Many local governments have been asking about the status of the SLCGP, so I raised the question with the folks managing the process at the Washington State Emergency Management Division – the state’s equivalent of FEMA, which is the agency managing the process at the federal level.
In Washington State, the first round of the grant (totaling $3.3M for distribution) has been consumed, with some grant applications on that round pushed into round two. If your jurisdiction’s application was denied (likely due to a large funding request), it may have been split into multiple requests or approved for funding in the current round.
The “round” of the grant is named for the fiscal year in which the funding was appropriated by Congress, and the first was FY 2022. In February we said that the FY 2023 round of competitive solicitations for SLCGP would go out in March 2024, and now we’ve received information that the funds will be released at the end of the month on March 29. The total amount for distribution in WA State for this round is $5m.
During FY 2022, applicants focused on Program Objective 1: Develop and establish appropriate governance structures, including developing, implementing, or revising Cybersecurity Plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations.
In FY 2023, applicants are required to focus on implementing their Cybersecurity Plans by addressing the following program objectives:
- Objective 2: Understanding their current cybersecurity posture and areas for improvement based on continuous testing, evaluation and structured assessments.
- Objective 3: Implementing security protections commensurate with risk.
- Objective 4: Ensuring organization personnel are appropriately trained in cybersecurity, commensurate with their responsibilities.
Example projects aligning with these goals include risk assessments, penetration testing, improving vulnerability management, incident response tabletop exercises, and employee training and certification.
While State EMD does the grant management, WaTech (the State’s Information Technology agency) is responsible for plan development and project approval. The most current information on the grant program and WA State specifics can be found at https://watech.wa.gov/state-local-cybersecurity-grant-program.
It is likely (although this is today impossible to confirm) that the application process for this round is the same as the last. This means that your application will need to describe how the funding requests align with state and federal goals, and the language used in the application will be scrutinized for this justification.
From the WaTech site: “While the program continues to be established, this is a great time to assess baseline security measures currently in place.” This is great advice, as having your request for grant funding backed up by the results of an assessment measured against a recognized standard of practice goes a long way toward ensuring that your application for funds will be approved.
To review, cities, counties, hospital districts with an elected Board, Tribal and other organizations that can be considered ‘local government’ are all in scope for the grant, and there is a focus on rural jurisdictions, defined as a jurisdiction with a population of less than 50,000 individuals. If you haven’t already, you may want to review the Notice of Funding Opportunity (NOFO) found at https://www.fema.gov/grants/preparedness/state-local-cybersecurity-grant-program#nofos, as well as other updates located there for the FY 2023 round.
For our managed security customers – this is a great time to use the CyberSaint tool provided with your MDR subscription to perform an assessment against the NIST Cybersecurity Framework (CSF), the CIS critical controls, or the framework of your choice (there are many built into the tool).
For those without access to a governance, risk, and compliance (GRC) tool like CyberSaint, Critical Insight can provide a spreadsheet with the NIST CSF that will allow you to create a risk assessment, corrective action plan, and budget request for the upcoming round.
That tool is located here: https://cybersecurity.criticalinsight.com/nist-risk-assessment-and-budgeting-tool
If you need assistance with the assessment, contact us.
To be added to a distribution list for further instructions and logistics on the FY23 round of the SLCGP, or have more in-depth questions, they may reach out to preparedness.grants@mil.wa.gov.