State and Local Cybersecurity Grant Program
Last Updated 11/3/2025
FY 2025 SLCGP
FY 2025 SLCGP Application Information
Application period: November 1 – 30, 2025.
Applications close at 11:59 pm on November 30, 2025.
To apply for FY25 SLCGP (NOFO) funding, local NC government entities, including NC community colleges, must complete an application through our new Salesforce grants management portal beginning November 1, 2025, and ending at 11:59 pm on November 30, 2025. Late and/or incomplete applications will not be accepted.
There is no cap on the amount of FY25 SLCGP funding for which applicants may apply, not to exceed the amount of the entire $2,638,773 federal award for North Carolina, but eligible applicants can only submit one application with one project for FY25 SLCGP. Incomplete applications and applications containing more than one project will be rejected. If an applicant attempts to submit more than one application, all applications submitted by that applicant will be rejected.
The required match/cost share for FY25 SLCGP is 40% of total project costs. Applicants who cannot cover the required match/cost share for their projects should not apply for FY25 SLCGP.
This short video instructs individuals on how to register in Salesforce for a user account if they do not already have one.
Guide to components of the application in Salesforce (FY25 SLCGP Application Guide): This guide presents the screens you will encounter while completing your FY25 SLCGP application in Salesforce. It is for information only. It cannot be submitted as your FY25 SLCGP application. All applications must be submitted in Salesforce.
FY25 SLCGP Virtual Information Sessions
On November 17, 2025, from 10:30 am – noon, there will be a question & answer session for technical assistance to help applicants complete and submit FY25 SLCGP applications in Salesforce. Applicants can drop in anytime during this virtual session for technical assistance with their applications.
Overview
The FY25 State and Local Cybersecurity Grant Program (SLCGP) Notice of Funding Opportunity (NOFO) was published by DHS/FEMA on August 13, 2025. The FY25 SLCGP federal award for North Carolina is projected to be approx. $2,638,773.
Like previous year SLCGP programs, FY25 SLCGP requires a minimum of 80% of the total award to be passed through to local govt. entities, at least 25% of which must be passed through to rural entities (included in the 80% total local pass through). Any funds not passed through to local govt. entities are available for state projects.
As was the case with FY24 SLCGP, subrecipients in North Carolina are responsible for the required match/cost share for FY25 SLCGP. The required match/cost share for FY25 SLCGP is 40% of total project costs. Applicants who cannot cover the required match/cost share for their projects should not apply for FY25 SLCGP.
Below is a link to the FY25 SLCGP NOFO published by DHS/FEMA:
https://www.fema.gov/grants/preparedness/state-local-cybersecurity-gran…
Local government entities, community colleges, and tribal governments in North Carolina are eligible to apply for FY25 SLCGP funding. There is no cap on the amount for which eligible applicants may apply for FY25 SLCGP, not to exceed the amount of the entire $2,638,773 federal award for North Carolina, but applicants should keep in mind the 40% match/cost share requirement when applying. Eligible applicants are required to complete the FY25 SLCGP application via Salesforce.
Eligible applicants can only submit one application with one project for FY25 SLCGP. Incomplete applications and applications containing more than one project will be rejected. If an applicant attempts to submit more than one application, all applications submitted by that applicant will be rejected.
Any questions should be directed to the SLCGP email box: SLCGP@ncdps.gov.
Funding
North Carolina Emergency Management (NCEM), a division of NC Department of Public Safety (NCDPS), is responsible for managing this grant for the state.
There is no cap on the amount of funding for which eligible applicants may apply for FY25 SLCGP, not to exceed the amount of the entire $2,638,773 federal award for North Carolina. Any FY25 SLCGP funds not passed through to local govt. entities are available for state projects.
FY25 SLCGP requires a 40% non-federal cost share, or match. Subrecipients are required to provide the entire 40% non-federal match/cost share for FY25 SLCGP.
Pass-Through Requirements and Eligible Applicants
Local government entities, community colleges, tribal governments, and state agencies in North Carolina are eligible to apply for FY25 SLCGP funding.
FY25 SLCGP requires a minimum 80% pass-through to local government entities, including a minimum 25% pass-through specifically to rural areas. Rural areas are defined in the FY25 SLCGP Notice of Funding Opportunity (NOFO) as communities with a population of less than 50,000.
Local government entities are defined in N.C.G.S. 159-44 as: “counties; cities, towns, and incorporated villages; consolidated city-counties, as defined by G.S. 160B-2(1); sanitary districts; mosquito control districts; hospital districts; merged school administrative units described in G.S. 115C-513; metropolitan sewerage districts; metropolitan water districts; metropolitan water and sewerage districts; county water and sewer districts; regional public transportation authorities; and special airport districts.”
Community colleges are included in the definition of local government entities for purposes of FY25 SLCGP per N.C.G.S. 143-800(c)(1).
Federally recognized tribes are also included as eligible local government pass-through entities per the FY25 SLCGP NOFO.
Any remaining FY25 SLCGP funds not passed through to local government entities (including community colleges and tribes) are available for state agencies.
Match/Cost Share
As was the case with the FY24 awards, subrecipients in North Carolina are responsible for the required match/cost share for FY25 SLCGP. The required match/cost share for FY25 SLCGP is 40% of total project costs.
For example, if an applicant submits a project costing $100,000, the applicant would be responsible for $40,000 of those costs, and they would only be applying for $60,000 of federal funding for the project ($60,000 federal funding / .60 * .40 = $40,000 subrecipient match/cost share).
Applicants who cannot cover the required match/cost share for their projects should not apply for FY25 SLCGP.
Allowable Costs
Appendix D of the FY25 SLCGP NOFO provides examples of projects that can be funded under this grant by POETE area (Planning, Organization, Equipment, Training and/or Exercises).
SLCGP funds may be used for a range of planning activities, such as those associated with the development, review, and revision of cybersecurity plans. Allowable organizational activities may include program management, operational support and personnel costs related to cybersecurity; however, grantees must demonstrate that any personnel funded by this grant will be sustainable once the program ends or funds are no longer available.
Equipment may be purchased to address cybersecurity risks and cybersecurity threats to information systems owned or operated by grantees. This includes software, licenses & user fees, but only for the duration of the period of performance (POP) of the grant award (may not extend before or beyond the POP). Equipment must be listed on the FEMA Authorized Equipment List (AEL), under any FEMA grant program, to be allowable for SLCGP funding.
Training conducted using SLCGP funds should align to the grantee’s cybersecurity plan, address performance gaps identified through assessments, and contribute to building a capability that will be evaluated through exercises.
Exercises conducted with grant funding should be managed and conducted consistent with Homeland Security Exercise and Evaluation Program (HSEEP) guidance for exercise design, development, conduct, evaluation, and improvement.
Unallowable Costs and EHP
Per the FY25 SLCGP NOFO, grant funds may not be used to acquire land or to construct, remodel, or perform alterations of buildings or other physical facilities; however, this prohibition does not include “minor building modifications” necessary to install and connect grant-purchased equipment that do not substantially affect a building’s structure, layout, systems, or critical aspects of a building’s safety, or otherwise materially increase the value or useful life of a building. Therefore, grant applications requesting funds to acquire land or to construct, remodel, or perform alterations of buildings or other physical facilities beyond “minor building modifications” as described above will be rejected.
Minor modifications may be permitted with appropriate FEMA Environmental Planning and Historic Preservation (EHP) review and compliance.
Examples of allowable “minor modifications” with appropriate EHP review may include:
- Replacing or installing servers, communication, or network components onto existing racks and using existing cabling.
- Installation of new equipment cabling through existing conduit and no new holes in walls, ceilings, or floors.
- Tabletop equipment such as computers, monitors, and workstations.
See SLCGP Minor Modifications to Facilities with EHP Review for more information.
Refer to Section 3.G. of the FY25 SLCGP NOFO for detailed information on funding restrictions and allowable vs. unallowable costs.
Required Elements
The State Cybersecurity Planning Committee has developed a State Cybersecurity Plan that aligns with the 16 required elements specified in the FY24 SLCGP NOFO. All eligible applicants requesting FY25 SLCGP funding in NC must align proposed projects with any/all of these required elements from the FY24 SLCGP NOFO:
(Applicants must select any/all element(s) that support their project proposal)
1. Manage, monitor, and track information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state, and the information technology deployed on those information systems, including legacy information systems and information technology that are no longer supported by the manufacturer of the systems or technology.
2. Monitor, audit, and track network traffic and activity transiting or traveling to or from information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state.
3. Enhance the preparation, response, and resilience of information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state, against cybersecurity risks and cybersecurity threats.
4. Implement a process of continuous cybersecurity vulnerability assessments and threat mitigation practices prioritized by degree of risk to address cybersecurity risks and cybersecurity threats on information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state.
5. Ensure that the state or local governments within the state adopt and use best practices and methodologies to enhance cybersecurity, discussed further below.
- Implement multi-factor authentication
- Implement enhanced logging
- Data encryption for data at rest and in transit
- End use of unsupported/end of life software and hardware that are accessible from the internet
- Prohibit use of known/fixed/default passwords and credentials
- Ensure the ability to reconstitute systems (backups); and
- Migration to the .gov internet domain
Additional best practices that the Cybersecurity Plan can address include:
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework
- NIST’s cyber supply chain risk management best practices; and
- Knowledge bases of adversary tools and tactics
6. Promote the delivery of safe, recognizable, and trustworthy online services by the state or local governments within the state, including through the use of the .gov internet domain.
7. Ensure continuity of operations of the state or local governments within the state, in the event of a cybersecurity incident, including by conducting exercises to practice responding to a cybersecurity incident.
8. Use the National Initiative for Cybersecurity Education (NICE) Workforce Framework for Cybersecurity developed by NIST to identify and mitigate any gaps in the cybersecurity workforces of the state or local governments within the state, enhance recruitment and retention efforts for those workforces, and bolster the knowledge, skills, and abilities of personnel of the state or local governments within the state, to address cybersecurity risks and cybersecurity threats, such as through cybersecurity hygiene training.
9. Ensure continuity of communication and data networks within the jurisdiction of the state between the state and local governments within the state in the event of an incident involving those communications or data networks.
10. Assess and mitigate, to the greatest degree possible, cybersecurity risks and cybersecurity threats relating to critical infrastructure and key resources, the degradation of which may impact the performance of information systems within the jurisdiction of the state.
11. Enhance capabilities to share cyber threat indicators and related information between the state, local governments within the state, and CISA.
12. Leverage cybersecurity services offered by CISA.
13. Implement an information technology and operational technology modernization cybersecurity review process that ensures alignment between information technology and operational technology cybersecurity objectives.
14. Develop and coordinate strategies to address cybersecurity risks and cybersecurity threats. Local governments and associations of local governments within the state should be consulted. Cybersecurity Planning Committees should also consider consulting neighboring entities, including adjacent states and countries.
15. Ensure adequate access to, and participation in, the services and programs described in this subparagraph by rural areas within the state.
16. Distribute funds, items, services, capabilities, or activities to local governments.
Other Requirements from DHS/FEMA:
- Sub-applicants must submit short bios and resumes. This submission should include the type of entity, organizational leadership, and list of board members (if applicable) along with the names and business addresses of the individuals. Sensitive personally identifiable information (PII) such as personal addresses, phone numbers, etc. should not be included with this information. Sub-applicants will upload this information with their application in Salesforce.
- Sub-applicants should not have foreign nationals or noncitizens included. If a sub-applicant has foreign nationals, they must be properly vetted and must adhere to all government statutes, policies, and procedures.
- If awarded funds, subrecipients may be required to provide their mission statement and purpose, along with the amount allocated and the specific role or activity being reimbursed. Subrecipients may also be required to provide information on whether their work or mission involves supporting immigrants [DHS/FEMA uses the term “aliens” instead of immigrants] - regardless of whether FEMA funds support such activities - and whether any FEMA funding was used for an activity involving support to immigrants. Additionally, subrecipients may also be required to disclose if they have any “Diversity, Equity & Inclusion” (DEI) practices.
Application Procedures
Eligible applicants are required to complete the FY25 SLCGP application via Salesforce. You will not be able to submit an FY25 SLCGP application unless/until you have created an account for your eligible organization and registered as a contact for that account in Salesforce.
This short video instructs individuals who need Salesforce access how to request a new user-ID, if they are not already a registered user in the system: https://www.youtube.com/watch?v=SQlzGM97xt8
Completed applications must be submitted by 11:59 pm on November 30, 2025.
Applicants must complete and submit their FY25 SLCGP application in Salesforce by the application deadline.
For FY25 SLCGP, there is no cap on the amount of federal funding for which applicants can apply, not to exceed the amount of the entire $2,638,773 federal award for North Carolina, but applicants can only submit one application with one project. A strict 40% match/cost share of non-federal funds will be required.
Incomplete/Improper Applications
Incomplete applications and applications containing more than one project will be rejected. If an applicant attempts to submit more than one application, all applications submitted by that applicant will be rejected. If you have inadvertently created more than one application in Salesforce, make sure to withdraw the extraneous applications before the deadline of November 30, 2025, at 11:59 pm.
Properly Completed Applications
SLCGP is a competitive grant program. All properly completed applications submitted by eligible applicants will be reviewed and scored by the State Cybersecurity Planning Committee, and the top scoring applicants will receive funding.
Important Dates
Application Period | November 1, 2025 – November 30, 2025 |
Application Deadline | November 30, 2025, by 11:59 pm |
Anticipated Period of Performance for subrecipients (estimated) | September 1, 2025 – March 31, 2029 |
Anticipated Grant Awards to subrecipients (estimated) | Estimated Spring 2026 or later (delayed by federal govt. shutdown) |
SLCGP Education and Q&A Process
Because this is a competitive grant program, NCEM staff will not be able to provide direct assistance with application development or project formulation. All questions regarding FY25 SLCGP and the application process should be submitted to SLCGP@ncdps.gov, subject line FY25 SLCGP Question.
Q&A’s will be answered/updated on this website prior to the application deadline for the equal benefit of all applicants (see Questions & Answers below).
Special Post-Award Requirements
As a condition of receiving SLCGP funding, subrecipients are required to utilize Cybersecurity and Infrastructure Security Agency (CISA) Cyber Hygiene Services, specifically vulnerability scanning and web application scanning.
NOTE: Participation in this service and membership is NOT required to apply for SLCGP funding, only for subrecipients receiving SLCGP awards.
Also of note, the Nationwide Cybersecurity Review (NCSR) is not required for FY25 SLCGP award recipients.
On November 17, 2025, from 10:30 am – noon, there will be a question & answer session for technical assistance to help applicants complete and submit FY25 SLCGP applications in Salesforce. Applicants can drop in anytime during this virtual session for technical assistance with their applications.
Related Content
- FY25 SLCGP Application Guide
- FY25 SLCGP NOFO
- Fiscal Year 2025 State and Local Cybersecurity Grant Program Fact Sheet
- Fiscal Year 2025 State and Local Cybersecurity Grant Program Key Changes
- SLCGP Minor Modifications to Facilities with EHP Review
- Cyber Hygiene Services
- GYGO: Best Practices for Submitting Requests for Reimbursements (RFRs) for NCEM…
- Salesforce
- Questions and Answers - Frequently asked questions & answers can be found at FAQ's