State and Local Cybersecurity Grant Program Q&A

Q: Are SLCGP subrecipients allowed to purchase products and services from vendors included in the NC State Contract 240x in lieu of a formal RFP?   We are wishing to purchase a NAC solution, as specified in our grant award.  

A: Local govt. entities are eligible, but certainly not required, to purchase goods & services from the cited state convenience contract by directly contacting the vendors and referring to the contract:  

“The contract shall be a Statewide IT CONVENIENCE Contract for the use of Executive State Agencies and non-Executive State Agencies as permitted by law. This is not a mandatory IT Statewide Term Contract. Non-Executive State Agencies include the North Carolina University System and its member campuses, Instructional components of the Department of Public Instruction, Instructional components of the North Carolina Community College System, as well as local (municipal and county) governments.” (p.2 of 49 of the contract)

Since SLCGP subrecipients must be either a state agency or a local govt. entity per N.C.G.S. 159-44 as required by the grant, we believe SLCGP subrecipients would also be eligible to use this state convenience contract.  Having said that, it’s really up to the vendor(s) if they are going to honor the contract with SLCPG subrecipients or any other local govt. entity.  Recommend you contact the vendor(s) directly to discuss.

In terms of procurement rules for the SLCGP grant, a local govt. entity must follow the strictest of their own procurement policy, state policy or federal policy, and must ensure that the required federal provisions are included in any contract using federal grant funding.  With this being an official state contract, it should include and/or refer to the latest NC General Terms & Conditions, which includes all required federal provisions (in paragraph # 28 of 11/2023 version of NC Terms & Conditions).  This state contract also meets all state law procurement requirements, which are stricter than federal requirements in this context.  

To be safe, it is recommended that the SLCGP subrecipient’s own procurement policy should also authorize use of state contracts on an as-needed basis.  If the SLCGP subrecipient’s own procurement policy does not authorize use of state contracts, or if the SLCGP subrecipient’s own procurement policy prohibits use of state contracts, it could create a conflict.  

Click here for information related to NC Statewide Contract number 208M – Endpoint Protection solutions.  SLCGP subrecipients may be eligible to use this state convenience contract as well.”

Q: Wilkes Community College is interested in applying for the State and Local Cybersecurity Grant and I have a question regarding the Rural Community population requirement of less than 50,000.  We serve the following three counties, Ashe, Alleghany, and Wilkes counties. Ashe and Alleghany counties are under the 50,000-population requirement; however, Wilkes County is over the requirement. Do we qualify? And if so, which county do we use for the application purpose? And/or how do we address this on the application?  Any guidance you can provide is greatly appreciated.

A: When an eligible community college applicant has multiple campuses in different locations, they should use the main campus location for their SLCGP application.  If the main campus is in a rural area (population of less than 50,000), then the applicant would be considered rural.  If the main campus is not in a rural area, then the applicant would not be considered rural.

Q: For Community Colleges, when answering whether we are a rural community, what metric should we use to determine population size? County? Service Area? City? Town? Student enrollment?

A: Community colleges should use the county of the physical address for their main campus as the location for their SLCGP application.  For example, if the physical address of the main campus is 2855 Hickory Boulevard, Hudson, NC, located in Caldwell County, then the community college would use the population of Caldwell County to determine if they are considered rural.

Q: Should/Can the individual campuses and affiliates of the UNC System apply for this grant themselves? Or does the System need to apply and then disburse? Of course, the System Office is an entity in and of itself, and would potentially have an interest/need in these funds too.

A: State government agencies are eligible to apply for SLCGP funding; however, they are limited to one application per eligible state government agency with a single project for up to $100,000 of total FY22 SLCGP funding.

UNC System has 17 institutions and 5 affiliates according to their website.  The NCEM Director has determined that each institution and/or affiliate in the UNC System can apply separately for this grant, each application with a single project for up to $100,000 of total FY22 SLCGP funding.  

Q: We just entered into a contract with Sophos for a MDR product.  We have the terms split out over 3 years.  We have paid the first year, but can we use the grant to pay for the next two?  Or is that disallowed since the project is already underway?

A: According to the Sophos website, “Sophos Managed Detection and Response is a fully managed service delivered by experts who detect and respond to cyberattacks targeting your computers, servers, networks, cloud workloads, email accounts, and more.”  MDR services like this can be eligible expenditures under SLCGP in NC; however, certain procurement rules and requirements apply to this grant per 2 CFR Part 200 for non-state entities, including local governments.

Local governments and non-profit organizations that receive federal grant funding through NCEM are generally required to follow the most restrictive of all federal, state of NC, and their own local procurement policies and procedures that allows for compliance with all applicable layers (federal, state & their own).  In this case, if the procurement for the MDR services occurred prior to the SLCGP award, it may not have been conducted IAW with all applicable rules & requirements.  Refer to FEMA fact sheet on procurement under federal awards for details.

Q: Are K12 public school districts in North Carolina eligible to apply for the NC State and Local Cybersecurity Grant Program? I see “merged school administrative units” in the entity definition below. Seeking clarity on what/who that entails?

A: County and City Boards of Education that are subject to the requirements of the Local Government Commission (LGC) in NC are generally eligible to apply for SLCGP, and individual schools should use their governing body to submit applications thru.  For example, the Camden County Board of Education (Camden County Schools) could apply for SLCGP funding, separately and distinctly from Camden County, because the Camden County Board of Education is itself subject to the requirements of the LGC.  However, Camden High and Camden Middle should not separately apply for SLCGP because they are not individually subject to the requirements of the LGC.  If they are interested, Camden High and Camden Middle would contact Camden County Board of Education to discuss applying for SLCGP funding.

Q: I am interested in the SLCGP and was wondering if utilities (cooperatives) are eligible to apply to the program?

A: Certain utilities are subject to the requirements of the Local Government Commission (LGC) in NC, and they are generally eligible to apply for SLCGP funding; however, any utilities (incl. cooperatives) that are not subject to the requirements of the LGC are ineligible to apply for SLCGP funding in NC.  The leadership of the utility (incl. cooperatives) should know if they are subject to the requirements of the LGC.  If there is any question about whether a particular entity is subject to the requirements of the LGC and eligible to apply for SLCGP, please contact us with your specific inquiry at SLCGP@ncdps.gov.

Q: Would Wilson County need to submit one application, or could individual departments submit one as well?

A: The County should submit one application with a single project for up to $100,000 of total FY22 SLCGP funding.

Q: Another technical assistance question: many community colleges will have a federally approved indirect cost (also known as Facilities and Administration) rate. Are indirect costs an eligible expense under this program?

A: No.  Indirect costs are not an eligible expense under SLCGP, nor under any other grant program currently managed by North Carolina Emergency Management.

Q: This question/comment is in reference to the SLCGP application v1.4, page 5.  Is the final acknowledgment statement linked to the sensitive information statement? I can't uncheck the sensitive information statement box without also unchecking the final acknowledgement statement (Any person who knowingly makes a false claim.....).

A: This glitch has been corrected in the most recent version of the SLCGP application form available on the SLCGP website.  The sensitive information box has been decoupled from the other certification boxes on the updated SLCGP application form so that it is not automatically checked anymore.  Each applicant must separately check the sensitive information box if it applies to their application.

Q: My IT department provided me with a list of approximately 17 items to be listed under Equipment costs.  Is there a way to create additional lines under the equipment cost category on the application.  14 of the 17 will have the same AEL # but are different items.

A: Applicants should not create additional lines under “Equipment” on the application form.  To accommodate additional equipment items, you can attach another sheet with the equipment detailed and plug in as a single expense in an equipment entry, or you can detail the same listing in the “Additional Information” text box and summarize as a single entry in an equipment line on the application form.

Q: Which expenditure area would software (licenses) fit under in the budget narrative?

A: Software and software licenses are authorized expenditures under SLCGP.  Software can be included in the “equipment” cost category of the project budget under the appropriate “authorized equipment list” number (AEL).  Software licenses would generally be covered under the same AEL as the software.

There are currently 21 different sections of the AEL, including information technology (section 4) and cybersecurity equipment (section 5).  Each AEL section includes numerous categories and subcategories. SLCGP applicants should search all AEL sections, categories, and subcategories on the FEMA AEL website to find the appropriate AEL.  For example, the AEL for SAAS (software as a service) is 04AP-11-SAAS - Applications, Software as a Service.

Q: After watching the recorded State and Local Cybersecurity Grant Program webinar I have a few questions regarding specifics of the grant:

(a) Does a quote from a Vendor need to be attached with the submission form?  If not, would we need to have specific numbers for the project or will estimated costs be fine?

(b) Is partial funding being awarded?  For example, if Alexander County asks for $50,000 for a project is there a chance only $30,000 would be awarded?

(c)What is the deadline for spending the money awarded?

(d) How long must the project remain in effect?  For example, if we use the money for a Security Operation Center service and the grant money runs out how long must we “sustain” the service afterwards?

(e) Can grant money be used to pay for multi-year service contracts upfront?  Referencing the previous question, could we use the funds to pay for multi-year agreements with security services?

A: (a) Vendor quotes are not required to be provided with (or attached to) the SLCGP application; however, all project/budget costs reported on the SLCGP application should be as specific and currently accurate as possible.

(b) It is possible that partial SLCGP funding could be awarded to applicants, depending how many applications are received relative to available funding and how the application scores.

(c) The anticipated period of performance for this grant for subrecipients is estimated to be 1 July 2023 – 30 June 2026; however, those dates are subject to change depending when exactly the awards are made and grant agreements are executed with each subrecipient.  The actual period of performance for each subrecipient will be specified in their grant agreement.

Expenditures must be incurred during the period of performance of the grant, for goods or services received during the period of performance of the grant, to be reimbursable under the grant.  Any expenditures incurred prior to the start of the period of performance would not be reimbursable.  Any expenditures incurred after end of the period of performance would not be reimbursable.  Any expenditures for goods or services not received during the period of performance would generally not be reimbursable.

(d) If awarded funds, SLCGP subrecipients should sustain capabilities once SLCGP funds are no longer available; however, there is no minimum period of sustainability specified for projects.  Applicants that feasibly demonstrate longer sustainability of capabilities may be more competitive than applicants who are unable to do so.

(e) Expenditures must be incurred during the period of performance of the grant, for goods or services received during the period of performance of the grant, to be reimbursable under the grant.  Any expenditures incurred prior to the start of the period of performance would not be reimbursable.  Any expenditures incurred after end of the period of performance would not be reimbursable.  Any expenditures for goods or services not received during the period of performance would generally not be reimbursable.

Q: Could you help us understand the Authorizing Official's role regarding this grant?  We want to ensure we're listing the correct contact on our application.

A: The authorizing official must have the legal authority to sign the SLCGP grant agreement (called a “Memorandum of Agreement” or MOA) on behalf of the applicant, if the applicant is awarded SLCGP funds.  This is typically the senior leader of the organization or his/her authorized delegate within the organization who possesses the same legal authority to bind the organization to the terms and conditions of the grant agreement/MOA.

Q: Does the applicant need to fill out the SF424 and SFLL-Lobbying Form for this grant?

A: Applicants do not need to submit any SF-424 forms or any lobbying forms at the time of application; however, applicants may be required to submit various SF-424 forms to North Carolina Emergency Management as a condition of the grant agreement/MOA if they are awarded SLCGP funds.  The grant agreement/MOA will also contain various lobbying provisions the subrecipient will have to agree to if they are awarded SLCGP funds.  

Q: We are interested in using these funds to purchase equipment for a new building that is under construction.  The equipment has been ordered, but not paid for at this point.  Would this qualify for consideration for this grant since the purchase is already started?

A: Expenditures must be incurred during the period of performance of the grant, for goods or services received during the period of performance of the grant, to be reimbursable under the grant.  Any expenditures incurred prior to the start of the period of performance would not be reimbursable.  Any expenditures incurred after end of the period of performance would not be reimbursable.  Any expenditures for goods or services not received during the period of performance would generally not be reimbursable.

Q: Per the email below, what is the Department referenced in required elements?  It is in an abbreviated form in the application form itself.  Below are the referenced required elements from the NC DPS SLCGP website (https://www.ncdps.gov/SLCGP).

Enhance capabilities to share cyber threat indicators and related information between the state, local governments within the state, and CISA. Leverage cybersecurity services offered by the Department (See Appendix G for additional information on CISA resources and required services and membership).

From the above, it could be interpreted as CISA, but potential interpretations could be NC DIT or NC DPS.  Please clarify.

A: The “Department” referenced in these required elements is the U.S. Department of Homeland Security (DHS), Cybersecurity & Infrastructure Security Agency (CISA).

Q: I have two questions about the SLCGP applications:

The years noted in the section “Milestone timeline for individual activities”, are you referring to calendar or fiscal years?If we are not sharing any sensitive information in our application, are we still required to check the Sensitive Information box?

A: The preference is for applicants to use calendar years in the milestone timeline on the application, and for applicants to report milestones in quarterly increments for each respective calendar year.  However, applicants may report milestones in different increments for each respective year if they prefer, which is why there are more than four lines provided for each year in the milestone timeline on the application.  If applicants require even more space to discuss their project milestones, they can use the “Additional Information” box at the end of the application.

Applicants do not need to check the sensitive information box on the application if their applications do not contain any sensitive information that the applicant believes is not subject to public release per N.C.G.S. 132-6.1(c).

Q: I have some timeline questions for price quotes I am receiving for this grant.  These are some “quarter end” type pricing quotes I am receiving that expire on certain dates.  With SLCGP applications open until April 30th, what is the expected decision date?  Once a decision is made how quickly would the funds be available?  Based on the website I seem to be pointed to a date of July 1st but I seem to recall during our class that you already have funding available perhaps I misunderstood that.  Basically, I am trying to stamp in before budget year end.

A: If an applicant is selected for FY22 SLCGP funds, the anticipated award date is estimated to be NLT 6/30/23; however, that date is estimated and subject to change.  The corresponding period of performance for the grant is anticipated and estimated to begin on/about 7/1/23, but again that date is estimated and subject to change.

Expenditures must be incurred during the period of performance of the grant, for goods or services received during the period of performance of the grant, to be reimbursable under the grant.  Any expenditures incurred prior to the start of the period of performance would not be reimbursable.  Any expenditures incurred after end of the period of performance would not be reimbursable.  Any expenditures for goods or services not received during the period of performance would generally not be reimbursable.     

Q: Can you tell me if a generator to provide backup power to the IT servers is on the AEL list and is an eligible expense for this grant?

A: There are currently 21 different sections of the AEL, including information technology (section 4) and cybersecurity equipment (section 5).  Each AEL section includes numerous categories and subcategories. SLCGP applicants should search all AEL sections, categories, and subcategories on the FEMA AEL website to find the appropriate AEL for their project.  For example, here are some results for generators when you search the AEL: 

10GE-00-GENR – Generators - Generators, varying types, and sizes, including gasoline, diesel, propane, natural gas, alternator, gas turbine powered devices, etc. (Allowed under Homeland Security Grant Program (HSGP)/EMPG/NSGP and UASI) Keep in mind the AEL does not reflect SLCGP at this time so we are going by HSGP for FEMA AELs.

10PE-00-UPS - Supply, Uninterruptible Power (UPS)- Systems that compensate for loss of power to serviced equipment for some period of time. May include short-duration battery devices, or standby generator devices for longer duration. (Allowed under HSGP/EMPG/NSGP and UASI)

10PE-00-PTSW - Switch, Power Transfer - Switch for power output transfer to support generator maintenance and fueling. (Allowed under HSGP and UASI)

Q: Can multi-year support services be prepaid up front? If so, for what period of time? For example, if I purchase a server appliance for a SIEM solution and support covers hardware and software, can I prepay for 3 or 5 year coverage up front using the grant?

A: Expenditures must be incurred during the period of performance of the grant, for goods or services received during the period of performance of the grant, to be reimbursable under the grant.  Any expenditures incurred prior to the start of the period of performance would not be reimbursable.  Any expenditures incurred after end of the period of performance would not be reimbursable.  Any expenditures for goods or services not received during the period of performance would generally not be reimbursable.  
It is possible that if authorized equipment is purchased with grant funds during the period of performance, then a service or support agreement can also be purchased for that equipment at the same time with grant funds.  It is also possible that the service or support agreement could potentially extend beyond the period of performance of the grant in this situation, but only under very limited circumstances.  This would be a fact-specific determination that would have to be discussed if/when the applicant is awarded grant funds.

Q: Wilson County is submitting an application.  Would Wilson County DSS be able to submit one as well?

A: No.  The County should submit one application with a single project for up to $100,000 of total FY22 SLCGP funding.

Q: While a couple of these are self-explanatory, I was hoping that you could define the 4 different expenditure areas for us to make sure we are listing our expenses accurately in each area.  

A: All of the categories (planning, organization, exercise, training & equipment) are described on pages 26, 27 and 28 of the FY22 SLCGP NOFO (NOFO).

Q: If you are a County, which official should go in the Authorizing Official field…the County Manager or Chairman of the Board of Commissioners?

A: The authorizing official must have the legal authority to sign the SLCGP grant agreement (called a “Memorandum of Agreement” or MOA) on behalf of the applicant, if the applicant is awarded SLCGP funds.  This is typically the senior leader of the organization or his/her authorized delegate within the organization who possesses the same legal authority to bind the organization to the terms and conditions of the grant agreement/MOA.

Q: Can an intrusion detection system (IDS) be included as part of the SLCGP application?

A: Intrusion Detection and/or Prevention Systems (IDS, IPS), deployed at either host or network level to detect and/or prevent unauthorized or aberrant behavior on the network, are authorized expenditures under SLCGP.  IDS/IPS can be included in the “equipment” cost category of the project budget under the appropriate “authorized equipment list” number (AEL).  The AEL for IDS/IPS is: 05NP-00-IDPS - System, Intrusion Detection/Prevention.

 

The Authorized Equipment List can be found here.