State and Local Cybersecurity Grant Program Tribal Cybersecurity Grant Program
The goal of the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP) is to assist state, local, tribal and territorial (SLTT) governments with managing and reducing systemic cyber risk. This goal can be achieved over the course of the Period of Performance (POP) as applicants focus on their Cybersecurity Plans, priorities, projects, and implementation toward addressing the program objectives. Program Objectives for SLCGP and TCGP include: 1. Develop and establish appropriate governance structures, as well as plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations; 2. SLTT agencies understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments; 3. Implement security protections commensurate with risk (outcomes of Objectives 1 & 2); and 4. Ensure organization personnel are appropriately trained in cybersecurity, commensurate with responsibility. Performance Measures: Percentage of entities with CISA approved state-wide Cybersecurity Plans Percentage of entities with statewide Cybersecurity Planning Committees that meet the Homeland Security Act of 2002 and SLCGP funding notice requirements Percentage of entities conducting annual table-top and full-scope exercises to test Cybersecurity Plans Percent of the entities SLCGP budget allocated to exercises Average dollar amount expended on exercise planning for entities Percentage of entities conducting an annual cyber risk assessment to identify cyber risk management gaps and areas for improvement Percentage of entities performing phishing training Percentage of entities conducting awareness campaigns Percent of entities providing role-based cybersecurity awareness training to employees Percentage of entities adopting the Workforce Framework for Cybersecurity (NICE Framework) as evidenced by established workforce development and training plans Percentage of entities with capabilities to analyze network traffic and activities related to potential threats Percentage of entities implementing multi-factor authentication (MFA) for all remote access and privileged accounts Percentage of entities with programs to anticipate and discontinue use of end-of-life software and hardware Percentage of entities prohibiting the use of known/fixed/default passwords and credentials Percentage of entities operating under the .gov internet domain Number of cybersecurity gaps or issues addressed annually by entities
General information about this opportunity
Last Known Status
Active
Program Number
97.137
Federal Agency/Office
Federal Emergency Management Agency, Department of Homeland Security
Type(s) of Assistance Offered
A - Formula Grants
Program Accomplishments
Fiscal Year 2023 The State and Local Cybersecurity Grant Program and Tribal Cybersecurity Grant Program provides Federal funds to address cybersecurity risks and cybersecurity threats to information systems owned, operated by, or on behalf of SLTT governments.
Authorization
Pub. L. No. 107-296, as amended (codified at 6 U.S.C. § 665g), Title Homeland Security Act of 2002, Section Section 2220A
Who is eligible to apply/benefit from this assistance?
Applicant Eligibility
For SLCGP: States and U.S. Territories All 56 states and territories, including any state of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the U.S. Virgin Islands, Guam, American Samoa, and the Commonwealth of the Northern Mariana Islands, are eligible to apply for SLCGP funds. For TCGP: Federally Recognized Tribal Governments Tribal governments may apply directly through the Tribal Cybersecurity Grant Program or may receive funds as subrecipients of the State and Local Cybersecurity Grant Program. "Tribal government" is defined as the recognized governing body of any Indian or Alaska Native Tribe, band, nation, pueblo, village, community, component band, or component reservation, that is individually identified (including parenthetically) in the most recent published list of federally recognized tribes.
Beneficiary Eligibility
State, Local, U.S. Territories, & Federally Recognized Indian Tribal Governments
Credentials/Documentation
Eligible entities applying for a grant under this Assistance Listing must have an approved Cybersecurity Plan, Project Worksheet, and Investment Justification to have funds released. Eligible entities should also refer to the Notices of Funding Opportunity, once published, for additional documents required to apply for a grant.
What is the process for applying and being award this assistance?
Pre-Application Procedure
Preapplication coordination is required. This program is eligible for coverage under E.O. 12372, "Intergovernmental Review of Federal Programs." An applicant should consult the office or official designated as the single point of contact in his or her State for more information on the process the State requires to be followed in applying for assistance, if the State has selected the program for review. This program is eligible for coverage under E.O. 12372, "Intergovernmental Review of Federal Programs." An applicant should consult the office or official designated as the single point of contact in his or her State for more information on the process the State requires to be followed in applying for assistance if the State has selected the program for review.
If applying for a grant to implement a Cybersecurity Plan, a state must consult and obtain feedback from local governments within its jurisdiction, to the extent practicable, regarding the elements of the state’s Cybersecurity Plan. Similarly, if applying for a grant to implement a Cybersecurity Plan, states must consult with local governments and associations of local governments, and as applicable, neighboring states or tribal governments, information sharing and analysis organizations, and neighboring countries to develop and coordinate strategies to address cybersecurity risks and cybersecurity threats for that state’s Cybersecurity Plan.
Application Procedure
This program is excluded from coverage under 2 CFR 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards.
Award Procedure
TBD by program
Deadlines
Contact the headquarters or regional location, as appropriate for application deadlines
Approval/Disapproval Decision Time
TBD by program
Appeals
Not applicable.
Renewals
Not applicable.
How are proposals selected?
TBD by program
How may assistance be used?
SLTT governments shall use the grant funds to: (1) implement the Cybersecurity Plan of the eligible entity; (2) revise the Cybersecurity Plan of the eligible entity; (3) pay expenses directly relating to the management and administration of the grant, up to 5 percent of the grant amount; (4) assist with activities that address imminent cybersecurity threats to the information systems owned or operated by, or on behalf of, the SLTT government; (5) fund any other appropriate activity determined by the Department of Homeland Security.
An eligible entity applying for a grant shall agree to consult the Chief Information Officer (or equivalent), the Chief Information Security Officer, or an equivalent official of the eligible entity, in allocating grant funds under this program.
What are the requirements after being awarded this opportunity?
Reporting
Not applicable.
Auditing
FEMA grant recipients are subject to audit oversight from multiple entities including the DHS Office of the Inspector General (OIG), the Government Accountability Office (GAO), the pass-through entity, or independent auditing firms for single audits, and may cover activities and costs incurred under the award. Auditing agencies such as the DHS OIG, the GAO, and the pass-through entity (if applicable), and FEMA in its oversight capacity, must have access to records pertaining to the FEMA award. Additionally, non-federal entities must comply with the single audit requirements at 2 C.F.R. Part 200, Subpart F. Specifically, non-federal entities, other than for-profit subrecipients, that expend $750,000 or more in federal awards during their fiscal year must have a single or program-specific audit conducted for that year in accordance with Subpart F. 2 C.F.R. ? 200.501.
Records
Financial records, supporting documents, statistical records, and all other non-federal entity records pertinent to a federal award generally must be maintained for at least three years from the date the final Federal Financial Report ("FFR") is submitted. See 2 C.F.R. ? 200.334. Further, if the recipient does not submit a final FFR and the award is administratively closed, FEMA uses the date of administrative closeout as the start of the general record retention period.
Other Assistance Considerations
Formula and Matching Requirements
Statutory Formula: Title Homeland Security Act of 2002 Chapter Section 2220A Public Law Pub. L. No. 107-296, as amended (codified at 6 U.S.C. § 665g) Statutory Formula: For FY 2023, DHS will award funds to states and territories based on baseline minimums and population as required by section 2200A(l) of the Homeland Security Act of 2002 (codified at 6 U.S.C. § 665g(l)) and described below. Each state and territory will receive a baseline allocation using thresholds established in section 2200A(l) of the Homeland Security Act of 2002 (codified at 6 U.S.C. § 665g(l)). All 50 States, the District of Columbia, and the Commonwealth of Puerto Rico will receive a minimum of $4,082,282 each, equaling 1% of total funds appropriated to DHS in FY 2023. Each of the four territories (American Samoa, Guam, the Northern Mariana Islands, and the U.S. Virgin Islands) will receive a minimum of $1,020,570, equaling 0.25% of the total funds appropriated to DHS in FY 2023. $79,310,190, 50% of the remaining amount, will be apportioned based on the ratio that the population of each state or territory bears to the population of all states and territories. The remaining $79,310,190, equaling the other 50% of the remaining amount, will be apportioned based on the ratio that the population of each state that resides in rural areas bears to the population of all states that resides in rural areas.
Matching is mandatory. SLCGP: For FY 2023, eligible entities must meet a 20% cost share requirement. The recipient contribution can be cash (hard match) or third-party in-kind (soft match). For FY 2023, in accordance with 48 U.S.C. § 1469a, cost share requirements are waived for the insular areas of the U.S. territories of American Samoa, Guam, the U.S. Virgin Islands, and the Commonwealth of the Northern Mariana Islands. The Secretary of Homeland Security may waive or modify the non-federal share if an eligible entity demonstrates an economic hardship and meets the requirements as outlined in the FY 2023 SLCGP Notice of Funding Opportunity. TCGP: The Secretary of Homeland Security, in consultation with the Secretary of the Interior and tribal governments, waived the cost share requirement for TCGP applicants applying for FY 2022 and FY 2023 TCGP funding. Measures of Effectiveness (MOE) requirements are not applicable to this assistance listing
MOE requirements are not applicable to this assistance listing.
Length and Time Phasing of Assistance
State and Local Cybersecurity Grant Program and Tribal Cybersecurity Grant Program funds are available to eligible applicants for the duration of the period of performance, which will be up to 48 months. For SLCGP: recipients in the 50 states must pass through at least 80% of the federal funds provided under the grant to local governments within 45 days of the release of the funds from FEMA. FEMA interprets the date that an entity “receives a grant” to be the date upon which FEMA releases the funding hold in the Non-Disaster Grants Management System (ND Grants) system. With the consent of the local governments, this pass-through may be in the form of in-kind services, capabilities, or activities, or a combination of funding and other services. 25% of the total federal award must also go to rural areas. This pass-through to rural areas is a part of the overall 80% pass-through; however, it should be emphasized that 25% of the total federal amount must be passed through to rural areas (defined in 49 U.S. C. 5305 as any area with a population of 50,000 or less). The local government pass-through requirement, including the rural area pass-through requirement, does not apply to the following: The District of Columbia, the Commonwealth of Puerto Rico, American Samoa, the Commonwealth of the Northern Mariana Islands, Guam, the United States Virgin Islands, or a Tribal government. For TCGP: no pass-through requirement. Method of awarding/releasing assistance: Lump.
Who do I contact about this opportunity?
Regional or Local Office
None/Not specified.
Headquarters Office
Department of Homeland Security, Federal Emergency Management Agency (FEMA)
Department of Homeland Security / FEMA / Public Assistance Division, Control Desk
6th Floor, 500 C St. SW,
Washington, DC 20523 US
Allen.wineland@fema.dhs.gov
Phone: 18003686498
Financial Information
Account Identification
70-0413-0-1-453
Obligations
(Formula Grants) FY 22$200,000,000.00; FY 23 FY 24 FY 21 - (Formula Grants) FY 22 FY 23 est $400,000,000.00; FY 24 FY 21 - (Formula Grants) FY 22 FY 23 FY 24 - (Formula Grants) FY 22 FY 23 FY 24 est $300,000,000.00; -
Range and Average of Financial Assistance
For FY 2023 SLCGP, these are the estimates: All 50 States, the District of Columbia, and the Commonwealth of Puerto Rico will receive a minimum of $4,082,282 each; Each of the four territories (American Samoa, Guam, the Northern Mariana Islands, and the U.S. Virgin Islands) will receive a minimum of $1,020,570; $79,310,190, 50% of the remaining amount, will be apportioned based on the ratio that the population of each state or territory bears to the population of all states and territories.
Regulations, Guidelines and Literature
The following 2 C.F.R. Part 200 requirements apply to this assistance listing: Subpart A, Acronyms and Definitions Subpart B, General Provisions Subpart C, Pre-Federal Award Requirements and Contents of Federal Awards Subpart D, Post-Federal Award Requirements Subpart E, Cost Principles Subpart F, Audit Requirements
Examples of Funded Projects
Fiscal Year 2023 Development and revision of the Cybersecurity Plan; Cybersecurity Assessment, Evaluations and Mitigation; and Cybersecurity Training and Exercise Activities.