Resource-strapped security teams working at state and local governments have a mighty option when it comes to dealing with budget constraints: the State and Local Cybersecurity Grant Program (SLCGP).
In 2023, CISA and FEMA released $347.9 million in funding to many recipients through the State and Local Cybersecurity Grant Program*—the first explicitly cybersecurity-focused grant available to state and local governments. According to CISA, the grant program will make $1 billion in funding available to support cybersecurity projects over the course of four years, starting from 2022. $300 million in funding will be available in FY2024.
That’s a whole lot of cash. Clearly, there’s a major opportunity for state and local security departments to get in on—and they should get in on it fast. But the availability of an opportunity is not a guarantee of receiving it. As is the case with a majority of grant programs, the SLCGP comes with an application.
We know what you’re thinking—more paperwork? Really?
While the SLCGP application can appear daunting (or even worse, way too much like filing your taxes), applying for cybersecurity federal funding doesn’t have to feel like an impossible Ninja Warrior obstacle course. For teams that want to get a head start, we created a quick-hit four-step guide to ace the state and local cybersecurity grant program application.
You don’t want to put the cart before the horse. The first part of acing any grant application is ensuring that you even qualify. Fulfilling CISA’s requirements is a major part of qualification for the SLCGP. Applying without meeting them is like walking around with egg on your face — so let’s cover what you need to know.
The specifics of these requirements may change year to year. However, according to the most recent application (FY22), the requirements are as follows:
1. A CISA-approved cybersecurity plan. Eligible entities are required to submit cybersecurity plans for review and approval as part of the SLCGP grant application. Good news: if you previously submitted an approved plan in FY22, you need not submit a plan again, as the approval covers a two-year time period.
New applicants must submit a cybersecurity plan with their grant application. We recommend that your cybersecurity plan adopt key cybersecurity best practices outlined by CISA for the best results.
The plan should also detail your organization’s short- and long-term cybersecurity goals, and how federal funding would specifically benefit those goals. CISA further recommends that these plans be strategic in nature and cover a two-to-three-year time period.
2. A CISA-approved cybersecurity planning committee. Eligible entities are also required to submit a cybersecurity planning committee detailing members and responsibilities with their applications. This committee is responsible for coordinating, developing, and approving cybersecurity plans.
The committee is also responsible for prioritizing individual cybersecurity projects, which should be described as part of your grant application.
Templates for defining a cybersecurity plan and cybersecurity planning committee are available through CISA’s Infrastructure Resilience Planning Framework. Once security teams ensure those initial requirements are appropriately in place, they can begin their SLCGP application journey with this essential first step: identifying existing strengths and weaknesses.
Knowing where your security program is flourishing and where it is lacking will provide your teams with the context they need to create specific and actionable cybersecurity plans. It also helps you identify where you actually need funding and how you could use it, so you don’t feel like you’re just throwing money at the wall.
Additionally, the grant-making agencies (in this case, CISA and FEMA) will expect applicants to have an acute and accurate understanding of their existing needs in light of the current threat landscape.
When identifying strengths and weaknesses, here are some examples of questions that state and local governments should consider:
Performing this strengths and weaknesses audit equips state and local government IT teams with the knowledge they need to make their case for federal funding.
Be as specific as possible when detailing what your organization plans to do with the funds should they successfully be acquired. These plans should be highly detailed and express in both qualitative and quantitative terms how your organization could benefit from federal funding, and what those federal funds would be used for over an explicitly set period of time.
Basically, you need a road map for how, when, and where you want to use your money.
Your grant plan should stipulate the exact use case your organization intends to fulfill with the funding amount requested (“Our organization plans to use X amount of funds received to cover the costs of…”). While grant applications are not available to the public because they contain sensitive state and local information, both CISA and FEMA clearly outline what prospective applicants should include in their submission.
For example, CISA stipulates the following use cases as legitimate applications for federal funding through the grant:
A more detailed description of a grant plan could include:
It’s critical to keep in mind that the SLCGP does not cover ransom for successful cyberattacks, nor can it be used to secure cyber insurance or pay cyber insurance premiums. If planning on hiring cybersecurity personnel with SLCGP funds, organizations must also stipulate how they plan to cover costs when funding is no longer available.
For more information on the nature and structure of federal grants, you can view grants.gov’s grant lifecycle.
The SLCGP prioritizes entities that show a clear dedication to continuous cybersecurity posture improvement. Documenting how your existing cybersecurity tools and strategies fulfill your organization’s commitment to good cyber hygiene can help make a convincing case for the allocation of more funding.
There are a few cybersecurity tools and strategies that state and local governments should ensure they’re making use of:
Cloud SIEMs. Leveraging a cloud SIEM is an easy way for state and local government teams to demonstrate they’re currently doing their due diligence with the cybersecurity budget they have available. These tools are also helpful in documenting a history of cybersecurity practices via the event logs they capture.
Cybersecurity training and awareness programs. By documenting a cybersecurity training and awareness program within the submitted cybersecurity plan, organizations can demonstrate their dedication to teaching all government employees about phishing, social engineering attacks, and other critical security protocols. Additionally, a robust cybersecurity training and awareness program is a concrete demonstration of a strong culture of cybersecurity, a major benefit in the SLCGP application.
NIST controls and frameworks. The recommendations outlined in NIST 800-171 and 800-53 are relevant to state and local governments in particular. Addressing how your organization is currently meeting those recommendations—and how funding could help your teams better meet them—can make a strong case for your application.
As threat actors become more capable and targeted, relying on state and local resources alone can often leave organizations with considerable cybersecurity gaps. The State and Local Cybersecurity Grant Program can help resource-strapped IT teams overcome challenges and meet their cybersecurity goals with greater ease. That is, if they can write a good grant application.
Grant applications don’t have to be major bureaucratic headaches. With a keen understanding of what matters to grant-makers and a solid plan for funding granted, your organization can benefit from this federal program in no time.
We mentioned earlier that your grant application needs to include a detailed cybersecurity plan. Learn more about how local governments can build one out here.
*https://www.cisa.gov/state-and-local-cybersecurity-grant-program