The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA) have announced more than $100 million in grant funding to help states, tribes, and local governments bolster their cybersecurity defenses. The grants will play a critical role in enhancing cybersecurity resilience by providing resources to strengthen network security and reduce cyber risks.
The Notice of Funding Opportunity is made up of two separate grants – the Fiscal Year 2025 State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP). The SLCGP makes $91.7 million available to state and local governments for various cybersecurity improvements, including planning and exercises, hiring experts in the community, and improving services for their citizens. The TCGP provides $12.1 million to tribal governments for similar uses.
“This grant funding ensures communities and our partners across the nation have the crucial resources needed to strengthen their cyber defense capabilities and mitigate risk,” Madhu Gottumukkala, CISA Acting Director, said in a media statement. “CISA is proud to empower state, local, and tribal governments to build more resilient cyber ecosystems.”
Gottumukkala identifies that this unified DHS approach enables innovative solutions that strengthen digital infrastructure, and helps communities invest in meaningful cybersecurity improvements to protect the critical services they provide. “This is another example of investing in our communities while being good stewards of our taxpayer dollars.”
On Sept. 16, 2022, the Department of Homeland Security (DHS) announced a first-of-its-kind cybersecurity grant program specifically for state, local, tribal, and territorial (SLTT) governments across the country. DHS, through the CISA in coordination with FEMA, is taking steps to help stakeholders across the country understand the severity of their unique local cyber threats and cultivate partnerships to reduce related risks across the SLT enterprise.
“Our nation faces unprecedented threats to the homeland from increasingly sophisticated criminal groups and nation-state actors. SLTT entities stand at the forefront of cyber defense,” the CISA recognizes. “Their partnership with DHS includes enforcing laws, assisting the federal government in securing cyberspace, and dismantling transnational criminal organizations.”
Cybersecurity threats, including ransomware intrusions, and widespread software vulnerabilities affecting SLTT systems and critical infrastructure are increasingly exploited by malicious actors, operating domestically and abroad.
Funding from the SLCGP and the TCGP helps eligible entities address cybersecurity risks and threats to information systems owned or operated by, or on behalf of, SLTT governments. Through separate Notices of Funding Opportunities, the SLCGP and TCGP combined will make $1 billion available over four years, including more than $400 million in FY 2023 and more than $300 million in FY 2024.
Congress established the SLCGP and appropriated $1 billion for the program to be distributed over four years. These entities face unique challenges that could limit their participation in critical homeland security missions and are at varying levels of preparedness in defending against increasingly sophisticated and changing cyber threats.
The DHS will implement the SLCGP through CISA and FEMA. While CISA will serve as the program management subject-matter expert in cybersecurity related issues, FEMA will provide grant administration and oversight for appropriated funds, including award and allocation of funds to eligible entities, financial management, and oversight of funds execution.
The program is designed to allocate funding to the most vulnerable and least mature cyber entities: local governments. States and territories will use their State Administrative Agencies (SAAs) to receive SLCGP funds from the federal government and then distribute at least 80% of the funding to local governments in accordance with state law, procedures, and federal legislative requirements. This is the same way in which funding is distributed to local governments in the Homeland Security Grant Program administered by FEMA.
This month, the DHS issued the latest SLCGP Notice of Funding Opportunity (NOFO), which outlines program requirements and details, including eligibility criteria for states and territories. Under the program, the designated SAA for each state or territory is the only entity permitted to apply for grant awards. Local governments will receive funding through sub-awards issued by their respective states. The legislation mandates that at least 80 percent of the funds be distributed to local governments, with a minimum of 25 percent directed specifically to rural areas.
Eligible entities must submit their applications through the FEMA Grant Outcomes (FEMA GO) system. To qualify for Fiscal Year 2024 funding, each entity must have completed the requirements outlined in the FY 2022 NOFO. Applications may include a completed or updated Cybersecurity Plan, a capabilities assessment, and proposed projects approved by the Cybersecurity Planning Committee, as well as by the state’s chief information officer (CIO), chief information security officer (CISO), or an equivalent official.
CISA and FEMA will review all submissions. Following this review, CISA will coordinate with states and territories to resolve any deficiencies and approve final or revised Cybersecurity Plans and projects. Completion and submission of at least one approved requirement is necessary before entities become eligible to receive funding for year four. Once plans and projects are approved, FEMA will lift any funding holds, allowing recipients to begin project implementation and issue sub-awards.
As states, territories, and local entities advance their cybersecurity capabilities, CISA encourages them to adopt more sophisticated best practices. To support the development and refinement of state, local, and tribal (SLT) cybersecurity planning efforts, the Notice of Funding Opportunity outlines several recommended practices.
These include implementing multifactor authentication, enabling enhanced logging, and using encryption to protect data both at rest and in transit. Entities are advised to phase out unsupported or end-of-life software and hardware that are accessible from the internet. They should also prohibit the use of known, fixed, or default passwords and credentials, and ensure systems can be fully restored through reliable backups.
CISA also recommends that SLT entities actively participate in rapid, bidirectional information sharing with the agency to reduce cyber risk. Additionally, migrating to the .gov internet domain is encouraged to enhance public trust and improve security posture.
The agency also detailed the Cybersecurity Plan, a statewide strategic document that must be approved by both the Cybersecurity Planning Committee and the entity’s CIO, CISO, or an equivalent official. All applicants are required to resubmit their approved Cybersecurity Plan, revised if necessary, no later than Jan. 30, 2026.
The plan must incorporate, to the extent practicable, any existing strategies to defend against cybersecurity risks and threats to information systems owned or operated by, or on behalf of, state, local, and tribal governments. It should also explain how input and feedback from local governments and associations of local governments were considered and integrated into the final document.
Applicants must include required elements outlined in the program guidance. The plan should describe, as appropriate and where feasible, the distinct responsibilities of both state and local governments in its implementation. It must also assess each required element from an entity-wide perspective and outline the resources and timeline necessary for executing the plan.
A summary of associated projects must be included, along with metrics the entity will use to evaluate progress. A link to the Cybersecurity Plan Template is available under Tools and Resources to assist in meeting these requirements.
In April, the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection reviewed the SLCGP, which is up for reauthorization this year. Witnesses noted that although the program is operational, it may need adjustments to boost its effectiveness. Having assessed the SLCGP’s current impact, Subcommittee members also explored potential collaborations with the federal administration to strengthen state and local governments’ preparedness and resilience against cyberattacks.
