State and Local Cybersecurity Grant Program (SLCGP): Compliance Guide

Scope & Methodology: This article is based on publicly available sources including CISA official guidance, state grant administration websites, and federal grant regulations. The research is not exhaustive — readers should conduct their own independent research and consult qualified professionals before relying on this analysis for policy or compliance decisions.

Executive Overview

The State and Local Cybersecurity Grant Program (SLCGP) is a federal initiative administered by the Cybersecurity and Infrastructure Security Agency (CISA) under the Department of Homeland Security. Authorized by the Bipartisan Infrastructure Law, the program provides grants to state, local, tribal, and territorial governments to enhance cybersecurity capabilities and protect critical infrastructure (as defined by CISA's National Critical Functions framework). Since its inception, the program has allocated federal funding to eligible jurisdictions for cybersecurity assessments, risk mitigation projects, and governance and planning initiatives. For government IT directors and grant administrators, understanding SLCGP requirements and compliance obligations helps make the best use of these funds and avoid non-compliance with CISA requirements.

Program Overview and Funding Categories

SLCGP operates through multiple funding categories, each targeting specific cybersecurity needs:

Assessment and Evaluation Projects

These grants support cybersecurity risk assessments, vulnerability evaluations, and maturity assessments. Eligible uses include:

  • Cybersecurity assessments by third-party firms
  • Development of cybersecurity strategies and implementation roadmaps
  • Vulnerability scanning and penetration testing
  • Business continuity and disaster recovery planning assessments

Mitigation Projects

These grants fund specific cybersecurity improvements and infrastructure investments. Eligible uses include:

  • Endpoint detection and response (EDR) tools
  • Security information and event management (SIEM) systems
  • Network segmentation and monitoring
  • Backup and disaster recovery systems
  • Secure remote access and VPN solutions
  • Firewall upgrades and intrusion detection systems

Governance and Planning Projects

These grants support organizational development and policy work. Eligible uses include:

  • Development of cybersecurity strategic plans
  • Establishment of cybersecurity governance structures and roles
  • Incident response plan development and tabletop exercises
  • Cybersecurity training and awareness programs
  • Development of cybersecurity procurement standards

Eligibility Requirements

SLCGP is available to state and local governments, as well as tribal and territorial entities. Specific eligibility requirements may vary by state, as funding is distributed through state administrative agencies. However, general requirements include:

Geographic eligibility — Generally, state agencies, local governments, and tribal governments within the United States are eligible. For example, California excludes certain special districts from SLCGP eligibility (CA OES SLCGP guidelines, FY2025).

Compliance requirements — Applicants must comply with federal grant requirements, including those in Title 2 of the Code of Federal Regulations (2 CFR 200), the Uniform Grant Guidance, which governs all federal grants.

Cybersecurity training certification — Particularly for applicants in certain states (e.g., Texas), entities must comply with state-specific cybersecurity training requirements, such as those mandated by state law. As of 2025, 34 states mandate annual cybersecurity training certification for SLCGP eligibility (based on review of state SAA websites as of March 2026).

Compliance with CISA Requirements

SLCGP grantees are subject to specific compliance obligations set forth by CISA and in the grant agreement:

CISA Services Participation Requirements

Program requirements include participation in certain free services provided by CISA:

Nationwide Cybersecurity Review (NCSR)

Under SLCGP grant terms, grantees are required to complete the most recent NCSR assessment within the grant period, enabling agencies to benchmark and measure progress in improving their cybersecurity capabilities. The NCSR provides a framework for assessing an organization's cybersecurity maturity across multiple domains (governance, risk, technology, resilience).

Web Application Scanning

Sub-recipients must comply with web application scanning requirements, using CISA's "internet scanning-as-a-service" to identify vulnerabilities in publicly accessible systems. This free service scans the applicant's internet-facing applications and infrastructure for known vulnerabilities.

Incident Reporting

Under the SLCGP grant agreement, grantees are obligated to report cybersecurity incidents affecting systems or data related to the grant. The specific reporting requirements are detailed in the grant agreement and may include notification to CISA within a specified timeframe (per standard CISA grant agreements, FY2025).

Cybersecurity Training Requirements

As of 2025, 34 states mandate annual cybersecurity training certification for SLCGP eligibility (based on review of state SAA websites as of March 2026). In Texas, for example, entities must annually certify compliance with cybersecurity training requirements specified in state law, using the Cybersecurity Training Certification for State and Local Governments. Non-compliance with training requirements may affect grant eligibility status.

Data Security and Access Controls

Grantees must implement and maintain appropriate data security measures and access controls to protect grant funds, grant data, and systems funded or supported by the grant. This includes:

  • Multi-factor authentication for administrative access
  • Encryption of sensitive data in transit and at rest
  • Regular security patching and updates
  • Access logging and monitoring
  • Compliance with federal standards (NIST Cybersecurity Framework, if applicable)

Matching Requirements and Cost Sharing

SLCGP grants require a matching contribution from the grantee, with the required percentage varying by funding category and program year (CISA SLCGP FAQs, FY2025):

Matching requirements by category — Under SLCGP, assessment and evaluation projects required a 25% grantee match, while mitigation and governance projects required 25-50% depending on the federal fiscal year (FFY) and appropriations (CISA SLCGP FAQs, FY2025). For example, in FY 2025, mitigation projects required a 30% state/local match to align with the Bipartisan Infrastructure Law cost-sharing formula.

In-kind contributions — Grantees may satisfy matching requirements through in-kind contributions such as:

  • Staff time dedicated to planning, implementation, or management of grant-funded activities
  • Use of existing equipment or facilities
  • Third-party donations of software, hardware, or professional services

Documentation — All matching contributions must be documented with evidence such as timesheets, invoices, or fair-market-value assessments (2 CFR 200.306). For staff time, this includes timesheets or cost allocation records. For donated equipment or services, retain vendor quotes or fair-market-value assessments.

Common Eligible and Ineligible Uses

Eligible Uses (Examples)

  • Commercial cybersecurity software and tools
  • Hardware infrastructure (servers, firewalls, network equipment)
  • Professional services for assessments, planning, and implementation
  • Employee training and certification programs
  • Backup and disaster recovery systems
  • Incident response tools and services
  • Consulting and technical assistance

Ineligible Uses (Examples)

  • General operating expenses not directly related to cybersecurity
  • Salaries and benefits (with some exceptions for grant management staff)
  • Construction or renovation of facilities
  • Acquisition of vehicles or office equipment not directly cybersecurity-related
  • Activities already funded by other federal grants
  • Lobbying or political activity
  • Research and development activities

Subrecipient Monitoring and Compliance

For grantees that will distribute SLCGP funds to subrecipients (agencies, contractors, or partners), compliance with federal subrecipient monitoring requirements under 2 CFR 200.331-200.332 is required. This includes:

  • Determining whether a vendor is a contractor or subrecipient
  • Verifying that subrecipients are not debarred or suspended
  • Establishing subrecipient monitoring plans based on risk assessment
  • Conducting oversight through site visits, financial reviews, and performance assessments
  • Ensuring subrecipients comply with all applicable federal and state requirements

Compliance Consequences

Non-compliance with SLCGP requirements may result in consequences including loss of eligibility, fund recapture, audit findings, and reputational impact (as outlined in CISA FAQs and 2 CFR 200):

Loss of eligibility: Entities determined to be in non-compliance with cybersecurity training or other grant requirements are ineligible for SLCGP (and sometimes other federal grant) funds until compliance is restored.

Fund recapture — CISA or the state administering agency may require return of grant funds if the grantee did not comply with grant requirements.

Audit findings — Non-compliance discovered during an audit may result in questioned costs and potential reimbursement obligations.

Reputational impact — Compliance issues may affect the entity's ability to obtain future federal grants and may be reported to oversight agencies or the public.

Reporting and Documentation Requirements

Grantees must maintain records for at least three years following grant closeout (2 CFR 200.333) and must submit required reports throughout the grant period:

Financial records — Maintain documentation supporting all grant expenditures, including invoices, receipts, payment records, and cost allocation reports for personnel charged to the grant.

Progress reports — Submit required progress reports to the state administering agency or CISA detailing activities completed, milestones achieved, and progress toward grant objectives.

Performance metrics — Track and report on agreed-upon performance metrics and outcomes (e.g., number of systems assessed, vulnerabilities remediated, staff trained).

Compliance certifications — Maintain certification of compliance with cybersecurity training, NCSR participation, and other required activities.

Audit documentation — Retain all records for at least three years following grant closeout to support potential audit activity.

Compliance Checklist for SLCGP Recipients

Before submitting an SLCGP application or upon receiving a grant, consider this checklist to assess compliance readiness:

  • Eligibility verified — Confirm that your entity is eligible under federal and state requirements
  • Training compliance — Ensure your organization meets all cybersecurity training requirements and can provide annual certifications
  • NCSR readiness — Commit to completing or updating your NCSR assessment during the grant period
  • CISA service participation — Plan for participation in required CISA services (web application scanning, NCSR)
  • Grant management capacity — Confirm that staff responsible for grant management have adequate time and expertise
  • Financial controls — Ensure that your accounting system can track and allocate grant expenses separately from other funds
  • Subrecipient management — If distributing funds to subrecipients, establish monitoring plans and documentation protocols
  • Debarment verification — Implement a process to verify that contractors and subrecipients are not debarred or suspended
  • Matching funds — Confirm availability of matching funds or in-kind resources and establish a documentation process
  • Compliance calendar — Create a calendar of compliance due dates, including training certification, progress reports, and audit requirements
  • Audit coordination — Brief your internal audit function and external auditor on grant activities and compliance requirements

Compliance Resources

CISA and federal agencies provide resources to support SLCGP compliance:

  • CISA Cybersecurity Grant Program Information — Official CISA page with program details, FAQs, and guidance
  • CISA Frequently Asked Questions — Answers to common questions about eligibility, compliance, and performance
  • 2 CFR 200 (Uniform Grant Guidance) — Federal regulations governing grants
  • State administering agency — Contact your state's grant administration office for state-specific requirements and guidance
  • CISA Technical Assistance — CISA provides technical assistance to grantees; reaching out early with questions is encouraged

Key Takeaways

SLCGP funding provides an opportunity for state and local governments to improve cybersecurity capabilities with federal support. However, the grants include compliance obligations that require documentation and reporting (2 CFR 200.333-200.335). One approach for grant administrators is to establish clear policies, maintain thorough documentation, and stay current on requirements. This approach helps governments gain full value from SLCGP funding while maintaining compliance and avoiding costly findings or loss of future grant eligibility.


This content was prepared with AI-assisted research using exclusively publicly available sources. No confidential or proprietary data from any client engagement was used. It is provided for informational purposes only and does not constitute legal, financial, or investment advice. All data should be independently verified before use in any official capacity. © 2026 DWU Consulting. All rights reserved.