State and Local Cybersecurity Grant Program
CSFA Number: 588-40-3074
Agency Name
Illinois Emergency Management Agency and Office of Homeland Security (588)
Agency Identification
588
Agency Contact
Robert Evans
217-557-4788
Bob.P.Evans@illinois.gov
Short Description
Our nation faces unprecedented cybersecurity risks, including increasingly sophisticated adversaries, widespread vulnerabilities in commonly used hardware and software, and broad dependencies on networked technologies for the day-to-day operation of critical infrastructure. Cyber risk management is further complicated by the ability of malicious actors to operate remotely, linkages between cyber and physical systems, and the difficulty of reducing vulnerabilities. The potential consequences of cyber incidents threaten national security. Strengthening cybersecurity practices and resilience of state, local, and territorial (SLT) governments is an important homeland security mission and the primary focus of the State and Local Cybersecurity Grant Program (SLCGP). Through funding from the Infrastructure Investment and Jobs Act (IIJA), also known as the Bipartisan Infrastructure Law (BIL), the SLCGP enables DHS to make targeted cybersecurity investments in SLT government agencies, thus improving the security of critical infrastructure and improving the resilience of the services SLT governments provide their community. The FY 2022 SLCGP aligns with the 2020-2024 DHS Strategic Plan by helping DHS achieve Goal 3: Secure Cyberspace and Critical Infrastructure, Objective 3.3: Assess and Counter Evolving Cybersecurity Risks. The FY 2022 SLCGP also supports the 2022-2026 FEMA Strategic Plan, which outlines a bold vision and three ambitious goals, including Goal 3: Promote and Sustain a Ready FEMA and Prepared Nation, Objective 3.2: Posture FEMA to meet current and emergent threats.
Federal Authorization
Section 2220A of the Homeland Security Act of 2002, as amended (Pub. L. No. 107-296) (6 U.S.C. § 665g)
Illinois Statute Authorization
N/A
Illinois Administrative Rules Authorization
N/A
Objective
The goal of SLCGP is to assist SLT governments with managing and reducing systemic cyber risk. For Fiscal Year (FY) 2022, applicants are required to address how the following program objectives will be met in their applications:
• Objective 1: Develop and establish appropriate governance structures, including developing, implementing, or revising cybersecurity plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations.
• Objective 2: Understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments.
• Objective 3: Implement security protections commensurate with risk.
• Objective 4: Ensure organization personnel are appropriately trained in cybersecurity, commensurate with responsibility.
Prime Recipient
Yes
UGA Program Terms
The Homeland Security Act of 2002, as amended by the Bipartisan Infrastructure Law requires grant recipients to develop a Cybersecurity Plan, establish a Cybersecurity Planning Committee to support development of the Plan, and identify projects to implement utilizing SLCGP funding. To support these efforts, recipients are highly encouraged to prioritize the following activities using FY 2022 SLCGP funds, all of which are statutorily required as a condition of receiving a grant:
• Establish a Cybersecurity Planning Committee;
• Develop a state-wide Cybersecurity Plan, unless the recipient already has a state-wide Cybersecurity Plan and uses the funds to implement or revise a state-wide Cybersecurity Plan;
• Conduct assessment and evaluations as the basis for individual projects throughout the life of the program; and
• Adopt key cybersecurity best practices.
Eligible Applicants
Government Organizations;
Applicant Eligibility
Only State Administrative Agencies (SAAs) (on behalf of state and local units of government) and Tribal governments with identified projects in Appendix A of this funding notice are eligible to apply.
Beneficiary Eligibility
N/A
Types of Assistance
Project Grants
Subject / Service Area
Public Safety
Credentials / Documentation
N/A
Preapplication Coordination
N/A
Application Procedures
N/A
Criteria Selecting Proposals
N/A
Award Procedures
By submitting an application, applicants agree to comply with the requirements of this funding notice and the terms and conditions of the award, should they receive an award.
Deadlines
March 15, 2023 5 p.m. CST
Range of Approval or Disapproval Time
N/A
Appeals
N/A
Renewals
N/A
Formula Matching Requirements
Eligible entities, if applying as a single applicant, must meet a 10% cost share requirement for the FY 2022 SLCGP. The recipient contribution can be cash (hard match) or third-party in-kind (soft match). Eligible applicants shall agree to make available non-federal funds to carry out an SLCGP award in an amount not less than 10% of activities under the award. For FY 2022, in accordance with 48 U.S.C. § 1469a, cost share requirements are waived for the insular areas of the U.S. territories of American Samoa, Guam, the U.S. Virgin Islands, and the Commonwealth of the Northern Mariana Islands. DHS/FEMA administers cost-matching requirements in accordance with 2 C.F.R. § 200.306. To meet matching requirements, the recipient contributions must be verifiable, reasonable, allocable and necessary, and otherwise allowable under the grant program, and in compliance with all applicable federal requirements and regulations. Unless otherwise authorized by law, the non-federal cost share requirement cannot be matched with other federal funds.
For example, if the federal award were at a 90% cost share and the total approved budget cost was $100,000, then:
• Federal share is 90% of $100,000 = $90,000
• Recipient share is 10% of $100,000 = $10,000
However, with this example, if the total cost ended up being $120,000, the federal share would remain at $90,000 due to the statutory formula even if it means the federal share ends up being lower than 90%. Any cost overruns will not be matched by this grant program and will be incurred by the recipient. With this example, if the total cost ended up being $80,000, then the 90% federal share would decrease to $72,000, and the recipient cost share would be $8,000.
Additionally, by statute, the cost share applies to each individual activity funded by the grant award rather than just to the cumulative total. Recipients must ensure that each activity’s cost share is met.
DHS interprets “activity” to mean all items approved as part of a submitted “Project Worksheet.”
Uses and Restrictions
Each grant recipient is required to collect data to allow DHS to measure performance of the awarded grant in support of the SLCGP metrics, which will be described in each Cybersecurity Plan. The statute requires that “not later than one year after the date on which an eligible entity receives a grant…for the purpose of implementing [its] Cybersecurity Plan…, including an eligible entity that comprises a multi-entity group that receives a grant for that purpose, and annually thereafter until one year after the date on which funds from the grant are expended or returned, the eligible entity shall submit to the Secretary a report that, using the metrics described in the Cybersecurity Plan of the eligible entity, describes the progress of the eligible entity in:
• Implementing the Cybersecurity Plan;
• Reducing cybersecurity risks to, and identifying, responding to, and recovering from cybersecurity threats to, information systems owned or operated by, or on behalf of, the eligible entity or, if the eligible entity is a state, local governments within the jurisdiction of the eligible entity.”
If an eligible entity does not have a Cybersecurity Plan in place and receives an award, then the statute requires that not later than one year after the date on which the eligible entity receives a grant, and annually thereafter until one year after the date on which funds from the grant are expended or returned, the eligible entity shall submit to the Secretary a report describing how the eligible entity obligated and expended grant funds to:
• Develop or revise a Cybersecurity Plan; or
• Assist with activities that address imminent cybersecurity threats, as confirmed by the Secretary, acting through the CISA Director, to the information systems owned or operated by, or on behalf of, the eligible entity or a local government within the jurisdiction of the eligible entity.
In order to measure performance, DHS may request information throughout the period of performance.
In its final performance report submitted at closeout, the recipient must submit sufficient information to demonstrate it has met the performance goals as stated in its award. DHS will measure the recipient’s performance of the grant by comparing the number of activities and projects needed and requested in its investment justification with the number of activities and projects acquired and delivered by the end of the period of performance using the following programmatic metrics:
• Percentage of entities with CISA approved state-wide Cybersecurity Plans
• Percentage of entities with statewide cybersecurity planning committees that meet the Homeland Security Act of 2002 and this SLCGP Notice of Funding Opportunity (NOFO) requirements
• Percentage of entities conducting annual table-top and full-scope exercises to test cybersecurity plans; Percent of the entities' SLCGP budget allocated to exercises; or Average dollar amount expended on exercise planning for entities
• Percentage of entities conducting an annual cyber risk assessment to identify cyber risk management gaps and areas for improvement
• Percentage of entities performing phishing training; Percent of entities conducting awareness campaigns; Percent of entities providing role-based cybersecurity awareness training to employees
• Percentage of entities adopting the Workforce Framework for Cybersecurity (NICE Framework) as evidenced by established workforce development and training plans
• Percentage of entities with capabilities to analyze network traffic and activities related to potential threats
• Percentage of entities implementing multi-factor authentication (MFA) for all remote access and privileged accounts
• Percentage of entities with programs to anticipate and discontinue use of end of life software and hardware
• Percentage of entities prohibiting the use of known/fixed/default passwords and credentials
• Percentage of entities operating under the “.gov” internet domain
• Number of cybersecurity gaps or issues addressed annually by entities
Reports
N/A
Audits
FEMA grant recipients are subject to audit oversight from multiple entities including the DHS OIG, the GAO, the pass-through entity, or independent auditing firms for single audits, and may cover activities and costs incurred under the award. Auditing agencies such as the DHS OIG, the GAO, and the pass-through entity (if applicable), and FEMA in its oversight capacity, must have access to records pertaining to the FEMA award. Recipients and subrecipients must retain award documents for at least three years from the date the final FFR is submitted, and even longer in many cases subject to the requirements of 2 C.F.R. § 200.334. In the case of administrative closeout, documents must be retained for at least three years from the date of closeout, or longer subject to the requirements of 2 C.F.R. § 200.334. If documents are retained longer than the required retention period, the DHS OIG, the GAO, and the pass-through entity, as well as FEMA in its oversight capacity, have the right to access these records as well. See 2 C.F.R. §§ 200.334, 200.337. Additionally, non-federal entities must comply with the single audit requirements at 2 C.F.R. Part 200, Subpart F. Specifically, non-federal entities, other than for-profit subrecipients, that expend $750,000 or more in federal awards during their fiscal year must have a single or program-specific audit conducted for that year in accordance with Subpart F. 2 C.F.R. § 200.501. A single audit covers all federal funds expended during a fiscal year, not just FEMA funds. The cost of audit services may be allowable per 2 C.F.R. § 200.425, but non-federal entities must select auditors in accordance with 2 C.F.R. § 200.509, including following the proper procurement procedures. For additional information on single audit reporting requirements, see section F of this funding notice under the header “Single Audit Report” within the subsection “Additional Reporting Requirements”. 
The objectives of single audits are to:
• Determine whether financial statements conform to generally accepted accounting principles (GAAP);
• Determine whether the schedule of expenditures of federal awards is presented fairly;
• Understand, assess and test the adequacy of internal controls for compliance with major programs; and
• Determine whether the entity complied with applicable laws, regulations and contracts or grants.
For single audits, the auditee is required to prepare financial statements reflecting its financial position, a schedule of federal award expenditures, and a summary of the status of prior audit findings and questioned costs. The auditee also is required to follow up and take appropriate corrective actions on new and previously issued but not yet addressed audit findings. The auditee must prepare a corrective action plan to address the new audit findings. 2 C.F.R. §§ 200.508, 200.510, 200.511. Non-federal entities must have an audit conducted, either single or program-specific, of their financial statements and federal expenditures annually or biennially pursuant to 2 C.F.R. § 200.504. Non-federal entities must also follow the information submission requirements of 2 C.F.R. § 200.512, including submitting the audit information to the Federal Audit Clearinghouse within the earlier of 30 calendar days after receipt of the auditor’s report(s) or nine months after the end of the audit period. The audit information to be submitted includes the data collection form described at 2 C.F.R. § 200.512(c) and Appendix X to 2 C.F.R. Part 200 as well as the reporting package described at 2 C.F.R. § 200.512(b). The non-federal entity must retain one copy of the data collection form and one copy of the reporting package for three years from the date of submission to the Federal Audit Clearinghouse. 2 C.F.R. § 200.512; see also 2 C.F.R. § 200.517 (setting requirements for retention of documents by the auditor and access to audit records in the auditor’s possession). FEMA, the DHS OIG, the GAO, and the pass-through entity (if applicable), as part of monitoring or as part of an audit, may review a non-federal entity’s compliance with the single audit requirements. In cases of continued inability or unwillingness to have an audit conducted in compliance with 2 C.F.R. Part 200, Subpart F, FEMA and the pass-through entity, if applicable, are required to take appropriate remedial action under 2 C.F.R. § 200.339 for noncompliance, pursuant to 2 C.F.R. § 200.505.
Records
FEMA requires that non-federal entities maintain the following documentation for federally funded purchases:
• Specifications;
• Solicitations;
• Competitive quotes or proposals;
• Basis for selection decisions;
• Purchase orders;
• Contracts;
• Invoices; and
• Canceled checks.
Non-federal entities should keep detailed records of all transactions involving the grant. FEMA may at any time request copies of any relevant documentation and records, including purchasing documentation along with copies of cancelled checks for verification. See, e.g., 2 C.F.R. §§ 200.318(i), 200.334, 200.337. In order for any cost to be allowable, it must be adequately documented per 2 C.F.R. § 200.403(g). Non-federal entities who fail to fully document all purchases may find their expenditures questioned and subsequently disallowed.
Account Identification
N/A
Obligations
N/A
Range and Average of Financial Assistance
$0-$4,402,758
Program Accomplishments
N/A
Regulations, Guidelines, and Literature
https://www.fema.gov/grants/preparedness/state-local-cybersecurity-grant-program
Regional or Local Assistance Location
N/A
Headquarters Office
2200 S Dirksen Parkway Springfield, IL 62703
Program Website
N/A
Example Projects
N/A
Published Date
Funding By Fiscal Year
FY 2023 : $4,402,758
FY 2024 : $8,834,866
Federal Funding
Notice of Funding Opportunities
Agency ID | Award Range | Application Range
Agency ID | Grantee Name | Start Date | End Date | Amount
23SLCGDOIT | Illinois Department of Innovation & Technology | 01/01/2024 | 11/30/2027 | 8,834,866
22SLCGDOIT | Illinois Department of Innovation & Technology | 12/01/2022 | 11/30/2026 | 4,402,758