State and Local Cybersecurity Grant Program (SLCGP)

Program Update

The request for applications for year 1 is now closed and projects are under review. 

The evaluation and award process is being managed by the Office of the Governor.

 

Overview

The federal Infrastructure Investment and Jobs Act (IIJA), also known as the Bipartisan Infrastructure Law (BIL), was signed into law on November 15, 2021.  One component of the act is the State and Local Cybersecurity Grant Program (SLCGP), which appropriated $1 billion over four years (2022-2025) to address cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, state, local, or tribal governments.

Texas’ Allocation

Texas was allocated approximately $40 million over four years.  The allocation requires matching funds that increase through the years.  (Note: Matching funds will be paid by grant sub-recipients.) 

  • For FY22, Texas was allocated $8,469,945.  The state matching fund requirement for FY22 is 10% and will be $846,994.50.  So, there is a total of $9,316,939.50 available to be spent on cybersecurity projects for FY22.
  • For FY23, Texas was allocated $17,418,110.  The state matching fund requirement for FY23 is 20% and will be $3,483,622.00, making a total of $20,901,732.00 available to be spent on cybersecurity projects for FY23.

A minimum of 80% of allocations must be passed through to local governments. In addition, at least 25% of the total funds made available under the grant must be passed through to rural communities.

Grant Roles and Responsibilities

The Office of the Governor (OOG) is the State Administrative Agency and serves as the fiscal agent and authorizing official of the SLCGP federal funds and will submit the SLCGP application to CISA and administer sub-recipient grants.

The Department of Information Resources (DIR) serves as the subject matter expert pertaining to all programmatic requirements and federal regulations associated with the SLCGP and will develop a Cybersecurity Plan, establish a Cybersecurity Planning Committee, support development of the Plan, and identify projects to implement utilizing SLCGP funding.

The Cybersecurity Planning Committee is responsible for developing, implementing, and revising Cybersecurity Plans (including individual projects); formally approving the Cybersecurity Plan (along with the chief information officer, chief information security officer or an equivalent official); and assisting with determination of effective funding priorities (i.e., work with entities within the eligible entity’s jurisdiction to identify and prioritize individual projects). 

Sub-recipients are local governments as defined in Texas Local Government Code Title 5.c § 176.001(3). They will submit applications for eligible projects and, if awarded, will accept the grant award, satisfy grant requirements (including providing the state match), submit financial and programmatic performance reports, and meet any additional grant terms.

Eligible Sub-Recipients

Local governments are eligible sub-recipients.  Local governments are defined below. Refer to Texas Local Government Code Title 5.c §176.001(3) for more detail.

  • a county;
  • a municipality;
  • school district;
  • charter school;
  • junior college district;
  • water district;
  • tribal government; and
  • other political subdivisions

Rural area is defined as an area encompassing a population of less than 50,000 people that has not been designated in the most recent decennial census as an “urbanized area” by the Secretary of Commerce.

Cybersecurity Planning Committee

The planning committee consists of members from state, county, and municipal government organizations and from public education and public health institutions within the State of Texas, and includes representatives of urban, suburban, and rural areas of the State.  The State Cybersecurity Coordinator serves as committee chair.

Committee Members

State Cybersecurity Plan

The State Cybersecurity Plan establishes high-level goals and finite objectives to reduce specific cybersecurity risks at state, local, and territorial (SLT) governments.  It includes a description of roles, an assessment of capabilities, resources and timelines for implementing the Plan, and metrics.

Submitted projects must align with the Cybersecurity Plan.

State of Texas SLCGP Cybersecurity Plan

Application Process

The request for applications (RFA) for year 1 opened January 15, 2024, and closed March 14, 2024.

The Cybersecurity Planning Committee will work collaboratively across the state to identify and prioritize individual projects that align with the Cybersecurity Plan.  Funding for projects will be released within forty-five days after approval by the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA).

Requirement for CISA Services

All sub-recipients are required to participate in the following free services by CISA:

  • Web Application Scanning: an “internet scanning-as-a-service.” This service assesses the “health” of your publicly accessible web applications by checking for known vulnerabilities and weak configurations. Additionally, CISA can recommend ways to enhance security in accordance with industry and government best practices and standards.

https://www.cisa.gov/resources-tools/services/web-application-scanning  

  • Vulnerability Scanning: evaluates external network presence by executing continuous scans of public, static IPs for accessible services and vulnerabilities. This service provides weekly vulnerability reports and ad-hoc alerts.

https://www.cisa.gov/resources-tools/services/cisa-vulnerability-scanning

  • Nationwide Cybersecurity Review (NCSR): a free, anonymous, annual self-assessment designed to measure gaps and capabilities of an SLT’s cybersecurity programs. It is based on the National Institute of Standards and Technology Cybersecurity Framework and is sponsored by DHS and the MS-ISAC. (Required during the first year of the subaward period of performance and annually)

https://www.cisecurity.org/ms-isac/services/ncsr

Additional Requirements

Sub-recipients are also required to join the TX-ISAO:

  • Texas Information Sharing and Analysis Organization (TX-ISAO): a free membership to a forum for entities in Texas to share information regarding cybersecurity threats, best practices, and remediation strategies.

https://dir.texas.gov/information-security/tx-isao

Sub-recipients must comply with the Cybersecurity Training requirements described in Section 772.012 and Section 2054.5191 of the Texas Government Code. Local governments determined not to be in compliance with the cybersecurity requirements of Section 2054.5191 of the Texas Government Code are ineligible for OOG grant funds until the second anniversary of the date the local government is determined ineligible. Government entities must annually certify their compliance with the training requirements using the Cybersecurity Training Certification for State and Local Governments.

https://dir.texas.gov/information-security/statewide-cybersecurity-awar…

Sub-recipients are strongly encouraged to join the MS-ISAC and/or EI-ISAC:

  • Multi-State Information Sharing and Analysis Center (MS-ISAC): a free membership to the cybersecurity ISAC for state, local and territorial (SLT) governments, which provides services and information sharing that significantly enhances SLT governments’ ability to prevent, protect against, respond to, and recover from cyberattacks and compromises.
  • Election Infrastructure Information Sharing and Analysis Center (EI-ISAC): a free membership for state and local election officials, provided by a collaborative partnership between the Center for Internet Security (CIS), CISA, and the Election Infrastructure Subsector Government Coordinating Council, which offers a suite of elections-focused cyber defense tools, including threat intelligence products, incident response and forensics, threat and vulnerability monitoring, cybersecurity awareness, and training products.

Best Practices and Methodologies

Projects that assist entities with the adoption of these best practices will be prioritized by the Cybersecurity Planning Committee.  Approved projects will include only one-time cybersecurity services.

  • Implement multi-factor authentication.
  • Implement enhanced logging.
  • Implement data encryption for data at rest and in transit.
  • End use of unsupported/end of life software and hardware that are accessible from the Internet.
  • Prohibit use of known/fixed/default passwords and credentials.
  • Ensure the ability to reconstitute systems (backups).
  • Migrate to the .gov internet domain.

Frequently Asked Questions (FAQs)

No, the NCSR is a federal requirement for any entity receiving SLCGP funding and cannot be substituted with another assessment.

Community colleges are eligible sub-recipients in Texas.

Institutions of Higher Education are not eligible sub-recipients in Texas.

Charter schools may be eligible sub-recipients in Texas.

Funding used as match must be project-specific related costs. There may be an opportunity to submit individual project match waivers as well; however, the process has not been outlined by FEMA yet.  For additional information, refer to the federal (eCFR: 2 CFR 200.306) and state (Texas Administrative Code and Texas Grant Management Standards) guidelines for matching funds.

Anyone can register for an eGrants account; however, the role for grant officials varies. Each application/subaward must have a project director, financial officer, and authorized official. No person can serve in more than one of these roles. Grant officials must not be related to each other by blood or marriage or have any relationship that creates an actual, potential, or apparent conflict of interest. The grant officials and their roles are:

  • The Authorized Official (AO) is usually a county judge, mayor, city manager, chairman of a non-profit board, head of a state agency, executive director, etc. They are authorized by the governing body of the organization to:
    • apply for, accept, reject, alter, or terminate the grant; and
    • certify changes made to applications or grants.
  • The Financial Official (FO) must be either an employee or board member and should be the Chief Financial Officer, Auditor, or Treasurer of the Board for the grantee agency. The employee or board member designated as the FO should have an in-depth understanding of the grantee’s financial tracking system as well as their obligations related to grant and match expenditures. They are responsible for:
    • maintaining financial records to account for all grant expenditures and funds;
    • requesting payments; and
    • completing all required financial reporting at least quarterly.
  • The Project Director (PD) must be an employee of the grantee agency. They are responsible for:
    • the day-to-day operations of the project; and
    • required programmatic reporting.
  • The Grant Writer (GW) is responsible for:
    • creating an application.

Yes, expenses directly relating to the administration of the project are allowable, but the costs cannot exceed 5% of the overall budget amount submitted.

Projects must align with the state Cybersecurity Plan and can only support one-time services that reduce cybersecurity risks to information systems owned or operated by or on behalf of local governments within Texas.

Last updated: 03/15/2024

Current Status

Request for Applications (RFA) closed 3/14/2024.  Project reviews in progress.
