How should local governments keep in contact with state agencies regarding Cybersecurity Plans and funding status related to SLCGP?

In the Infrastructure Investment and Jobs Act (“IIJA”), Congress established The State and Local Cybersecurity Grant Program (“SLCGP”) to “award grants to eligible entities to address cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, state, territory, local, or tribal governments.”[1] The SLCGP will be administered through the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Federal Emergency Management Agency (“FEMA”).[2]

Local governments are eligible as subapplicants to their State Administrative Agency (“SAA”) and must work with their state's or territory’s Cybersecurity Planning Committee to receive subawards.[3] Local governments are defined by the law as: a county; municipality; city; town; township; local public authority; school district; special district; intrastate district; council of governments (regardless of status as a nonprofit corporation under State law); regional or interstate government entity; agency or instrumentality of a local government; Indian tribe or authorized tribal organization; Native village in Alaska or Alaska Regional Native Corporation; rural community; unincorporated town or village; or other public entity.[4]

Local governments seeking information regarding Cybersecurity Plans and funding status related to SLCGP should reference their state or territory’s SAA Point of Contact using this list.[5]

The SAA is responsible for managing grant applications and awards. Working with the Cybersecurity Planning Committee, the SAA must ensure that at least 80% of the federal funds awarded under the SLCGP are passed through to local entities. Receipt of funds occurs when the SAA accepts the award or 15 calendar days after the entity receives notice of the award, whichever comes first.[6] Cybersecurity Planning Committees must also work collaboratively across the state or territory to identify and prioritize individual projects that align with the state’s Cybersecurity Plan. It is up to the state, tribal, or territorial SAA to determine where and how to pass through funds. SAAs can pass through items or services in lieu of funding, with the permission of applicable local governments.[7]

States and territories must submit Cybersecurity Plans for review and approval as part of their grant applications.[8] The Cybersecurity Plan should (1) establish high-level goals and finite objectives to reduce specific cybersecurity risks across the eligible entity, and (2) serve as the overarching framework for achieving the SLCGP goal, with grant-funded projects working to achieve outcomes. As part of an entity-wide approach, regional approaches should also be considered. In developing the Cybersecurity Plan, the Cybersecurity Planning Committee should consider the following:

• Existing governance and planning documents and identification of any planning gaps that the Cybersecurity Plan should address;
• Existing assessments and evaluations (e.g., reports, after-action reports) conducted by State, Local, Territorial, and Tribal governments within the entity and any planning gaps that require additional assessments and/or evaluations; and
• Identification of potential SLCGP projects to address planning gaps and prioritize mitigation efforts.[9]

A complete list of requirements for the Cybersecurity Plan is available in Appendix C: Cybersecurity Plan of the Department of Homeland Security Notice of Funding Opportunity Fiscal Year 2022 State and Local Cybersecurity Grant Program.[10]

Last Updated: March 3, 2023