State and Local Cybersecurity Grant Program Fact Sheet

In Fiscal Year (FY) 2024, through the Infrastructure Investment and Jobs Act, the Department of Homeland Security (DHS) is providing $279.9 million to address cybersecurity risks and threats to information systems owned or operated by, or on behalf of, state, local, and territorial governments.

Overview

The goal of the State and Local Cybersecurity Grant Program (SLCGP) is to help states, local governments, rural areas, tribes, and territories address cybersecurity risks and threats to critical infrastructure. The program enables DHS to make targeted cybersecurity investments in state, local, and territorial government agencies, thus improving the security of critical infrastructure and resilience of the services that those entities provide to their communities. Federally recognized tribes also have a dedicated grant program; details on the Tribal Cybersecurity Grant Program can be found at https://www.cisa.gov/cybergrants/tcgp. 

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Emergency Management Agency (FEMA) are jointly managing the SLCGP. CISA will provide subject-matter expertise and determine allowable activities and FEMA will conduct eligibility reviews and administer the grant awards consistent with all applicable laws, regulations, and policies.

Goals and Objectives

CISA and FEMA developed a series of goals and objectives for the SLCGP based on input from state, local, and territorial stakeholders, and consideration of national priorities, frameworks, and the national cyber threat environment: 

1. Implement cyber governance and planning; 
2. Assess and evaluate systems and capabilities;
3. Mitigate prioritized issues; and
4. Build a cybersecurity workforce.

Applicants who have completed and received approval of their initial requirements under Objective 1 can pursue any of the four program objectives in FY 2024. In FY 2024, applicants should continue to build from their previous projects submitted in FY 2022 and FY 2023 in accordance with their Cybersecurity Plan.

Available Funding

In FY 2024, $279.9 million is available for awards under the SLCGP. Consistent with FY 2022 and FY 2023, each state and territory will receive a funding allocation as determined by the statutory formula:

• Allocations for states and territories include a base funding level as defined for each entity: 1% for each state, the District of Columbia, and Puerto Rico; and 0.25% for American Samoa, the Commonwealth of the Northern Mariana Islands, Guam, and the U.S. Virgin Islands.
• State allocations include additional funds based on a combination of state population and rural population totals.
• 80% of total state allocations must support local entities, while 25% of the total state allocations must support rural entities; these amounts may overlap.

Eligibility

All 56 states and territories, including any state of the United States, the District of Columbia, Puerto Rico, American Samoa, the Commonwealth of the Northern Mariana Islands, Guam, and the U.S. Virgin Islands, are eligible to apply for SLCGP funds. To be eligible to receive FY 2024 SLCGP funding, states and territories must have fulfilled the initial SLCGP requirements of developing a CISA-approved Cybersecurity Plan, Cybersecurity Planning Committee List, and Charter. The designated State Administrative Agency (SAA) for each state and territory is the only entity eligible to apply for SLCGP funding.

Funding Guidelines

Cybersecurity Planning Committee and Cybersecurity Plan

Cybersecurity Planning Committees are charged with coordinating, developing, and approving the entity’s Cybersecurity Plan. Eligible entities were required to submit Cybersecurity Plans for review and approval as part of their FY 2022 grant application. Additionally, plans are treated as living documents that can be resubmitted and updated as appropriate and can receive CISA regional staff support as needed. 

All entities with a CISA-approved Cybersecurity Plan must submit their current plan to CISA via the FEMA SLCGP Inbox (FEMA-SLCGP@fema.dhs.gov) no later than January 30, 2025, and annually thereafter on the same date throughout the grant's period of performance. When they submit, entities must indicate if the plan has been revised since CISA’s approval. If it has been revised, they must provide a brief explanation of any revisions. 

There is no requirement for an entity to revise their CISA-approved Cybersecurity Plan unless CISA notifies them that it does not meet plan requirements.

Cybersecurity Best Practices and Performance Measures

Entities must clearly articulate efforts to implement the Key Cybersecurity Best Practices for Individual Projects as listed in the FY 2024 Notice of Funding Opportunity (NOFO). These efforts should be documented in their Cybersecurity Plan and should be prioritized in the individual projects the entity pursues. The assessment and evaluation activities described in Objective 2 of the program can be used to measure the successes and failures of adopted Key Cybersecurity Best Practices as outlined in the Cybersecurity Plan.

Performance measures are data used to gauge program performance. The FY 2024 NOFO contains a list of performance measures, some of which overlap with the best practices, that applicants are encouraged to consider when evaluating their program performance. Conforming with these measures will help applicants ensure their projects are meeting CISA standards for improving cybersecurity posture.

Pass-Through to Local Entities

The SLCGP SAA recipient must pass-through at least 80% of its awarded funds to local units of government, including at least 25% of its awarded funds to rural areas of the state or territory. The pass-through to rural entities is part of the overall 80% pass-through requirement to local governments. All pass-through entities must meet all program and grant administration requirements. See 2 CFR § 200.332. For a description of eligible subrecipients, please see Section C.3.b. of the FY 2024 SLCGP NOFO.

After the funds have been released, FY 2024 SLCGP recipients must submit a letter to FEMA signed by the Authorized Official listed in the grant award certifying that they have met the 45-day pass-through requirement and collected any signed local government consents. Local consents must be signed by the Authorized Official for the local government entity receiving the items, services, capabilities, or activities in lieu of funding, and the consent must specify the amount and intended use of the funds. This letter is due no later than 10 calendar days after the 45-day period for issuing pass-through funding has passed. The letter should be emailed to FEMA-SLCGP@fema.dhs.gov. FEMA will send a copy of the letter to CISA.

Pass-through is defined as an obligation on the part of the entity or multi-entity group to make funds available to local units of government, combinations of local units, tribal governments, or other groups or organizations; not necessarily the full funding passed within that 45-day window. Four requirements must be met to pass-through grant funds:

• The SAA must make a firm written commitment to passing through grant funds or equivalent services to local government subrecipients;
• The SAA’s commitment must be unconditional (i.e., no contingencies for the availability of SAA funds);
• There must be documentary evidence (e.g., subgrant award document with terms and conditions) of the commitment; and
• The award terms must be communicated to the subrecipient.

Cost Share Requirements

Eligible entities applying as a single entity must meet a 30% non-federal cost share requirement for the FY 2024 SLCGP. Multi-Entity Projects require a 20% cost share. The recipient contribution can be cash (hard match) or third-party in-kind (soft match). In other words, the federal share applied toward the SLCGP budget at the project/activity level shall not exceed 70% of the total budget as submitted in the application and approved in the award. If the total project ends up costing more, the recipient is responsible for any additional costs. 

Unless otherwise authorized by law, federal funds cannot be matched with other federal funds. The recipient’s contribution should be specifically identified. These non-federal contributions have the same eligibility requirements as the federal share.

The Secretary of Homeland Security may waive or modify the non-federal share for an individual entity if the entity demonstrates economic hardship. Additionally, the Secretary has issued a blanket waiver of cost share requirements for the insular areas of the U.S. territories of Puerto Rico, American Samoa, Guam, the U.S. Virgin Islands, and the Commonwealth of the Northern Mariana Islands. More information on what constitutes economic hardship and how to request a cost share waiver is in the NOFO in Section C.5.f.

Multi-Entity Groups

An SAA may partner with other SAAs to form a multi-entity group. Members of these groups work together to address cybersecurity risks and cybersecurity threats to information systems within their jurisdictions. There is no limit to the number of participating entities in a multi-entity group. Local entities can be included in the project, but their respective eligible entity (i.e., the SAA) must also participate at some level. There is no separate funding for multi-entity awards. Instead, they should be considered as group projects within their existing state or territory allocations. These projects should be included as individual Investment Justifications from each participating eligible entity, each approved by the respective Cybersecurity Planning Committee and be aligned with each respective eligible entity’s Cybersecurity Plan.

Application Process

Applying for an award under the SLCGP is a multi-step process. Applicants are encouraged to register early as the registration process can take four weeks or more to complete. Registration should be done in sufficient time to ensure it does not impact a state or territory’s ability to meet required submission deadlines. Section D in the FY 2024 SLCGP NOFO contains more detailed information and instructions.

Eligible applicants must submit their application through the FEMA GO system at https://go.fema.gov/login. Applicants needing technical support with the FEMA GO system should contact femago@fema.dhs.gov or (800) 865-4076, Monday-Friday from 9 a.m. to 6 p.m. Eastern Time (ET).

Completed applications must be submitted no later than 5 p.m. ET by the deadline included in the funding notice.

SLCGP Resources

There are a variety of resources available to address programmatic, technical, and financial questions, which can assist with SLCGP applications:

• The FY 2024 SLCGP funding notice is located online at grants.gov.
• For additional program-specific information, please email FEMA-SLCGP@fema.dhs.gov.
• For support regarding financial grants management and budgetary technical assistance, applicants may contact the FEMA Award Administration Help Desk, via e-mail at ASK-GMD@fema.dhs.gov.
• For support regarding programmatic elements, applicants may contact CISA via e-mail at SLCGPinfo@cisa.dhs.gov. SLTs can reach out to their CISA Regional Staff. For regional contact information, please visit cisa.gov/about/regions.