The federal government has earmarked a $1 billion pot of grant money for state, local and territorial governments to defend themselves against cyber intruders.
Lower-level government agencies and public sector entities, typically lacking the necessary resources to fully combat cyber crime, have become prime targets for hackers in extortion plots to steal money and exfiltrate data. The new funding, which springs from the 2021 State and Local Cybersecurity Improvement Act, is intended to assist state, local and territorial governments to enact plans and programs tailored for their own needs.
Grants Target State, Local and Tribal Entities
The State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP) helps eligible entities address cybersecurity risks and threats to information systems owned or operated by (or on behalf of) state, local and territorial governments. Through two distinct Notice of Funding Opportunities, the money will be allocated over four years to support projects throughout the performance period.
Some $185 million has been reserved for this year, with the territorial grant money released after the state and local funding, as will be the case throughout the four years. States with plans approved by the Cybersecurity and Infrastructure Security Agency (CISA) could land at least $2 million for cybersecurity projects. At the state level, governments are required to distribute at least 80% of their grant funding to local and rural communities and at least 3% to tribal governments.
It’s not clear if the money will be made available before the midterm elections.
The Department of Homeland Security (DHS) will implement the state and local grant program through CISA and the Federal Emergency Management Agency (FEMA). CISA will serve as the subject-matter expert in cybersecurity related issues. FEMA will provide grant administration and oversight for appropriated funds, including award and allocation of funds to eligible entities, financial management and oversight of funds execution.
How to Apply for a Grant
Eligible entities can submit an application via Grants.gov. CISA and FEMA will review each submission, and CISA will approve final Cybersecurity Plans and individual projects. Once approved, FEMA will remove any holds that they placed on funding and eligible entities can execute projects and make sub-awards.
"Our goal is to mitigate hacks into rail systems or power grids, so that families don't have any trouble getting to work and heating their homes," White House senior adviser and Infrastructure Coordinator Mitch Landrieu told reporters in a briefing.
Applicants must apply for a grant in the next 60 days, and may use the federal dollars toward new or existing cybersecurity programs. Local entities receive sub-awards through states. The legislation requires states to distribute at least 80% of funds to local governments, with a minimum of 25% of the allocated funds distributed to rural areas.
The Cybersecurity Plan is a statewide planning document that must be approved by the Cybersecurity Planning Committee and the CIO/CISO equivalent. The Plan will be subsequently updated in FY24 and 25.
It must contain the following components:
- Incorporate, to the extent practicable, any existing plans to protect against cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, SLTs.
- Explain how input and feedback from local governments and associations of local governments was incorporated.
- Include all of the specific required elements.
- Describe, as appropriate and to the extent practicable, the individual responsibilities of the state and local governments within the state in implementing the Cybersecurity Plan.
- Assess each of the required elements from an entity-wide perspective.
- Outline, to the extent practicable, the necessary resources and a timeline for implementing the plan.
- Produce summary of associated projects.
- Submit metrics that the eligible entity will use to measure progress.