Fiscal Year 2025 State and Local Cybersecurity Grant Program

The Fiscal Year 2025 State and Local Cybersecurity Grant Program (SLCGP) is administered by the U.S. Department of Homeland Security (DHS) through the Federal Emergency Management Agency (FEMA), with programmatic support from the Cybersecurity and Infrastructure Security Agency (CISA). This program, authorized under the Homeland Security Act of 2002 and funded by the Infrastructure Investment and Jobs Act, provides targeted resources to state, local, and territorial (SLT) governments to strengthen cybersecurity practices, reduce systemic cyber risk, and improve resilience of critical infrastructure. The FY 2025 funding pool totals $91,750,000, distributed among 56 states and territories using statutory baseline minimums and population-based formulas. The program’s overarching goal is to help SLT governments manage and reduce cybersecurity risks through the implementation of strategic Cybersecurity Plans. Applications must address at least one of four objectives: establishing appropriate governance structures, assessing and improving current cybersecurity posture, implementing security protections commensurate with risk, and ensuring personnel receive training appropriate to their responsibilities. Priorities include developing or updating statewide Cybersecurity Plans, forming Cybersecurity Planning Committees, and investing in best practices such as multi-factor authentication, enhanced logging, data encryption, and phasing out unsupported software and hardware. Funding may be used for allowable costs in planning, organization, equipment, training, and exercises related to cybersecurity, as outlined in the program’s POETE Solution Areas. Unallowable uses include paying ransom, purchasing insurance premiums, certain construction or renovation activities, costs for ineligible entities, and expenditures unrelated to cybersecurity risks or threats. Management and Administration (M&A) costs are capped at 5% of the federal award, and cost sharing is required—40% for single-entity projects and 30% for multi-entity projects—except for specified U.S. territories where it is waived. Match contributions can be cash or in-kind, and must meet the requirements of 2 C.F.R. § 200.306. Eligibility to apply is limited to the Governor-designated State Administrative Agency (SAA) in each of the 56 states and territories. Eligible subrecipients include local governments and certain public educational institutions functioning as agencies or instrumentalities of a state or local government. Private educational institutions, nonprofit organizations, and for-profit entities are not eligible. Each eligible applicant may submit one application, which may include multi-entity projects in collaboration with other states or territories, provided they align with each participating entity’s Cybersecurity Plan and are approved by each Cybersecurity Planning Committee. Applications are submitted through FEMA’s Grants Outcomes (FEMA GO) system. The projected application opening date is August 1, 2025, at 4:00 p.m. Eastern Time, and the closing date is August 15, 2025, at 5:00 p.m. Eastern Time. Awards are anticipated to be announced on September 9, 2025, with the period of performance running from September 1, 2025, through August 31, 2029. Required application components include a completed SF-424, lobbying certification, budget forms, disclosure forms, Investment Justifications (IJs), a Project Worksheet (PW), and documentation for the Cybersecurity Planning Committee and Plan. Projects must be consistent with approved Cybersecurity Plans and supported by sufficient budget detail. Evaluation involves FEMA review for administrative and eligibility compliance and CISA review for programmatic adherence, feasibility, and alignment with cybersecurity objectives. Applications must demonstrate clear alignment with the Cybersecurity Plan, provide reasonable costs, and include projects that can be completed within the four-year performance period. Recipients are required to pass through at least 80% of federal funds to local governments, with at least 25% of the total award going to rural areas, unless specific exceptions apply. Program contacts include the FEMA SLCGP Program Office (FEMA-SLCGP@fema.dhs.gov), CISA Grant Program Office (SLCGPinfo@mail.cisa.dhs.gov), FEMA Grants News Team (fema-grants-news@fema.dhs.gov, 800-368-6498), FEMA Award Administration Division (ASK-GMD@fema.dhs.gov), and FEMA GO Helpdesk (femago@fema.dhs.gov, 877-585-3242). Additional support is available from FEMA’s Civil Rights Office, Environmental Planning and Historic Preservation Office, and regional CISA cybersecurity staff.

Coordinate with CISA regional staff before submission; ensure projects align with Cybersecurity Plan; avoid unallowable costs; meet pass-through requirements within 45 days