IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

What’s Next for State, Local Cybersecurity Grants?

Fifty-four of the 56 entities eligible for year one federal grants applied, and 10 have fulfilled the second part of the process by submitting their cybersecurity plans. A notice of funding opportunity is expected year two in the spring.

Digital dollar sign
Shutterstock/Illus_man
States had until mid-November to apply for their — and their local government partners’ — share of nearly $200 million worth of federal cybersecurity grants. Now that applications are in, what’s next?

Most — but not all — eligible entities applied for the State and Local Cybersecurity Grant Program (SLCGP), and under a fifth have completed both of the two key parts needed before they can receive funds, said Trent Frazier, deputy assistant director for Stakeholder Engagement at the Cybersecurity and Infrastructure Security Agency (CISA), who spoke as part of a FedInsider panel this week. CISA is reviewing the applications alongside FEMA.

The four-year grant program keeps progressing, too, and the notice of funding opportunity for the second year’s round of awards is due out in late spring, to the tune of $400 million, Frazier said.

But it hasn’t been all smooth sailing, and some entities report struggles handling grant applications and concerns about what happens once the program’s four years are up.

WHERE STATES STAND ON YEAR 1


States, territories and the District of Columbia could all apply for SLCGP funds, but not everyone chose to take advantage, Frazier said. Out of 56 eligible entities, 54 applied.

“Two opted not to apply for their allocation in year one, on principle,” Frazier said. “We will certainly invite them to apply again in year two.”

The federal government has pre-determined how much money each applicant would receive once their submissions are approved. At least $2.19 million is allocated for agencies in each state, with CISA stating that additional amounts are available “based on a combination of total population and rural population” in the jurisdictions.

Screen shot of Trent Frazier's head and shoulders as he looks at the camera. He's in an office and flags for CISA and the USA are visible in the background.
Trent Frazier, deputy assistant director for Stakeholder Engagement at CISA.

Screenshot
The grant program requires states to both create a cybersecurity planning committee comprising a diverse array of stakeholders and a statewide cybersecurity plan to guide how the funds are spent. States that had created their committees could apply, but the money would be under an administrative hold until they’d also provided their cybersecurity plans, Frazier said.

Those plans are due by September 2023, said Bess Mitchell, chief of CISA’s Grant Operations Branch, during the discussion.

GETTING THE PLANS RIGHT


Thus far, 10 plans have been submitted and are currently under review, Frazier said.

“We're really looking for those plans to articulate how the states or territories will use investments to support either closing identified capability gaps or sustaining capabilities that are necessary to mitigate identified risks, within and across the jurisdiction,” Frazier said. “We expect plans will be fairly divergent across the states and territories based on how they are evaluating risks within their respective jurisdictions.”

Entities do not need to use all the money within the four-year span of the SLCGP, Frazier said. Instead, each time entities receive an award under the SLCGP, they have four years from that receipt date in which to use it.

CISA has cybersecurity coordinators and advisers distributed across the country who can answer technical and grant-related questions for planning committees as they develop their proposals. Such assistance can help ensure plans are “already ready for approval” by the time they’re submitted, Frazier said.

APPLICANT HURDLES


Despite the support, entities have hit challenges when applying for the funding.

“[The Multi-State Information Sharing and Analysis Center (MS-ISAC)] did mention that stakeholders have reported difficulties in applying for the grants, including not having sufficient staff to be able to even write the grant proposals in the first place,” said Marisol Cruz Cain, director of the information and cybersecurity team for the Government Accountability Office (GAO).

Head and shoulders view of Marisol Cruz Cain, in front of a "GAO" background.
Marisol Cruz Cain, director of Information and Cybersecurity Team for the Government Accountability Office

Screenshot
Frazier said, however, that local entities can sidestep the burden of handling grants, contracting for services and other administrative tasks if planning committees pursue shared services. Under this approach, states would acquire the services — and take on the associated administrative work — then make the offerings available for many different local partners to use.

“Where possible, make the state do the hard work,” Frazier said.

Outside resources can also help with grant applications, said Hong Sae, CIO of Roseville, Calif.

“A lot of people don’t have a lot of experience in grant applications,” he said. “There are many agencies out there that can help out. Larger agencies, municipal school districts, county health agencies or even special districts, too. They have a lot of grant writers out there that you can partner with.”

But grant writing appears to be an issue for some states as well, Cruz Cain said, and officials are concerned about maintaining cybersecurity practices when the grants end.

“Most CIOs and CISOs reported to the MS-ISAC that they lack the grant experience themselves,” Cruz Cain said. “So there's significant concerns about what's going to happen after the four years of getting the grants, securing them, and then what happens to their basic cyber hygiene when it goes away.”

While there’s no guarantee that the SLCGP will be renewed, Frazier suggested it’s possible. Between the second and third year of the program, CISA will report to Congress on the effectiveness of the program as well as “if we think this needs to continue.”

Mitchell anticipated other opportunities as well.

“I think even after this particular program, maybe sunsets after the next four years, I do believe that cybersecurity and these efforts will continue to be a focus of federal grant programs moving forward,” she said.

YEAR 2


The second year of the SLCGP is approaching and is set to disburse $400 million.

When the second year notice of funding opportunity goes out in the spring, “what you'll see is, that program will largely mirror a lot of the components of the year one notice of funding opportunity, because again, the intent is to build resiliency over time,” Frazier said.

GAO will also be reviewing SLCGP, with a report expected out in late 2023 or early 2024, Cruz Cain said. The report will consider factors like the amount of money awarded, its allocation among state and local entities, the impact made so far and CISA’s level of successes at easing the application processes.
Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.