The Fiscal Year 2024 State and Local Cybersecurity Grant Program (SLCGP) is issued by the U.S. Department of Homeland Security (DHS) and managed by the Federal Emergency Management Agency (FEMA). It aims to help state, local, and territorial (SLT) governments manage and reduce systemic cybersecurity risks. This program, funded under the Infrastructure Investment and Jobs Act (also referred to as the Bipartisan Infrastructure Law), allows DHS to make targeted investments to enhance the security of critical infrastructure and improve the resilience of services provided by SLT governments.

The main goal of the SLCGP is to assist SLT governments in managing and reducing systemic cyber risks by funding projects aligned with several key objectives: establishing appropriate cybersecurity governance structures, understanding current cybersecurity postures through continuous assessments, implementing appropriate security protections, and ensuring personnel are adequately trained in cybersecurity. Eligible applicants are required to develop, implement, or revise a Cybersecurity Plan, establish a Cybersecurity Planning Committee, and use the funds to improve or sustain the capabilities outlined in these plans.

The program has a total available funding of $279,873,562, with each U.S. state and territory receiving a baseline allocation. States and the District of Columbia, as well as Puerto Rico, receive a minimum of $3,047,666, while territories such as Guam and American Samoa receive a minimum of $761,916. The allocation is further divided based on population ratios, with a focus on ensuring that rural areas receive adequate support. A total of 56 awards are projected, and the period of performance is set to run from February 1, 2025, to January 31, 2029, allowing for extensions.

Eligibility for this grant is limited to the 56 U.S. states and territories, including the District of Columbia, Puerto Rico, and the U.S. territories. Only the governor-designated State Administrative Agency (SAA) is eligible to submit applications. Local governments may also receive subawards, but nonprofit and for-profit organizations are not eligible subrecipients. Public educational institutions may qualify as subrecipients if they are recognized as agencies or instrumentalities of state or local governments under local law.

Applications must address at least one of the program objectives, and applicants must register through SAM.gov to obtain a Unique Entity Identifier (UEI) before submission. Applications can be submitted starting September 23, 2024, with a deadline of December 3, 2024. Applicants must use FEMA’s Grants Outcomes System (FEMA GO) to submit the required documents. A Cybersecurity Plan and a Project Worksheet (PW) outlining budget details must also be provided as part of the submission.

To qualify for funding, applicants must meet a 30% cost-sharing requirement, which can be fulfilled using either cash or in-kind contributions. For multi-entity projects involving collaboration between different states or territories, the cost share is reduced to 20%. The program also allows for a waiver of the cost-sharing requirement for applicants facing economic hardship, such as high unemployment rates or areas under financial oversight. Requests for waivers must be supported by specific documentation demonstrating the need.

The application review process will evaluate submissions for completeness, adherence to guidelines, and feasibility. FEMA and the Cybersecurity and Infrastructure Security Agency (CISA) will conduct a federal review of compliance and budget. Additionally, applications involving emergency communications will need to comply with SAFECOM Guidance to ensure alignment with national emergency communication goals. The federal government will monitor awardees to ensure funds are used appropriately and goals are met, and awardees must submit both financial and programmatic performance reports annually.