By: Amanda Day, Grants Development Consultant (State and Local Government)
Cybercrimes against local governments, public safety agencies, and schools are becoming more frequent and destructive. As a result, these attacks can lead to monetary loss and the theft of critical data. Criminals are targeting large cities, county governments, and even small towns in rural areas of the country. In response to the increase in these attacks, the Federal government is encouraging local leaders to take action by utilizing federal and state grant funds to prepare for and prevent ransomware attacks and hackers.
In the past several years, the Department of Homeland Security has prioritized cybersecurity in its Homeland Security Grant Programs, but the first mention of cybersecurity as an eligible expense came in 2010. Grant programs like the State Homeland Security Program (SHSP), the Urban Areas Security Initiative (UASI), and Operation Stonegarden (OPSG) were some of the first to include cybersecurity technology as an eligible use of funds. Since then, several other agencies have followed suit, understanding how important protecting our critical infrastructure is. And now the Environmental Protection Agency, the Department of Justice, and the Department of Transportation have all begun to include cybersecurity expenses in their funding guidelines. Additionally, with the passage of the Bipartisan Infrastructure Law in 2021, the State and Local Cybersecurity Program (SLCGP) has been announced and specifically funds cybersecurity at state and local levels. The funds will be used to improve our nation’s cybersecurity posture and protect critical infrastructure from malware, ransomware, and other threats.
The State and Local Cybersecurity Grant Program (SLCGP) is a one-billion-dollar program aimed at assisting states, local governments, and tribes in securing their cyberspace. These funds will be administered over a four-year period from 2022 to 2025, starting with $185 million in funding the first year. Each state and territory will be awarded funds based on baseline minimums and population guidance from the Homeland Security Act of 2002. Funding will be spread out over the next four years, with the majority being made available in 2023 and 2024. States will be passing the bulk of funding on to local governments, keeping twenty percent at the state level for their own projects, and passing down eighty percent to local governments.
When we talk about how local governments will access those funds, there are a few ways states can choose to pass down funding. First, states may choose to subgrant funds to local entities to purchase their own cybersecurity solutions, basically handing over the cash and trusting that local governments will correctly manage the funds. Second, states could make purchases on behalf of their local governments and make them available. And the final option would be a combination of both.
Although there are some guidelines as to what the funds will cover, we know that states will have quite a bit of latitude to decide what kinds of projects they’ll prioritize this can include:
- Developing a cybersecurity plan or revising a Cybersecurity Plan
- Implementing a Cybersecurity Plan
- Assisting with activities that address imminent cybersecurity threats
- Funding any other appropriate activity determined by the Department of Homeland Security
- Hiring personnel.
For the first year of the program, eligible applicants are required to address the four following program objectives:
Objective #1
Develop and establish appropriate governance structures, including developing, implementing, or revising cybersecurity plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations
Objective #2
Understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments
Objective #3
Implement security protections commensurate with risk
Objective #4
Ensure organization personnel are appropriately trained in cybersecurity, commensurate with responsibility.
In order to accomplish these goals, each state must form a Cybersecurity Planning Committee to oversee the state-level process and approve local plans and applications when the states release their own guidance. These planning committees MUST include representatives from the state or territory, local governments, public schools, and representatives from public health institutions. Representation from rural, suburban, and urban areas must also be included. After the planning committee develops the state’s Cybersecurity Plan, it must be approved by the state's CIO or CISO before being submitted.
The good news is that almost all states and territories applied for their funds before the November 15th, 2022, deadline. However, only a handful of states were able to submit a completed Cybersecurity Plan with that application. Several states have applied for an extension and will have until September 30th of this year to submit a completed plan. The window for states to apply for the 2023 round of funding is anticipated in late spring of this year. As far as local deadlines go, they will vary in every state and territory. So far, we’ve seen application windows open in Missouri, Georgia, and Kentucky, but as states continue to finalize and submit their plans, we expect to see more guidance and deadlines released.
Resources for the State and Local Cybersecurity Grant Program can be found at:
https://www.fema.gov/fact-sheet/department-homeland-security-notice-funding-opportunity-fiscal-year-2022-state-and-local
https://www.cisa.gov/cybergrants
https://www.fema.gov/grants/preparedness/about/state-administrative-agency-contacts
SF Grants page to highlight: State and Local Cybersecurity Grant Program (SLCGP):
https://grants.lightning.force.com/lightning/r/Grant__c/a0B0b00000PHsnDEAT/view