DHS more than doubles SLCGP funding to about US$375 million, in bid to boost state and local cybersecurity

The U.S. Department of Homeland Security (DHS) announced the availability of US$374.9 million in grant funding for the Fiscal Year (FY) 2023 State and Local Cybersecurity Grant Program (SLCGP). Now in its second year, the SLCGP cybersecurity grant program is specifically for state, local, and territorial (SLT) governments across the country to help them strengthen their cyber resilience. 

The additional funding provides state and local governments with financial resources to face increasingly sophisticated cyber threats to their critical infrastructure and public safety, demonstrating the administration and Congress’s commitment to help improve the cybersecurity of communities across the nation.

State and local governments have until Oct. 6 to apply for this FY23 grant opportunity. Eligible applicants should submit their initial application at least one week before the final application submission through the grants.gov portal. 

Last fiscal, $183.5 million was available under the SLCGP, with varying funding amounts allocated over four years from the Infrastructure Investment and Jobs Act (IIJA). Jointly managed by the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Emergency Management Agency (FEMA), the SLCGP is managed with the CISA providing subject-matter expertise and determining allowable activities, while FEMA conducts eligibility reviews, and issue/administer the grant awards consistent with applicable laws, regulations, and policies. 

In January, the State of Michigan disclosed that it submitted “Michigan’s application for the Federal Cybersecurity Grant which was due Nov. 15. Michigan has been awarded $4,775,415.00. As a condition of this award, Michigan is required to contribute a cost match in the amount of $530,602.00 of non-Federal funds or 10% of the total approved project costs of $5,306,017.00.”

Additionally, they did not “have information yet on how that will be handled as far as subrecipients go. Four grant cycles, one per year beginning FY22. Each are three-year performance periods. Statewide cybersecurity plan is due by Sept 2023.” 

Furthermore, the SLCGP workgroup is developing a public webpage with additional information on the grant, and the projects available (once these are determined), and will also include guidance on applying. “More to come now that we know we have been awarded funds,” it added.

The North Carolina Department of Public Safety said that the “FY22 SLCGP awardees will be announced once DHS/FEMA approves the projects submitted by the NC Cybersecurity Planning Committee. Once DHS/FEMA approves the projects and gives clearance to release the awardee list, the awardees will be notified.  We anticipate getting clearance to notify awardees soon.  Applicants who are not selected for an FY22 SLCGP award will also be notified of the decision.”

It added that “this website was updated Aug. 3, 2023, and will be updated again when we open the FY23 SLCGP application period later this year.”

Established by the State and Local Cybersecurity Improvement Act, and part of the Bipartisan Infrastructure Law, the SLCGP is providing $1 billion in funding over four years to support SLT governments as they develop capabilities to detect, protect against, and respond to cyber threats. 

The agencies have created goals and objectives for the SLCGP based on input from SLTT stakeholders and associations, and consideration of national priorities, frameworks, and the national cyber threat environment. These include implementing cyber governance and planning; assessing and evaluating systems and capabilities; mitigating prioritized issues; and building a cybersecurity workforce. Award recipients may use the funding for various cybersecurity improvements and capabilities, including cybersecurity planning and exercising, hiring cyber personnel, and improving the services that citizens rely on daily.

“In today’s threat environment, any locality is vulnerable to a devastating cyber attack targeted at a hospital, school, water, or other system,” Alejandro N. Mayorkas, secretary of Homeland Security, said in a media statement. “The Department of Homeland Security is helping to ensure that every community, regardless of size, funding, or resources, can meet these threats and keep their residents and their critical infrastructure safe and secure. These cybersecurity grants will help state, local, and territorial governments do just that, and I strongly urge communities across the country to submit an application.”

“State and local governments are facing increasingly sophisticated cyber threats to their critical infrastructure and public safety,” according to Jen Easterly, CISA director. “As the Nation’s Cyber Defense Agency, CISA is pleased to make available yet another tool to that will help strengthen cyber defenses for communities across the nation and bolster our collective cybersecurity.”

“Building resilience requires more than mitigating against natural hazards,” Deanne Criswell, FEMA administrator, said. “As our threat landscape continues to evolve, the funding provided through the state, local, and territorial cybersecurity grant program will increase capability to help communities better prepare and reduce cyber risks.”

During FY 2022, applicants focused on the first objective and developed and established appropriate governance structures, improving capabilities to respond to cybersecurity incidents and ensure continuity of operations. 

In FY 2023, applicants are required to focus on implementing their cybersecurity plans by addressing the second objective of understanding their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments; third objective of implementing security protections commensurate with risk; and fourth objective of ensuring organization personnel are appropriately trained in cybersecurity, commensurate with their responsibilities.

With the available grant amount of $374.9 million, each state and territory will receive a funding allocation as determined by the statutory formula, according to a Fact Sheet released Monday. “Allocations for states and territories include a base level as defined for each entity: 1% for each state, the District of Columbia, and the Commonwealth of Puerto Rico; and 0.25% for American Samoa, the Commonwealth of the Northern Mariana Islands, Guam, and the U.S. Virgin Islands. State allocations include additional funds based on a combination of state and rural population totals. 80% of total state or territory allocations must support local entities, while 25% of the total state or territory allocations must support rural entities,” it added. 

Additionally, all 56 states and territories, including any state of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the U.S. Virgin Islands, Guam, American Samoa, and the Commonwealth of the Northern Mariana Islands, are eligible to apply for SLCGP funds. The governor-designated SLCGP State Administrative Agency (SAA) is the only entity eligible to submit SLCGP applications to DHS/FEMA.

The SLCGP SAA recipient must pass through at least 80 percent of the federal funds provided under the grant to local governments, and 25 percent of the federal funds must be provided to local jurisdictions within rural areas of the state or territory, the Fact Sheet added. “The pass-through to rural entities is part of the overall 80 pass-through requirement to local governments. All pass-through entities must meet all program and grant administration requirements.”

“Eligible entities must meet a 20% cost share requirement for the FY 2023 SLCGP except for Multi-Entity Projects which require a 10% cost share. The recipient contribution can be cash (hard match) or third-party in-kind (soft match),” the Fact Sheet disclosed. “Eligible applicants must agree to make available non-federal funds to carry out an SLCGP award in an amount not less than 20% of the total project costs (federal award amount plus cost share amount).” 

It added that for FY 2023, in accordance with 48 U.S.C. § 1469a, cost share requirements are waived for the following: American Samoa, Guam, the U.S. Virgin Islands, and the Commonwealth of the Northern Mariana Islands. “Unless otherwise authorized by law, federal funds cannot be matched with other federal funds. The recipient’s contribution should be specifically identified. These non-federal contributions have the same eligibility requirements as the federal share.” 

Furthermore, the Secretary of Homeland Security may waive or modify the non-federal share for an individual entity if the entity demonstrates economic hardship. More information on what constitutes economic hardship, and how to request a cost-share waiver, will be forthcoming. 

“For a multi-entity group project, the cost share is 10% for the FY 2023 SLCGP,” the Fact Sheet added.

Additionally, FEMA interprets the date that an entity ‘receives a grant’ to be the date upon which FEMA releases the funding held in the ND Grants system, the fact Sheet disclosed. “Therefore, the 45-day pass-through requirement starts on the date when the amendment is issued in ND Grants and FEMA makes the funding available to the SAA for drawdown. After the funds have been released, FY 2023 SLCGP recipients must submit a letter to FEMA signed by the Authorized Official listed on the grant award certifying that they have met the 45-day pass-through requirement and collected any signed local government consents.”  

Applying for an award under the SLCGP is a multi-step process. Applicants are encouraged to register early, which can take four weeks or more to complete. Registration should be done in sufficient time to ensure it does not impact the ability to meet the required submission deadline. 

Last week, the U.S. administration introduced the National Cyber Workforce and Education Strategy (NCWES), a comprehensive approach to address immediate and long-term cyber workforce needs. The strategy aims to fill hundreds of thousands of cyber job vacancies, preparing the nation for the digital economy and empowering Americans to participate in the digital ecosystem. Coordinated by the Office of the National Cyber Director, the Administration’s implementation of this Strategy is already underway.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.