What Districts Need to Know: State, Local, Cybersecurity Grant Program
October 5, 2022 | Cole Karr
Federal cyber and emergency management agencies have announced the first opening of the $1 billion State, Local, and Cybersecurity Grant Program.
The notice of funding opportunity outlines that the Federal Emergency Management Agency (FEMA) will administer the grant with the Cybersecurity and Infrastructure Security Agency (CISA) providing expert guidance. The program is the first of its kind and was established under the Infrastructure Investment and Jobs Act (IIJA).
States, territories, and tribal governments will submit to the Department of Homeland Security (DHS) requests for funding under the program by November 15, 2022. Grantees are required to submit a compliant plan (see below), or otherwise be obligated to submit a plan in 2023. DHS should award the states within 60 days.
States will have 45 days within accepting the DHS funding to disburse 80 percent of the dollars they receive to local governments. Of the required 80 percent pass-through requirement, at least 25 percent must be invested in rural communities, defined as an area encompassing a population of less than 50,000 people that has not been designated in the most recent decennial census as an “urbanized area”. As defined in the law, special districts are eligible to apply and receive, as sub-grantees, funds from their approved state programs.
Unlike many other major IIJA programs, the State, Local, and Cybersecurity Grant Program is not covered under the Biden Administration’s Justice40 initiative, a directive under which 40 percent of federal investments of certain programs must be awarded disadvantaged/underserved communities.
Without disruptions in the timelines, DHS funds are scheduled to be dispersed to states by January 15, 2023, with eligible local governments (sub-grantees) receiving funds for eligible programs by end of February 2023.
As noted, states are required to establish a Cybersecurity Planning committee to produce a compliant Cybersecurity Plan for the coming year. It is important for special districts stakeholders to be involved in state-level discussions regarding its individual program development, and to engage with their state’s committee.
Eligible State Cybersecurity Plans
A state’s Cybersecurity Planning Committee will identify and prioritize state-wide efforts, including opportunities to consolidate projects to increase efficiencies. This committee will approve the required Cybersecurity Plan, which must contain the following elements:
- Incorporation of existing plans to protect against cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, state and local governments.
- Statement on how and feedback from local governments and associations of local governments was incorporated.
- Inclusion of all the specific required elements as outlined in the Notice of Funding Opportunity.
- Descriptions of state and local governments’ individual responsibilities within the state implementing the Cybersecurity Plan.
- Assessments of each of the required elements from an entity-wide perspective.
- Identification of necessary resources and a timeline for implementing the plan.
- Summary of associated projects with the plan.
- A plan to measure progress and outcomes.
Seating of State Cybersecurity Planning Committees
The Cybersecurity Planning Committee can be recycled from a previous, yet similar, type of committee if a state has one. Each state has discretion to seat its committee if it can certify that it meets requirements for the committee’s composition.
For states, each Cybersecurity Planning Committee membership must include at least one representative from relevant stakeholders, including:
- The State
- Representatives from counties, cities, and towns
- Public education entities
- Public health entities
- Rural, suburban, and high population “jurisdictions”
States must confirm that at least one-half of the representatives of the committee have professional experience relating to cybersecurity or information technology. The qualifications related to “professional experience” will be determined by each state. States will also have flexibility to identify specific public health and public education agencies represented on their committees.
Engaging with State Process
Eligible projects and programs for special districts will be dependent on each state’s Cybersecurity Plan. This plan will need to be updated in the following two fiscal years. For full understanding of eligible projects and to participation in plan development, special districts and their stakeholders are recommended to engage with the state agency coordinating the committee process – typically agencies charged with emergency management and planning.
Grants Information for Special Districts
NSDC provides members with notifications of major grant opportunities on the horizon, such as the State, Local, Cybersecurity Grant Program and more. Members receive weekly updates of open and announced grant opportunities of general interest to the nation’s special districts. Learn more about these and other benefits of NSDC membership on our Membership page and contact us for more information.