Program

COVID-19 Federal Assistance e311

Topics

Federal Funding Streams, Fund Planning & Allocation

Funding Source

Infrastructure Investments and Jobs Act

What are the specific best practices that local governments should adopt within their Cybersecurity Plans for SLCGP?

When developing or updating Cybersecurity Plans for the State and Local Cybersecurity Grant Program (“SLCGP”),[1] local governments should review the plan requirements in the Notice of Funding Opportunity (“NOFO”)[2] and ensure they understand the required elements of these plans as listed in Appendix C.[3] Beyond these federal-level resources, local governments should consider the following non-exhaustive good practices for Cybersecurity Plan development. Cybersecurity Plans should:

  • Take a holistic approach to cybersecurity, integrating a diverse set of project types and focus areas, including planning, training, exercises, assessments, organization, equipment, and policy/legislation. The Plan should serve as an overarching framework that directs strategy for grant implementation.
  • Identify specific goals and objectives to guide the cybersecurity program and reduce cybersecurity risks. Plans should also be aligned with the SLCGP’s objectives of Governance and Planning, Assessment and Evaluation, Mitigation, and Workforce Development.
  • Include considerations for how the results of assessments and evaluations will be used to further strengthen cybersecurity and cyber resilience within the local government. In addition to accounting for the conduct of these assessments, local governments should identify next steps for addressing any identified gaps.
  • Address the entire local government, including any constituent jurisdictions, departments, and agencies. This scope should be clearly stated as part of the Plan.
  • Consider local governments’ existing plans, policies, pre-identified gaps, and pre-identified projects, all of which will help local governments develop their cybersecurity infrastructure.
  • Include engagement with the local government’s Chief Information Officer, Chief Information Security Officer, or equivalent. This individual should be thoroughly read into the planning process, including opportunities to provide feedback at interim phases of development, as they have plan approval responsibilities.
  • Include information about the local government’s Cybersecurity Planning Committee, including the organizations that make up the Committee, how it is structured, and its role in cybersecurity planning and response. If not already established, this Committee should be included in the planning process.

Last Updated: March 3, 2023

[1] Federal Emergency Management Agency, FY 2022 State and Local Cybersecurity Grant Program Fact Sheet, available at: Fiscal Year 2022 State and Local Cybersecurity Grant Program Fact Sheet | FEMA.gov

[2] The Department of Homeland Security Notice of Funding Opportunity FY 2022 State and Local Cybersecurity Grant Program, available at: https://www.fema.gov/fact-sheet/department-homeland-security-notice-funding-opportunity-fiscal-year-2022-state-and-local

[3] Id.