Cybersecurity Grants

In the Bipartisan Infrastructure Law, also known as the Infrastructure Investment and Jobs Act (IIJA), Congress established the State and Local Cybersecurity Grant Program (SLCGP) to “award grants to eligible entities to address cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, state, local, or tribal governments.” 

The SLCGP provides funding to state, local, tribal and territorial (SLTT) governments to address cybersecurity risks and cybersecurity threats to SLTT-owned or operated information systems. All requirements and program guidance are established in the notice of funding opportunity (NOFO).

The overarching goal of the program is to assist SLTT governments in managing and reducing systemic cyber risks. To accomplish this, CISA has established four discrete, but interrelated objectives: 

• Governance and planning: Develop and establish appropriate governance structures, as well as plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations.
• Assessment and evaluation: Identify areas for improvement in SLTT cybersecurity posture based on continuous testing, evaluation, and structured assessments.
• Mitigation: Implement security protections commensurate with risk (outcomes of Objectives 1 and 2), using the best practices as described in element 5 of the required 16 elements of the cybersecurity plans and those further listed in the NOFO.
• Workforce development: Ensure organization personnel are appropriately trained in cybersecurity, commensurate with their responsibilities as suggested in the National Initiative for Cybersecurity Education.

A total of 4 years of funding were appropriated for the SLCGP. The funding began in federal fiscal year (FFY) 2022 and goes through FFY2025. Each funding year has a period of performance of 48 months.

The allocation formula in the Bipartisan Infrastructure Law includes a base level of funding for each state and territory. Allocations for states, the District of Columbia, and Puerto Rico include additional funds based on a combination of total population and rural population. Final allocations for each state and territory are included when notice of funding opportunities are published.

State Administrative Agencies (SAAs) for states and territories are the only eligible applicants for the federal grant funds. In Virginia, local governments will work with the Virginia Cybersecurity Planning Committee to receive subawards.

The Virginia Cybersecurity Planning Committee (VCPC) was created and has the authority to adopt a charter and bylaws pursuant to the Infrastructure Investment and Jobs Act (IIJA), Pub. L. No. 117- 58, § 70612 (2021), and Item 93(F) of Virginia’s 2022 Appropriation Act. 

VCPC is constituted under the IIJA and Item 93 as a “planning committee.” As a “planning committee,” VCPC is specifically charged with: 

• Assisting with the development, implementation, and revision of the Cybersecurity Plan;
• Approving the Cybersecurity Plan;
• Assisting with the determination of effective funding priorities;
• Coordinating with other committees and like entities with the goal of maximizing coordination and reducing duplication of effort;
• Creating a cohesive planning network that builds and implements cybersecurity preparedness initiatives using FEMA resources, as well as other federal, SLT, private sector, and faith-based community resources;
• Ensuring investments support closing capability gaps or sustaining capabilities; and
• Ensuring local government members, including representatives from counties, cities, and towns within the eligible entity provide consent on behalf of all local entities across the eligible entity for services, capabilities, or activities provided by the eligible entity through this program. 

The VCPC is not permitted to make decisions relating to information systems owned or operated by, or on behalf of, the state. 

The following projects were approved by the VCPC and will be implemented using SLCGP program year 1 funding: 

• Management and administration – Funding to provide for the administration, oversight and compliance of the grant award.
• Cyber threat indicator information sharing – Funding to establish a Virginia Information Sharing and Analysis Center (VA-ISAC).
• Cybersecurity plan and assessments – Funding to establish the Virginia Cybersecurity Plan and complete a cybersecurity plan capability assessment.
• *Application window now closed* Cybersecurity plan – Funding to conduct baseline assessments against the state-wide cybersecurity plan program objectives

Virginia's statewide cybersecurity plan, created by the VCPC, represents a continued commitment to improving and supporting a whole of state approach to cybersecurity. The plan also meets the requirement of the current U.S. Department of Homeland Security guidelines for the SLCGP.​

The Cybersecurity Plan includes actionable and measurable goals and objectives focused on: inventory and control of technology assets, software and data, threat monitoring, threat protection and prevention, data recovery and continuity, and understanding an organization’s cybersecurity maturity level. They are designed to support the Commonwealth in planning for effective security technologies and navigating the ever-changing cybersecurity landscape.​

Cybersecurity Plan Vision for Improving Cybersecurity​

Create a cybersecurity ecosystem supporting a whole of state approach for state and local governments to safeguard critical infrastructure, protect Virginians’ data, and ensure the continuity of essential services. ​

Cybersecurity Plan Mission​

To further establish and enhance the cybersecurity capabilities of state, local, and tribal government entities in Virginia by providing a framework of technology and services to effectively identify, mitigate, protect, detect, and respond to cyber threats. Through leveraging of shared capabilities, strategic planning, and common technology the Commonwealth of Virginia strives to efficiently and effectively protect the confidentiality, integrity, and availability of critical systems, data, and services that benefit Virginians.​

View the Cybersecurity Plan​

Eligible applications for this program must meet the definition of “local government” as defined in 6 U.S.C. § 101(13):

• County, municipality, city, town, township, local public authority, school district, special district, intrastate district, council of governments (regardless of whether the council of governments is incorporated as a nonprofit corporation under State law), regional or interstate government entity, or agency or instrumentality of a local government
• A public educational institution (e.g., elementary school, secondary school, or institution of higher education) is generally eligible to receive assistance under SLCGP if it is an agency or instrumentality of a state or local government under state and/or local law.
• Federally recognized tribe or authorized tribal organization
• Rural community, unincorporated town or village, or other public entity.

Ineligible applicants include: 

1. Nonprofit organizations; and
2. Private corporations
3. Private Educational Institutions 
   A private educational institution would not be eligible to receive SLCGP assistance because it is not an agency or instrumentality of a state or local government. “Assistance” means either funding, non-funding assistance (i.e., items, services, capabilities, or activities), or a combination of both.  
    
   The eligibility of charter schools depends on the function of the charter school – it will be eligible if, and only if, it is an agency or an instrumentality of the state or local government. This will be a determination for VITA and VDEM to make, based on state or local law. 

If you have questions or feel your jurisdiction needs help meeting any of the grant requirements, please contact cybercommittee@vita.virginia.gov. 

For more information about the federal grant program, visit: State and Local Cybersecurity Grant Program | CISA. For more information about Virginia’s program, visit: Grant Programs | Virginia IT Agency.

The SLCGP seeks to bring state and local government together to improve cybersecurity and therefore balances roles and authorities. For example, the SLCGP allows grants only to states and mandates statewide cybersecurity plans but also requires 80% of the grant funding be used to benefit localities. The SLCGP encourages shared services but also requires LCAs when a state will provide items, services, capabilities, and activities in lieu of subgrants of funding (unless state law authorizes the state to decide for localities). For this assessments project, Virginia is undertaking all of the grant administration and matching funding obligations and providing services (an assessment) to each participating entity. Accordingly, participating entities need to submit both an application and a LCA.

In order to apply for Phase 2 projects, you must have participated in the Cybersecurity Plan Capability Assessment Project, or complete a comparable assessment using this Phase 2 template.

A project area is a specific cybersecurity capability from 2022 Virginia Cybersecurity Plan. You will be able to submit applications in the following project areas:

• Installing and maintaining vulnerability management software
• Implementing secure remote network access, including zero trust network access and multifactor authentication
• Creating and maintaining an enterprise asset inventory of all technology assets (including hardware and software)
• Establishing and maintaining a data inventory and performing data sensitivity analysis for all systems supporting the organization's business
• Deploying endpoint detection and response for all workstations and servers
• Implementing firewalls for ingress and egress points, end point devices, and web applications

These project areas were approved by the Virginia Cybersecurity Planning Committee during its Oct. 30 meeting. You can review the data presented to the committee and the recommendation on Regulatory Town Hall. You can also read the minutes of the meeting.

A project execution type is a way of completing work associated with the above project areas. These project execution types were designed with the intention of keeping things as simple as possible for local governments and other qualified entities.

You'll submit one application for each project area, and within that application, you'll choose from the following project execution types:​​

In order you apply, you will need:

• Cybersecurity plan capability assessment is required for all project areas and project execution types. If you participated in the first SLCGP project, then this is already complete for you. If not, you'll need to complete the applicable highlighted rows in Cybergrant Assessment Template Phase2.

• Additional license purchase only project execution type applications will need your current software name, number of additional licenses needed, and cost per license.

• Pass-through funding project execution type applications will need to be prepared to address the following in the application:
• Project description
• Improvements expected
• Total funds requested
• Budget broken into the following categories:
  • Software
  • Hardware
  • Staff/Staff augmentation
• Anticipated timeframe
• Major milestones

No - Participation in the prior project (Cybersecurity Plan Capability Assessment project) is not required.

Decisions for phase 2 applications will be based on:

• Whether your organization meets the subrecipient eligibility criteria listed above

• Participation in the Cybersecurity Plan Capability Assessment -or- completion of an equivalent assessment

• Alignment of your organization's resources to support the project area and project execution type selected. For example, if you choose Firewall Implementation Only, your organization should have the knowledge, skills, and ability to maintain the firewall software once it is implemented.

Decisions throughout the SLCGP are focused on maximizing improvements to cybersecurity capabilities across the Commonwealth while complying with grant program requirements, such as the required set aside for rural localities.

We anticipate that projects could begin as early as May 2025 and should conclude by May 2026.

Yes! The findings from your assessment should provide insight into the areas you should apply as well as the best project execution type for your organization. However, we don't want to assume that you want to pursue all potential areas, and that the Phase 2 timing is appropriate for your organization.