 million remain as of September 2024.
Given the nature and quantity of how much information local governments have access to, the Department of Homeland Security (the parent agency of this offering) sees the benefit of mitigating their own ‘supply chain’ risk of that information falling into the wrong hands and wants to help with getting these organizations secured. They’ve charged their sub-agencies of the Federal Emergency Management Agency (FEMA) and the Cybersecurity and Infrastructure Security Agency (CISA) with administering the funding program with separate responsibilities:
- CISA knows their way around security and provides the best practices, as well as determining whether the project falls under the cybersecurity umbrella they are promoting.
- FEMA ensures that the applying organization is eligible for the program and issues the funding awards.
As with anything from the Federal government, there is a decent bit of paperwork to do in order to qualify for this funding and it sure is confusing to even know where to start. Yeah, we know how dissuading that is for darn near everyone. That’s why we made this start-up guidance! The good news is that it the entire process is not as arduous as many other programs and has multiple responsive contacts at each step of the process.
Most of this paperwork is for the State and Territorial governments to do, whom CISA and FEMA work with. Local governments will essentially be applying to the State/Territorial government’s sub-agency for this, known as the State Administrative Agency, who will handle initial qualifications and vetting of the applicant, garnering adherence to the cybersecurity framework they’ve developed and then facilitating the CISA/FEMA communications.
What does the Program cover?
Want to know more about how it works and what is covered (fact: most of what you want and need is covered!!)?
We’ve got the quick questions you want answered here (excerpted from the CISA Frequently Asked Questions page; note that “SLTT” abbreviation stands for State, Local, Territorial and Tribal government entities):
Are SLTT entities required to adopt a specific cybersecurity framework? No. SLTT entities are not required to adopt a specific framework but are strongly encouraged to review existing frameworks.
Are there specific best practices that SLTT entities will have to adopt? Yes. Cybersecurity Plans must address how the best practices listed below and the 16 required elements will be implemented across SLTT entities. Adoption is not required immediately, nor by all SLTT entities. Instead, the Cybersecurity Plan should detail the implementation approach over time and how the following will be consistent with the program goal and objectives. In addition to the 16 required elements, the Cybersecurity Plan must discuss the below seven best practices:
- Multi-factor authentication;
- Enhanced logging;
- Data encryption for data at rest and in transit;
- End use of unsupported/end of life software and hardware that are accessible from the Internet;
- Prohibit use of known/fixed/default passwords and credentials;
- The ability to reconstitute systems (backups); and
- Migration to the .gov internet domain.
What can the grant funds be used for? Eligible entities can use grant funds for:
- Developing the Cybersecurity Plan;
- Implementing or revising the Cybersecurity Plan;
- Paying expenses directly relating to the administration of the grant, which cannot exceed 5% of the amount of the grant award
- Assisting with allowed activities that address imminent cybersecurity threats confirmed by DHS; and
- Other appropriate activities as noted in the funding notice.
Are there any specific things the funds cannot be used for? Funds cannot be used for:
- Supplanting state or local funds;
- Recipient cost-sharing contributions;
- Payment of a ransom from cyberattacks;
- Recreational or social purposes, or for any purpose that does not address cybersecurity risks or cybersecurity threats on SLTT information systems;
- Lobbying or intervention in federal regulatory or adjudicatory proceedings;
- Suing the federal government or any other government entity;
- Acquiring land or constructing, remodeling or altering buildings or other physical facilities; or
- Cybersecurity Insurance; or
- Any purpose that does not address cybersecurity risks or cybersecurity threats on information systems owned or operated by, or on behalf of, the eligible entity or a local government within the jurisdiction of the eligible entity.
Can personnel be hired with grant funds? Yes, if aligned to the Cybersecurity Plan. Applicants must address how these functions will be sustained when the funds are no longer available in their application.
What equipment or software should be purchased? Applicants should determine what equipment is most appropriate for their needs based on their Cybersecurity Plan to mitigate cybersecurity risks or gaps.
Is equipment installation considered construction (e.g., installation of fiber optics in a wall or ground)? Certain equipment installations are not considered to be construction projects, but this will depend on the specific details of each project. If applicable, an Environmental Planning and Historic Preservation review will be required. Most equipment installations (e.g., generators) will be considered to be “construction” and therefore will not be permitted.
- The complete FAQ is hosted here: https://www.cisa.gov/state-and-local-cybersecurity-grant-program-frequently-asked-questions
- Ready for the deep dive? CISA provides the larger scope details and steps in their Fiscal Year 2024 guide, available here: https://www.cisa.gov/sites/default/files/2024-09/FY24%20SLCGP%20NOFO%20FAQs_508%20Compliant_09.23.2024.pdf
How do Local Governments Apply for the Grant?
Applying to your State Administrative Agency’s contact is the first step; they’ll provide the package of what will need doing and how to get started on it. We’ve taken the liberty of providing the contacts for each state and territory further below.
Development of a Cybersecurity Plan is the big idea of what they’ll want, as this Plan will be used to dictate what the agencies applying for funding should be doing and what funding may be allowed to pass through down to them for implementation of those projects and initiatives outlined therein.
In terms of the needed documentation, most of them are essentially cybersecurity posture and policy documentation that has already been created or that should be done as part of creating a proper cybersecurity foundation for the future, coupled with oversight and review planning.
Note: If you need help with drafting a Cybersecurity Plan, reviewing and adopting a framework provided by the State Administrative Agency is a practical method to jump start what you need to get going. They already have them; no reason to develop your own from scratch when you could simply modify one of theirs to suit your specific needs. If there is a preference for translating some of this or other assistance, Tangent can help!
Start by sending them an email inquiring about how they’d like you to get started with the SLCGP and for their state/territory-specific startup package.
Want a script to get you started? You got it.
“Hello <FirstNameOfSAAContactHere>,
My name is <YourName > of <MunipalityNameHere>; I’m interested in applying for the ‘State and Local Cybersecurity Grant Program (SLCGP)’ in order to pursue some cybersecurity initiatives we’re planning here.
When time permits, please let me know of the specific documentation needed for me to get together and any application forms to sign off on and I’ll get those processed and back to you.
Thank you!”
State Administrative Agency Contact List
Below is a list of the State Administrative Agency contacts for each territory and state as of September 2024.
The latest contact list can be found here at the FEMA website: https://www.fema.gov/grants/preparedness/state-local-cybersecurity-grant-program