The goal of the State and Local Cybersecurity Grant Program (SLCGP) is to assist state, local and tribal governments with managing and reducing systemic cyber risk. This goal can be achieved over the course of the four years of SLCGP funding as applicants focus their Cybersecurity Plans, priorities, projects, and implementation toward addressing the SLCGP objectives. Once CISA confirms that a recipient has met their objective requirements for each fiscal year, the recipient moves to the next set of program objective(s).
FY23 State and Local Cybersecurity Grant Program:
Our nation faces unprecedented cybersecurity risks, including increasingly sophisticated adversaries, widespread vulnerabilities in commonly used hardware and software, and broad dependencies on networked technologies for the day-to-day operation of critical infrastructure. Cyber risk management is further complicated by the ability of malicious actors to operate remotely, linkages between cyber and physical systems, and the difficulty of reducing vulnerabilities.
Considering the risk and potential consequences of cyber incidents, strengthening the cybersecurity practices and resilience of state, local and territorial (SLT) governments is an important homeland security mission and the primary focus of SLCGP. Through funding from the Infrastructure Investment and Jobs Act, referred to as the Bipartisan Infrastructure Law (BIL) throughout this document, the SLCGP enables DHS to make targeted cybersecurity investments in SLT government agencies, thus improving the security of critical infrastructure and the resilience of the services SLT governments provide their communities.
The Fiscal Year (FY) 2023 SLCGP aligns with the National Cybersecurity Strategy by addressing three of the five pillars:
- Pillar One – Defend Critical Infrastructure,
- Pillar Two – Disrupt and Dismantle Threat Actors, and
- Pillar Four – Invest in a Resilient Future.
The FY 2023 SLCGP also addresses the 2020-2024 DHS Strategic Plan (https://www.dhs.gov/publication/department-homeland-securitys-strategic-plan-fiscal-years-2020-2024) by helping DHS achieve Goal 3: Secure Cyberspace and Critical Infrastructure.
During FY 2022, applicants focused on Program Objective 1: Develop and establish appropriate governance structures, including by developing, implementing, or revising Cybersecurity Plans, to improve capabilities to respond to cybersecurity incidents, and ensure continuity of operations.
In FY 2023, applicants are required to focus on addressing the following program objectives in their applications:
- Objective 2: Understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments.
- Objective 3: Implement security protections commensurate with risk.
- Objective 4: Ensure organization personnel are appropriately trained in cybersecurity, commensurate with responsibility.
For FY 2023, there are no new Cybersecurity Planning Committee and Cybersecurity Plan requirements. CISA considers the plans as living documents that states and territories may update and resubmit, if desired.
Cybersecurity Best Practices for Individual Projects:
- Implement multi-factor authentication
- Implement enhanced logging
- Data encryption for data at rest and in transit
- End use of unsupported/end of life software and hardware that are accessible from the internet
- Prohibit use of known/fixed/default passwords and credentials
- Ensure the ability to reconstitute systems (backups)
- Actively engage in bidirectional sharing between CISA and SLT entities in cyber relevant time frames to drive down cyber risk
- Migration to the .gov internet domain
FY22 State and Local Cybersecurity Grant Program:
Funding from the State and Local Cybersecurity Grant Program (SLCGP) helps eligible entities address cybersecurity risks and threats to information systems owned or operated by—or on behalf of—state, local and territorial (SLT) governments. The Homeland Security Act of 2002, as amended by the Bipartisan Infrastructure Law, requires grant recipients to develop a Cybersecurity Plan, establish a Cybersecurity Planning Committee to support development of the Plan, and identify projects to implement using SLCGP funding. To support these efforts, recipients are highly encouraged to prioritize the following activities, all of which are statutorily required as a condition of receiving a grant:
- Developing the Cybersecurity Plan;
- Implementing or revising the Cybersecurity Plan;
- Paying expenses directly relating to the administration of the grant, which cannot exceed 5% of the amount of the grant award;
- Assisting with allowed activities that address imminent cybersecurity threats confirmed by DHS; and
- Other appropriate activities as noted in the funding notice.
Funds may be used to hire personnel; however, the applicant must address in their application how these functions will be sustained when the funds are no longer available.
Any entity that receives funds from a grant under this program may not use the grant: