The goal of the State and Local Cybersecurity Grant Program (SLCGP) is to assist state, local and tribal governments with managing and reducing systemic cyber risk. This goal can be achieved over the course of the four years of SLCGP funding as applicants focus their Cybersecurity Plans, priorities, projects, and implementation toward addressing the SLCGP objectives. Once CISA confirms that a recipient has met their objective requirements for each fiscal year, the recipient moves to the next set of program objective(s).
FY23 State and Local Cybersecurity Grant Program:
Our nation faces unprecedented cybersecurity risks, including increasingly sophisticated adversaries, widespread vulnerabilities in commonly used hardware and software, and broad dependencies on networked technologies for the day-to-day operation of critical infrastructure. Cyber risk management is further complicated by the ability of malicious actors to operate remotely, linkages between cyber and physical systems, and the difficulty of reducing vulnerabilities.
Considering the risk and potential consequences of cyber incidents, strengthening the cybersecurity practices and resilience of state, local and territorial (SLT) governments is an important homeland security mission and the primary focus of SLCGP. Through funding from the Infrastructure Investment and Jobs Act, referred to as the Bipartisan Infrastructure Law (BIL) throughout this document, the SLCGP enables DHS to make targeted cybersecurity investments in SLT government agencies, thus improving the security of critical infrastructure and improving the resilience of the services SLT governments provide their communities.
The Fiscal Year (FY) 2023 SLCGP aligns with the National Cybersecurity Strategy by addressing three of the five pillars:
- Pillar One – Defend Critical Infrastructure,
- Pillar Two – Disrupt and Dismantle Threat Actors, and
- Pillar Four – Invest in a Resilient Future.
The FY 2023 SLCGP also addresses the 2020-2024 DHS Strategic Plan (https://www.dhs.gov/publication/department-homeland-securitys-strategic-plan-fiscal-years-2020-2024) by helping DHS achieve Goal 3: Secure Cyberspace and Critical Infrastructure.
During FY 2022, applicants focused on Program Objective 1: Develop and establish appropriate governance structures, including by developing, implementing, or revising Cybersecurity Plans, to improve capabilities to respond to cybersecurity incidents, and ensure continuity of operations.
In FY 2023, applicants are required to focus on addressing the following program objectives in their applications:
- Objective 2: Understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments.
- Objective 3: Implement security protections commensurate with risk.
- Objective 4: Ensure organization personnel are appropriately trained in cybersecurity, commensurate with responsibility.
For FY 2023, there are no new Cybersecurity Planning Committee and Cybersecurity Plan requirements. CISA considers the plans as living documents that states and territories may update and resubmit, if desired.
Cybersecurity Best Practices for Individual Projects:
- Implement multi-factor authentication
- Implement enhanced logging
- Data encryption for data at rest and in transit
- End use of unsupported/end of life software and hardware that are accessible from the internet
- Prohibit use of known/fixed/default passwords and credentials
- Ensure the ability to reconstitute systems (backups)
- Actively engage in bidirectional sharing between CISA and SLT entities in cyber relevant time frames to drive down cyber risk
- Migration to the .gov internet domain
FY22 State and Local Cybersecurity Grant Program:
Funding from the State and Local Cybersecurity Grant Program (SLCGP) helps eligible entities address cybersecurity risks and threats to information systems owned or operated by—or on behalf of—state, local and territorial (SLT) governments. The Homeland Security Act of 2002, as amended by the Bipartisan Infrastructure Law, requires grant recipients to develop a Cybersecurity Plan, establish a Cybersecurity Planning Committee to support development of the Plan, and identify projects to implement utilizing SLCGP funding. To support these efforts, recipients are highly encouraged to prioritize the following activities, all of which are statutorily required as a condition of receiving a grant:
- Developing the Cybersecurity Plan;
- Implementing or revising the Cybersecurity Plan;
- Paying expenses directly relating to the administration of the grant, which cannot exceed 5% of the amount of the grant award;
- Assisting with allowed activities that address imminent cybersecurity threats confirmed by DHS; and
- Other appropriate activities as noted in the funding notice.
Cybersecurity Planning Committee:
The Planning Committee is responsible for developing, implementing, and revising Cybersecurity Plans (including individual projects); formally approving the Cybersecurity Plan (along with the chief information officer, chief information security officer or an equivalent official); and assisting with determination of effective funding priorities (i.e., work with entities within the eligible entity's jurisdiction to identify and prioritize individual projects). To support these responsibilities, the Planning Committee must include the following entities:
- The eligible entity (i.e., state or territory);
- County, city, and town representation (if the eligible entity is a state);
- Institutions of public education within the eligible entity's jurisdiction;
- Institutions of public health within the eligible entity's jurisdiction; and
- As appropriate, representatives from rural, suburban, and high-population jurisdictions.
Funds may be used to hire personnel; however, the applicant must address in their application how these functions will be sustained when the funds are no longer available.
Cybersecurity planning committees in states, territories, and tribes must explain how they will address 16 cybersecurity elements. These elements include:
- How the applicant will manage, monitor, and track information systems, applications, and user accounts they own or operate.
- How the applicant will monitor, audit, and track network activity traveling to and from information systems, applications, and user accounts.
- How the applicant will enhance the preparation, response, and resiliency of information systems, applications, and user accounts against cybersecurity threats.
- How the applicant will implement continuous vulnerability assessments and threat mitigation to address cybersecurity threats to information systems, applications, and user accounts.
An eligible entity that receives a grant under this program and a local government that receives funds from a grant under this program must use the grant to:
- implement the Cybersecurity Plan of the eligible entity;
- develop or revise the Cybersecurity Plan of the eligible entity;
- pay expenses directly relating to the administration of the grant, which shall not exceed 5 percent of the amount of the grant;
- assist with activities that address imminent cybersecurity threats, as confirmed by the Secretary of Homeland Security, acting through the National Cyber Director, to the information systems owned or operated by, or on behalf of, the eligible entity or a local government within the jurisdiction of the eligible entity; and
- fund any other appropriate activity determined by the Secretary of Homeland Security, acting through the National Cyber Director.
Any entity that receives funds from a grant under this program may not use the grant: