Cybersecurity Incident Response Planning and Tabletop Exercise Grant

The Cybersecurity Incident Response Planning and Tabletop Exercise Grant Opportunity is a competitive funding program administered by the Massachusetts Executive Office of Public Safety and Security's Office of Grants and Research (OGR). This program is designed exclusively for Massachusetts state agencies and aims to strengthen the state’s cybersecurity posture through the development of Incident Response Plans (IRP) or the execution of Tabletop Exercises (TTX). The funding originates from federal sources via the U.S. Department of Homeland Security (DHS) and its Federal Emergency Management Agency (FEMA), specifically under the State and Local Cybersecurity Grant Program (SLCGP), with additional support from the Healey-Driscoll Administration through matching state funds. The primary objective of this funding opportunity is to assist state agencies in reducing their cybersecurity vulnerabilities and threats, and in mitigating the impact of cyberattacks. Agencies can apply to either develop a formal Cyber IRP or conduct a TTX to test and refine an existing one. These exercises are intended to help agencies modernize their cybersecurity frameworks, align with Zero Trust Architecture principles, and prepare their cross-functional teams, including senior leadership, for real-world cyber incidents. Each applicant may only pursue one of these two allowable objectives per application cycle. A total of approximately $1,000,000 in funding is available through this program. State agencies may request up to $40,000 to develop a Cyber IRP or up to $30,000 to implement a TTX. The awarded funds must be used with a vendor approved by the Commonwealth, listed through the COMMBUYS system, and may only be spent on direct project costs. Unallowable expenses include personnel, administrative costs, equipment, and food. State match requirements mandated by FEMA will be covered by the Commonwealth. However, these match funds must be spent by June 30, 2026, or the subrecipient will be responsible for providing their own match. Applicants must be Massachusetts state agencies, including independent or quasi-public agencies, district attorney offices, and sheriff departments. Municipalities, nonprofits, and private entities are not eligible. The Chief Executive Officer of the applying agency must sign the application, and each agency may only submit one application. Additionally, subrecipients are required to maintain SAM registration, obtain a Unique Entity Identifier (UEI), and complete several cybersecurity compliance steps, including Cyber Hygiene Services from CISA, adherence to Homeland Security Exercise and Evaluation Program (HSEEP) standards, and completion of the Nationwide Cybersecurity Review (NCSR). Applications are due by 4:00 p.m. on October 1, 2025. Optional support is available through a webinar scheduled for September 16, 2025, at 11:00 a.m. Award announcements are anticipated in November 2025, with the grant performance period expected to run from November/December 2025 through June 30, 2026. Required documents include a completed online application and a Budget Excel Workbook (Attachment B). Email submissions will not be accepted. Applications will be evaluated through a peer review process using a detailed scoring rubric that includes the applicant's organizational profile, needs assessment, project description, milestones, and budget justification. All awards will also be subject to final approval by FEMA. Additional monitoring or special conditions may be required based on a risk assessment conducted by OGR. For further information, applicants may contact Program Coordinators Sarah E. Cook or Ira Berberaj via email at sarah.e.cook@mass.gov and ira.berberaj@mass.gov respectively.

Register early for UEI and SAM, budget must enhance agency services, use only approved vendors