State and Local Cybersecurity Grant Program

FY23 SLCGP

The FY23 State and Local Cybersecurity Grant Program (SLCGP) Notice of Funding Opportunity (NOFO) was published by DHS/FEMA in Sept. 2023.  The FY23 SLCGP Federal Award for North Carolina is projected to be approx. $10.8 million.  State match/cost share is projected to be another $2.7 million for a total of approx. $13.5 million (less management & administration costs) to be awarded to state, tribal and local govt. entities.  Much like the FY22 SLCGP program, the FY23 SLCGP program requires a minimum of 80% of the total award to be passed through to local govt. entities, at least 25% of which must be passed through to rural entities (included in the 80% total local pass through).  As with the FY22 SLCGP program, the state (through NCDPS/NCEM) will provide the 20% required match. Per the FY23 SLCGP NOFO, grant funds may not be used for construction, renovation, remodel or to perform alterations of buildings or other facilities.  Therefore, grant applications requesting funds for any of these activities/items will be rejected.  For more information refer to the FY23 SLCGP NOFO, Section 13 “Funding Restrictions and Allowable Costs.” Below is a link to the FY23 SLCGP NOFO published by DHS/FEMA:

USDHS SLCGP NOFO 

An Informational Webinar was held on January 8, 2024 and can be viewed here.

Any questions should be directed to the SLCGP email box: SLCGP@ncdps.gov.
 

Funding

As a part of North Carolina’s approved application for FY23 State and Local Cybersecurity Grant Program (SLCGP), the state will receive approximately $10.8 million in federal grant funding under this award. North Carolina Emergency Management (NCEM), a division of the NC Department of Public Safety (NCDPS), is charged with managing this grant for the state.

FY23 SLCGP requires a 20% non-federal cost share, or match, raising the total amount of funding to approximately $13.5 million. NCEM will provide the entire 20% non-federal cost share for the FY23 SLCGP. Required non-federal cost shares may be passed on to individual subrecipients if the state receives an SLCGP award in FY24 or any future years.

Pass-Through Requirements and Eligible Applicants

Local government entities, community colleges, tribal governments, and state agencies in North Carolina are eligible to apply for FY23 SLCGP funding.

FY23 SLCGP requires a minimum 80% pass-through to local government entities, including a minimum 25% pass-through specifically to rural areas. Rural areas are defined in the FY23 SLCGP Notice of Funding Opportunity (NOFO) as communities with less than 50,000 population.

Local government entities are defined in N.C.G.S. 159-44 as: “counties; cities, towns, and incorporated villages; consolidated city-counties, as defined by G.S. 160B-2(1); sanitary districts; mosquito control districts; hospital districts; merged school administrative units described in G.S. 115C-513; metropolitan sewerage districts; metropolitan water districts; metropolitan water and sewerage districts; county water and sewer districts; regional public transportation authorities; and special airport districts.”

Community colleges are included in the definition of local government entities for purposes of FY23 SLCGP per N.C.G.S. 143-800(c)(1).

Federally recognized tribes are also included as eligible local government pass-through entities per the FY23 SLCGP NOFO.

Any remaining FY23 SLCGP funds not passed through to local government entities (including community colleges and tribes) are available for state agencies.

Application Procedures

Eligible applicants are required to complete the application on the secure MS Forms application at this link. Assistance with completing the application can be found here.

If you would like to view the entire application, a sample PDF is available. The PDF can be used as a guide in compiling the necessary information you will need to complete your online 2023 SLCGP Grant application.

Completed applications must be submitted by 5PM on January 31, 2024.

Applicants must complete and submit the FY23 SLCGP application form (linked above) by the application deadline.

Eligible applicants may only submit one application with a single project for up to $200,000 of total FY23 SLCGP funding.

Voluntary Match/Cost Share

Applicants are not required to provide any match or cost share for FY23 SLCGP funds; however, applicants are permitted to provide a voluntary match/cost share if they want to increase project costs but the maximum amount applicants may apply for is $200,000.

Applicants should explain any voluntary match/cost share in the Project and Budget Narrative blocks of the application.

Incomplete/Improper Applications

Incomplete applications, and applications containing more than one project will be rejected. If an applicant attempts to submit more than one application, all applications submitted by that applicant will be rejected.

Properly Completed Applications

SLCGP is a competitive grant program. All properly completed applications submitted by eligible applicants will be reviewed and scored by the State Cybersecurity Planning Committee, and the top scoring applicants will receive funding.

Important Dates

Application Period December 15, 2023 – January 31, 2024
Application Deadline January 31 2024, by 5:00 PM
Anticipated Period of Performance for subrecipients (estimated) December 1, 2023 – February 2, 2027
Anticipated Grant Awards to subrecipients (estimated) By May 31, 2024

SLCGP Education and Q&A Process

Because this is a competitive grant program, NCEM staff will not be able to provide direct assistance with application development or project formulation. All questions regarding the application process should be directed to the SLCGP@ncdps.gov mailbox.

Questions regarding SLCGP and the application process should be submitted to SLCGP@ncdps.gov, subject line SLCGP Question, by January 15, 2024. Q&A’s will be posted on the NCEM website at least one week prior to the application deadline.

A public FY23 SLCGP applicant webinar was held on January 8, 2024. The purpose of the webinar was to provide information about the FY23 SLCGP program and application process, as well as to answer questions from applicants.

Required Elements

The State Cybersecurity Planning Committee has developed a State Cybersecurity Plan that aligns with the 16 required elements specified in the FY23 SLCGP NOFO. All eligible applicants requesting FY23 SLCGP funding must align proposed projects with any/all of these required elements:

(Applicants must select any/all element(s) that support their project proposal)

  1. Manage, monitor, and track information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state, and the information technology deployed on those information systems, including legacy information systems and information technology that are no longer supported by the manufacturer of the systems or technology.
  2. Monitor, audit, and track network traffic and activity transiting or traveling to or from information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state.
  3. Enhance the preparation, response, and resilience of information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state, against cybersecurity risks and cybersecurity threats.
  4. Implement a process of continuous cybersecurity vulnerability assessments and threat mitigation practices prioritized by degree of risk to address cybersecurity risks and cybersecurity threats on information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state.
  5. Ensure that the state or local governments within the state, adopt and use best practices and methodologies to enhance cybersecurity, discussed further below.
  • Implement multi-factor authentication
  • Implement enhanced logging
  • Data encryption for data at rest and in transit
  • End use of unsupported/end of life software and hardware that are accessible from the internet
  • Prohibit use of known/fixed/default passwords and credentials
  • Ensure the ability to reconstitute systems (backups); and
  • Migration to the .gov internet domain

Additional best practices that the Cybersecurity Plan can address include:

  • The National Institute of Standards and Technology (NIST) Cybersecurity Framework
  • NIST’s cyber chain supply chain risk management best practices; and
  • Knowledge bases of adversary tools and tactics
  1. Promote the delivery of safe, recognizable, and trustworthy online services by the state or local governments within the state, including through the use of the .gov internet domain.
  2. Ensure continuity of operations of the state or local governments within the state, in the event of a cybersecurity incident, including by conducting exercises to practice responding to a cybersecurity incident.
  3. Use the National Initiative for Cybersecurity Education (NICE) Workforce Framework for Cybersecurity developed by NIST to identify and mitigate any gaps in the cybersecurity workforces of the state or local governments within the state, enhance recruitment and retention efforts for those workforces, and bolster the knowledge, skills, and abilities of personnel of the state or local governments within the state, to address cybersecurity risks and cybersecurity threats, such as through cybersecurity hygiene training.
  4. Ensures continuity of communication and data networks within the jurisdiction of the state between the state and local governments within the state in the event of an incident involving those communications or data networks.
  5. Assess and mitigate, to the greatest degree possible, cybersecurity risks and cybersecurity threats relating to critical infrastructure and key resources, the degradation of which may impact the performance of information systems within the jurisdiction of the state.
  6. Enhance capabilities to share cyber threat indicators and related information between the state, local governments within the state, and CISA.
  7. Leverage cybersecurity services offered by the Department (See Appendix G for additional information on CISA resources and required services and membership).
  8. Implement an information technology and operational technology modernization cybersecurity review process that ensures alignment between information technology and operational technology cybersecurity objectives.
  9. Develop and coordinate strategies to address cybersecurity risks and cybersecurity threats. Local governments and associations of local governments within the state should be consulted. Cybersecurity Planning Committees should also consider consulting neighboring entities, including adjacent states and countries.
  10. Ensure adequate access to, and participation in, the services and programs described in this subparagraph by rural areas within the state.
  11. Distribute funds, items, services, capabilities, or activities to local governments.

Special Post-Award Requirements

As a condition of receiving SLCGP funding, subrecipients are required to utilize Cybersecurity and Infrastructure Security Agency (CISA) Cyber Hygiene Services, specifically vulnerability scanning and web application scanning.

Additionally, subrecipients must complete an annual Nationwide Cybersecurity Review (NCSR) for each year of the period of performance (POP) of their award. The NCSR is also a requirement for Homeland Security Grant Program (HSGP) subrecipients, but subrecipients receiving both SLCGP and HSGP funding are only required to complete a single annual NCSR covering both awards.

NOTE: Participation in these services and memberships are NOT required to apply for SLCGP funding, only for subrecipients receiving SLCGP awards.

Questions and Answers

Frequently asked questions and answers can be found at FAQ's

Questions about the program may be emailed to SLCGP@ncdps.gov