Program

COVID-19 Federal Assistance e311

Topics

Compliance & Reporting, Due Diligence & Fraud Protection

Funding Source

American Rescue Plan Act, CARES Act, CSLFRF, FEMA, HUD, Infrastructure Investments and Jobs Act

How should a municipality prepare for an audit by an Office of the Inspector General (“OIG”) for a program administered by a prior administration that focuses on due diligence and proper record keeping?

A municipality’s approach to an audit should not depend on which administration ran the program being audited. The approach should focus on cooperation with the Office of the Inspector General (“OIG”) auditors and on transparency about past and current program activities. Consider the following good practices in preparation for an audit:

  • Maintain and organize project files in a central location before the OIG arrives;
  • Provide office space for the audit team to meet and conduct interviews;
  • Assign a point person who will be available for the duration of the audit to coordinate activities and handle any other needs of the audit team;
  • Provide access to staff, including employees from the previous administration who worked on the project being audited and personnel assigned to the project as a result of turnover;
  • Be prepared to respond to the draft audit report promptly, so that your feedback can be considered before the report is finalized;
  • Proactively demonstrate the steps your municipality took to enhance due diligence and record keeping; and
  • Review the laws and regulations pertaining to the grant program.

In demonstrating a sufficient due diligence process in your grant program, municipalities can highlight the following good practices:

  • Background checks on vendors and/or subrecipients, run before award or distribution of funding, to confirm that neither the entity nor its principals appear on the federal government’s excluded parties list, by searching entities and individuals in the SAM.gov exclusions database;[1]
  • Due diligence of beneficiaries to ensure eligibility for the financial aid being provided;
  • Risk assessments on contractors, vendors and subrecipients to show they possess the necessary capacity and level of integrity to carry out the scope of services;
  • Self-certification requirements for vendors and/or subrecipients certifying that, among other things, they are not barred from receiving funds and are eligible, capable, and responsible in the management of federal funds; and
  • Regular proactive program audits to ensure compliance with established due diligence practices and procedures.

To demonstrate good record keeping practices in grant programs, municipalities can highlight documentation that demonstrates:

  • The decision-making process for providing grant funds, including the determination that the use of funds is eligible;
  • Grant agreements and subgrant agreements that set out the grant program requirements and terms and conditions, including the specific federal regulations applicable to the grant;
  • Project timelines, deliverables, milestones, and key performance indicators;
  • Detailed supporting documentation for invoices, proof of payment, and contracts;
  • Procurement methodologies, including compliance with the Uniform Guidance;
  • Risk assessments and supporting documentation for all subrecipients’ use of funds;
  • A description of the central platform used for electronic storage of all program documentation; and
  • Policy and procedure manuals relating to grant management, including procurement, payroll, and inventory control, as applicable.

Last Updated: March 1, 2023

[1] U.S. General Services Administration, “Exclusions,” available at: https://sam.gov/content/exclusions.

Program

COVID-19 Federal Assistance e311

Topics

Compliance & Reporting

Funding Source

American Rescue Plan Act, CARES Act, CSLFRF, FEMA, HUD, Infrastructure Investments and Jobs Act

Is it appropriate for a consultant or other entity who offered free grant application assistance to later be considered in a competitive bidding process? What steps should a municipality take to mitigate the risk or appearance of misconduct?

A consultant or other entity that provided free assistance with a grant application may be able to seek consideration in a later competitive bidding process. Whether and how such a consultant can be hired depend heavily on the type of grant in question and on the federal agency offering it.

The applicant must review the rules and regulations governing the grant, in particular the procurement standards of the Uniform Guidance, 2 CFR §200.318 – §200.327, when procuring services under a federal award.[1] Those standards include, but are not limited to, the following:

  • An applicant must have and use its own documented procurement procedures that comply with state and local laws and regulations and with Uniform Guidance §200.318 – §200.327.
  • An applicant must ensure the procurement is conducted in a manner providing full and open competition.
  • An applicant must maintain oversight to ensure that contractors perform in accordance with the terms, conditions, and specifications of their contracts or purchase orders.
  • An applicant must maintain written standards of conduct covering conflicts of interest and governing the actions of its employees engaged in the selection, award, and administration of contracts.

It is also important to consider and follow any relevant procurement and conflict of interest policies, both from the granting agency and the applicant. An applicant should also consult its legal department to ensure compliance with all established policies and procedures.

Last Updated: March 1, 2023

Program

COVID-19 Federal Assistance e311

Topics

Compliance & Reporting, Housing & Rental Assistance

Funding Source

CSLFRF

Is expenditure reporting guidance regarding housing expected to change given the new housing guidance?

There is no indication yet whether the Coronavirus State and Local Fiscal Recovery Funds (“CSLFRF”) expenditure categories will change for upcoming reports. CSLFRF recipients should nonetheless be prepared for, and watch for, newly issued guidance.

Treasury has not updated its list of expenditure categories since the Compliance and Reporting Guidance was revised ahead of the April 2022 reporting deadline to reflect the Final Rule. While Treasury has not said whether the expenditure categories will be updated again, municipalities should monitor Treasury guidance regularly in case they are.

Treasury has released updated User Guides prior to each reporting deadline, and the most recent User Guide, for the July 2022 reporting deadline, indicates that an updated User Guide should accompany the upcoming October 2022 deadline.[1] Any updates to expenditure categories could be released in an updated Compliance and Reporting Guidance document or an upcoming User Guide. Recipients should regularly consult Treasury’s CSLFRF Recipient Compliance and Reporting Responsibilities page for any updates.[2]

Currently, the primary expenditure category relating to Affordable Housing is 2.15 – Long-term Housing Security: Affordable Housing. Other related expenditure categories include 2.2 – Household Assistance: Rent, Mortgage, and Utility Aid; 2.16 – Long-term Housing Security: Services for Unhoused Persons; 2.17 – Housing Support: Housing Vouchers and Relocation Assistance for Disproportionately Impacted Communities; and 2.18 – Housing Support: Other Housing Assistance.[3]

For more information on using CSLFRF to support affordable housing, see Treasury’s July 2022 “Affordable Housing How-To Guide: How to Use State and Local Fiscal Recovery Funds For Affordable Housing Production and Preservation.”[4] Interested parties should confirm that the guidance remains current and should review the sources above for any updates over time.

Last Updated: March 1, 2023

[1] Department of Treasury, Coronavirus State and Local Fiscal Recovery Funds Project and Expenditure Report User Guide (as of July 8, 2022), Version 3.1, at 5, available at: https://home.treasury.gov/system/files/136/July-2022-PE-Report-User-Guide.pdf.

[3] Id., at 122.

[4] Department of Treasury, Affordable Housing How-To Guide: How to Use State and Local Fiscal Recovery Funds For Affordable Housing Production and Preservation, available at: https://home.treasury.gov/system/files/136/Affordable-Housing-How-To-Guide.pdf.

Program

COVID-19 Federal Assistance e311

Topics

Compliance & Reporting

Funding Source

CSLFRF

Is it permissible to report expenditures incurred by a sub-recipient prior to the award date? If so, how should "term-start date" be defined?

At present and subject to future modifications, the U.S. Department of the Treasury’s (“Treasury”) Coronavirus State and Local Fiscal Recovery Funds (“CSLFRF”) reporting portal does not allow recipients to enter subrecipient expenditures incurred prior to the Subaward Award Date. The “Expenditure Start Date,” as utilized in the CSLFRF reporting portal, must occur after the Subaward Award Date, or the system will reject the entry. Treasury defines the Expenditure Start Date as the “start date for the range of time when the expenditure(s) occurred.”[1] Additionally, Treasury defines the Subaward Award Date as the “date the Recipient obligated funds to a Subrecipient.”[2] These dates may not necessarily be the same date.

Last Updated: March 3, 2023

[1] SLFRF Project and Expenditure Reporting User Guide, at 95, available at: https://home.treasury.gov/system/files/136/July-2022-PE-Report-User-Guide.pdf.

[2] Id., at 98.

Program

COVID-19 Federal Assistance e311

Topics

Compliance & Reporting, Fund Planning & Allocation

Funding Source

CSLFRF

When reporting CSLFRF expenditures, how should municipalities approach small projects that do not meet the $10 million threshold?

The U.S. Department of the Treasury’s (“Treasury”) Portal for Recipient Reporting: State and Local Fiscal Recovery Funds[1] does not distinguish between small or large Coronavirus State and Local Fiscal Recovery Funds (“CSLFRF”) projects. Rather, after project and subaward information is entered into the system, recipients report expenditures under two categories: “Expenditures Greater than $50,000” and “Expenditures Less than $50,000.”[2]

The $10 million threshold applies only to capital expenditure and infrastructure projects whose cost exceeds $10 million. Projects below that threshold do not have to answer the additional programmatic compliance questions set out for such projects in Treasury’s Compliance and Reporting Guidance.[3] Project data must still be entered into the portal for every project, however, and other programmatic requirements may apply depending on the project’s expenditure category.

Recipients of CSLFRF report on the use of the funds on a quarterly or annual schedule that depends on the recipient’s type and allocation size, not on the size of individual projects.[4] Whatever the schedule, the municipality must report the following information for each project, including small ones:

  • The name of the project;
  • Project identification number;
  • Project expenditure category;
  • A brief description of the project;
  • The total cost of the project; and
  • The project’s status.[5]

In addition, the municipality must report subrecipient and contractor information for each project, including small ones, through which the funds were expended.[6]

Last Updated: March 3, 2023

[1] Department of Treasury, Treasury's Portal for Recipient Reporting: State and Local Fiscal Recovery Funds, (as of August 9, 2021), available at: SLFRF_Treasury-Portal-Recipient-Reporting-User-Guide.pdf.

[2] Department of Treasury, “Compliance and Reporting Guide (as of September 20, 2022),” at 22, available at: https://home.treasury.gov/system/files/136/SLFRF-Compliance-and-Reporting-Guidance.pdf.

[3] Id., at 31.

[4] Id., at 7.

[5] Id., at 19.

[6] Id., at 11.

Program

COVID-19 Federal Assistance e311

Topics

Federal Funding Streams, Fund Planning & Allocation

Funding Source

Infrastructure Investments and Jobs Act

What is the process for selecting which SLCGP projects and recipients (e.g., local governments and rural areas) will receive funds?

The Infrastructure Investment and Jobs Act (“IIJA”) established the State and Local Cybersecurity Grant Program (“SLCGP”) to award funds to eligible entities to mitigate cybersecurity risks.[1] The SLCGP defines “eligible entities” as states or territories.[2] The State Administrative Agency (“SAA”) of each state or territory is the only eligible applicant.[3] Local and tribal governments are eligible subapplicants under the SLCGP pursuant to the underlying regulations.[4]

SAAs are responsible for managing the grant application and award. They are required to establish a Cybersecurity Planning Committee and develop a Cybersecurity Plan that addresses priorities for the entire jurisdiction.[5] The SAA, working with the Cybersecurity Planning Committee, must ensure at least 80 percent of the funds awarded under the SLCGP are passed through to local entities. Additionally, at least 25 percent of the funds must be passed through to rural communities. These amounts may overlap.

Local governments, including federally recognized tribes, are eligible to receive funds as subapplicants from their SAA. Generally, Cybersecurity Planning Committees work collaboratively with local, rural, and tribal governments across the state or territory to identify projects that align with the state or territory’s Cybersecurity Plan. The state must determine where and how to distribute subawards, with the permission of applicable local governments if passing through items or services in lieu of funding.[6] The Federal Emergency Management Agency (“FEMA”) provides additional details on each State’s SAA on their State Administrative Agency Contacts page.[7]

While each SAA establishes program priorities specific to their jurisdiction, the following overarching SLCGP objectives and Fiscal Year 2022 priorities apply:

SLCGP Objectives

  • Implement cyber governance and planning;
  • Assess and evaluate systems and capabilities;
  • Mitigate prioritized issues; and
  • Build a cybersecurity workforce.[8]

SLCGP Fiscal Year 2022 Priorities

  • Establish a Cybersecurity Planning Committee;
  • Develop a state-wide Cybersecurity Plan or, where the recipient already has one, use the funds to implement or revise it;
  • Conduct assessment and evaluations as the basis for individual projects throughout the life of the program; and
  • Adopt key cybersecurity best practices.[9]

Last Updated: March 3, 2023

[1] FEMA, “Fiscal Year 2022 State and Local Cybersecurity Grant Program FAQs,” available at: https://www.fema.gov/fact-sheet/fiscal-year-2022-state-and-local-cybersecurity-grant-program-faqs.

[2] Id.

[3] Id.

[4] Id.

[5] Id.

[6] Id.

[7] FEMA, “State Administrative Agency (SAA) Contacts,” available at: https://www.fema.gov/grants/preparedness/about/state-administrative-agency-contacts.

[8] FEMA, “Fiscal Year 2022 State and Local Cybersecurity Grant Program Fact Sheet,” available at: https://www.fema.gov/fact-sheet/fiscal-year-2022-state-and-local-cybersecurity-grant-program-fact-sheet.

[9] FEMA, “NOFO Fiscal Year 2022 State and Local Cybersecurity Grant Program,” available at: https://www.fema.gov/fact-sheet/department-homeland-security-notice-funding-opportunity-fiscal-year-2022-state-and-local.

Program

COVID-19 Federal Assistance e311

Topics

Federal Funding Streams, Fund Planning & Allocation

Funding Source

FEMA, Infrastructure Investments and Jobs Act

How should local governments keep in contact with state agencies regarding Cybersecurity Plans and funding status related to SLCGP?

In the Infrastructure Investment and Jobs Act (“IIJA”), Congress established the State and Local Cybersecurity Grant Program (“SLCGP”) to “award grants to eligible entities to address cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, state, territory, local, or tribal governments.”[1] The SLCGP is administered jointly by the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Federal Emergency Management Agency (“FEMA”).[2]

Local governments are eligible as subapplicants to their State Administrative Agency (“SAA”) and must work with their state's or territory’s Cybersecurity Planning Committee to receive subawards.[3] Local governments are defined by the law as: a county; municipality; city; town; township; local public authority; school district; special district; intrastate district; council of governments (regardless of status as a nonprofit corporation under State law); regional or interstate government entity; agency or instrumentality of a local government; Indian tribe or authorized tribal organization; Native village in Alaska or Alaska Regional Native Corporation; rural community; unincorporated town or village; or other public entity.[4]

Local governments seeking information about Cybersecurity Plans and SLCGP funding status should contact their state or territory’s SAA point of contact, listed on FEMA’s State Administrative Agency (SAA) Contacts page.[5]

The SAA is responsible for managing grant applications and awards. Working with the Cybersecurity Planning Committee, the SAA must ensure that at least 80% of the federal funds awarded under the SLCGP are passed through to local entities. For this purpose, the SAA is considered to have received the funds when it accepts the award or 15 calendar days after it receives notice of the award, whichever comes first.[6] Cybersecurity Planning Committees must also work collaboratively across the state or territory to identify and prioritize individual projects that align with the state’s Cybersecurity Plan. It is up to the state, tribal, or territorial SAA to determine where and how to pass through funds; an SAA may pass through items or services in lieu of funding, with the permission of the applicable local governments.[7]

States and territories must submit Cybersecurity Plans for review and approval as part of their grant applications.[8] The Cybersecurity Plan should (1) establish high-level goals and finite objectives to reduce specific cybersecurity risks across the eligible entity, and (2) serve as the overarching framework for achieving the SLCGP goal, with grant-funded projects working to achieve outcomes. As part of an entity-wide approach, regional approaches should also be considered. In developing the Cybersecurity Plan, the Cybersecurity Planning Committee should consider the following:

  • Existing governance and planning documents and identification of any planning gaps that the Cybersecurity Plan should address;
  • Existing assessments and evaluations (e.g., reports, after-action reports) conducted by State, Local, Territorial, and Tribal governments within the entity and any planning gaps that require additional assessments and/or evaluations; and
  • Identification of potential SLCGP projects to address planning gaps and prioritize mitigation efforts.[9]

A complete list of requirements for the Cybersecurity Plan is available in Appendix C: Cybersecurity Plan of the Department of Homeland Security Notice of Funding Opportunity Fiscal Year 2022 State and Local Cybersecurity Grant Program.[10]

Last Updated: March 3, 2023

[1] Federal Emergency Management Agency, “Fiscal Year 2022 State and Local Cybersecurity Grant Program FAQs,” (as of September 16, 2022), available at: https://www.fema.gov/fact-sheet/fiscal-year-2022-state-and-local-cybersecurity-grant-program-faqs.

[2] Cybersecurity and Infrastructure Security Agency, “State and Local Cybersecurity Grant Program,” available on CISA’s CyberGrants page.

[3] Federal Emergency Management Agency, “Fiscal Year 2022 State and Local Cybersecurity Grant Program FAQs,” (as of September 16, 2022), available at: https://www.fema.gov/fact-sheet/fiscal-year-2022-state-and-local-cybersecurity-grant-program-faqs.

[4] Id.

[5] Federal Emergency Management Agency, “State Administrative Agency (SAA) Contacts,” (as of September 27, 2022), available at: https://www.fema.gov/grants/preparedness/about/state-administrative-agency-contacts.

[6] Federal Emergency Management Agency, “Fiscal Year 2022 State and Local Cybersecurity Grant Program FAQs,” (as of September 16, 2022), available at: https://www.fema.gov/fact-sheet/fiscal-year-2022-state-and-local-cybersecurity-grant-program-faqs.

[7] Id.

[8] Federal Emergency Management Agency, “Fiscal Year 2022 State and Local Cybersecurity Grant Program FAQs,” (as of September 16, 2022), available at: https://www.fema.gov/fact-sheet/fiscal-year-2022-state-and-local-cybersecurity-grant-program-faqs.

[9] Id.

[10] Department of Homeland Security, “Notice of Funding Opportunity Fiscal Year 2022 State and Local Cybersecurity Grant Program,” (as of September 16, 2022), available at: https://www.fema.gov/fact-sheet/department-homeland-security-notice-funding-opportunity-fiscal-year-2022-state-and-local.

Program

COVID-19 Federal Assistance e311

Topics

Federal Funding Streams, Fund Planning & Allocation

Funding Source

Infrastructure Investments and Jobs Act

What funding opportunities and resources other than the State and Local Cybersecurity Grant Program (SLCGP) can be used towards Cybersecurity projects?

Cybersecurity projects can draw on several kinds of funding (local, state or tribal, regional, federal, and private sector sources). Entities seeking funding for cybersecurity projects should become familiar with the sources available in their own jurisdictions at the state, tribal, regional, and local levels. In addition, they should consider the following federal funding sources outside the State and Local Cybersecurity Grant Program (“SLCGP”), including those authorized by the Infrastructure Investment and Jobs Act (“IIJA”).

The IIJA includes funding for new and existing cybersecurity programs that focus on strengthening cyber systems and defense against future attacks, some of which provide opportunities to state, local, tribal, and territorial entities, including but not limited to:

  • U.S. Department of Homeland Security Cybersecurity Programs
    • Cyber Response and Recovery Fund ($100 million)
    • Department of Homeland Security (DHS) Science and Technology Directorate ($157.5 million)
    • CISA Risk Management Operations ($35 million)
    • Office of National Cyber Director ($21 million)
  • U.S. Department of Energy Programs
    • Cybersecurity for the Energy Sector Research, Development, and Demonstration Program ($250 million)
    • Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program ($250 million)
    • Energy Sector Operational Support for Cyber Resilience Program ($50 million)

The IIJA also includes several programs across various federal agencies which, while not cybersecurity-specific, allow for investment in cybersecurity measures as an eligible use to support program objectives, including but not limited to:

  • U.S. Department of Commerce Programs
    • Broadband Equity, Access, and Deployment Program ($42.5 billion)
  • U.S. Department of Transportation Programs
    • Port Infrastructure Development Program ($2.25 billion)
  • U.S. Department of Energy Programs
    • State Energy Program ($500 million)
  • U.S. Environmental Protection Agency Programs
    • Clean Water State Revolving Fund ($11.7 billion)
    • Drinking Water State Revolving Fund ($11.7 billion)
  • Department of Homeland Security Programs
    • State Homeland Security Grant Program ($415 million)
    • Urban Areas Security Initiative ($615 million)
  • United States Department of Agriculture Programs
    • Cyber-Physical Systems Grant ($7 million)

In addition to the agencies and programs listed above, interested organizations may wish to contact the Cybersecurity and Infrastructure Security Agency (“CISA”), which offers a range of cybersecurity assessments at no cost to the requestor.[1] CISA assessments are provided on request and on a voluntary basis and can help any organization manage risk and strengthen its cybersecurity. Once an assessment has identified risks, interested parties should carefully review the eligibility parameters and policy guidelines of the programs listed above to determine which sources of funding are appropriate to pursue.

Last Updated: March 3, 2023

[1] CISA, “Cyber Resource Hub,” available at: https://www.cisa.gov/cyber-resource-hub.

Program

COVID-19 Federal Assistance e311

Topics

Compliance & Reporting, Due Diligence & Fraud Protection

Funding Source

American Rescue Plan Act, CARES Act, CSLFRF, FEMA, HUD, Infrastructure Investments and Jobs Act

Should a municipality consider conducting risk assessments as part of its audit strategy?

A municipality should consider conducting risk assessments as part of its audit strategy. Risk assessments can be used to evaluate the condition of a program and to comply with federal program requirements. A risk assessment of each subrecipient is required when a municipality receives federal funds and passes them on to subrecipients, that is, when it acts as a pass-through entity.[1] Risk assessments are likely not required when the municipality is itself a subrecipient of award funds.[2]

If a municipality is eligible for federal funding as a subrecipient, it should work with the pass-through entity to receive subawards. 2 CFR § 200.1 defines the term “pass-through entity” to include “a non-federal entity that provides a subaward to a subrecipient to carry out part of a [f]ederal program.”[3]

Municipalities and pass-through entities are encouraged to connect with each other and collaborate regarding compliance with program requirements.[4]

Conducting Risk Assessments

It is a good practice for municipalities receiving federal funding as subrecipients to conduct risk assessments so they are aware of their own risk for federal noncompliance ahead of the mandatory risk assessments awarding entities will conduct. Subrecipients that conduct such self-risk assessments may help facilitate a more comprehensive risk assessment by the awarding entity.

It is, however, a federal requirement to perform a risk assessment when the municipality is going to pass funds on to a subrecipient. 2 CFR § 200.332(b) requires every pass-through entity (the awarding entity) to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward before awarding federal funds to that subrecipient. The same subsection, 2 CFR § 200.332(b), lists factors a pass-through entity may consider in evaluating the level of risk of noncompliance:[5]

  • The subrecipient’s prior experience with the same or similar subawards
  • The results of previous audits including whether the subrecipient receives a Single Audit in accordance with 2 CFR §200.501 (b), and the extent to which the same or similar subaward has been audited as a major program
  • Whether the subrecipient has new personnel, or new or substantially changed systems
  • The extent and results of [f]ederal awarding agency monitoring (e.g., if the subrecipient also receives [f]ederal awards directly from a federal awarding agency).[6]

Monitoring and Auditing Programs Following Risk Assessments

A risk assessment breaks down each aspect of a program to identify high-risk areas for operational fraud. These operational fraud risk areas should be monitored and audited to ensure compliance with program requirements.[7] Once a risk assessment is completed, the project oversight team, including auditors, will be able to monitor and audit key areas of focus, including but not limited to:

  • Planning for the use of federal funds and compliance with federal regulations;
  • Financial, acquisition, and grant management policies and procedures;
  • Organizational leadership, capacity, and expertise;
  • Existing internal controls and any identified weaknesses;
  • Findings and recommendations from prior state or federal audits;
  • Program governance, administration, and oversight;
  • Subrecipient internal control weaknesses;
  • Barriers to tracking and reporting on the use and results of federal funding;
  • State and federal procurement requirements;
  • Potential conflicts of interest and ethics compliance;
  • Health and safety;
  • Information security and data protection; and
  • Due diligence.

Last Updated: March 3, 2023

[1] 2 CFR § 200.332(b).

[2] Department of Treasury, “Compliance and Reporting Guide (as of September 20, 2022),” at 11, available at: https://home.treasury.gov/system/files/136/SLFRF-Compliance-and-Reporting-Guidance.pdf.

[3] 2 CFR § 200.1.

[4] 2 CFR § 200.332(e).

[5] Id., at (b).

[6] 2 CFR § 200.332.

[7] U.S. Department of State, “Risk Analysis,” available at: https://www.state.gov/risk-analysis/.

Program

COVID-19 Federal Assistance e311

Topics

Federal Funding Streams, Fund Planning & Allocation

Funding Source

Infrastructure Investments and Jobs Act

What are the specific best practices that local governments should adopt within their Cybersecurity Plans for SLCGP?

When developing or updating Cybersecurity Plans for the State and Local Cybersecurity Grant Program (“SLCGP”),[1] local governments should review the plan requirements in the Notice of Funding Opportunity (“NOFO”)[2] and make sure they understand the required elements listed in its Appendix C.[3] Beyond these federal resources, local governments should consider the following non-exhaustive good practices for Cybersecurity Plan development. Cybersecurity Plans should:

  • Take a holistic approach to cybersecurity, integrating a diverse set of project types and focus areas, including planning, training, exercises, assessments, organization, equipment, and policy/legislation. The Plan should serve as an overarching framework that directs strategy for grant implementation.
  • Identify specific goals and objectives to guide the cybersecurity program and reduce cybersecurity risks. Plans should also be aligned with the SLCGP’s objectives of Governance and Planning, Assessment and Evaluation, Mitigation, and Workforce Development.
  • Include considerations for how the results of assessments and evaluations will be used to further strengthen cybersecurity and cyber resilience within the local government. In addition to accounting for the conduct of these assessments, local governments should identify next steps for addressing any identified gaps.
  • Address the entire local government, including any constituent jurisdictions, departments, and agencies. This scope should be clearly stated as part of the Plan.
  • Consider local governments’ existing plans, policies, pre-identified gaps, and pre-identified projects, all of which will help local governments develop their cybersecurity infrastructure.
  • Include engagement with the local government’s Chief Information Officer, Chief Information Security Officer, or equivalent. This individual has plan approval responsibilities and should be thoroughly read into the planning process, including opportunities to provide feedback at interim phases of development.
  • Include information about the local government’s Cybersecurity Planning Committee, including the organizations that make up the Committee, how it is structured, and its role in cybersecurity planning and response. If not already established, this Committee should be included in the planning process.

Last Updated: March 3, 2023

[1] Federal Emergency Management Agency, “Fiscal Year 2022 State and Local Cybersecurity Grant Program Fact Sheet,” available at: https://www.fema.gov/fact-sheet/fiscal-year-2022-state-and-local-cybersecurity-grant-program-fact-sheet.

[2] Department of Homeland Security, “Notice of Funding Opportunity Fiscal Year 2022 State and Local Cybersecurity Grant Program,” available at: https://www.fema.gov/fact-sheet/department-homeland-security-notice-funding-opportunity-fiscal-year-2022-state-and-local.

[3] Id.

Program

COVID-19 Federal Assistance e311

Topics

Federal Funding Streams, Fund Planning & Allocation, Program Administration

Funding Source

Infrastructure Investments and Jobs Act

What are short-term and long-term ways to minimize the likelihood of ransomware attacks?

As the frequency and impact of ransomware attacks increase over time, organizations should consider short- and long-term solutions to reduce the risk of ransomware attacks. In addition to complying with local, state, tribal, and federal reporting requirements and statutes related to cyber incidents, organizations should consider the following non-exhaustive good practices for minimizing the impact of ransomware events.

Short-Term:

  • Engage with information sharing organizations like the Multi-State Information Sharing and Analysis Center to support awareness around emerging trends and threat types.
  • Engage with local information sharing organizations, such as regional Fusion Centers.[1]
  • Regularly check for Cybersecurity & Infrastructure Security Agency (“CISA”) alerts and follow available CISA guidance, such as the Ransomware Guide.[2]
  • Create an inventory of cyber assets that identifies relevant security procedures and risks.
  • Regularly update and maintain software security procedures.
  • Implement email security procedures to limit phishing and spoofing attempts, and pair them with staff training on basic cyber hygiene and good practices.
  • Consider the impacts of ransomware events on third-party vendors and work with these entities to identify backups and formalize security procedures.
  • Implement multi-factor authentication on applicable platforms.

Long-Term:

  • Develop a cyber incident response plan to direct coordination during a ransomware incident or consider developing a ransomware annex to your cyber incident response plan identifying specific considerations for ransomware events.
  • Using assessments and evaluations, identify training needs for all staff, including technical staff, to help mitigate the human errors that lead to ransomware attacks.
  • Conduct vulnerability assessments and penetration testing to identify potential access points and necessary hardening measures.
  • Using assessments and evaluations, identify software gaps and create stronger defenses against common types of ransomware.
  • Align your organization with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and use the Ransomware Risk Management Profile[3] to gain an understanding of your organization’s readiness and capability gaps as they relate to ransomware events.

Last Updated: March 3, 2023


[1] Department of Homeland Security, “Fusion Centers,” available at: https://www.dhs.gov/fusion-centers

[2] Cybersecurity & Infrastructure Security Agency, “Ransomware Guide,” available at: https://www.cisa.gov/stopransomware/ransomware-guide

[3] National Institute of Standards and Technology, “Ransomware Risk Management: A Cybersecurity Framework Profile,” available at: https://csrc.nist.gov/publications/detail/nistir/8374/final

Program

COVID-19 Federal Assistance e311

Topics

Compliance & Reporting, Due Diligence & Fraud Protection

Funding Source

American Rescue Plan Act, CARES Act

How does PRAC work with municipalities prior to a program’s start to help ensure compliance with requirements for federal pandemic funding?

The Pandemic Response Accountability Committee (“PRAC”) website includes many resources that municipalities can reference when establishing and improving their compliance programs, including Inspectors General contact information, a complaint hotline for reporting fraud, and other tools.

PRAC was established by the Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”)[1] to promote transparency and coordinate oversight of pandemic relief funds. PRAC currently oversees over $5 trillion in federal funding, including:

  • CARES Act,
  • Paycheck Protection Program and Health Care Enhancement Act,
  • Families First Coronavirus Response Act,
  • Coronavirus Preparedness and Response Supplemental Appropriations Act, 2020,
  • Coronavirus Response and Relief Supplemental Appropriations Act, 2021, and
  • American Rescue Plan Act (“ARP”) of 2021.[2]

The committee is composed of 21 federal Offices of Inspector General.[3]

PRAC acts as a resource to municipalities and the public; the PRAC website includes a page called “State and Local Oversight Professionals: Connect with us.”[4] On this page, municipalities will find helpful resources such as:

  • A link to a reports library that contains over 200 COVID-19 related audit reports prepared by state and local oversight agencies that provide valuable lessons learned in connection with the use of COVID-19 federal grant funds;
  • A complaint hotline to report potential fraud, waste, abuse, or mismanagement of federal funding related to the pandemic response;
  • A list of Federal Inspectors General and their contact information;
  • An email address to communicate with PRAC if a municipality would like assistance coordinating with an investigative point of contact: prac-slhl@cigie.gov; and
  • An email address to communicate with PRAC if a municipality would like assistance coordinating oversight: pandemic.reports@cigie.gov.

The PRAC website also includes a “State & Local Information”[5] page that provides more tailored guidance per jurisdiction, including:

  • A link to COVID-19 related information for each U.S. state and Puerto Rico, including statistics on COVID-19 cases, available financial assistance, and vaccination and testing locations;
  • Tools and resources for state and local oversight professionals; for example, PRAC provided the “Agile Products Toolkit” to help oversight agencies address concerns of an increased risk of fraud and misuse given the amount of money and the speed with which COVID-19 funds were disbursed; and
  • Numerous links showing how state and local governments are spending grant funds; for example, PRAC highlighted how six local and state government agencies are using money to experiment with new pilot programs that tackle issues arising from the pandemic.

Municipalities can visit the PRAC homepage for more information on how PRAC can assist with program compliance.[6]

Last Updated: March 3, 2023

[1] Coronavirus Aid, Relief, and Economic Security Act (CARES Act), Pub. L. No. 116-136, 134 Stat. 281 (2020), available at: https://www.congress.gov/bill/116th-congress/house-bill/748/text

[2] Pandemic Response Accountability Committee, “Hotline,” available at: Hotline | Pandemic Oversight

[3] Pandemic Response Accountability Committee, “Our Committee Members,” available at: https://www.pandemicoversight.gov/about-us/our-committee-members.

[4] Pandemic Response Accountability Committee, “State and Local Oversight Professionals: Connect with us,” available at: https://www.pandemicoversight.gov/spotlight/prac-contacts-for-state-and-local.

[5] Pandemic Response Accountability Committee, “State and Local Information,” available at: https://www.pandemicoversight.gov/spotlight/state-local-information.

[6] Pandemic Response Accountability Committee, “Pandemic Oversight,” available at: https://www.pandemicoversight.gov/.