Cybersecurity Grant Program

Through the Infrastructure Investment and Jobs Act (IIJA) of 2021, Congress established the State and Local Cybersecurity Improvement Act, which established the State and Local Cybersecurity Grant Program (SLCGP), appropriating $1 billion to be awarded over four years.

Funding for each state is calculated using a formula determined by the federal Cybersecurity and Infrastructure Security Agency (CISA). Through separate notices of funding opportunities (NOFO), SLCGP and the Tribal Cybersecurity Grant Program (TCGP) combined will make $1 billion available over four years, including more than $400 million in FY 2023 and more than $300 million in FY 2024.

For states, a majority of grant funding is focused on local government cybersecurity:

  • At least 80% of grant funds must benefit local governments.
  • Of that 80% share, at least 25% must benefit rural areas.

These requirements can be met using a direct passthrough of funds and/or, with their consent, spent on cyber capabilities provided on behalf of local governments.

Grant funds can be used to meet four objectives:

  1. Develop and establish appropriate governance structures, including developing, implementing, or revising cybersecurity plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations.
  2. Understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments.
  3. Implement security protections commensurate with risk.
  4. Ensure organization personnel are appropriately trained in cybersecurity, commensurate with responsibility.

Applying for FY 2024 Cybersecurity Grant Funds

CISA and FEMA will review each submission, then CISA will work with states and territories to address any missing content and approve final or revised cybersecurity plans and individual projects. This year, one requirement must be completed and submitted before states and territories are eligible for year three funds. Once approved, FEMA will remove any holds placed on funding, and eligible entities can execute projects and make sub-awards.

While not required, CISA strongly recommends:

  • Prioritizing projects that address critical infrastructure cybersecurity. State, local, and tribal (SLT) entities are strongly encouraged to include projects related to K - 12 education, water/wastewater, healthcare, energy, defense, and elections infrastructure.
  • Strongly encouraging Cybersecurity Planning Committee membership from critical infrastructure sectors and sub-sectors, including K - 12 education, water/wastewater, healthcare, energy, defense, and elections infrastructure.

Grant Application Now Open

Eligible entities can apply via the FEMA grant outcomes (GO) system below. To be eligible for FY 2024 SLCGP funding, each eligible entitiy is required to fulfill the FY 2022 NOFO requirements. Applications may include a completed or revised cybersecurity plan if applicable, capabilities assessment, and individual projects approved by the Cybersecurity Planning Committee and CIO, CISO, or equivalent.

State Cybersecurity Grant Program Plan Timeline
April 24, 2023State Cybersecurity Grant Program plan submitted.
May 22, 2023CISA approves state plan.
July 11, 2023FY 2023 Download this pdf file. NOFO released.
September 23, 2024FY 2024 NOFO released.
November 30, 2027Projected period of performance end date.

Additional information will be posted as it becomes available.

Cybersecurity Grant Program Resources

Below are resources local governments may find useful in preparing their submissions:

Updated October 18, 2024