Funding from the State and Local Cybersecurity Grant Program (SLCGP) helps eligible entities address cybersecurity risks and threats to information systems owned or operated by—or on behalf of—state, local and territorial (SLLT) governments. The Homeland Security Act of 2002, as amended by the Bipartisan Infrastructure Law requires grant recipients to develop a Cybersecurity Plan, establish a Cybersecurity Planning Committee to support development of the Plan, and identify projects to implement utilizing SLCGP funding. To support these efforts, recipients are highly encouraged to prioritize the following activities, all of which are statutorily required as a condition of receiving a grant:
- Developing the Cybersecurity Plan;
- Implementing or revising the Cybersecurity Plan;
- Paying expenses directly relating to the administration of the grant, which cannot exceed 5% of the amount of the grant award;
- Assisting with allowed activities that address imminent cybersecurity threats confirmed by DHS; and
- Other appropriate activities as noted in the funding notice.
Cybersecurity Planning Committee:
The Planning Committee is responsible for developing, implementing, and revising Cybersecurity Plans (including individual projects); formally approving the Cybersecurity Plan (along with the chief information officer, chief information security officer or an equivalent official); and assisting with determination of effective funding priorities (i.e., work with entities within the eligible entity's jurisdiction to identify and prioritize individual projects). To support these responsibilities, the Planning Committee must include the following entities:
- The eligible entity (i.e., state or territory);
- County, city, and town representation (if the eligible entity is a state);
- Institutions of public education within the eligible entity's jurisdiction;
- Institutions of public health within the eligible entity's jurisdiction; and
- As appropriate, representatives from rural, suburban, and high-population jurisdictions.
Funds may be used to hire personnel, however, the applicant must address how these functions will be sustained when the funds are no longer available in their application.
Cybersecurity planning committees in states, territories, and tribes must explain how they will address 16 cybersecurity elements. These elements include:
- How the applicant will manage, monitor, and track information systems, applications, and user accounts they own or operate.
- How the applicant will monitor, audit, and track network activity traveling to and from information systems, applications, and user accounts.
- How the applicant will enhance the preparation, response, and resiliency of information systems, applications, and user accounts against cybersecurity threats.
- How the applicant will implement continuous vulnerability assessments and threat mitigation to address cybersecurity threats to information systems, applications, and user accounts.
An eligible entity that receives a grant under this program and a local government that receives funds from a grant under this program must use the grant to:
- implement the Cybersecurity Plan of the eligible entity
- develop or revise the Cybersecurity Plan of the eligible entity
- pay expenses directly relating to the administration of the grant, which shall not exceed 5 percent of the amount of the grant;
- assist with activities that address imminent cybersecurity threats, as confirmed by the Secretary of Homeland Security, acting through the National Cyber Director, to the information systems owned or operated by, or on behalf of, the eligible entity or a local government within the jurisdiction of the eligible entity;
- fund any other appropriate activity determined by the Secretary of Homeland Security, acting through the National Cyber Director.
None is available.
Any entity that receives funds from a grant under this program may not use the grant: