The Department of Homeland Security (DHS) this week announced that approximately $280 million in fiscal year (FY) 2024 grants is available for the State and Local Cybersecurity Grant Program (SLCGP). DHS implements the SLCGP through the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA). While CISA provides expertise and guidance on cybersecurity issues, FEMA manages the grant award and distribution process. Award recipients can use funding for a variety of cybersecurity improvements and capabilities, including cybersecurity planning and execution, hiring cyber talent, and improving critical services.
Now in its third year, the SLCGP provides funding to state, local, and territorial (SLT) governments to reduce cyber risk and build resilience to evolving cybersecurity threats. Established as part of the State and Local Cybersecurity Improvement Act and the Bipartisan Infrastructure Act, the SLCGP is a four-year project, with approximately $1 billion in funding, to help SLT governments develop capabilities to detect, protect against, and respond to cyber threats.
The program is designed to put funds where they are needed most: in the hands of local organizations. States and territories use their State Administrative Agencies (SAAs) to receive SLCGP funds from the federal government and distribute those funds to local governments based on state laws and procedures. This is the same way funds are distributed to local governments in the Homeland Security Grants program administered by FEMA.
“In today’s threat environment, any community can face sophisticated cyberattacks against critical systems such as hospitals, schools, and power grids,” Department of Homeland Security Secretary Alejandro N. Mayorkas said in a media statement. There are so many things that we actually face.” “The Department of Homeland Security State and Local Cybersecurity Grant Program provides key intergovernmental partners with the tools and support they need to increase resiliency and improve the safety of critical infrastructure.”
He continued, “Our message to communities everywhere is simple: Don’t underestimate the power or ruthlessness of nefarious cyber attackers. Through initiatives like state and local cybersecurity grant programs, together we can fight these threats.”
“These cyber grants are investments in the security of our nation’s infrastructure and will help ensure communities across the country have the tools they need to defend against cyberattacks,” said CISA Director Jen Easterly. “CISA is proud to offer the SLCGP to help governments lay a solid foundation for building sustainable and resilient cybersecurity programs for the future.”
“FEMA is committed to helping our partners address and withstand cybersecurity threats to both their infrastructure and systems,” said FEMA Administrator Deanne Criswell. “Thanks to funding from the Biden-Harris Administration, state, local, tribal, and territorial governments will be able to strengthen their ability to protect themselves from evolving cyber threats.”
DHS issued the SLCGP Notice of Funding Opportunity (NOFO) this month. The NOFO contains all requirements and details, including information on state and territory funding eligibility. SAAs established for states and territories will be the only entities that can apply for grants under the SLCGP, with local entities receiving sub-grants through the states. The law requires states to allocate at least 80 percent of their funds to local governments and a minimum of 25 percent of allocated funds to localities.
Applicants must address at least one of the following program objectives in their application. The first objective is to develop and establish appropriate governance structures, including developing, implementing, and revising cybersecurity plans, to improve the ability to respond to cybersecurity incidents and ensure business continuity. The second objective focuses on understanding the current cybersecurity posture and areas for improvement, based on continuous testing, evaluation, and structured assessment.
The third objective is to implement security protections that are commensurate with the risks. The fourth objective is to ensure that organization personnel have appropriate cybersecurity training commensurate with their responsibilities.
Applicants will also be required to carry out an assessment and evaluation on the basis of their individual projects throughout the duration of the program. This requirement is intended to help eligible entities understand their current cybersecurity posture and areas for improvement.
As states, territories, and local governments increase their cybersecurity maturity, CISA recommends moving toward adopting more advanced best practices. Several cybersecurity best practices are provided in the NOFO to assist SLT entities in developing and revising their cybersecurity plans. These include implementing multi-factor authentication; enabling enhanced logging; encrypting data at rest and in transit; and ending the use of unsupported or end-of-life software and hardware that is accessible from the internet.
The recommended practices also include limiting the use of known, fixed, or default passwords and credentials; ensuring the ability to reconstitute systems (backups); committing to rapid two-way sharing between CISA and SLT entities to reduce cyber risk; and migrating to the .gov internet domain.
The Cybersecurity Plan is a statewide planning document and must be approved by the Cybersecurity Planning Committee and the CIO, CISO, or equivalent. All applicants must submit an approved cybersecurity plan (amended if necessary) by January 30, 2025.
The plan must incorporate, to the extent practicable, existing plans for protecting against cybersecurity risks and cybersecurity threats to the information systems owned or operated by or on behalf of the SLT. It must describe how input and feedback from local governments and local government associations has been incorporated, and include any specific required elements. It must also describe, as appropriate and to the extent practicable, the individual responsibilities of the state and local governments within the state in implementing the cybersecurity plan; assess each required element from an enterprise-wide perspective; outline, to the extent practicable, the resources and schedule needed to implement the plan; provide an overview of related projects; and identify the metrics eligible entities will use to measure progress.
Eligible organizations can apply through the FEMA Grants Outcomes (FEMA GO) system. To be eligible for FY2024 SLCGP funding, each eligible entity must meet the FY2022 NOFO requirements. The application must include a completed or revised cybersecurity plan (if applicable) and a competency assessment, and may include individual projects approved by the cybersecurity planning committee and the chief information officer (CIO), chief information security officer (CISO), or equivalent.
CISA and FEMA review each submission, and CISA then works with states and territories to address deficiencies and approve final or revised cybersecurity plans and individual projects. This year, states and territories must meet and submit one requirement before being eligible for the third year of funding. Once approved, FEMA removes the hold on funding and eligible entities can implement projects and make subawards.
Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in security, data storage, virtualization, and IoT.