State and Local Cybersecurity Grant Program (SLCGP)
A federal grant program to help state, local, tribal and territorial (SLTT) governments address cybersecurity threats and risks to their information systems.
The Infrastructure Investment and Jobs Act (IIJA) created a federal grant program to help state, local, tribal and territorial (SLTT) governments address cybersecurity threats and risks to their information systems. As state and local governments encounter more sophisticated and targeted threats, including critical infrastructure threats, now is the time to review your cybersecurity posture and plan for strategic security initiatives. Tenable helps states meet 13 of the 16 program requirements, including vulnerability management and prioritization, and protecting critical infrastructure.
Read the Solution Overview: Meeting State and Local Cybersecurity Grant Program (SLCGP) Requirements with Tenable Technologies.
What State and Local Governments Need to Know:
- $1 Billion over 4 years for SLTT cybersecurity grants
- A 16 point cybersecurity plan must be submitted before full funding will be released
- 80% of grant will be distributed to local governments
Resources for State and Local Governments
Tenable solutions help fulfill 13 of the 16 SLCGP requirements — from vulnerability management and prioritization to compliance and IT/OT convergence. Here's what you need to know about the grant program, and the resources available to states as they build their cybersecurity plan and prepare to apply.
- FY 2024 State and Local Cybersecurity Grant Program Adds CISA KEV as a Performance Measure
- Meeting SLCGP Requirements with Tenable Technologies
- Delivering a Whole of State Approach with SLCGP Funding
- $1 Billion State and Local Cybersecurity Grant Program Now Open for Applicants
- How to Meet FY 2023 U.S. State and Local Cybersecurity Grant Program Objectives
- New U.S. SLCGP Cybersecurity Plan Requirement: Adopt Cybersecurity Best Practices Using CISA’s CPGs
- How State and Local Governments Can Bolster their Cyber Defenses
- Tenable for State and Local Government
- Protecting State and Local Governments Against Ransomware
- Meeting CISA’s Cybersecurity Performance Goals (CPGs) with Tenable
- Protecting Local Government Agencies with a Whole-of-State Cybersecurity Approach
How Tenable Helps Meet SLCGP Requirements
Continuous Vulnerability Management
Continuously track and assess known and unknown assets and their vulnerabilities with Tenable Vulnerability Management. Get an accurate view of all assets and vulnerabilities on your network that could be exploited
Protect Critical Infrastructure
Mitigate cybersecurity risk and threats related to critical infrastructure with Tenable OT Security. Unify IT and OT to eliminate blind spots and harden defenses for complete visibility and deep situational awareness.
Prioritize High Risk Vulnerabilities
Prioritize vulnerabilities by degree of risk so you can quickly find and fix high risk vulnerabilities first. Use risk scores and asset criticality metrics to quickly identify the vulnerabilities that pose the highest risk to your agency.
Maintain Compliance
FedRAMP and StateRAMP authorized vulnerability management solutions bring framework investments to scale and maturity, and ensure you demonstrate compliance with regulatory standards and frameworks such as NIST, CIS, DISA STIG, FISMA and more.
Want to learn more? Email [email protected] for additional information.
FAQ
- Only states (or groups of states) are eligible to apply for the grant and each state must allocate 80% of the funding to local, tribal and territorial governments.
- To receive the grant, states must submit a Cybersecurity Plan and create a planning committee to help develop and implement the cybersecurity plan.
- The cybersecurity plan consists of 16 specific requirements. To view specific plan and planning committee requirements, review Appendix B and C of the Notice of Funding Opportunity (NOFO), or the grant synopsis.
The Cybersecurity Plan is a statewide planning document that the Cybersecurity Planning Committee and the CIO/CISO equivalent must approve. The plan will be subsequently updated in FY24 and FY25. It must contain the following components:
- Incorporate, to the extent practicable, any existing plans to protect against cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, SLTTs.
- Share how input and feedback from local governments and associations of local governments was incorporated.
- Include all of the specific [16] required elements (see Required Elements section of Appendix C of the NOFO)
- Describe, as appropriate and to the extent practicable, the individual responsibilities of the state and local governments within the state in implementing the Cybersecurity Plan.
- Assess each of the required elements from an entity-wide perspective.
- Outline, to the extent practicable, the necessary resources and a timeline for implementing the plan.
- Summary of associated projects.
- Metrics that the eligible entity will use to measure progress.
Tenable solutions help state and local governments meet 13 of the 16 Cybersecurity Plan requirements. This includes requirements around vulnerability management, prioritization, protecting critical infrastructure and compliance. Review Meeting SLCGP Requirements with Tenable Technologies to see how Tenable meets each specific requirement.
While the template is not required, CISA strongly recommends that states and territories use the provided template. If a state or territory uses its own template, all required elements must be included. For more information, review the FEMA FAQ.
According to CISA, “Plans will be reviewed and approved as they are received, and before the deadline if received before the deadline. The goal is to review and approve Cybersecurity Plans as soon as practical after submission so that the recipients can begin implementing approved projects as soon as possible at the time they are submitted.” For more information, view the FEMA FAQ.
The program’s ultimate goal is to award grants to address cybersecurity risks and threats to information systems owned or operated by, or on behalf of, SLTT governments. Funding can be used for:
- Developing, implementing or revising the Cybersecurity Plan.
- Assisting with allowed activities that address imminent cybersecurity threats confirmed by DHS.
- Paying expenses directly relating to grant administration, which cannot exceed 5% of the amount of the total award.
- Other appropriate activities as noted in the funding order.
- Funds can also be used to continue or expand existing efforts to improve cyber systems and meet required Cybersecurity Plan elements, as long as funds are not used to supplement state or local funds.
YAccording to CISA, the Cybersecurity Planning Committees must work collaboratively across the state to identify and prioritize individual projects that align with the state’s Cybersecurity Plan. Ultimately, the state determines where and how to pass-through funds, with the permission of applicable local governments if passing through items or services in lieu of funding. For more information, review the CISA FAQ. To review the State Administrative Agency contacts, review State Administrative Agency Contacts.
Local governments have the ability to either consent or opt out of the “in lieu of” services. The way in which consent is obtained is determined by the state or territory. Consent must be obtained in writing for all entities in which the state will provide an item, service, capability and/or activity in lieu of direct funding. For additional, information review section F in the SLCGP NOFO or FEMA FAQ.
No. Local governments are not required to provide consent; however, it is not an all-or-nothing requirement. If there are other local governments that consent, then the state can still provide the item, service, capability or activity. For more information, review the FEMA FAQ.
Allocations vary by state. To determine how much your state will receive in fiscal year (FY) 2023, review the SLCGP Allocations in Information Bulletin (IB) 489. Funding has not been determined for fiscal years 2024-2025; however each FY will have its own funding notice, allocation amounts and application periods.
- CISA FAQ
- Original FEMA FAQs
- Additional FEMA FAQs
- States can also contact [email protected] or [email protected].
- Email [email protected] for additional information or to learn how Tenable can help you meet SLCGP requirements.
Always-On Resources
Subscribe to the Tenable blog for the latest news, research and Cyber Exposure alerts.
Sign up NowListen to Tenable's podcasts for conversations related to Cyber Exposure, security research and more.
Listen NowLearn more about Tenable solutions, sign up for a trial or request a demo.
Try Now