Cybersecurity Funding from the Infrastructure Investments and Jobs Act (IIJA): Where are we now?
Cybersecurity Funding from the Infrastructure Investments and Jobs Act (IIJA): Where are we now?

Amanda Day, Grants Development Consultant (State and Local Government)

On November 6, 2021, the U.S. Congress passed the Infrastructure Investment and Jobs Act (IIJA). The IIJA is sometimes referred to as the “Bipartisan Infrastructure Deal” because it was supported by both Democrats and Republicans in Congress. A total of $1.2 trillion in funding was made available for nearly 400 new and existing programs. This legislation supports various infrastructure-related programs and projects like transportation, clean water, broadband, and electric vehicle charging infrastructure, among other initiatives. Included in the IIJA are grants aimed at improving the cybersecurity posture of state, local, and tribal governments.

Cybersecurity attacks continue to increase and can compromise sensitive data and cause disruptions in critical government functions, education, utilities, and transportation infrastructure. For entities looking to improve their cybersecurity, the IIJA has created several cybersecurity-focused programs to offset the cost of implementing necessary hardware and software. However, cybersecurity is not just about the technology involved; included in the IIJA is funding for workforce cybersecurity training. A skilled and knowledgeable workforce is essential to the success of implemented cybersecurity protections.

There are three main cybersecurity funding programs: The State and Local Cybersecurity Grant Program (SLCG), the Tribal Cybersecurity Program (TCGP), and the Rural and Municipal Utility Advanced Cybersecurity Grant (RMUC).

The State and Local Cybersecurity Grant Program (SLCGP) is a four-year program that will provide state and local governments with $1 billion in funding for cybersecurity and cybersecurity training. Administered by the Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA), grant funds will be used to improve the nation’s cybersecurity posture and protect critical infrastructure from malware, ransomware, and other threats.


The SLCGP Objectives are:

  1. Develop and establish appropriate governance structures
  2. Assess and evaluate cybersecurity needs
  3. Implement security protections
  4. Develop a workforce trained in cybersecurity

IIJA allocated funds are available to 56 states and territories from 2022-2025. In turn, states and territories must pass down 80% of these funds to local applicants, 25% of which must go to rural areas of the state. Eligible sub-applicants to the SLCGP include counties, municipalities, public school districts, and Tribal governments. States have the flexibility to decide whether to subgrant funds directly to eligible local entities or to spend the funds at the state level on behalf of local governments, essentially, making “bulk” purchases. By making bulk purchases, states can often negotiate better prices from vendors. This allows them to stretch the allocated funds further and potentially get more value from their yearly grant awards.

States and territories applied for the first year of funds in November of 2022. Along with the application for funding , states were also required to form a Cybersecurity Planning Committee to create and submit a cybersecurity plan to the Cybersecurity & Infrastructure Security Agency (CISA). The Planning Committee is also responsible for developing, implementing, and revising Cybersecurity Plans. The deadline for states to submit completed plans was September 30, 2023. After the application to DHS is approved and CISA approves the cybersecurity plan, funds will be released to the state. Deadlines for local applicants will vary by state as each creates its own SLCGP grant program. Several states have already announced the notice of funding for the FY22 funds, including Georgia, Oklahoma, Washington, New Jersey, and Colorado. In these states, interested applicants can find details about available funding opportunities and application procedures on their respective state government websites. The application deadline for states and territories to apply for FY23 funds was October 6th.  To date, the state of Kentucky is the only state to open both application windows.

Announced with the State and Local Cybersecurity Grant Program (SLCGP) is the Tribal Cybersecurity Grant Program (TCGP). The primary focus of the TCGP is to strengthen the cybersecurity practices and resilience of tribal governments.  Over the next four years, a total of $30 million will be available to Native American Tribes and Alaska Natives. For this notice of funding, years one and two have been combined into a total of $18.2 million. Tribal governments have until January 10, 2024, to complete the required cybersecurity plan and DHS application.

The final cybersecurity-focused grant opportunity is the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program (RMUC). The RMUC is administered by the U.S. Department of Energy (DoE) and provides financial and technical support to municipal and rural electric utilities, recognizing the role they play in providing essential services to communities. Cybersecurity is crucial in these sectors as disruptions could impact the public safety and well-being of citizens. Over five years, a total of $250 million in funding will aid electric utilities in improving incident response, enhancing workforce cybersecurity skills, and strengthening infrastructure. The RMUC program will be implemented in three phases: the Commitment Phase, Planning Phase, and Implementation Phase. The deadline for the first phase of this program is November 29, 2023. Future deadlines will be announced in future months.

With this unprecedented funding in cybersecurity, the federal government is acknowledging that there is an increasing need for enhanced cybersecurity measures. The goal of this funding is to bolster defenses against two key adversaries: hackers and cyber-criminals:

  • Hackers can include state-sponsored actors, and others who aim to breach systems for various purposes.
  • Cyber-criminals engage in illegal activities, such as data theft and ransomware attacks for financial gain.

Cybersecurity is an ongoing process that requires continuous monitoring and adaptation to new threats. These historic investments are critical for safeguarding national security, public safety, the protection of our digital infrastructure, and represent a significant step in enhancing protections, securing data, and preventing cyber-attacks from foreign and domestic sources.