What are best practices for local governments (particularly rural communities), to consider so that they have a greater chance of receiving SLCGP funding from state leadership?

The State and Local Cybersecurity Grant Program ("SLCGP") is a grant program established by the Infrastructure Investment and Jobs Act ("IIJA") to help state, local, territorial, and tribal ("SLTT") governments effectively manage and reduce systemic cyber risk.[1]

The Department of Homeland Security ("DHS") is responsible for implementing the SLCGP grant program through the Cybersecurity and Infrastructure Security Agency ("CISA") and the Federal Emergency Management Agency ("FEMA").[2] The implementation of the SLCGP will occur over the period of performance of 48 months spanning from September 1, 2022, to August 31, 2026.[3]

For fiscal year 2022, $185 million was appropriated by Congress.[4] State-by-state SLCGP allocations can be found on pages 10 through 13 of the notice of funding opportunity ("NOFO").[5] As to SLCGP, CISA provides the following:

The established SAA for states and territories will be the only entities that can apply for grant awards under the SLCGP. Local entities receive sub-awards through states. The legislation requires states to distribute at least 80% of funds to local governments, with a minimum of 25% of the allocated funds distributed to rural areas.[6]

Rural local governments will receive a guaranteed minimum of 25% of the 80% allocated funds.[7] A rural area is an "area encompassing a population of less than 50,000 people that has not been designated in the most recent decennial census as an "urbanized area" by the Secretary of Commerce."[8]

It is vital to note that DHS will implement the SLCGP through collaboration with CISA and FEMA.[9] CISA will operate as the subject-matter expert regarding cybersecurity related issues, whereas FEMA will function in a grant administration and oversight function regarding appropriated funds.[10] This includes SLCGP award, allocation disbursement to eligible entities, and overarching financial management funding implementation oversight.[11]

The State Administrative Agency (“SAA”) is the only entity eligible to apply for and submit the application for the Homeland Security Grant Program (“HSGP”) and its component programs.[12]

Please refer here for a complete listing of each state's respective SAA point of contact.[13]

Good Practices

Listed below is a non-exhaustive survey of good practices local governments and rural communities can consider creating successful outcomes and increase their awareness of the SLCGP and their state's respective efforts regarding this grant program.

First, Rural communities can take preemptive steps to be ready to act on the SLCGP funds that pass through to them. These steps could include, among others:

1. Increasing staff capacity for SLCGP implementation and being prepared to act on their respective state's Cybersecurity Plan
2. Ensuring adequate internal controls are in place for the smooth facilitation of federal funds
3. Assembling a grant team and ensuring all individuals know their respective roles in supporting the grant
4. Including staff with prior grant management experience on the designated SLCGP grant management team
5. Regularly review the grant agreement to ensure all requirements are being met
6. Account for indirect costs and follow the appropriate steps for their negotiated indirect cost rate agreement with the cognizant agency or contact FEMA if they do not have a current negotiated indirect cost rate and wish to charge the de minimis rate.[14]

Second Rural communities are encouraged to review their state's overarching Cybersecurity Plan as CISA notes that:

Local governments will be part of the eligible entity's Cybersecurity Plan. These plans are meant to guide development of cybersecurity capabilities across the state or territory. The plans are not meant to be agency specific.[15]

With local governments reviewing their state's respective Cybersecurity Plan per the above, the aim is for these local governments to obtain a better awareness of how their state is planning to execute its cybersecurity and, consequently, SLCGP projects as well as better understand how their SAA will be coordinating and engaging with said local governments.

Each state's SAA will be responsible for “managing the grant application and award,” and as such, rural communities need to communicate closely with their SAAs regarding the grant funding pass-through process.[16] Local governments and rural communities are considered subapplicants to their respective SAAs, and thus must work with their state's Cybersecurity Planning Committee to receive subawards.[17]

Rural communities are encouraged to work closely with the state's Cybersecurity Planning Committee(s).[18] It is ultimately up to the state to determine, with the permission of the relevant local governments, where and how to pass-through funds if passing through items or services in lieu of funding.[19]

There are several aspects of the SLCGP that State SAAs must ensure rural communities are aware of. States' adherence to these elements will promote the smooth facilitation of this grant program. The various elements are as follows:

• Establishment of and composition of the Planning Committee;
• Cybersecurity Plan(s) or request for exception;
• Proposed projects that are consistent with the Cybersecurity Plan(s), or will be consistent with the Cybersecurity Plan if requesting a grant to develop a Plan, and SLCGP program objectives and requirements;
• Proposed projects are feasible and effective as reducing the risks the project was designed to address; and
• Proposed projects will be completed within the period of performance.[20]

All local government information technology directors or chief information officers should coordinate with their respective state SAA as quickly as possible regarding the next steps for their state's plans for applying for the SLCGP.[21]

Resources

For further applicable grant information and resources regarding the SLCGP, please reference the following:

1. SAA Contacts are located here.[22]
2. DHS Notice of Funding Opportunity Fiscal Year 2022 State and Local Cybersecurity Grant Program is located here.[23]
3. CISA SLCGP Grant Program is located here.[24]
4. FEMA Fiscal Year 2022 SLCGP Fact Sheet is located here.[25]
5. CISA SLCGP Frequently Asked Questions are located here.[26]

Last Updated: March 9, 2023