Tribal Cybersecurity Grant Program

On July 1, 2024, DHS Announced the First $18.2 million of Awards Through the Tribal Cybersecurity Grant Program

These grants will assist Tribal governments with managing and reducing systemic cyber risk. Learn more here.

Overview

The Department of Homeland Security (DHS) announced the Tribal Cybersecurity Grant Program (TCGP) in September 2023 to assist Tribal governments with addressing cybersecurity risks and threats to information systems owned or operated by, or on behalf of, those Tribal governments. On July 1, 2024, DHS announced awards of more than $18.2 million in grants to 32 Tribal governments. These are the first grants ever to be awarded under the TCGP, which was authorized by the Bipartisan Infrastructure Law. 

In addition to helping Tribal governments address cybersecurity risks and threats to their information systems, TCGP is enabling DHS to provide targeted cybersecurity resources that will improve the security of critical infrastructure and resilience of the services that Tribal governments provide to their members. The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Emergency Management Agency (FEMA) jointly manage the TCGP. CISA provides cybersecurity programmatic subject-matter expertise by defining goals and objectives, reviewing and approving cybersecurity plans establishing measures of effectiveness, and organizing Objective Review Panels to review and score applications. FEMA provides administrative guidance through conducting eligibility reviews and issuing and administering the grant awards consistent with all applicable laws, regulations, and policies.

Digital threats impacting American Indian and Alaska Native tribes are increasing and becoming more complex, and tribal sovereignty creates unique cybersecurity challenges for these communities who for far too long have been underfunded and under-resourced. This program is an example of a unified approach across DHS, in which a FEMA-administered program leverages CISA’s capabilities to accomplish the Department’s goal of increasing tribal cyber defenses, similar to the State and Local Cybersecurity Grant Program, which was announced in 2023.

DHS respects the sovereignty and self-determination of Tribal governments and recognizes the intent of Congress to provide flexibility to Tribal governments to meet cybersecurity needs across Indian Country through the TCGP. The framework of the program was made as a result of nation-to-nation consultations with tribal representatives across the country and is intended to support tribal cybersecurity resiliency. 

Objectives 

CISA developed four overarching objectives for the TCGP based on the consideration of national priorities, frameworks, and the national cyber threat environment: 

1. Establish cyber governance and planning; 
2. Assess and evaluate systems and capabilities; 
3. Implement security protections commensurate with risk; and 
4. Build and train a cybersecurity workforce. 

Tribal governments were required to address how they will meet Program Objective 1 in their FY 2023 applications. Objectives 2, 3, and 4 were eligible, but were not required to be addressed in FY 2023 applications.  

Funding 

FEMA and CISA made $18.2 million available in the TCGP NOFO, which combined available funding from FY 2022 and FY 2023. 

The TCGP is a discretionary grant program that divides the 574 federally recognized tribes with membership of greater than one individual into four categories based on overall population. The $18.2 million was divided across the four categories. The funding categories allowed for applications to be evaluated among applications from similarly populated tribes. This approach was implemented as a result of nation-to-nation consultations. The following table outlines the four population levels, number of tribes, and the corresponding combined funding levels for FY 2022 and FY 2023: 

Table 1: Funding Categories 

* The number of tribes with a population greater than 1 total 557. The remaining 17 tribes have a represented population of less than 1 per the US Census.gov data collected in 2020. 

Eligibility 

All 574 federally recognized Tribal governments were eligible to apply by the deadline of January 10, 2024. Tribes that applied were required to submit a Cybersecurity Plan, Cybersecurity Planning Committee List, and Charter.

Funding Guidelines 

Cybersecurity Planning Committee and Cybersecurity Plan Requirements 

Each Tribal government was required to establish a Cybersecurity Planning Committee that approves a Cybersecurity Plan and assists with developing, implementing, and revising that plan. An existing Tribal Council/Governing Body that includes 1) a grants administration office representative, and 2) a designated Chief Information Officer (CIO), Chief Information Security Officer (CISO), or equivalent official to the CIO or CISO with expertise in Information Technology (IT) may be used to meet the Committee requirement. 

These plans are meant to guide implementation of cybersecurity capabilities within the Tribal government. The Cybersecurity Planning Committee is responsible for approving the Cybersecurity Plan and assisting with determining effective projects. Applicants were encouraged to download the TCGP Cybersecurity Plan Template from www.grants.gov. The template was an optional tool for applicants to use to develop and submit their Cybersecurity Plans to ensure they met all the required statutory elements. CISA is available to provide technical assistance to Tribal governments on Cybersecurity Plan implementation. 

CISA considers Cybersecurity Plans to be living, strategic documents. Following the submission of their plan as part of the grant application, Tribal governments may continue to work with CISA after funds are approved to update their plan. 

Programmatic Criteria 

Each Tribal government’s application was evaluated through a three-part review and selection process. 

1. A FEMA HQ Preparedness Officer reviewed applications to ensure that the applicant meets all eligibility requirements and checked submitted applications for completeness. 
2. CISA organized an objective review panel and established programmatic scoring and the selection process. Subject Matter Experts (SMEs) with cybersecurity and tribal engagement experience served as review panelists. Reviewers evaluated applications, scored Investment Justifications (IJs), and make recommendations for funding within each discretionary tier. 
3. FEMA HQ Grants Management Specialists conducted financial reviews of the top scoring investments.

More information about the review process can be found in Section E.2 of the TCGP FY 2023 NOFO. 

Cybersecurity Best Practices, Assessments, and Evaluations 

Each applicant addressed key Cybersecurity Best Practices in their Cybersecurity Plan and within individual projects. In addition, the Cybersecurity Best Practices should consult the Cybersecurity Performance Goals (CPGs) to ensure a strong cybersecurity posture. 

All TCGP recipients are required to participate in a limited number of free services provided by CISA. Participation in these services were not required for submission and approval of the grant but are post-award requirements. 

The post-award required services are: 

• Cyber Hygiene Vulnerability Scanning – Evaluates external network presence by executing continuous scans of public, static internet protocol (IPs) for accessible services and vulnerabilities. 
• Nationwide Cybersecurity Review (NCSR) – A free, anonymous, annual self-assessment designed to measure gaps and capabilities of a recipient’s cybersecurity programs. 

TCGP Resources 

There are a variety of resources available to address programmatic, technical, and financial questions: 

• For additional support and guidance on Cybersecurity Plans, Tribal governments should reach out to their CISA Regional Staff. For contact information for your region, please visit cisa.gov/about/regions. 
• For additional technical assistance, applicants may contact CISA via e-mail at TCGPinfo@cisa.dhs.gov. 
• FY 2023 Notice of Funding Opportunity.
• Fact Sheet and Frequently Asked Questions