Receive Federal Funding for your Cybersecurity Initiatives

 

Introducing the State and Local Cybersecurity Grant Program

So many cybersecurity issues to address, so little funding and time to do it with, right? Well, the big boys in Washington are stepping in to help!

Via the State and Local Cybersecurity Grant Program (SLCGP), the Federal government is providing funding for States, Local Governments (such as counties and municipalities), rural areas, tribes and territories to address the ever-burgeoning cybersecurity threats out there.

If you haven’t heard of this, read on to learn how to get a piece of that $375 million dollar pie.

$375 million dollars

Is the amount the Department of Homeland Security has allocated for this fiscal year. Approximately $300 million remain as of September 2024.

Given the nature and quantity of how much information local governments have access to, the Department of Homeland Security (the parent agency of this offering) sees the benefit of mitigating their own ‘supply chain’ risk of that information falling into the wrong hands and wants to help with getting these organizations secured. They’ve charged their sub-agencies of the Federal Emergency Management Agency (FEMA) and the Cybersecurity and Infrastructure Security Agency (CISA) with administering the funding program with separate responsibilities:

  1. CISA knows their way around security and provides the best practices, as well as determining whether the project falls under the cybersecurity umbrella they are promoting.

  2. FEMA ensures that the applying organization is eligible for the program and issues the funding awards.

As with anything from the Federal government, there is a decent bit of paperwork to do in order to qualify for this funding and it sure is confusing to even know where to start. Yeah, we know how dissuading that is for darn near everyone. That’s why we made this start-up guidance! The good news is that it the entire process is not as arduous as many other programs and has multiple responsive contacts at each step of the process.

Most of this paperwork is for the State and Territorial governments to do, whom CISA and FEMA work with.

Local governments will essentially be applying to the State/Territorial government’s sub-agency for this, known as the State Administrative Agency, who will handle initial qualifications and vetting of the applicant, garnering adherence to the cybersecurity framework they’ve developed and then facilitating the CISA/FEMA communications.

 

What does the Program cover?

Want to know more about how it works and what is covered (fact: most of what you want and need is covered!!)?

We’ve got the quick questions you want answered here (excerpted from the CISA Frequently Asked Questions page; note that “SLTT” abbreviation stands for State, Local, Territorial and Tribal government entities):

Are SLTT entities required to adopt a specific cybersecurity framework? 

No. SLTT entities are not required to adopt a specific framework but are strongly encouraged to review existing frameworks.

Are there specific best practices that SLTT entities will have to adopt? 

Yes. Cybersecurity Plans must address how the best practices listed below and the 16 required elements will be implemented across SLTT entities.

Adoption is not required immediately, nor by all SLTT entities. Instead, the Cybersecurity Plan should detail the implementation approach over time and how the following will be consistent with the program goal and objectives. In addition to the 16 required elements, the Cybersecurity Plan must discuss the below seven best practices:

  • Multi-factor authentication; 

  • Enhanced logging; 

  • Data encryption for data at rest and in transit; 

  • End use of unsupported/end of life software and hardware that are accessible from the Internet;

  • Prohibit use of known/fixed/default passwords and credentials;

  • The ability to reconstitute systems (backups); and 

  • Migration to the .gov internet domain.  

What can the grant funds be used for? 

Eligible entities can use grant funds for:  

  • Developing the Cybersecurity Plan;

  • Implementing or revising the Cybersecurity Plan;

  • Paying expenses directly relating to the administration of the grant, which cannot exceed 5% of the amount of the grant award;

  • Assisting with allowed activities that address imminent cybersecurity threats confirmed by DHS; and 

  • Other appropriate activities as noted in the funding notice. 

Are there any specific things the funds cannot be used for?

Funds cannot be used for: 

  • Supplanting state or local funds;

  • Recipient cost-sharing contributions;

  • Payment of a ransom from cyberattacks;

  • Recreational or social purposes, or for any purpose that does not address cybersecurity risks or cybersecurity threats on SLTT information systems;  

  • Lobbying or intervention in federal regulatory or adjudicatory proceedings;

  • Suing the federal government or any other government entity; 

  • Acquiring land or constructing, remodeling or altering buildings or other physical facilities; or

  • Cybersecurity Insurance; or

  • Any purpose that does not address cybersecurity risks or cybersecurity threats on information systems owned or operated by, or on behalf of, the eligible entity or a local government within the jurisdiction of the eligible entity.

Can personnel be hired with grant funds?  

Yes, if aligned to the Cybersecurity Plan. Applicants must address how these functions will be sustained when the funds are no longer available in their application.

What equipment or software should be purchased?

Applicants should determine what equipment is most appropriate for their needs based on their Cybersecurity Plan to mitigate cybersecurity risks or gaps. 

Is equipment installation considered construction (e.g., installation of fiber optics in a wall or ground)? 

Certain equipment installations are not considered to be construction projects, but this will depend on the specific details of each project. If applicable, an Environmental Planning and Historic Preservation review will be required. Most equipment installations (e.g., generators) will be considered to be “construction” and therefore will not be permitted.


  1. The complete FAQ is hosted here: https://www.cisa.gov/state-and-local-cybersecurity-grant-program-frequently-asked-questions

  2. Ready for the deep dive? CISA provides the larger scope details and steps in their Fiscal Year 2024 guide, available here: https://www.cisa.gov/sites/default/files/2024-09/FY24%20SLCGP%20NOFO%20FAQs_508%20Compliant_09.23.2024.pdf

 

How do Local Governments Apply for the Grant?

Applying to your State Administrative Agency’s contact is the first step; they’ll provide the package of what will need doing and how to get started on it. We’ve taken the liberty of providing the contacts for each state and territory further below.

Development of a Cybersecurity Plan is the big idea of what they’ll want, as this Plan will be used to dictate what the agencies applying for funding should be doing and what funding may be allowed to pass through down to them for implementation of those projects and initiatives outlined therein.

In terms of the needed documentation, most of them are essentially cybersecurity posture and policy documentation that has already been created or that should be done as part of creating a proper cybersecurity foundation for the future, coupled with oversight and review planning.

Note: If you need help with drafting a Cybersecurity Plan, reviewing and adopting a framework provided by the State Administrative Agency is a practical method to jump start what you need to get going. They already have them; no reason to develop your own from scratch when you could simply modify one of theirs to suit your specific needs. If there is a preference for translating some of this or other assistance, Tangent can help!


Start by sending them an email inquiring about how they’d like you to get started with the SLCGP and for their state/territory-specific startup package.

Want a script to get you started? You got it.

“Hello <FirstNameOfSAAContactHere>,

My name is <YourName> of <MunipalityNameHere>; I’m interested in applying for the ‘State and Local Cybersecurity Grant Program (SLCGP)’ in order to pursue some cybersecurity initiatives we’re planning here.

When time permits, please let me know of the specific documentation needed for me to get together and any application forms to sign off on and I’ll get those processed and back to you.

Thank you!”

 

State Administrative Agency Contact List

Below is a list of the State Administrative Agency contacts for each territory and state as of September 2024.

The latest contact list can be found here at the FEMA website: https://www.fema.gov/grants/preparedness/state-local-cybersecurity-grant-program

State/Territory Website Contact
Alabama Alabama Office of Information Technology Daniel Urguhart
334-242-3800
daniel.urquhart@oit.alabama.gov
Alaska Alaska Division of Homeland Security & Emergency Management Bryan J. Fisher
907-428-7096
b.fisher@alaska.gov
American Samoa American Samoa Department of Homeland Security Samana Semo Ve'ave'a
684-699-3800
s.veavea@asdhs.as.gov
Arizona Arizona Department of Homeland Security Susan Dzbanko
(602) 319-8837
sdzbanko@azdohs.gov
Arkansas Arkansas Division of Emergency Management Kathy Smith
501-683-6728
Kathy.smith@adem.arkansas.gov
California California Office of Emergency Services Alissa Adams
916-761-5544
alissa.adams@caloes.ca.gov
Colorado Colorado Department of Public Safety, Division of Homeland Security & Emergency Management Kevin R. Klein
720-852-6600
kevin.klein@state.co.us
Connecticut Department of Emergency Services & Public Protection Ian Alexander
860-685-8461
ian.alexander@ct.gov
Delaware Delaware Emergency Management Agency A.J. Schall
302-659-2320
a.j.schall@delaware.gov
District of Columbia District of Columbia Homeland Security & Emergency Management Agency Clint Osborn
202-727-6161
Clint.osborn@dc.gov
Florida Florida Division of Emergency Management Linda J. McWhorter
850-815-4301
linda.mcwhorter@em.myflorida.com
Georgia Georgia Emergency Management & Homeland Security Agency James Stallings
404-635-7008
james.stallings@gema.ga.gov
Guam Guam Homeland Security, Office of Civil Defense Esther Aguigui
671-475-9600
Esther.aguigui@ghs.guam.gov
Hawaii Hawaii Office of Homeland Security Frank J. Pace
(808) 369-3570
frank.j.pace@hawaii.gov
Idaho Idaho Office of Emergency Management Matt McCarter
(208) 258-6517
mmccarter@imd.idaho.gov
Illinois Illinois Emergency Management Agency Robert Evans
217-557-4788 Bob.P.Evans@illinois.gov
Indiana Indiana Department of Homeland Security Kim Snyder
(317) 234-8929
kisnyder@dhs.in.gov
Iowa Iowa Homeland Security & Emergency Management Department Bonnie Rieder
515-314-0829
Bonnie.Rieder@iowa.gov
Kansas Kansas Information Security office Erin McGinnis
785-221-5041
Erin.mcGinnis@ks.gov
Kentucky Kentucky Office of Homeland Security David Carter
502-564-8734
Davidj.Carter@ky.gov
Louisiana Governor’s Office of Homeland Security & Emergency Preparedness Casey Tingle
(225)-358-5300
Casey.Tingle@la.gov
Maine Maine Emergency Management Agency Joe Legee
207-624-4400
Joe.Legee@maine.gov
Maryland Maryland Department of Emergency Management Marcia Deppen
302-584-5948
marcia.deppen@maryland.gov
Massachusetts Executive Office of Public Safety & Security Kevin Stanton
781-535-0056
kevin.stanton@mass.gov
Michigan Michigan State Police Department / Emergency Management & Homeland Security Division Kim Richmond
(517) 284-3952
richmondk@michigan.gov
Minnesota Minnesota Department of Public Safety, Division of Homeland Security & Emergency Management Michelle Turbeville
(651) 398-0930
michelle.turbeville@state.mn.us
Mississippi Mississippi Office of Homeland Security Agency Baxter Kruger
601-346-1500
bkruger@dps.ms.gov
Missouri Missouri Office of Homeland Security / Department of Public Safety Sandra K. Karsten
573-751-5432
karsten@dps.mo.gov
Montana Montana Disaster & Emergency Services Burke Honzel
(406) 324-4771
bhonzel@mt.gov
Nebraska Nebraska Emergency Management Agency Sean Runge
402-471-7419
sean.runge@nebraska.gov
Nevada Nevada Division of Emergency Management Suz Coyote
775-687-0327 scoyote@dem.nv.gov
New Hampshire New Hampshire Department of Safety Kelly A. Chapman
603-892-5776
Kelly.A.Chapman@DOS.NH.GOV
New Jersey New Jersey Department of Homeland Security & Preparedness Michael Geraghty
609.963.6900 ext. 6720
mgeraghty@cyber.nj.gov
New Mexico New Mexico Department of Homeland Security & Emergency Management Valli Wasp
(505) 231-4995 valli.wasp1@dhsem.nm.gov
New York New York State Division of Homeland Security & Emergency Services Eric Abramson
(866) 837-9133
eric.abramson@dhses.ny.gov
North Carolina North Carolina Department of Public Safety Derek Dorazio
919-825-2332
derek.dorazio@ncdps.gov
North Dakota North Dakota Department of Emergency Services Darin Hanson
701-328-8100
dthanson@nd.gov
Northern Mariana Islands Commonwealth of the Northern Mariana Island Homeland Security & Emergency Management Franklin R. Babauta
670-237-8000
franklin.babauta@cnmihsem.gov.mp
Ohio Ohio Emergency Management Agency Geoffrey Martin
(614) 799-3836
gsmartin@dps.ohio.gov
Oklahoma Oklahoma Office of Homeland Security Christina Daron
405-425-7591
Christina.daron@okohs.ok.gov
Oregon Oregon Office of Emergency Management Kevin Jeffries
(503) 378-3661
Kevin.jeffries@oem.oregon.gov
Pennsylvania Pennsylvania Emergency Management Agency Emina Kunovac
717-651-2027
SLCGP-PA@PA.GOV
Puerto Rico Puerto Rico Office for Public Security Affairs Alexis Torres
787-903-5602 ext. 6036
alexis.torres@dsp.pr.gov
Rhode Island Rhode Island Emergency Management Agency Marc R. Pappas
401-462-7131
Marc.Pappas@ema.ri.gov
South Carolina South Carolina Law Enforcement Division Robert Connell
(803) 896-7021
rconnell@sled.sc.gov
South Dakota South Dakota Department of Public Safety June Snyder
(605) 773-3450
June.Snyder@state.sd.us
Tennessee Tennessee Emergency Management Agency Gary Baker
(615) 741-7073
gary.baker@tn.gov
Texas Texas Office of the Governor, Homeland Security Grants Division Robert Cottle
(512) 463-8317
Robert.Cottle@gov.texas.gov
US Virgin Islands Virgin Islands Territorial Emergency Management Agency Florecita Brunn
(340) 715-6803
florecita.brunn@vitema.vi.gov
Utah Utah Department of Public Safety, Division of Emergency Management Tanner Patterson
(801) 598-1610
tpatterson@utah.gov
Vermont Vermont Department of Public Safety – Homeland Security Unit Jennifer L. Morrison (802) 244-8718
Jennifer.Morrison@vermont.gov
Virginia Virginia Department of Emergency Management Robbie Coates
804-516-5774
robert.coates@vdem.virginia.gov
Washington Washington State Military Department – Emergency Management Division Sierra Wardell
(253) 512-7121
sierra.wardell@mil.wa.gov
West Virginia West Virginia Division of Emergency Management David Hoge
(304) 558-5380
David.k.hoge@wv.gov
Wisconsin Wisconsin Emergency Management – Department of Military Affairs Marc Couturier
608-590-9112
marc.couturier@widma.gov
Wyoming Wyoming Office of Homeland Security Ashley Paulsrud
(307) 777-4707
Ashley.paulsrud@wyo.gov
Next
Next

Disabling Microsoft Office 365’s Exchange Web Services (EWS) Throttling