State and Local Cybersecurity Grant Program (SLCGP)
On Sept. 16, 2022, the Department of Homeland Security (DHS) announced a first-of-its-kind cybersecurity grant program specifically for state, local, and territorial (SLT) governments across the country.
VITA, in partnership with the State Administrative Agency (SAA) for the Commonwealth, the Virginia Department of Emergency Management, has applied and been approved for all available program years.
Virginia participation in the SLCGP is focused on:
- Achieving improvements for as many qualified entities as possible
- Making it straightforward for qualified entities to participate while meeting all requirements outlined in the Notices of Funding Opportunity associated with the federal grant program
These two focus areas resulted in a program design that:
- Provides opportunities for qualified entities to participate without taking on the burden of federal grant management requirements
- Creates project execution types that provide the resources needed to implement and maintain improvements for qualified entities that may not have the staff to support
- Involves applications that are relatively simple
While Virginia's approach to the SLCGP is different from many grant programs, it remains dedicated to managing and reducing systemic cyber risk through the objectives outlined in SLCGP Notices of Funding Opportunity.
For more information on the federal SLCGP program, visit https://www.cisa.gov/cybergrants/slcgp.
Virginia Cybersecurity Planning Committee (VCPC)
The VCPC, a requirement of the SLCGP, is comprised of cybersecurity and IT leaders from state and local government, and the private sector. All VCPC members are appointed by Governor Youngkin.
Purpose
The VCPC is responsible for creating and maintaining Virginia’s Cybersecurity Plan. They also assist with determining funding priorities and aligning investments with closing capability gaps or sustaining capabilities.
Cybersecurity Plan
Virginia's statewide cybersecurity plan, created by the VCPC, represents a continued commitment to improving and supporting a whole of state approach to cybersecurity. The plan also meets the requirement of the current U.S. Department of Homeland Security guidelines for the SLCGP.
The Cybersecurity Plan includes actionable and measurable goals and objectives focused on: inventory and control of technology assets, software and data, threat monitoring, threat protection and prevention, data recovery and continuity, and understanding an organization’s cybersecurity maturity level. They are designed to support the Commonwealth in planning for effective security technologies and navigating the ever-changing cybersecurity landscape.
Cybersecurity Plan Vision for Improving Cybersecurity
- Create a cybersecurity ecosystem supporting a whole of state approach for state and local governments to safeguard critical infrastructure, protect Virginians’ data, and ensure the continuity of essential services.
Cybersecurity Plan Mission
- To further establish and enhance the cybersecurity capabilities of state, local, and tribal government entities in Virginia by providing a framework of technology and services to effectively identify, mitigate, protect, detect, and respond to cyber threats. Through leveraging of shared capabilities, strategic planning, and common technology the Commonwealth of Virginia strives to efficiently and effectively protect the confidentiality, integrity, and availability of critical systems, data, and services that benefit Virginians.
View the 2022 Virginia Cybersecurity Plan.
State Cost Share
Each program year of the SLCGP requires a cost share:
Program Year | Cost Share |
---|---|
Federal FY 2022 | 10% |
Federal FY 2023 | 20% |
Federal FY 2024 | 30% |
Federal FY 2025 | 40% |
This cost share is required for all spending from the grant, whether for local passthrough grants, statewide projects or management and administration.
In 2022, the Virginia General Assembly appropriated state cost share funds of more than $4.9 million. These funds are being used to minimize and/or eliminate the need for qualified entities to provide cost share funds to participate in SLCGP projects.
Projects
Now Accepting Applications
The State and Local Cybersecurity Grant Program (SLCGP) is accepting applications for Phase 2 projects, in the areas of:
- Vulnerability
- Secure Remote Network Access
- Asset Inventory
- Data Inventory
- Endpoint Detection and Response
- Firewalls
Ongoing Projects
- Cyber threat indicator information sharing - funding a security operations center
- Cybersecurity plan and assessments - funding to establish the Virginia Cybersecurity Plan and complete a cybersecurity plan capability assessment
- Management and administration - funding to provide for the administration, oversight and compliance of the grant award
Completed Projects
- Cybersecurity Plan Capability Assessment Project - funding to conduct baseline assessments against the state-wide cybersecurity plan program objectives
FAQs
FAQs: State and Local Cybersecurity Grant Program
To learn more about the State and Local Cybersecurity Grant Program (SLCGP), visit frequently asked questions (FAQs).
Stay Connected
- Join the VDEM listserv for this grant:
  - Visit Virginia Department of Emergency Management (govdelivery.com), enter your email address, and then select the "State and Local Cybersecurity Grants Program" from the list (near the bottom). All notifications and reminders for grant applications will be shared via this email list.
- Attend a Virginia Cybersecurity Planning Committee (VCPC) meeting or review past meeting materials:
  - VCPC meetings provide the public venue for oversight of the SLCGP, where attendees learn more about the strategic direction of the program.
  - Visit Virginia Regulatory Town Hall - Meetings to view past meeting materials and see upcoming meeting dates, times, locations and electronic access information.
  - To register for meeting notifications, sign up here: Virginia Regulatory Town Hall - Public user registration
- Contact cybercommittee@vita.virginia.gov with any questions.
State and Local Cybersecurity Grant Program (SLCGP) FAQs
last updated: January 8, 2025
In the Bipartisan Infrastructure Law, also known as the Infrastructure Investment and Jobs Act (IIJA), Congress established the State and Local Cybersecurity Grant Program (SLCGP) to “award grants to eligible entities to address cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, state, local, or tribal governments.”
The SLCGP provides funding to state, local, tribal and territorial (SLTT) governments to address cybersecurity risks and cybersecurity threats to SLTT-owned or operated information systems. All requirements and program guidance are established in the notice of funding opportunity (NOFO).
The overarching goal of the program is to assist SLTT governments in managing and reducing systemic cyber risks. To accomplish this, CISA has established four discrete, but interrelated objectives:
- Governance and planning: Develop and establish appropriate governance structures, as well as plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations.
- Assessment and evaluation: Identify areas for improvement in SLTT cybersecurity posture based on continuous testing, evaluation, and structured assessments.
- Mitigation: Implement security protections commensurate with risk (outcomes of Objectives 1 and 2), using the best practices as described in element 5 of the required 16 elements of the cybersecurity plans and those further listed in the NOFO.
- Workforce development: Ensure organization personnel are appropriately trained in cybersecurity, commensurate with their responsibilities as suggested in the National Initiative for Cybersecurity Education.
A total of 4 years of funding were appropriated for the SLCGP. The funding began in federal fiscal year (FFY) 2022 and goes through FFY2025. Each funding year has a period of performance of 48 months.
The allocation formula in the Bipartisan Infrastructure Law includes a base level of funding for each state and territory. Allocations for states, the District of Columbia, and Puerto Rico include additional funds based on a combination of total population and rural population. Final allocations for each state and territory are included when notices of funding opportunity are published.
State Administrative Agencies (SAAs) for states and territories are the only eligible applicants for the federal grant funds. In Virginia, local governments will work with the Virginia Cybersecurity Planning Committee to receive subawards.
The Virginia Cybersecurity Planning Committee (VCPC) was created and has the authority to adopt a charter and bylaws pursuant to the Infrastructure Investment and Jobs Act (IIJA), Pub. L. No. 117-58, § 70612 (2021), and Item 93(F) of Virginia’s 2022 Appropriation Act.
VCPC is constituted under the IIJA and Item 93 as a “planning committee.” As a “planning committee,” VCPC is specifically charged with:
- Assisting with the development, implementation, and revision of the Cybersecurity Plan;
- Approving the Cybersecurity Plan;
- Assisting with the determination of effective funding priorities;
- Coordinating with other committees and like entities with the goal of maximizing coordination and reducing duplication of effort;
- Creating a cohesive planning network that builds and implements cybersecurity preparedness initiatives using FEMA resources, as well as other federal, SLT, private sector, and faith-based community resources;
- Ensuring investments support closing capability gaps or sustaining capabilities; and
- Ensuring local government members, including representatives from counties, cities, and towns within the eligible entity provide consent on behalf of all local entities across the eligible entity for services, capabilities, or activities provided by the eligible entity through this program.
The VCPC is not permitted to make decisions relating to information systems owned or operated by, or on behalf of, the state.
The following projects were approved by the VCPC and will be implemented using SLCGP program year 1 funding:
- Management and administration – Funding to provide for the administration, oversight and compliance of the grant award.
- Cyber threat indicator information sharing – Funding to establish a Virginia Information Sharing and Analysis Center (VA-ISAC).
- Cybersecurity plan and assessments – Funding to establish the Virginia Cybersecurity Plan and complete a cybersecurity plan capability assessment.
- *Application window now closed* Cybersecurity plan – Funding to conduct baseline assessments against the state-wide cybersecurity plan program objectives
Eligible applicants for this program must meet the definition of “local government” as defined in 6 U.S.C. § 101(13):
- County, municipality, city, town, township, local public authority, school district, special district, intrastate district, council of governments (regardless of whether the council of governments is incorporated as a nonprofit corporation under State law), regional or interstate government entity, or agency or instrumentality of a local government
- A public educational institution (e.g., elementary school, secondary school, or institution of higher education) is generally eligible to receive assistance under SLCGP if it is an agency or instrumentality of a state or local government under state and/or local law.
- Federally recognized tribe or authorized tribal organization
- Rural community, unincorporated town or village, or other public entity.
Ineligible applicants include:
- Nonprofit organizations
- Private corporations
- Private educational institutions
A private educational institution would not be eligible to receive SLCGP assistance because it is not an agency or instrumentality of a state or local government. “Assistance” means either funding, non-funding assistance (i.e., items, services, capabilities, or activities), or a combination of both.
The eligibility of charter schools depends on the function of the charter school – it will be eligible if, and only if, it is an agency or an instrumentality of the state or local government. This will be a determination for VITA and VDEM to make, based on state or local law.
If you have questions or feel your jurisdiction needs help meeting any of the grant requirements, please contact cybercommittee@vita.virginia.gov.
For more information about the federal grant program, visit: State and Local Cybersecurity Grant Program | CISA. For more information about Virginia’s program, visit: Grant Programs | Virginia IT Agency.
The SLCGP seeks to bring state and local government together to improve cybersecurity and therefore balances roles and authorities. For example, the SLCGP allows grants only to states and mandates statewide cybersecurity plans but also requires 80% of the grant funding be used to benefit localities. The SLCGP encourages shared services but also requires LCAs when a state will provide items, services, capabilities, and activities in lieu of subgrants of funding (unless state law authorizes the state to decide for localities). For this assessments project, Virginia is undertaking all of the grant administration and matching funding obligations and providing services (an assessment) to each participating entity. Accordingly, participating entities need to submit both an application and an LCA.
In order to apply for Phase 2 projects, you must have participated in the Cybersecurity Plan Capability Assessment Project, or complete a comparable assessment using this Phase 2 template.
A project area is a specific cybersecurity capability from the 2022 Virginia Cybersecurity Plan. You will be able to submit applications in the following project areas:
- Installing and maintaining vulnerability management software
- Implementing secure remote network access, including zero trust network access and multifactor authentication
- Creating and maintaining an enterprise asset inventory of all technology assets (including hardware and software)
- Establishing and maintaining a data inventory and performing data sensitivity analysis for all systems supporting the organization's business
- Deploying endpoint detection and response for all workstations and servers
- Implementing firewalls for ingress and egress points, end point devices, and web applications
These project areas were approved by the Virginia Cybersecurity Planning Committee during its Oct. 30 meeting. You can review the data presented to the committee and the recommendation on Regulatory Town Hall. You can also read the minutes of the meeting.
A project execution type is a way of completing work associated with the above project areas. These project execution types were designed with the intention of keeping things as simple as possible for local governments and other qualified entities.
You'll submit one application for each project area, and within that application, you'll choose from the following project execution types:
Project Execution Type | Select if you ... |
---|---|
Additional license purchase only | |
Contract only | |
Implementation | |
Full service | |
Pass-through funding project | |
In order to apply, you will need:
- Cybersecurity plan capability assessment is required for all project areas and project execution types. If you participated in the first SLCGP project, then this is already complete for you. If not, you'll need to complete the applicable highlighted rows in Cybergrant Assessment Template Phase2.
- Additional license purchase only project execution type applications will need your current software name, number of additional licenses needed, and cost per license.
- Pass-through funding project execution type applications will need to be prepared to address the following in the application:
  - Project description
  - Improvements expected
  - Total funds requested
  - Budget broken into the following categories:
    - Software
    - Hardware
    - Staff/Staff augmentation
  - Anticipated timeframe
  - Major milestones
No - Participation in the prior project (Cybersecurity Plan Capability Assessment project) is not required.
Decisions for phase 2 applications will be based on:
- Whether your organization meets the subrecipient eligibility criteria listed above
- Participation in the Cybersecurity Plan Capability Assessment -or- completion of an equivalent assessment
- Alignment of your organization's resources to support the project area and project execution type selected. For example, if you choose Firewall Implementation Only, your organization should have the knowledge, skills, and ability to maintain the firewall software once it is implemented.
Decisions throughout the SLCGP are focused on maximizing improvements to cybersecurity capabilities across the Commonwealth while complying with grant program requirements, such as the required set aside for rural localities.
We anticipate that projects could begin as early as May 2025 and should conclude by May 2026.
Yes! The findings from your assessment should provide insight into the areas in which you should apply as well as the best project execution type for your organization. However, we don't want to assume that you want to pursue all potential areas, or that the Phase 2 timing is appropriate for your organization.