With the November 2022 deadline for state governments to apply for the $1 billion State and Local Cybersecurity Grant Program (SLCGP) behind us, states are now facing the task of meeting the requirements necessary to receive government funding. Outside of South Dakota and Florida, all eligible entities have submitted funding applications. Before diving into the current funding status and requirements, let’s take a moment to recap the SLCGP.
What is the State and Local Cybersecurity Grant Program?
Through the Infrastructure Investment and Jobs Act (IIJA) of 2021, Congress established the State and Local Cybersecurity Improvement Act on September 16, 2022, which established the State and Local Cybersecurity Grant Program (SLCGP) appropriating $1 billion to be awarded over the span of four years.
Funding from the program helps these entities address the growing cyber risks and threats to the information systems owned and/or operated by state, local, and territorial governments.
Program Goals
The program aims to help state and local governments manage and reduce systemic cyber risks through four objectives established by CISA:
- governance and planning
- assessment and evaluation
- mitigation
- workforce development
These four objectives will work to develop appropriate governance structures and plans, identify areas for improvement, implement security protections, and ensure personnel are trained in cybersecurity.
Who Exactly is Eligible?
Only State Administrative Agencies (SAAs) for states and territories are qualified to apply for the program. Furthermore, multiple eligible entities can seek aid jointly as a multi-entity group. This implies that two or more SAAs can jointly apply for projects but must still submit separate applications.
Local and rural governments are eligible though their state governments are sub-applicants to their SAA and must work with their state/territory’s Cybersecurity Planning Committee (a requirement of the grant program) to receive funds. As defined by law, local governments include counties, municipalities, public authorities, school districts, special districts, councils of governments, and other public entities. This also includes Indian tribes, Alaska Native villages, and rural communities. While rural areas are defined as areas with a population of less than 50,000 that have not been designated as an “urbanized area” by the most recent census.
How Will Funds Be Administered?
CISA has stated that the grant program was designed to put funding where it is most needed; local entities. According to the legislation, states must allocate at least 80% of the funds to local governments, and at least 25% of the funds must be distributed to rural areas.
Total funds will be distributed over four years in the following way;
Fiscal Year (FY) 2022: $200 million total. $185 million for SLCGP, $8.5 million to the Department of Homeland Security (DHS) for administering the grant, $6 million for the Tribal Cybersecurity Grant Program (Tribal Government grant funding), and $500,000 for the DHS Inspector General to evaluate grant programs.
Fiscal Year (FY) 2023: $400 million; FY 2024: $300 million; FY 2025: $100 million
Program Requirements
After eligible entities apply for funding, applicants must build a Cybersecurity Planning Committee and create a Cybersecurity Plan to receive funds. State applicants who applied before the November 2022 deadline must meet these requirements by September 30, 2023, to receive funding. Specific details on the parameters for each program requirement can be found here.
2023 Updates
As stated earlier, all but two of the eligible entities have applied for the grant program. Trent Frazier, deputy assistant director for Stakeholder Engagement at CISA, told Government Technology concerning the two-state entities that have not applied for funding, “We will certainly invite them to apply again in year two.”
From here, all other state entities are now tasked with meeting the requirements of building a Cybersecurity Planning Committee and creating a Cybersecurity Plan. Eleven of these entities have submitted their requirements and are either under review or have begun to receive funding. All applicants have until September 30, 2023, to submit their requirements for approval. Funding currently being dispersed will be part of 2022, aka “year one” allocated funding, which is $185 million of the total $1 billion allocated over four years.