Program

COVID-19 Federal Assistance e311

Topics

Federal Funding Streams, Fund Planning & Allocation

Funding Source

FEMA

Can a city’s partial or existing cybersecurity plan be integrated into the cybersecurity plan required of eligible entities under the State and Local Cybersecurity Grant Program?

Yes, a city’s partial or existing cybersecurity plan can be integrated into the cybersecurity plan eligible entities are required to submit under the State and Local Cybersecurity Grant Program (“SLCGP”). The SLCGP defines the term “eligible entity” to include “states or tribal governments”.[1]

To receive funding under SLCGP, eligible entities, such as states or territories, must submit a cybersecurity plan that includes certain required elements, as outlined 6 U.S.C. § 665g. [2] These required elements incorporate the development of cybersecurity capabilities across the state or territory and are not specific to local governments.[3]  However, if the eligible entity is a state, input and feedback from local governments and associations of local governments should be incorporated.[4]

Cities are only eligible for SLCGP funding as subapplicants and should work with the eligible entity’s Cybersecurity Planning Committee to receive subawards.[5] Accordingly, cities are not required, under the SLCGP, to integrate their partial or existing cybersecurity plans into the eligible entity’s final cybersecurity plan but may do so.   

Though not required, cities and eligible entities are encouraged to connect and collaborate regarding the integration of partial or existing cybersecurity plans into the eligible entities’ required plans.

The Department of Homeland Security recommends that eligible entities take the following steps in crafting their SLCGP cybersecurity plans:

  • review existing governance and planning documents;
  • review existing assessments and evaluations (e.g., reports, after action reports) conducted by state, local, tribal, and territory governments;  
  • identify any governance, planning, assessment, or evaluation gaps that should be addressed by the cybersecurity plan; and
  • identify potential SLCGP projects to address identified gaps and prioritize mitigation efforts.[6]

Like eligible entities under SLCGP, cities are also encouraged to review the above guidance from the Department of Homeland Security as they craft and/or update their own cybersecurity plans. 

Last Updated: November 9, 2022

 

[1] 6 U.S. Code § 665g(a)(4).

[2] Id at Section 665g (e)(2).

[3] FEMA, “Fiscal Year 2022 State and Local Cybersecurity Grant Program FAQs,” available at: https://www.fema.gov/fact-sheet/fiscal-year-2022-state-and-local-cybersecurity-grant-program-faqs.

[4] 6 U.S. Code § 665g(e)(2)(A)(ii).

[5] FEMA, “Fiscal Year 2022 State and Local Cybersecurity Grant Program FAQs,” available at: https://www.fema.gov/fact-sheet/fiscal-year-2022-state-and-local-cybersecurity-grant-program-faqs.

[6] FEMA, The Department of Homeland Security Notice of Funding Opportunity Fiscal Year 2022 State and Local Cybersecurity Grant Program, at Appendix C, available at: https://www.fema.gov/fact-sheet/department-homeland-security-notice-funding-opportunity-fiscal-year-2022-state-and-local.