As our nation works towards a common goal of strengthening its critical infrastructure by deploying advanced cybersecurity, federal grants are one of the sources available to state and local governments, Tribal nations, and electric utilities to fund their planning and deployment priorities. In 2022, the federal government (Department of Homeland Security) provided $1 billion in cybersecurity grants to state and local governments (and territories) through the State and Local Cybersecurity Grant Program (SLCGP). SLCGP funds cybersecurity planning, training, and mitigation initiatives, such as implementing security technologies, hiring cybersecurity professionals, and conducting vulnerability assessments. The first round of SLCGP allocations to states in FY 2022, $185 million, has been distributed and states are authorized to spend. Congress also appropriated $400 million for FY 23, $300 million for FY 2024, and $100 million for FY 2025. The deadline for States to apply for FY 23 grant is October 6, 2023. A total of $374,981,324 is available for FY23 to 56 states and territories.
Use of funds
Software, service, and equipment costs are allowable if intended to be used to address cybersecurity risks and threats. States may spend their portion of the funds on ransomware protections, data backups, basic cybersecurity protections, risk management frameworks as well as training and awareness. In addition to eligible equipment costs, funds may be used to purchase maintenance contracts or agreements, warranty coverage, licenses, and user fees in support of a system or equipment.
All of the 56 states and territories are eligible for the program though Florida did not participate in FY 23. States are required to pass down 80% of total funding to local and tribal governments which will then apply directly to their state’s Cybersecurity Planning Committee for funding.
Cybersecurity projects included
- Implementing multi-factor authentication (MFA)
- Implementing enhanced logging
- Data encryption for data at rest and in transit
- End use of unsupported/end-of-life software and hardware that are accessible from the internet
- Prohibiting the use of known/fixed/default passwords and credentials
- Ensuring the ability to reconstitute systems (backups).
A Cybersecurity Risk Assessment is a prerequisite for a SLCGP grant because risk assessment remediation priorities are addressed in each entity’s grant application. The Cybersecurity and Infrastructure Security Agency (CISA) provides risk assessment tools and services at no cost and without commitment to sharing outcomes.
In addition to the above funding, The Tribal Cybersecurity Grant Program (TCGP) is a separate $30 million grant for Tribal nations. Under TCGP, federally recognized Tribal nations are the only eligible entities and do not apply for funding through states. Details and application dates have not yet been announced by the Department of Homeland Security.
How will federal funds allocated to states be distributed to local governments and Tribal Nations?
SLCGP grants are funded from the Department of Homeland Security directly to State Administrative Agencies (SAAs), which are often the agencies responsible for emergency services and information technology. SAAs are the decision-makers on how 80% of the grants will be subgranted to local and rural governments. States may subgrant to local governments both cybersecurity products and services provided by or procured through the state.
State cybersecurity planning, advisory groups, and advisory meetings
Every state applicant of SLGCP funds is required to develop a statewide plan and a statewide advisory group. The advisory groups will also be influential in the selection of products and services procured by state and local governments.
Although much of the cybersecurity funding conversation is happening at the federal and state level, local government and Tribal nation information security leaders are also creating and implementing cybersecurity plans and convening official and advisory meetings.
Grants for rural and municipal electric utilities cybersecurity
Cisco customers will soon be apply and compete for $250 million in funding from the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program (RMUC). This funding is over five years to help utilities improve incident response, enhance their workforce cybersecurity skills, and strengthen their systems, assets, and processes. The RMUC Program will offer technical and financial support to help municipal and rural utilities enhance operational capabilities, deploy cyber platforms, and increase their access to cybersecurity support services. The Department of Energy completed the Request for Information process and a Notice of Funding Opportunity is forthcoming at a date to be announced.
Time to engage
Year one of four years of grants for cybersecurity planning and mitigation is already in the hands of states and will be subgranted to local governments, including rural local governments and Tribal nations. So they’re already busy preparing or competing for grants for planning, training, deployment, and operations. FY 2023 grant applications from states and territories are due October 6, 2023.
That’s why now is the time to act. Our public funding team at Cisco is here to help state, local, and Tribal Nation governments understand their pain points and their plans. We encourage you to become an active part of the outcome conversation and engage your Cisco Public Funding Advisor for support. The application process can be cumbersome, but we at the Cisco Public Funding Office are glad to help.