DHS Announces New Grants to Bolster Cybersecurity Under Infrastructure Law

Grant applications due by Nov. 15, 2022

Last week, the U.S. Department of Homeland Security (DHS) announced a joint effort between the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA) to provide new cybersecurity grants authorized and funded under the Bipartisan Infrastructure Law.

Cyber risk management is complex for a number of reasons: the ability of malicious actors to operate from anywhere in the world, the linkages between cyber and physical systems, and the difficulty of reducing vulnerabilities in cyber infrastructure are just a few. Given the risk and potential consequences of cyber incidents, strengthening the cybersecurity practices and resiliency of state, local and territorial and tribal governments has become an imperative.

The Infrastructure Investment and Jobs Act of 2021 (IIJA), the most significant investment in U.S. infrastructure in decades, addressed America’s urgent need for modernization. Included in the IIJA was the State and Local Cybersecurity Improvement Act, authored by Rep. Yvette Clark (D-N.Y.), that establishes the State and Local Cybersecurity Grant Program (SLCGP). With the passage of the IIJA, Congress provided $1 billion for the SLCGP to be awarded over four years, which means for the first time ever, the U.S. would have a cyber-focused program specifically geared toward state, local and territorial (SLT) governments across the country.

Designed to provide greater resiliency against cyberattacks and their aftermath, the SLCGP also seeks to assess and understand the severity of the unique challenges SLT government networks face, while arming SLT entities with the resources needed to improve critical infrastructure, including modernization initiatives that ensure alignment between information technology and operational technology cybersecurity objectives.

A key program objective is providing cyber-physical security solutions such as bolstering security access to government networks with multifactor authentication solutions that are provided by the security industry.

On Sept. 16, 2022, DHS issued a Fiscal Year 2022 (FY22) Notice of Funding Opportunity for SLCGP with applications due within 60 days. CISA will serve as the program’s subject matter expert in cybersecurity-related issues, determining allowable activities, and FEMA will handle eligibility reviews and provide both financial management and oversight.

Highlights:

1. DHS is providing $185 million in FY22 for targeted efforts to address cybersecurity risks and threats to information systems owned, or operated on behalf of, SLT governments.
2. CISA has developed goals and objectives for the SLCGP, including assessing and evaluating systems and capabilities and building a cybersecurity workforce. For example, Objective 2 specifies that SLT agencies understand their current cybersecurity posture and evaluate areas for improvement – asking that physical devices, systems, software platforms and applications be inventoried regularly. Objective 3 requires SLT agencies to adopt fundamental cybersecurity best practices and implement multifactor authentication, prioritizing privileged users and remote uses.
3. Eligible states and territories must establish a cybersecurity planning committee that coordinates, develops, and approves a cybersecurity plan. The plan is meant to guide development of cybersecurity capabilities and the committee is responsible for approving and prioritizing individual projects. Initial cybersecurity plans will only be approved for a two-year period. Subsequent cybersecurity plans will need to build on the investments from the previous year(s) and must be submitted for approval annually.
4. States and territories will use their state administrative agencies (SAAs) to receive the funds from the federal government and then distribute the funding to local governments in accordance with state law/procedure.
5. The application process for FY22 is now open through Nov. 15.

Details:

Eligibility

• All 56 states and territories, including any state of the United States, the District of Columbia, Puerto Rico, American Samoa, the Commonwealth of the Northern Mariana Islands, Guam and the U.S. Virgin Islands, are eligible to apply for SLCGP funds.
• The designated SAA for each state and territory is the only entity eligible to apply for SLCGP funding, and a large portion of amounts received must be passed through to local governments (see below).

Funding

• 1% for each state, the District of Columbia and Puerto Rico
• 0.25% for American Samoa, the Commonwealth of the Northern Mariana Islands, Guam and the U.S. Virgin Islands

State allocations include additional funds based on a combination of state population and rural population totals.

Awards made to the entity or multi-entity group for SLCGP carry additional pass-through requirements. The SAA must:

• Pass through at least 80% of the funds awarded under the SLCGP to local units of government, including at least 25% of funds to rural entities
• Pass-through within 45 calendar days of receipt of the funds

Eligible entities applying as a single entity must meet a 10% non-federal cost share requirement for the FY22 SLCGP.

• Recipient contribution can be cash (hard match) or third-party in-kind (soft match).
• Federal share applied toward the SLCGP budget at the project/activity level shall not exceed 90% of the total budget.
• Unless otherwise authorized by law, federal funds cannot be matched with other federal funds.

Spending

Eighty percent of total state allocations must support local entities, while 25% of the total state allocations must support rural entities; these amounts may overlap.

Allowable Uses:

• Planning
• Equipment
• Exercises
• Management and administration
• Indirect facilities and administrative costs
• Organization and training

Not Allowable Uses:

• To pay a ransom
• Cybersecurity insurance premiums
• Acquisition of land or construction/remodeling of physical facilities
• Purchase of Chinese telecommunications and video surveillance equipment prohibited by NDAA Section 889 (telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation, and telecommunications or video surveillance equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company or Dahua Technology Company, or any subsidiary or affiliate of such entities)

Leverage Grants for Success! Access SIA’s Grants Training Course

SIA’s Grants Training Course is a new tool that helps security integrators and manufacturers advise security teams protecting schools, transit systems, ports, airports, places of worship and government facilities about the availability and use of grant funds. Upon completion of this self-paced, on-demand e-learning course, security manufacturers and integrators will become better equipped to help end users identify and apply for security grants. Course participants will also become familiar with common grant program terminology and policies – critical information needed to advise grant applicants. Learn more and register for the course here.

Reference Links

• DHS – Fiscal Year 2022 – State and Local Cybersecurity Gram Program – Synopsis and Related Documents
• CISA – Fiscal Year 2022 State and Local Cybersecurity Grant Program – Fact Sheet
• FEMA – Prohibitions on Expending FEMA Award Funds for Covered Telecommunications Equipment or Services – Policy #405-143-1