State and Local Cybersecurity Grant Program (SLCGP)

• Only states (or groups of states) are eligible to apply for the grant and each state must allocate 80% of the funding to local, tribal and territorial governments.
• To receive the grant, states must submit a Cybersecurity Plan and create a planning committee to help develop and implement the cybersecurity plan.
• The cybersecurity plan consists of 16 specific requirements. To view specific plan and planning committee requirements, review Appendix B and C of the Notice of Funding Opportunity (NOFO), or the grant synopsis.

The Cybersecurity Plan is a statewide planning document that the Cybersecurity Planning Committee and the CIO/CISO equivalent must approve. The plan will be subsequently updated in FY24 and FY25. It must contain the following components:

• Incorporate, to the extent practicable, any existing plans to protect against cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, SLTTs.
• Share how input and feedback from local governments and associations of local governments was incorporated.
• Include all of the specific [16] required elements (see Required Elements section of Appendix C of the NOFO)
• Describe, as appropriate and to the extent practicable, the individual responsibilities of the state and local governments within the state in implementing the Cybersecurity Plan.
• Assess each of the required elements from an entity-wide perspective.
• Outline, to the extent practicable, the necessary resources and a timeline for implementing the plan.
• Summary of associated projects.
• Metrics that the eligible entity will use to measure progress.

Tenable solutions help state and local governments meet 13 of the 16 Cybersecurity Plan requirements. This includes requirements around vulnerability management, prioritization, protecting critical infrastructure and compliance. Review Meeting SLCGP Requirements with Tenable Technologies to see how Tenable meets each specific requirement.

While the template is not required, CISA strongly recommends that states and territories use the provided template. If a state or territory uses its own template, all required elements must be included. For more information, review the FEMA FAQ.

According to CISA, “Plans will be reviewed and approved as they are received, and before the deadline if received before the deadline. The goal is to review and approve Cybersecurity Plans as soon as practical after submission so that the recipients can begin implementing approved projects as soon as possible at the time they are submitted.” For more information, view the FEMA FAQ.

The program’s ultimate goal is to award grants to address cybersecurity risks and threats to information systems owned or operated by, or on behalf of, SLTT governments. Funding can be used for:

• Developing, implementing or revising the Cybersecurity Plan.
• Assisting with allowed activities that address imminent cybersecurity threats confirmed by DHS.
• Paying expenses directly relating to grant administration, which cannot exceed 5% of the amount of the total award.
• Other appropriate activities as noted in the funding order.
• Funds can also be used to continue or expand existing efforts to improve cyber systems and meet required Cybersecurity Plan elements, as long as funds are not used to supplement state or local funds.

YAccording to CISA, the Cybersecurity Planning Committees must work collaboratively across the state to identify and prioritize individual projects that align with the state’s Cybersecurity Plan. Ultimately, the state determines where and how to pass-through funds, with the permission of applicable local governments if passing through items or services in lieu of funding. For more information, review the CISA FAQ. To review the State Administrative Agency contacts, review State Administrative Agency Contacts.

Local governments have the ability to either consent or opt out of the “in lieu of” services. The way in which consent is obtained is determined by the state or territory. Consent must be obtained in writing for all entities in which the state will provide an item, service, capability and/or activity in lieu of direct funding. For additional, information review section F in the SLCGP NOFO or FEMA FAQ.

No. Local governments are not required to provide consent; however, it is not an all-or-nothing requirement. If there are other local governments that consent, then the state can still provide the item, service, capability or activity. For more information, review the FEMA FAQ.

Allocations vary by state. To determine how much your state will receive in fiscal year (FY) 2023, review the SLCGP Allocations in Information Bulletin (IB) 489. Funding has not been determined for fiscal years 2024-2025; however each FY will have its own funding notice, allocation amounts and application periods.

• CISA FAQ
• Original FEMA FAQs
• Additional FEMA FAQs
• States can also contact [email protected] or [email protected].
• Email [email protected] for additional information or to learn how Tenable can help you meet SLCGP requirements.