State and Local Cybersecurity Grant Program

Last Updated 12/3/24

FY24 SLCGP

Overview

The FY24 State and Local Cybersecurity Grant Program (SLCGP) Notice of Funding Opportunity (NOFO) was published by DHS/FEMA on September 23, 2024. The FY24 SLCGP federal award for North Carolina is projected to be approx. $8,037,374.

Like previous year SLCGP programs, FY24 SLCGP requires a minimum of 80% of the total award to be passed through to local govt. entities, at least 25% of which must be passed through to rural entities (included in the 80% total local pass through).

Unlike previous year SLCGP awards, subrecipients in North Carolina are responsible for the required match/cost share for FY24 SLCGP.  The required match/cost share for FY24 SLCGP is 30% of total project costs.  Applicants who cannot cover the required match/cost share should not apply for FY24 SLCGP.

Below is a link to the FY24 SLCGP NOFO published by DHS/FEMA:

https://www.fema.gov/grants/preparedness/state-local-cybersecurity-grant-program/fy-24-nofo

Local government entities, community colleges, tribal governments, and state agencies in North Carolina are eligible to apply for FY24 SLCGP funding.  The maximum amount eligible applicants may apply for is $250,000 for FY24 SLCGP.  Eligible applicants are required to complete the FY24 SLCGP application via Salesforce. 

Any questions should be directed to the SLCGP email box: SLCGP@ncdps.gov.

Funding

North Carolina Emergency Management (NCEM), a division of NC Department of Public Safety (NCDPS), is charged with managing this grant for the state.

Eligible FY24 SLCGP applicants in North Carolina will be competing for approximately $8 million in federal grant funding under this award.  The maximum amount eligible applicants may apply for is $250,000 for FY24 SLCGP.

FY24 SLCGP requires a 30% non-federal cost share, or match.  Subrecipients are required to provide the entire 30% non-federal cost share for FY24 SLCGP.

Pass-Through Requirements and Eligible Applicants

Local government entities, community colleges, tribal governments, and state agencies in North Carolina are eligible to apply for FY24 SLCGP funding.

FY24 SLCGP requires a minimum 80% pass-through to local government entities, including a minimum 25% pass-through specifically to rural areas. Rural areas are defined in the FY24 SLCGP Notice of Funding Opportunity (NOFO) as communities with less than 50,000 population.

Local government entities are defined in N.C.G.S. 159-44 as: “counties; cities, towns, and incorporated villages; consolidated city-counties, as defined by G.S. 160B-2(1); sanitary districts; mosquito control districts; hospital districts; merged school administrative units described in G.S. 115C-513; metropolitan sewerage districts; metropolitan water districts; metropolitan water and sewerage districts; county water and sewer districts; regional public transportation authorities; and special airport districts.”

Community colleges are included in the definition of local government entities for purposes of FY24 SLCGP per N.C.G.S. 143-800(c)(1).

Federally recognized tribes are also included as eligible local government pass-through entities per the FY24 SLCGP NOFO.

Any remaining FY24 SLCGP funds not passed through to local government entities (including community colleges and tribes) are available for state agencies.

Match/Cost Share

Unlike previous year SLCGP awards, subrecipients in North Carolina are responsible for the required match/cost share for FY24 SLCGP.  The required match/cost share for FY24 SLCGP is 30% of total project costs.

For example, if an applicant submits a project costing $100,000, the applicant would be responsible for $30,000 of those costs, and they would only be applying for $70,000 of federal funding for the project ($70,000 federal funding / .70 * .30 = $30,000 subrecipient match/cost share). If an applicant is applying for the maximum $250,000 federal award for FY24 SLCGP, their required match/cost share would be $107,143 (rounded up), for total project costs of $357,143.

Applicants who cannot cover the required match/cost share should not apply for FY24 SLCGP.

Allowable Costs

Appendix D of the FY24 SLCCGP NOFO provides examples of projects that can be funded under this grant by POETE area (Planning, Organization, Equipment, Training and/or Exercises).

SLCGP funds may be used for a range of planning activities, such as those associated with the development, review, and revision of cybersecurity plans.  Allowable organizational activities may include program management, operational support and personnel costs related to cybersecurity; however, grantees must demonstrate that any personnel funded by this grant will be sustainable once the program ends or funds are no longer available.

Equipment may be purchased to address cybersecurity risks and cybersecurity threats to information systems owned or operated by grantees.  This includes software, licenses & user fees, but only for the duration of the period of performance (POP) of the grant award (may not extend before or beyond the POP).  Equipment must be listed on the FEMA Authorized Equipment List (AEL), under any FEMA grant program, to be allowable for SLCGP funding.

Training conducted using SLCGP funds should align to the grantee’s cybersecurity plan, address performance gaps identified through assessments, and contribute to building a capability that will be evaluated through exercises.

Exercises conducted with grant funding should be managed and conducted consistent with Homeland Security Exercise and Evaluation Program (HSEEP) guidance for exercise design, development, conduct, evaluation, and improvement.

Unallowable Costs

Per the FY24 SLCGP NOFO, grant funds may not be used to acquire land or to construct, remodel, or perform alterations of buildings or other physical facilities; however, this prohibition does not include “minor building modifications” necessary to install and connect grant-purchased equipment that do not substantially affect a building’s structure, layout, systems, or critical aspects of a building’s safety, or otherwise materially increase the value or useful life of a building.  Therefore, grant applications requesting funds to acquire land or to construct, remodel, or perform alterations of buildings or other physical facilities beyond “minor building modifications” as described above will be rejected.

Minor modifications may be permitted with appropriate FEMA Environmental Planning and Historic Preservation (EHP) review and compliance.

• Examples of allowable “minor modifications” with appropriate EHP review may include:
• Replacing or installing servers, communication, or network components onto existing racks and using existing cabling.
• Installation of new equipment cabling through existing conduit and no new holes in walls, ceilings, or floors.
• Tabletop equipment such as computers, monitors, and workstations.

Refer to paragraph D.13. of FY24 SLCGP NOFO for a detailed information on funding restrictions, and allowable v. unallowable costs.

Required Elements

The State Cybersecurity Planning Committee has developed a State Cybersecurity Plan that aligns with the 16 required elements specified in the FY24 SLCGP NOFO. All eligible applicants requesting FY24 SLCGP funding must align proposed projects with any/all of these required elements:

(Applicants must select any/all element(s) that support their project proposal)

1. Manage, monitor, and track information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state, and the information technology deployed on those information systems, including legacy information systems and information technology that are no longer supported by the manufacturer of the systems or technology.
2. Monitor, audit, and track network traffic and activity transiting or traveling to or from information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state.
3. Enhance the preparation, response, and resilience of information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state, against cybersecurity risks and cybersecurity threats.
4. Implement a process of continuous cybersecurity vulnerability assessments and threat mitigation practices prioritized by degree of risk to address cybersecurity risks and cybersecurity threats on information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state.
5. Ensure that the state or local governments within the state, adopt and use best practices and methodologies to enhance cybersecurity, discussed further below.

• Implement multi-factor authentication
• Implement enhanced logging
• Data encryption for data at rest and in transit
• End use of unsupported/end of life software and hardware that are accessible from the internet
• Prohibit use of known/fixed/default passwords and credentials
• Ensure the ability to reconstitute systems (backups); and
• Migration to the .gov internet domain

Additional best practices that the Cybersecurity Plan can address include:

• The National Institute of Standards and Technology (NIST) Cybersecurity Framework
• NIST’s cyber chain supply chain risk management best practices; and
• Knowledge bases of adversary tools and tactics

6. Promote the delivery of safe, recognizable, and trustworthy online services by the state or local governments within the state, including through the use of the .gov internet domain.
7. Ensure continuity of operations of the state or local governments within the state, in the event of a cybersecurity incident, including by conducting exercises to practice responding to a cybersecurity incident.
8. Use the National Initiative for Cybersecurity Education (NICE) Workforce Framework for Cybersecurity developed by NIST to identify and mitigate any gaps in the cybersecurity workforces of the state or local governments within the state, enhance recruitment and retention efforts for those workforces, and bolster the knowledge, skills, and abilities of personnel of the state or local governments within the state, to address cybersecurity risks and cybersecurity threats, such as through cybersecurity hygiene training.
9. Ensures continuity of communication and data networks within the jurisdiction of the state between the state and local governments within the state in the event of an incident involving those communications or data networks.
10. Assess and mitigate, to the greatest degree possible, cybersecurity risks and cybersecurity threats relating to critical infrastructure and key resources, the degradation of which may impact the performance of information systems within the jurisdiction of the state.
11. Enhance capabilities to share cyber threat indicators and related information between the state, local governments within the state, and CISA.
12. Leverage cybersecurity services offered by the Department (See Appendix G for additional information on CISA resources and required services and membership).
13. Implement an information technology and operational technology modernization cybersecurity review process that ensures alignment between information technology and operational technology cybersecurity objectives.
14. Develop and coordinate strategies to address cybersecurity risks and cybersecurity threats. Local governments and associations of local governments within the state should be consulted. Cybersecurity Planning Committees should also consider consulting neighboring entities, including adjacent states and countries.
15. Ensure adequate access to, and participation in, the services and programs described in this subparagraph by rural areas within the state.
16. Distribute funds, items, services, capabilities, or activities to local governments.

Application Procedures

Eligible applicants are required to complete the FY24 SLCGP application via Salesforce. You will not be able to submit an FY24 SLCGP application unless/until you have created an account for your eligible organization and registered as a contact for that account in Salesforce.

This short video instructs individuals who need Salesforce access how to request a new user-ID, if they are not already a registered user in the system: https://www.youtube.com/watch?v=SQlzGM97xt8  

A tutorial video for how to complete the FY24 SLCGP application in Salesforce can be found [here].

Completed applications must be submitted by 11:59PM on January 31, 2025.

Applicants must complete and submit the FY24 SLCGP application form by the application deadline.

Eligible applicants may only submit one application with a single project for up to $250,000 of total FY24 SLCGP funding.

Incomplete/Improper Applications

Incomplete applications, and applications containing more than one project will be rejected. If an applicant attempts to submit more than one application, all applications submitted by that applicant will be rejected.

Properly Completed Applications

SLCGP is a competitive grant program. All properly completed applications submitted by eligible applicants will be reviewed and scored by the State Cybersecurity Planning Committee, and the top scoring applicants will receive funding.

Important Dates

SLCGP Education and Q&A Process

Because this is a competitive grant program, NCEM staff will not be able to provide direct assistance with application development or project formulation. All questions regarding FY24 SLCGP and the application process should be submitted to SLCGP@ncdps.gov, subject line FY24 SLCGP Question.

Q&A’s will be answered/updated on this website prior to the application deadline for the equal benefit of all applicants 

Questions & Answers

Special Post-Award Requirements

As a condition of receiving SLCGP funding, subrecipients are required to utilize Cybersecurity and Infrastructure Security Agency (CISA) Cyber Hygiene Services, specifically vulnerability scanning and web application scanning.

Additionally, subrecipients must complete an annual Nationwide Cybersecurity Review (NCSR) for each year of the period of performance (POP) of their award. The NCSR is also a requirement for Homeland Security Grant Program (HSGP) subrecipients, but subrecipients receiving both SLCGP and HSGP funding are only required to complete a single annual NCSR covering both awards.

NOTE: Participation in these services and memberships are NOT required to apply for SLCGP funding, only for subrecipients receiving SLCGP awards.

Related Content

• FY24 SLCGP NOFO
• Fiscal Year 2024 State and Local Cybersecurity Grant Program Fact Sheet
• Cyber Hygiene Services
• Nationwide Cybersecurity Review (NCSR)
• GYGO - Writing Competitive Grant Applications - 7/24/2024
• GYGO: Best Practices for Submitting Requests for Reimbursements (RFRs) for NCEM…
• Salesforce