Program

COVID-19 Federal Assistance e311

Topics

Federal Funding Streams, Fund Planning & Allocation

Funding Source

Infrastructure Investment and Jobs Act

What is the process for selecting which SLCGP projects and recipients (e.g., local governments and rural areas) will receive funds?

The Infrastructure Investment and Jobs Act (“IIJA”) established the State and Local Cybersecurity Grant Program (“SLCGP”) to award funds to eligible entities to mitigate cybersecurity risks.[1] The SLCGP defines “eligible entities” as “states or territories.”[2] The State Administrative Agencies (“SAAs”) for these states and territories are the only eligible applicants.[3] Local and tribal governments are eligible subapplicants under the SLCGP pursuant to the underlying regulations.[4]

SAAs are responsible for managing the grant application and award. They are required to establish a Cybersecurity Planning Committee and develop a Cybersecurity Plan that addresses priorities for the entire jurisdiction.[5] The SAA, working with the Cybersecurity Planning Committee, must ensure at least 80 percent of the funds awarded under the SLCGP are passed through to local entities. Additionally, at least 25 percent of the funds must be passed through to rural communities. These amounts may overlap.

Local governments, including federally recognized tribes, are eligible to receive funds as subapplicants from their SAA. Generally, Cybersecurity Planning Committees work collaboratively with local, rural, and tribal governments across the state or territory to identify projects that align with the state or territory’s Cybersecurity Plan. The state must determine where and how to distribute subawards, with the permission of applicable local governments if passing through items or services in lieu of funding.[6] The Federal Emergency Management Agency (“FEMA”) provides additional details on each state’s SAA on its State Administrative Agency Contacts page.[7]

While each SAA establishes program priorities specific to its jurisdiction, the following overarching SLCGP objectives and Fiscal Year 2022 priorities apply:

SLCGP Objectives

  • Implement cyber governance and planning;
  • Assess and evaluate systems and capabilities;
  • Mitigate prioritized issues; and
  • Build a cybersecurity workforce.[8]

SLCGP Fiscal Year 2022 Priorities

  • Establish a Cybersecurity Planning Committee;
  • Develop a state-wide Cybersecurity Plan, unless the recipient already has a state-wide Cybersecurity Plan and uses the funds to implement or revise a state-wide Cybersecurity Plan;
  • Conduct assessments and evaluations as the basis for individual projects throughout the life of the program; and
  • Adopt key cybersecurity best practices.[9]

Last Updated: March 3, 2023

[1] FEMA, “Fiscal Year 2022 State and Local Cybersecurity Grant Program FAQs,” available at: https://www.fema.gov/fact-sheet/fiscal-year-2022-state-and-local-cybersecurity-grant-program-faqs.

[2] Id.

[3] Id.

[4] Id.

[5] Id.

[6] Id.

[7] FEMA, “State Administrative Agency (SAA) Contacts,” available at: https://www.fema.gov/grants/preparedness/about/state-administrative-agency-contacts.

[8] FEMA, “Fiscal Year 2022 State and Local Cybersecurity Grant Program Fact Sheet,” available at: https://www.fema.gov/fact-sheet/fiscal-year-2022-state-and-local-cybersecurity-grant-program-fact-sheet.

[9] FEMA, “NOFO Fiscal Year 2022 State and Local Cybersecurity Grant Program,” available at: https://www.fema.gov/fact-sheet/department-homeland-security-notice-funding-opportunity-fiscal-year-2022-state-and-local.