2022 State and Local Cybersecurity Grant Program
Last Updated 12/14/2023
2022 SLCGP
2022 State and Local Cybersecurity Grant Program (SLCGP) Awardee Guidance
FY22 SLCGP applications are no longer being accepted since the application period has closed.
FY22 SLCGP awardees have been notified. Applicants who were not selected for an FY22 SLCGP award have also been notified of the decision.
FY22 SLCGP Cost Report Forms in Development
FY22 SLCGP cost report forms needed for subrecipients to submit reimbursement requests are currently in development. Delay is due to the transition to the new North Carolina Financial System (NCFS). Cost report forms will be sent directly to al FY22 subrecipients once prepared. A virtual information session will be scheduled to assist FY22 SLCGP subrecipients with the reimbursement request process once the cost report forms become available. Check back on this website for updates.
Sensitive Information
If any grant documents include or contain “security features of electronic data processing systems, information technology systems, telecommunications networks, or electronic security systems, including hardware or software security, passwords, or security standards, procedures, processes, configurations, software, and codes” that the subrecipient certifies is not subject to public release per N.C.G.S. 132-6.1(c), it is recommended that the subrecipient submit their data via encrypted email and/or password protected PDF file.
Consult your IT professionals for guidance on email encryption and/or password protection if needed to protect any sensitive information contained in your documentation. Please send all documentation to SLCGP@NCDPS.gov
This website was updated September 29, 2023 and will be updated again when we open the FY23 SLCGP application period later this year.
Funding
As a part of North Carolina’s approved application for FY22 State and Local Cybersecurity Grant Program (SLCGP), the state will receive approximately $5.3 million in federal grant funding under this award. North Carolina Emergency Management (NCEM), a division of the NC Department of Public Safety (NCDPS), is charged with managing this grant for the state.
FY22 SLCGP requires a 10% non-federal cost share, or match, raising the total amount of funding to almost $6 million. NCEM will provide the entire 10% non-federal cost share for the FY22 SLCGP. Required non-federal cost shares may be passed on to individual subrecipients if the state receives an SLCGP award in FY23 or any future years.
Pass-Through Requirements and Eligible Applicants
Local government entities, community colleges, tribal governments, and state agencies in North Carolina are eligible to apply for FY22 SLCGP funding.
FY22 SLCGP requires a minimum 80% pass-through to local government entities, including a minimum 25% pass-through specifically to rural areas. Rural areas are defined in the FY22 SLCGP Notice of Funding Opportunity (NOFO) as communities with less than 50,000 population.
Local government entities are defined in N.C.G.S. 159-44 as: “counties; cities, towns, and incorporated villages; consolidated city-counties, as defined by G.S. 160B-2(1); sanitary districts; mosquito control districts; hospital districts; merged school administrative units described in G.S. 115C-513; metropolitan sewerage districts; metropolitan water districts; metropolitan water and sewerage districts; county water and sewer districts; regional public transportation authorities; and special airport districts.”
Community colleges are included in the definition of local government entities for purposes of FY22 SLCGP per N.C.G.S. 143-800(c)(1).
Federally recognized tribes are also included as eligible local government pass-through entities per the FY22 SLCGP NOFO.
Any remaining FY22 SLCGP funds not passed through to local government entities (including community colleges and tribes) are available for state agencies.
Application Procedures
Eligible applicants are required to complete the FY22 SLCGP application form.
Watch the FY22 SLCGP Subrecipient Information Session for more information.
Completed applications must be submitted by 5PM on 30 April 2023 to: SLCGP@ncdps.gov.
Applicants must complete and submit the FY22 SLCGP application form (linked above) by the application deadline. Applicants should download the form and then fill it out using free Adobe Acrobat Reader, Adobe Acrobat Pro, or comparable PDF program to utilize all functionality of the form. Important tool tips with application instructions when the cursor hovers over the blocks on the form may not appear if the form is opened up in a browser instead of Adobe or comparable PDF program.
Eligible applicants may only submit one application with a single project for up to $100,000 of total FY22 SLCGP funding.
Voluntary Match/Cost Share
Applicants are not required to provide any match or cost share for FY22 SLCGP funds; however, applicants are permitted to provide a voluntary match/cost share if they want to increase project costs.
Applicants should explain any voluntary match/cost share in the Project and Budget Narrative blocks of the application.
Incomplete/Improper Applications
Incomplete applications, and applications containing more than one project will be rejected. If an applicant attempts to submit more than one application, all applications submitted by that applicant will be rejected. Applicants will be responsible for amounts that exceed the $100,000 maximum funding amount, including any voluntary match/cost share requirements that exceed $100,000.
Properly Completed Applications
SLCGP is a competitive grant program. All properly completed applications submitted by eligible applicants will be reviewed and scored by the State Cybersecurity Planning Committee, and the top scoring applicants will receive funding.
Sensitive Information
If the application includes or contains “security features of electronic data processing systems, information technology systems, telecommunications networks, or electronic security systems, including hardware or software security, passwords, or security standards, procedures, processes, configurations, software, and codes” that the applicant certifies is not subject to public release per N.C.G.S. 132-6.1(c), it is recommended that the applicant submit their application via encrypted email and/or password protected PDF file.
Consult your IT professionals for guidance on email encryption and/or password protection if needed to protect any sensitive information contained in your application.
Important Dates
Application Period | 17 March 2023 - 30 April 2023 |
Application Deadline | 30 April 2023, by 5:00 PM |
Anticipated Period of Performance for subrecipients (estimated) | 1 July 2023 – 30 June 2026 |
Anticipated Grant Awards to subrecipients (estimated) | By 31 August 2023 |
SLCGP Education and Q&A Process
Because this is a competitive grant program, NCEM staff will not be able to provide direct assistance with application development or project formulation. All questions regarding the application process should be directed to the SLCGP@ncdps.gov mailbox.
Questions regarding SLCGP and the application process should be submitted to SLCGP@ncdps.gov, subject line SLCGP Question, by 15 April 2023. Q&A’s will be posted on the NCEM website at least one week prior to the application deadline.
A public FY22 SLCGP applicant webinar was held on 5 April 2023. The purpose of the webinar was to provide information about the FY22 SLCGP program and application process, as well as to answer questions from applicants.
The State Cybersecurity Planning Committee held two follow-up 30-minute Q&A Webinars with two more scheduled.
The purpose of these webinars is to answer questions from applicants. These webinars will be recorded for those who do not attend, and the recordings will be posted on this website.
Link to FY22 SLCGP follow-up Q&A webinars sponsored by the State Cybersecurity Planning Committee: Click here to join the meeting
Required Elements
The State Cybersecurity Planning Committee has developed a State Cybersecurity Plan that aligns with the 16 required elements specified in the FY22 SLCGP NOFO. All eligible applicants requesting FY22 SLCGP funding must align proposed projects with any/all of these required elements:
(Applicants must select any/all element(s) that support their project proposal)
- Manage, monitor, and track information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state, and the information technology deployed on those information systems, including legacy information systems and information technology that are no longer supported by the manufacturer of the systems or technology.
- Monitor, audit, and track network traffic and activity transiting or traveling to or from information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state.
- Enhance the preparation, response, and resilience of information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state, against cybersecurity risks and cybersecurity threats.
- Implement a process of continuous cybersecurity vulnerability assessments and threat mitigation practices prioritized by degree of risk to address cybersecurity risks and cybersecurity threats on information systems, applications, and user accounts owned or operated by, or on behalf of, the state or local governments within the state.
- Ensure that the state or local governments within the state, adopt and use best practices and methodologies to enhance cybersecurity, discussed further below.
- Implement multi-factor authentication
- Implement enhanced logging
- Data encryption for data at rest and in transit
- End use of unsupported/end of life software and hardware that are accessible from the internet
- Prohibit use of known/fixed/default passwords and credentials
- Ensure the ability to reconstitute systems (backups); and
- Migration to the .gov internet domain
Additional best practices that the Cybersecurity Plan can address include:
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework
- NIST’s cyber chain supply chain risk management best practices; and
- Knowledge bases of adversary tools and tactics
- Promote the delivery of safe, recognizable, and trustworthy online services by the state or local governments within the state, including through the use of the .gov internet domain.
- Ensure continuity of operations of the state or local governments within the state, in the event of a cybersecurity incident, including by conducting exercises to practice responding to a cybersecurity incident.
- Use the National Initiative for Cybersecurity Education (NICE) Workforce Framework for Cybersecurity developed by NIST to identify and mitigate any gaps in the cybersecurity workforces of the state or local governments within the state, enhance recruitment and retention efforts for those workforces, and bolster the knowledge, skills, and abilities of personnel of the state or local governments within the state, to address cybersecurity risks and cybersecurity threats, such as through cybersecurity hygiene training.
- Ensures continuity of communication and data networks within the jurisdiction of the state between the state and local governments within the state in the event of an incident involving those communications or data networks.
- Assess and mitigate, to the greatest degree possible, cybersecurity risks and cybersecurity threats relating to critical infrastructure and key resources, the degradation of which may impact the performance of information systems within the jurisdiction of the state.
- Enhance capabilities to share cyber threat indicators and related information between the state, local governments within the state, and CISA.
- Leverage cybersecurity services offered by the Department (See Appendix G for additional information on CISA resources and required services and membership).
- Implement an information technology and operational technology modernization cybersecurity review process that ensures alignment between information technology and operational technology cybersecurity objectives.
- Develop and coordinate strategies to address cybersecurity risks and cybersecurity threats. Local governments and associations of local governments within the state should be consulted. Cybersecurity Planning Committees should also consider consulting neighboring entities, including adjacent states and countries.
- Ensure adequate access to, and participation in, the services and programs described in this subparagraph by rural areas within the state.
- Distribute funds, items, services, capabilities, or activities to local governments.
Special Post-Award Requirements
As a condition of receiving SLCGP funding, subrecipients are required to utilize Cybersecurity and Infrastructure Security Agency (CISA) Cyber Hygiene Services, specifically vulnerability scanning and web application scanning.
Additionally, subrecipients must complete an annual Nationwide Cybersecurity Review (NCSR) for each year of the period of performance (POP) of their award. The NCSR is also a requirement for Homeland Security Grant Program (HSGP) subrecipients, but subrecipients receiving both SLCGP and HSGP funding are only required to complete a single annual NCSR covering both awards.
NOTE: Participation in these services and memberships are NOT required to apply for SLCGP funding, only for subrecipients receiving SLCGP awards.
Additional Information
- FY22 SLCGP NOFO
- Fiscal Year 2022 State and Local Cybersecurity Grant Program Fact Sheet | FEMA.gov
- State and Local Cybersecurity Grant Program | FEMA.gov
- Cyber Hygiene Services
- Nationwide Cybersecurity Review (NCSR)
- Applicant Webinar
Questions about the program may be emailed to SLCGP@ncdps.gov