Infrastructure Investment and Jobs Act State and Local Cybersecurity Grant Program

The FY-22 Notice of Funding Opportunity (NOFO) for the Infrastructure Investment and Jobs Act (IIJA) State and Local Cybersecurity Grant Program (SLCGP) was released in September 2022. The program appropriated $1 billion over four years to be allocated to states to enhance their cybersecurity posture.

 

North Carolina has an application pending for federal grant funding of approximately $5.3 million for FY-22. The SLCGP requires an 80% passthrough to local entities and a 25% passthrough specifically to rural communities, which are defined as communities with fewer than 50,000 residents. North Carolina Emergency Management (NCEM), a division of the NC Department of Public Safety (NCDPS), is charged with managing this grant for the state. The grant requires that recipients of SLCGP funding provide a 10% match to receive funding. For the first year of this grant, NCEM will provide the required match for both state and local entities.

Applicant Requirements

As a condition of receiving SLCGP funding, the grant recipient is required to adhere to or sign up for the CISA Cyber Hygiene Services, specifically vulnerability scanning and web application scanning. Additionally, recipients must complete the Nationwide Cybersecurity Review (NCSR) administered by the MS-ISAC during the first year of the award/subaward period of performance and annually thereafter. The NCSR is also a requirement for any recipient of Homeland Security Grant Program (HSGP) funding.

 

NOTE: Participation in these services and memberships is NOT required for submission and approval of a grant.

 

Survey

To aid in the process of distributing SLCGP funds, we have created a short survey that will help identify priorities for future funding requests.  Please complete the survey at your earliest convenience on behalf of your county, municipality, or organization to gauge interest and focus for the grant outlined below. Pursuant to NCGS 132, the information collected in this survey contains sensitive security information, is for official use only, and is protected from public disclosure.

 

All eligible entities that anticipate submitting a request for funding should complete the following survey. The Cybersecurity Planning Committee will review the results of the survey and begin planning how best to use the grant funding to satisfy anticipated funding requests. The Committee will also review where economies of scale may benefit the recipients of funding.

 

Cybersecurity Planning Committee and Plan Requirements

The grant requires that each state create a Cybersecurity Planning Committee with a Charter, and that the Cybersecurity Planning Committee create a Cybersecurity Plan for the state that includes the elements listed below. The charter has been completed and the plan is in process. We anticipate that the State’s application will be approved in a timely manner. Once our application is approved, we will open a state application period for eligible entities to apply for funding. All state, local and tribal entities are eligible to request funding for projects that align with any of the 16 required elements listed below.

SLCGP Cybersecurity Plan Requirements

  1. Manage, monitor, and track information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state, and the information technology deployed on those information systems, including legacy information systems and information technology that are no longer supported by the manufacturer of the systems or technology.
  2. Monitor, audit, and track network traffic and activity transiting or traveling to or from information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state.
  3. Enhance the preparation, response, and resilience of information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state, against cybersecurity risks and cybersecurity threats.
  4. Implement a process of continuous cybersecurity vulnerability assessments and threat mitigation practices prioritized by degree of risk to address cybersecurity risks and cybersecurity threats on information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state.
  5. Ensure that the state or local governments within the state adopt and use best practices and methodologies to enhance cybersecurity, discussed further below.
    • Implement multi-factor authentication;
    • Implement enhanced logging;
    • Data encryption for data at rest and in transit;
    • End use of unsupported/end of life software and hardware that are accessible from the internet;
    • Prohibit use of known/fixed/default passwords and credentials;
    • Ensure the ability to reconstitute systems (backups); and
    • Migration to the .gov internet domain.
    • Additional best practices that the Cybersecurity Plan can address include:
      • The National Institute of Standards and Technology (NIST) Cybersecurity Framework;
      • NIST’s cyber supply chain risk management best practices; and
      • Knowledge bases of adversary tools and tactics.
  6. Promote the delivery of safe, recognizable, and trustworthy online services by the state or local governments within the state, including through the use of the .gov internet domain.
  7. Ensure continuity of operations of the state or local governments within the state, in the event of a cybersecurity incident, including by conducting exercises to practice responding to a cybersecurity incident.
  8. Use the National Initiative for Cybersecurity Education (NICE) Workforce Framework for Cybersecurity developed by NIST to identify and mitigate any gaps in the cybersecurity workforces of the state or local governments within the state, enhance recruitment and retention efforts for those workforces, and bolster the knowledge, skills, and abilities of personnel of the state or local governments within the state, to address cybersecurity risks and cybersecurity threats, such as through cybersecurity hygiene training.
  9. Ensure continuity of communication and data networks within the jurisdiction of the state between the state and local governments within the state in the event of an incident involving those communications or data networks.
  10. Assess and mitigate, to the greatest degree possible, cybersecurity risks and cybersecurity threats relating to critical infrastructure and key resources, the degradation of which may impact the performance of information systems within the jurisdiction of the state.
  11. Enhance capabilities to share cyber threat indicators and related information between the state, local governments within the state, and CISA.
  12. Leverage cybersecurity services offered by the Department (See Appendix G for additional information on CISA resources and required services and membership).
  13. Implement an information technology and operational technology modernization cybersecurity review process that ensures alignment between information technology and operational technology cybersecurity objectives.
  14. Develop and coordinate strategies to address cybersecurity risks and cybersecurity threats. Local governments and associations of local governments within the state should be consulted. Cybersecurity Planning Committees should also consider consulting neighboring entities, including adjacent states and countries.
  15. Ensure adequate access to, and participation in, the services and programs described in this subparagraph by rural areas within the state.
  16. Distribute funds, items, services, capabilities, or activities to local governments.

 

This is NOT the official application for funding.  Detailed instructions on the application process will follow once the State application is approved by the Department of Homeland Security. 

If you have questions, please see the FAQs or contact your Area Coordinator.

Visit CISA Cyber Grants for more information on grant opportunities.