DHS to Boost State and Local Cybersecurity Programs with $1 Billion in Grant Funding

The SLCGP was established in 2021 as part of the Infrastructure Investment and Jobs Act (IIJA). Under the provisions of the IIJA, the program provides $1 billion in funding to state, local, tribal and territorial (SLTT) partners over four years, with $185 million available for FY 2022, to support SLTT efforts to address cyber risk to their information systems. SLTT governments can utilize this funding to ensure they are well-equipped to address cybersecurity risks, strengthen the cybersecurity of their critical infrastructure, and ensure resilience against persistent cyber threats to the services SLTT governments provide their communities.

Only state and territorial governments are eligible as direct grant recipients through this Notice. However, states and territories are required to pass on 80 percent of all funds they receive to units of local government. Additionally, 25 percent of allocated funds must be distributed to rural areas. The funds made available to states through the SLCGP will be distributed by a state or territorial agency designated by each respective governor. Formula funding allocations for each state for FY 2022 have already been determined by FEMA through the combination of a baseline minimum for each state or territory adjusted for population.

A key element of many projects funded in FY 2022 will likely be cybersecurity planning. Per the Notice, states must have a Cybersecurity Plan and a Cybersecurity Planning Committee to receive funds. A Cybersecurity Plan is described by the Notice as a statewide planning document approved by the Cybersecurity Planning Committee that will describe plans to protect against cyber threats, the individual responsibilities of state and local governments to implement cybersecurity best practices, the timeline for implementing the plans, and measures of progress and effectiveness of protections. The Cybersecurity Planning Committees must be made up of state, local, educational and public health experts with professional backgrounds in cybersecurity.

Applications for funding will be accepted until November 15, 2022. Once a state or territory is awarded funding, they will have 45 days after accepting their grant to pass awards along to local communities. The expected performance period for these grants is September 1, 2023, to September 31, 2026.

As cyberattacks become ever more prevalent, the funding in the SLCGP will be crucial to bolster protections to state and local systems and upgrading legacy technologies to be more resilient against cyber threats. The historic funding in the SLCGP and TCGP will provide opportunities for states and localities to enhance their cybersecurity programs with new technologies to protect their citizens. It will be crucial for those local governments and members of the cybersecurity industry poised to take advantage of these new programs to have a thorough understanding of the grant application process, state administrative procedures, cybersecurity planning process, and other related points. Members of the cybersecurity industry that can provide capabilities to states and localities to improve their cybersecurity posture will want to engage with state administrative agencies and local government stakeholders sooner rather than later to capitalize on the funding opportunities presented by this federal investment. Pillsbury’s top-rated cybersecurity, public policy, and state and local government strategies teams are working together with stakeholders and federal agency contacts to prepare for these historic investments.