State and Local Cybersecurity Grant Program (SLCGP) – Notice of Funding Opportunity of $374.9 Million for Fiscal Year 2023

Grants Opportunity Link (deadline 10/6/23): View Opportunity | GRANTS.GOV & FEMA eServices Application Suite – Login

Link to Additional Information: NDGrants@fema.dhs.gov
Grantor Contact Information:

If you have difficulty accessing the full announcement electronically, please contact:

ND Grants Service Desk Phone: 1-800-865-4076 E-mail: NDGrants@fema.dhs.gov

Summary:

Attention all state, local, and territorial governments: The State and Local Cybersecurity Grant Program (SLCGP) is offering $374.9 million in funding for Fiscal Year 2023 to enhance your cybersecurity and reduce cyber risks. This program is a joint effort between the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA). Here’s what you need to know:

Timeline and Tasks:

  1. Application Period: Applications opened on August 7th.

  2. Deadline: The application deadline is October 6th.

  3. Requirements: Eligible entities can apply via grants.gov and the Non-Disaster (ND) Grants system.

  4. Contact Information: If you have questions or need clarification on requirements, contact FEMA at fema-grants-news@fema.dhs.gov or CISA at SLCGPinfo@cisa.dhs.gov.

Program Details:

  • This funding is part of a four-year program, providing $1 billion to state, local, and territorial partners.

  • In the first year (FY22), $185 million was awarded, and now an additional $374.9 million is available in FY23.

  • The focus this year includes assessing your cybersecurity posture, training personnel, and implementing security protections based on risk.

Key Requirements:

  • Assessments and Evaluations: Regular assessments to understand your cybersecurity posture and identify areas for improvement.

  • Building a Cybersecurity Planning Committee: Implement advanced best practices, such as multifactor authentication, data encryption, and more.

  • Create a Cybersecurity Plan: Develop a statewide plan with specific elements, including progress metrics.

Additional Support:

  • CISA offers ongoing support, with cybersecurity advisors and experts available year-round.

Eligible Entity Cybersecurity Plan Requirements:

To qualify for cybersecurity funding, an eligible entity must have a Cybersecurity Plan that includes the following elements:

(A) Incorporate Existing Plans:

  • Include existing plans to protect against cybersecurity risks and threats to information systems operated by or on behalf of State, local, or Tribal governments.
  • If the entity is a State, consult and gather feedback from local governments and associations within their jurisdiction.

(B) Describe How the Entity Will:

  • Manage, monitor, and track information systems, applications, and user accounts, including legacy systems and unsupported technology.
  • Monitor, audit, and track network traffic.
  • Enhance preparation, response, and resiliency against cybersecurity risks and threats.
  • Continuously assess and mitigate cybersecurity vulnerabilities based on risk.
  • Implement best practices, such as those recommended by the National Institute of Standards and Technology.
  • Promote trustworthy online services, including using the .gov internet domain.
  • Ensure continuity of operations in the event of a cybersecurity incident.
  • Enhance the cybersecurity workforce and provide training.
  • Ensure continuity of communications and data networks, especially with local governments.
  • Assess and mitigate cybersecurity risks to critical infrastructure and key resources.
  • Share cyber threat indicators and information with relevant parties.
  • Leverage cybersecurity services offered by the Department.
  • Modernize information technology and operational technology cybersecurity.
  • Develop and coordinate cybersecurity strategies in consultation with relevant stakeholders.
  • Ensure access to services by rural areas.
  • Distribute funds, items, services, or capabilities to local governments, including rural areas.

(C) Assess Capabilities:

  • Evaluate the entity’s capabilities related to the actions described in (B).

(D) Describe Responsibilities:

  • Outline the responsibilities of the entity and local governments in implementing the plan.

(E) Outline Resources and Timeline:

  • Specify necessary resources and create a timeline for implementing the plan.

(F) Define Metrics for Progress:

  • Describe the metrics used to measure progress in implementing the plan and reducing cybersecurity risks and threats.

These requirements aim to ensure comprehensive and effective cybersecurity planning and implementation within eligible entities.

Conclusion:

This funding opportunity is crucial for enhancing your cybersecurity and reducing risks. Don’t miss the October 6th deadline. For further assistance or questions, reach out to FEMA or CISA. Ensure the safety and resilience of your government systems against cyber threats by taking advantage of this opportunity. Consider partnering with a Managed Security Service Provider like EasyITGuys for expert guidance and support.

Source #1 (released 8/8/23): CISA and FEMA Partner to Provide $374.9 Million in Grants to Bolster State and Local Cybersecurity | CISA

Source #2 (Released 9/16/22): State and Local Cybersecurity Grant Program | CISA

Source #3 (Released 9/16/22): Fiscal Year 2022 State and Local Cybersecurity Grant Program Fact Sheet | FEMA.gov

Source #4 (Released 9/16/22): Fiscal Year 2022 State and Local Cybersecurity Grant Program FAQs | FEMA.gov

Source #5 (Released 7/8/22): Department of Homeland Security’s Strategic Plan for Fiscal Years 2020-2024 | Homeland Security (dhs.gov)

Source #6 (Released 08/07/23): View Opportunity | GRANTS.GOV

F.A.Q

How much funding is available?

For FY 2023, Congress appropriated $400 million. This includes $374.9 million for SLCGP, $12 million for TCGP, $20 million for the Department of Homeland Security (DHS) to administer the grant, and $1 million for the DHS Inspector General to evaluate the grant program. Congress also appropriated $300 million for FY 2024 and $100 million for FY 2025.

What percentage of the funds must be passed through to rural entities?

A minimum of 25% of federal funds must pass through to rural areas. This 25% pass-through to rural entities contributes to the overall 80% pass-through requirement to local governments. The same four criteria and exceptions for pass-through to local governments also apply to the pass-through to rural areas within those local governments. Because the pass-through to rural entities is part of the overall 80% pass-through requirement to local governments, SLCGP SAAs must obtain the consent of local governments if intending to pass through non-funding assistance to rural areas in lieu of funding.

What are the changes in funding levels between program years?

The appropriated funding amount has increased from $200 million in FY 2022 to $400 million in FY 2023. Congress also authorized appropriations of $300 million for FY 2024 and $100 million for FY 2025.

Who is eligible to apply?

The 56 SAAs for states and territories are the only eligible applicants for SLCGP funding. In addition, two or more eligible entities may jointly apply for assistance as a multi-entity group. Under SLCGP, a multi-entity group is two or more SAAs that apply for joint projects. However, each SAA must submit separate applications.
Local governments can participate in the SLCGP as subrecipients to their state. Local governments interested in participating in the SLCGP should contact their SAAs.

To be eligible for FY 2023 SLCGP funding, each eligible entity is required to fulfill the FY 2022 NOFO requirements. Any state that did not apply in FY 2022 must satisfy the requirements of the FY 2022 NOFO (i.e., CISA-approved Cybersecurity Plan) before FY 2023 funds will be released. Specifically, this means the submission of a Cybersecurity Plan, Cybersecurity Planning Committee Membership List, and Cybersecurity Planning Committee Charter that align with the criteria detailed in the NOFO, unless the applicant already has a CISA-approved Cybersecurity Plan, Committee List, and Charter. All 56 states and territories are eligible to receive funding for FY 2023 SLCGP after fulfilling the FY 2022 requirements.

For more information on FY 2022 requirements that must be met prior to the development of FY 2023 applications, please refer to Appendices A–C of the NOFO.

What are the priorities of the program?

In FY 2022, the program established a strong foundation to build a sustainable cybersecurity program. Initial priorities included the following, all of which are statutory conditions for receiving grant funding:

  • Establish a Cybersecurity Planning Committee that can lead entity-wide efforts.
  • Develop a Cybersecurity Plan that addresses the entire jurisdiction and incorporates cybersecurity best practices.

In FY 2023, the focus is to achieve a secure cyberspace and critical infrastructure that assesses and counters the evolving cybersecurity risks. Priorities include the following, all of which are statutory conditions for receiving grant funding:

  • Conduct assessments and evaluations to identify gaps that can be mitigated by individual projects throughout the life of the grant program.
  • Adopt key Cybersecurity Best Practices and consult Cybersecurity Performance Goals.

For more information on how to meet these conditions, applicants should refer to Appendices A–B of the NOFO.

Are there services that recipients are required to participate in?

All SLCGP recipients and subrecipients are required to participate in CISA Cyber Hygiene Service’s Vulnerability Scanning service. Participation is not required for submission and approval of a grant but is a post-award requirement. (Please note, Web Application Scanning (WAS) was an additional FY 2022 requirement but was removed from FY 2023.)

Additionally, recipients and subrecipients receiving funding assistance are required to participate in the Nationwide Cybersecurity Review (NCSR). Subrecipients receiving non-funding assistance are not required to participate in the NCSR but are encouraged to do so. All SLCGP recipients are strongly encouraged to participate in other memberships.

For more information on required services, please refer to Appendix F: Required, Encouraged, and Optional Services, Memberships, and Resources in the NOFO.

How often should the Nationwide Cybersecurity Review (NCSR) be completed?

Entities and subrecipients are required to complete the NCSR during the first year of the award/subaward period of performance and annually thereafter. In FY 2023, the open reporting period for the NCSR is October 1, 2023 – February 28, 2024.

What are the recommended services?

It is strongly encouraged that recipients and subrecipients become members of the Multi-State Information Sharing and Analysis Center (MS-ISAC) and/or Election Infrastructure Information Sharing and Analysis Center (EI-ISAC). Membership for these two organizations is free.

In addition, CISA offers a range of free cyber resources for managing risk and strengthening cybersecurity that can be found on the Cyber Resource Hub.

How are local governments defined?

“Local government” is defined in 6 U.S.C. § 101(13) as:

a. A county, municipality, city, town, township, local public authority, school district, special district, intrastate district, council of governments (regardless of whether the council of governments is incorporated as a nonprofit corporation under state law), regional or interstate government entity, or agency or instrumentality of a local government;

b. An Indian tribe or authorized tribal organization, or in Alaska a Native village or Alaska Regional Native Corporation; and

c. A rural community, unincorporated town or village, or other public entity.

How are rural areas defined?

The FY 2023 SLCGP NOFO includes a definition of rural area: per 49 U.S.C. 5302, “rural” is any area with a population of less than 50,000 individuals. To meet the 25% rural pass-through requirement, the eligible subrecipient must be a local government entity within a rural area (a jurisdiction with a population of less than 50,000 individuals).

What is the process for selecting which local governments and rural areas will get funds and for which projects?

All pass-through entities must meet all program and grant administration requirements. Cybersecurity Planning Committees must work collaboratively across the state to identify and prioritize individual projects that align with the state’s Cybersecurity Plan. If passing through items or services in lieu of funding, ultimately, it is up to the state/territory to determine where and how to pass-through funds, with the permission of applicable local governments.
