The SLCGP Is Another Year Older. Here’s What You Need to Know About Federal Cyber Grants

Updating primitive hardware and software. Improving endpoint detection. Adding critical identity and access controls. Patching key security systems.

These are some of the things that state and local government chief information security officers (CISOs) have done with the funding they received from the first year of the cybersecurity grant program tied to President Biden’s bipartisan infrastructure act. And applicants for Year 2 of the federal program are currently waiting to hear whether they’ll get funding.

They can do more than just wait. There’s a lot to be learned from the program’s shaky start – and good reason for these entities to begin planning for the next phase.

Adopt a whole-of-state cybersecurity strategy to pool disparate resources, strengthen your cyber posture, and serve the public interest.

To say the $1 billion State and Local Cybersecurity Grant Program (SLCGP), which kicked off in 2022, has gone smoothly might be an overstatement: There’s been occasional confusion over qualifying requirements and timelines; tribes, to their chagrin, were not included in the first year of the program; and many in the field wonder whether the program will extend beyond its current four-year lifespan.

Despite all that, industry watchers remain sanguine, saying the SLCGP is proceeding as expected. States and U.S. territories applied for $185 million in funding in 2022, and in 2023, with $380 million up for grabs, 48 states and six territories met the September deadline for submitting detailed cybersecurity plans to the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Emergency Management Agency (FEMA), which oversee the program. Those plans are currently under review.

While those who submitted proposals in recent months may feel they can turn to other things while they wait, now is actually a wise time to start envisioning plans for Year 3. This coming year, SLCGP funds will start to drop ($300 million will be available for FY 2024, $100 million for FY 2025), making competition fierce. The sooner state and local governments and their security chiefs can assess the SLCGP’s benefits, as the program enters its adolescent phase, the more effective they’ll be in planning for the coming mature phase and, quite possibly, the period beyond, when such funds might no longer be available. In that event, the organizations that prepared earliest will have the best shot at protecting their networks and constituents.

How the SLCGP is working

Currently, states receiving SLCGP funding must ensure that at least 80% of it gets passed through to local entities. In addition, at least 25% of the total funds made available under the grant must be passed through to rural communities. Each state publishes its own procedures and deadlines for local governments to apply for the grant money.

This program is making our nation more resilient.

Tribal nations are a little different. They were due to submit their cybersecurity plans early this month through the newly established Tribal Cybersecurity Grant Program (TCGP), an offshoot of the SLCGP. About $8 million was set aside for tribes under that program. The larger the tribe, the more they’ll qualify to receive.

Paula Starr, CIO for the Cherokee Nation, says her team is actively pursuing about $1 million in TCGP funding with mixed feelings. One the one hand, they need the money. The Cherokee Nation, which oversees agencies providing services to about 460,000 tribal citizens – many in rural communities – has been bolstering its cybersecurity posture on thin budgets. So the federal funds could be huge, she says.

But she wishes the tribes had been considered from the beginning, along with everyone else.

“I would love to see tribal nations, in the future, receive the same opportunities as states, counties, and municipalities across the country for additional funding opportunities that would help Indian Country further address cybersecurity needs and provide the kind of cybersecurity protection that tribal nations and their citizens deserve,” she says.

Defending SLCGP glitches

When asked about the lag in funding the tribes, Alaina Clark, CISA’s assistant director for stakeholder engagement, defended the program, saying it encourages states, tribes, and territories to submit strategic cybersecurity plans that are unique to their needs, and, if approved, they’ll receive funding for projects.

You want to have continuity beyond the lifecycle of these grants, so we’ll have to make the case to Congress at some point that this can’t just be a one-time funding investment.

“We are proud of the work to create a new program that brings resources in a focused manner where they can have the greatest impact,” says Clark. “This program is making our nation more resilient as states develop statewide cybersecurity plans and best practices.”

Alex Whitaker, director of government affairs for the National Association of State Chief Information Officers (NASCIO), says that so far, with the exception of a few issues around the tribes and how money would filter to states and local governments, the program has been proceeding “fairly well.”

[Listen also: Getting down to basics – here’s your step-by-step guide to accessing SLCGP funds, and why it’s easier than you might think]

A longer-term concern, he says, is that SLCGP only runs through 2026, so it’s hard to say whether states, local governments, tribes, and territories will be able continue funding-related efforts after that time. In fact, one state CIO told NASCIO they were reluctant to launch a new program for local governments because it would have to be terminated if SLCGP funding becomes unavailable.

“You want to have continuity beyond the lifecycle of these grants,” he says, “so we’ll have to make the case to Congress at some point that this can’t just be a one-time funding investment.”

Another issue that sometimes comes up is that the amount of cybersecurity funding provided through the SLCGP isn’t all that large, especially considering how much time and effort security teams invest in chasing it. But CISOs like Ryan Murray from the state of Arizona typically pursue multiple federal grants and partner with other states to help fund their cybersecurity efforts. Every little bit helps, they figure.

How to secure SLCGP benefits for the long term

Savvy security chiefs streamline processes and reduce time commitments with best practices, which they’ll likely apply when they go after grants during the next opportunity this fall. Those include:

• Continually updating cybersecurity plans: Since each year requires submitting an updated plan about a month after the application process opens up, waiting until the last minute to create it makes no sense. Just as incident response plans need to be periodically updated, cybersecurity proposals for the SLCGP should be regularly monitored and assessed. That means appointing staffers and implementing procedures now to update plans throughout the year.
• Talking to locals: To meet the requirement of passing funding through to local governments, states need to converse with county and other leaders about what they need to do to qualify for the money.
• Evolving your whole-of-state (WOS) plans—or establishing them in the first place: Once you’ve started communicating more with locals, your chances are greater of getting buy-in on a new WOS strategy or editing and improving the one you have. Government entities that don’t join forces miss a huge opportunity to collaborate, exchange data, and equitably shoulder the burden of workforce shortages.
• Thinking broadly: Taking a page from Arizona’s book, states, tribes, and territories need to recognize that grants don’t have to be one-off efforts. With a sustainable model in place, it’s possible to go after other federal funding opportunities.

[Read also: A practical guide to building a whole-of-state cybersecurity strategy]

Most government applicants for SLCGP funds expect to put the money to good use, says Whitaker. The NASCIO 2023 State of CIO Survey, for example, found applicants will use the funds to improve cybersecurity training, endpoint detection, risk assessments, support for .gov migration, and adoption of multifactor authentication (MFA).

That aligns with what Jon James, CISO for the Cherokee Nation, has in mind for agencies he supports.

James says that until a few years ago, hackers largely ignored the tribes. But as they stepped up attacks against government and healthcare networks, they discovered tribal nations had those too – and they were lightly defended. As a result, they started launching more attacks against the tribes.

[Read also: RaaS class – as hackers step up ransomware-as-a-service attacks, CISOs are finding more effective and creative ways to fight back]

Today, after implementing a “full-blown cybersecurity program,” he says, the Cherokee Nation is in a much better place. But he warns that none of the tribes can afford to sit back and relax. They must pursue every opportunity, including grants like the TCGP, to upgrade their security posture, he says.

“It’s important that tribes recognize we are targets too,” he says. “We have to strengthen our overall security posture, reduce risks, and gain better visibility and control over our endpoints and network infrastructure vulnerabilities.”