Your browser does not support JavaScript!


State and Local Cybersecurity Grant Program (SLCGP) FAQs

What is the SLCGP?

In the Bipartisan Infrastructure Law, also known as the Infrastructure Investment and Jobs Act (IIJA), Congress established the State and Local Cybersecurity Grant Program (SLCGP) to “award grants to eligible entities to address cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, state, local, or tribal governments.” 

What is the purpose of the SLCGP?

The SLCGP provides funding to state, local, tribal and territorial (SLTT) governments to address cybersecurity risks and cybersecurity threats to SLTT-owned or operated information systems. All requirements and program guidance are established in the notice of funding opportunity (NOFO).

The overarching goal of the program is to assist SLTT governments in managing and reducing systemic cyber risks. To accomplish this, CISA has established four discrete, but interrelated objectives: 

  • Governance and planning: Develop and establish appropriate governance structures, as well as plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations.
  • Assessment and evaluation: Identify areas for improvement in SLTT cybersecurity posture based on continuous testing, evaluation, and structured assessments.
  • Mitigation: Implement security protections commensurate with risk (outcomes of Objectives 1 and 2), using the best practices as described in element 5 of the required 16 elements of the cybersecurity plans and those further listed in the NOFO.
  • Workforce development: Ensure organization personnel are appropriately trained in cybersecurity, commensurate with their responsibilities as suggested in the National Initiative for Cybersecurity Education.

How many years of appropriations were authorized for the SLCGP?

A total of 4 years of funding were appropriated for the SLCGP. The funding began in federal fiscal year (FFY) 2022 and goes through FFY2025. Each funding year has a period of performance of 48 months.

How are the federal funds allocated, applied for and distributed?

The allocation formula in the Bipartisan Infrastructure Law includes a base level of funding for each state and territory. Allocations for states, the District of Columbia, and Puerto Rico include additional funds based on a combination of total population and rural population. Final allocations for each state and territory are included when notice of funding opportunities are published.

State Administrative Agencies (SAAs) for states and territories are the only eligible applicants for the federal grant funds. In Virginia, local governments will work with the Virginia Cybersecurity Planning Committee to receive subawards.

What is the Virginia Cybersecurity Planning Committee?

The Virginia Cybersecurity Planning Committee (VCPC) was created and has the authority to adopt a charter and bylaws pursuant to the Infrastructure Investment and Jobs Act (IIJA), Pub. L. No. 117- 58, § 70612 (2021), and Item 93(F) of Virginia’s 2022 Appropriation Act. 

VCPC is constituted under the IIJA and Item 93 as a “planning committee.” As a “planning committee,” VCPC is specifically charged with: 

  • Assisting with the development, implementation, and revision of the Cybersecurity Plan;
  • Approving the Cybersecurity Plan;
  • Assisting with the determination of effective funding priorities;
  • Coordinating with other committees and like entities with the goal of maximizing coordination and reducing duplication of effort;
  • Creating a cohesive planning network that builds and implements cybersecurity preparedness initiatives using FEMA resources, as well as other federal, SLT, private sector, and faith-based community resources;
  • Ensuring investments support closing capability gaps or sustaining capabilities; and
  • Ensuring local government members, including representatives from counties, cities, and towns within the eligible entity provide consent on behalf of all local entities across the eligible entity for services, capabilities, or activities provided by the eligible entity through this program. 

The VCPC is not permitted to make decisions relating to information systems owned or operated by, or on behalf of, the state. 

What funding priorities and associated projects has the VCPC approved so far?

The following projects were approved by the VCPC and will be implemented using SLCGP program year 1 funding: 

  • Management and administration – Funding to provide for the administration, oversight and compliance of the grant award.
  • Cyber threat indicator information sharing – Funding to establish a Virginia Information Sharing and Analysis Center (VA-ISAC).
  • Cybersecurity plan and assessments – Funding to establish the Virginia Cybersecurity Plan and complete a cybersecurity plan capability assessment.
  • *Now accepting applications* Cybersecurity plan capability assessments application – Funding to conduct baseline assessments against the state-wide cybersecurity plan program objectives

What is the Virginia Cybersecurity Plan?

Virginia's statewide cybersecurity plan, created by the VCPC, represents a continued commitment to improving and supporting a whole of state approach to cybersecurity. The plan also meets the requirement of the current U.S. Department of Homeland Security guidelines for the SLCGP.

The Cybersecurity Plan includes actionable and measurable goals and objectives focused on: inventory and control of technology assets, software and data, threat monitoring, threat protection and prevention, data recovery and continuity, and understanding an organization’s cybersecurity maturity level. They are designed to support the Commonwealth in planning for effective security technologies and navigating the ever-changing cybersecurity landscape.

Cybersecurity Plan Vision for Improving Cybersecurity

Create a cybersecurity ecosystem supporting a whole of state approach for state and local governments to safeguard critical infrastructure, protect Virginians’ data, and ensure the continuity of essential services. 

Cybersecurity Plan Mission

To further establish and enhance the cybersecurity capabilities of state, local, and tribal government entities in Virginia by providing a framework of technology and services to effectively identify, mitigate, protect, detect, and respond to cyber threats. Through leveraging of shared capabilities, strategic planning, and common technology the Commonwealth of Virginia strives to efficiently and effectively protect the confidentiality, integrity, and availability of critical systems, data, and services that benefit Virginians.

View the Cybersecurity Plan

Who is eligible for grant funding through this program?

Eligible applications for this program must meet the definition of “local government” as defined in 6 U.S.C. § 101(13):

  • County, municipality, city, town, township, local public authority, school district, special district, intrastate district, council of governments (regardless of whether the council of governments is incorporated as a nonprofit corporation under State law), regional or interstate government entity, or agency or instrumentality of a local government
  • A public educational institution (e.g., elementary school, secondary school, or institution of higher education) is generally eligible to receive assistance under SLCGP if it is an agency or instrumentality of a state or local government under state and/or local law.
  • Federally recognized tribe or authorized tribal organization
  • Rural community, unincorporated town or village, or other public entity.

Ineligible applicants include: 

  1. Nonprofit organizations; and
  2. Private corporations
  3. Private Educational Institutions 
    A private educational institution would not be eligible to receive SLCGP assistance because it is not an agency or instrumentality of a state or local government. “Assistance” means either funding, non-funding assistance (i.e., items, services, capabilities, or activities), or a combination of both.  
    The eligibility of charter schools depends on the function of the charter school – it will be eligible if, and only if, it is an agency or an instrumentality of the state or local government. This will be a determination for VITA and VDEM to make, based on state or local law. 

If you have questions or feel your jurisdiction needs help meeting any of the grant requirements, please contact 

Where can I learn more about this program?

For more information about the federal grant program, visit: State and Local Cybersecurity Grant Program | CISA. For more information about Virginia’s program, visit: Grant Programs | Virginia IT Agency.

Why is a local consent agreement (LCA) needed for some grants/projects?

The SLCGP seeks to bring state and local government together to improve cybersecurity and therefore balances roles and authorities. For example, the SLCGP allows grants only to states and mandates statewide cybersecurity plans but also requires 80% of the grant funding be used to benefit localities. The SLCGP encourages shared services but also requires LCAs when a state will provide items, services, capabilities, and activities in lieu of subgrants of funding (unless state law authorizes the state to decide for localities). For this assessments project, Virginia is undertaking all of the grant administration and matching funding obligations and providing services (an assessment) to each participating entity. Accordingly, participating entities need to submit both an application and a LCA.