State and Local Cybersecurity Grant Program Key Changes
Overview
The State and Local Cybersecurity Grant Program (SLCGP) focuses on strengthening the cybersecurity and resilience of state, local, and territorial (SLT) governments’ information systems. The SLCGP enables the Department of Homeland Security (DHS) to make targeted cybersecurity investments in support of SLT government agencies. This document outlines key changes for the Fiscal Year (FY) 2024 SLCGP.
Program Goals, Objectives, and Priorities
Each year, SLCGP guidance is updated to ensure applicants remain on track to produce the intended outcomes related to the program’s goals, objectives, and priorities.
Program Objectives
Program objectives remain the same throughout the four-year program. In FY 2023, the focus of SLCGP objectives shifted from Objective 1 to Objectives 2-4. In FY 2024, each project must still be aligned to an objective, but there is not a specified objective under which applicants must apply. The FY 2024 SLCGP NOFO now states:
“Applicants are required to submit applications that address at least one of the following program objectives in their applications:
- Objective 1: Develop and establish appropriate governance structures, including by developing, implementing, or revising Cybersecurity Plans, to improve capabilities to respond to cybersecurity incidents, and ensure continuity of operations.
- Objective 2: Understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments.
- Objective 3: Implement security protections commensurate with risk.
- Objective 4: Ensure organization personnel are appropriately trained in cybersecurity commensurate with responsibility.”
Cybersecurity Plans
One of the priority outcomes of SLCGP is the approval of Cybersecurity Plans for each applicant. Applicants are still required to have a CISA-approved Cybersecurity Plan. In FY 2024, there are no additional plan requirements, but all entities with a CISA-approved Cybersecurity Plan must submit their current plan to CISA via the FEMA SLCGP Inbox (FEMA-SLCGP@fema.dhs.gov) no later than January 30, 2025, and annually thereafter on the same date throughout the grant's period of performance. When they submit, entities must indicate if the plan has been revised since CISA’s approval. If it has been revised, they must provide a brief explanation of any revisions.
There is no requirement for an entity to revise its CISA-approved Cybersecurity Plan unless CISA notifies the entity that the plan does not meet plan requirements. The CISA-provided cybersecurity plan template can be downloaded from the “Related Documents” tab on grants.gov.
Additionally, the FY 2024 NOFO includes an additional column in the project worksheet. This column, “project milestones,” is more aligned to the investment justification template and designed for applicants to demonstrate the project activities they will complete within the period of performance.
Critical Infrastructure
Protecting critical infrastructure remains an important goal of SLCGP investments. This remains a priority in FY 2024, and additional encouragement to address risks and resilience in critical infrastructure appears throughout the NOFO. For example, “critical infrastructure” was added in the following language:
“Cyber risk management is further complicated by the ability of malicious actors to operate remotely, linkages between cyber and physical systems, and the difficulty of reducing vulnerabilities in critical infrastructure.”
Best Practices
The FY 2024 Key Cybersecurity Best Practices for Individual Projects are consistent with FY 2023. CISA did clarify, however, that they are not required for implementation within the period of performance. Existing language was updated to the following:
“Cybersecurity Plans must clearly articulate efforts to implement these cybersecurity best practices across the eligible entity within reasonable timelines as funding permits. Cybersecurity Planning Committees should prioritize these best practices in individual projects that assist SLT entities.”
Performance Measures
CISA remains invested in collecting data to gauge program performance. In FY 2024, additional performance measures were added to the existing list to inform applicants of the information CISA will collect through the program duration. The new performance measures included are the following:
- Addressing CISA-identified cybersecurity vulnerabilities
- Funding Endpoint Detection Response System implementation
- Improving capabilities’ ratings
- Funding improvements for Continuity of Operations Plans
- Meeting SAA performance metrics
- Increasing the use of CISA Services
- Enhancing Data Encryption
- Adopting Enhanced Logging
- Adopting Systems Reconstitution
- Increasing Multi-State Information Sharing and Analysis Center (MS-ISAC) Membership
Some of the new performance measures listed above have previously been included in the NOFO as best practices. CISA views the implementation of those best practices as informative in determining SLCGP’s success.
Rural Area Pass-through and Local Consent
The below clarification is applicable for both FY 2022 and FY 2023 SLCGP awards.
The FY 2023 SLCGP funding notice included a definition of a rural area. Per 49 U.S.C. 5302, “rural” is any area with a population of less than 50,000 individuals. To meet the 25% rural pass-through requirement, the eligible subrecipient must be a local government entity within a rural area (a jurisdiction with a population of less than 50,000 individuals).
The FY 2024 NOFO clarifies that because the pass-through to rural entities is part of the overall 80% pass-through requirement to local governments, the eligible entity or multi-entity must obtain the consent of local governments if intending to pass through items, services, capabilities, or activities to rural areas in lieu of funding to count that dollar value as part of the overall 80% pass-through requirement (see 6 U.S.C. § 665g(n)(2)(A)-(B)). The same four criteria for pass-through to local governments (as outlined in Section F.2 of the FY 2024 SLCGP NOFO) also apply to the pass-through to rural areas within those local governments.
Program Funding and Cost Share
The total funding allocated for the SLCGP decreased from $400 million in FY 2023 to $300 million in FY 2024. Allocation percentages to states and territories remain the same, including the population-based ratio for rural areas.
Unrecovered Indirect Costs
The below clarification is applicable for both FY 2022 and FY 2023 SLCGP awards.
With prior approval by FEMA, recipients may use unrecovered indirect costs for the cost share for FY 2022 and FY 2023 SLCGP awards, as well as future awards. All requests to use unrecovered indirect costs for cost share must be submitted to your FEMA SLCGP Preparedness Officer for consideration and approval. Recipients will be notified in writing if approval is granted.
Economic Hardship Factors
In the Infrastructure Investment and Jobs Act (IIJA), the statute at 6 U.S.C. § 665g(m)(1) requires SLCGP recipients to provide a non-federal cost share. The statute at 6 U.S.C. § 665g(m)(2) also authorizes the Department of Homeland Security (DHS) Secretary to waive or modify the non-federal cost share requirements if an eligible entity or multi-entity group demonstrates economic hardship, based on guidelines published by the Secretary.
In developing the guidelines, 6 U.S.C. § 665g(m)(2)(C) requires the Secretary to consider: 1) changes in rates of unemployment from previous years; 2) changes in percentage of individuals eligible for Supplemental Nutrition Assistance Program benefits; and 3) any other factors the Secretary considers appropriate.
The Secretary recently approved the proposed updates to the non-statutory factors for the FY 2024 SLCGP:
- For discretionary criteria, remove financial distress that could be caused by changes to SLT budgets already approved prior to knowledge of the SLCGP cost share requirement.
- Retain factors related to the rate of unemployment exceeding the annual national average and if the entity has filed for bankruptcy or been placed under third party financial oversight within the past three years.
- Use the Climate and Economic Justice Screening Tool (CEJST) instead of the Social Vulnerability Index (SVI), since CEJST is a more comprehensive tool. The key difference between SVI and CEJST is that SVI relates only to social burdens, whereas CEJST also includes economic and environmental stressors. This results in better identification of factors such as economic considerations in rural areas.
Cost Share Requirement
The minimum percentage for the cost share requirement increased from 20% in FY 2023 to 30% in FY 2024. Eligible applicants must ensure non-federal funds are available to carry out an SLCGP award in an amount no less than 30%. However, DHS will still consider requests for cost-share waivers due to hardship. For a multi-entity group project, the cost share is changed to 20% for the FY 2024 SLCGP.
Required and Recommended Services
Required Services
The required services for SLCGP have not changed from FY 2023 to FY 2024, but additional language and tables have been added to the NOFO to identify the services required based on sub-applicant status in an easily digestible, visual format. The FY 2024 NOFO clarifies existing guidance that the only local governments required to participate in cyber hygiene vulnerability scanning services and Nationwide Cybersecurity Review (NCSR) are those receiving subawards. Local governments receiving non-funding assistance are not required to participate.
Known Exploited Vulnerabilities Catalog
Utilizing the CISA known exploited vulnerabilities (KEV) catalog is listed as a new recommended resource in the FY 2024 NOFO. The purpose of this recommendation is to encourage governments to regularly view information related to cybersecurity vulnerabilities confirmed by CISA, prioritizing those exploited in the wild. A link to the KEV catalog is included in the NOFO to encourage SLT governments to use it as part of their vulnerability management plan.