The Department of Homeland Security is looking for recipients for $279.9 million in grant funding to invest in cybersecurity for fiscal 2025, which begins Oct. 1.
The grants are part of the State and Local Cybersecurity Grant Program (SLCGP), which Congress established in the Infrastructure Investment and Jobs Act of 2021. (See Bipartisan Infrastructure Bill Offers Funding for Grid, EVs.)
The SLCGP, along with the Tribal Cybersecurity Grant Program (TCGP), provides about $1 billion in funding over four years. Both programs are intended to support state, local, territorial and tribal governments in reducing cyber risk and building resilience against cybersecurity threats. Entities may apply for the grants until 5 p.m. Dec. 3, 2024.
The DHS Cybersecurity and Infrastructure Security Agency (CISA) jointly administers SLCGP and TCGP with the Federal Emergency Management Agency (FEMA). CISA serves as the subject matter expert on cybersecurity issues, while FEMA administers grants and oversees the use of appropriated funds.
In a press release, CISA Director Jen Easterly said the programs would help “governments lay a solid foundation for building a sustainable and resilient cybersecurity program for the future.”
According to the Notice of Funding Opportunity (NOFO) issued by DHS, SLCGP applications can be submitted by designated State Administrative Agencies (SAA). States and territories will be responsible for distributing sub-awards to local entities. The IIJA requires local governments to receive at least 80% of awarded funds, with at least 25% to be distributed to rural areas.
Each state must receive at least 1% of the total available grant funding, according to the SLCGP fact sheet; this mandate also applies to the District of Columbia and Puerto Rico. American Samoa, Guam, the U.S. Virgin Islands and the Northern Mariana Islands each have a minimum allocation of 0.25%. Additional funds will be allocated “based on a combination of state population and rural population totals.”
To receive grants, states and territories must have a CISA-approved cybersecurity plan and a cybersecurity planning committee and charter. Plans must be submitted by Jan. 30, 2025. Entities that already have a CISA-approved plan do not need to revise it unless the agency notifies them that it does not meet requirements, but CISA indicated that “there are no additional plan requirements” in FY 2025.
CISA also reminded applicants that implementing the agency’s cybersecurity best practices is a “key requirement” of cybersecurity plans. The NOFO provided a list of practices for entities to incorporate:
-
- multifactor authentication;
-
- enhanced logging;
-
- encrypted data at rest and in transit;
-
- discontinued use of unsupported or end-of-life software and hardware that are accessible from the internet;
-
- restricted use of known, fixed, and default passwords and credentials;
-
- the ability to reconstitute systems from backups;
-
- rapid bidirectional information sharing between CISA and state, local and tribal entities; and
-
- migration to the .gov internet domain.
CISA said incorporating the recommended best practices will help entities reach the baseline outlined in its cyber performance goals.
“In the modern threat landscape, every community can — and too often does — face sophisticated cyberattacks on vital systems like hospitals, schools and electrical grids,” said Homeland Security Secretary Alejandro Mayorkas. “Our message to communities everywhere is simple: Do not underestimate the reach or ruthlessness of nefarious cyber actors. Through initiatives like the [SLCGP] we can confront these threats together.”
