Full Report
The U.S. Department of Homeland Security (DHS), through the Cybersecurity and Infrastructure Security Agency (CISA), has launched a... The post DHS opens public comment period as CISA begins review of state and local cybersecurity grant program appeared first on Industrial Cyber.
Analysis Summary
# Regulation/Compliance: State and Local Cybersecurity Grant Program (SLCGP) Data Collection & Evaluation
## Overview
The U.S. Department of Homeland Security (DHS), through CISA, has initiated a formal evaluation of the State and Local Cybersecurity Grant Program (SLCGP). This involves a new Information Collection Request (ICR) to gather quantitative and qualitative data from grant recipients. The goal is to assess the effectiveness of the $1 billion federal investment in strengthening the cybersecurity posture of state, local, and territorial (SLT) governments.
## Key Details
- **Issuing Authority:** Cybersecurity and Infrastructure Security Agency (CISA) & Federal Emergency Management Agency (FEMA)
- **Effective Date:** Public comment period open through July 31, 2026
- **Jurisdiction:** United States (State, Local, and Territorial governments)
- **Status:** Proposed (Information Collection Phase)
## Requirements
### Mandatory Requirements (for Grant Participation)
1. **Cybersecurity Planning:** Recipients must develop and implement comprehensive cybersecurity plans.
2. **Goal Alignment:** Projects must align with one of four goals: Governance/Incident Response, Assessment/Testing, Risk-based Controls, or Employee Training.
3. **Data Reporting:** Under the new ICR, recipients will be required to provide feedback on fund utilization, challenges, and progress toward medium-term outcomes.
4. **Evidence-Based Policy:** Compliance with the Foundations for Evidence-Based Policymaking Act regarding data submission.
### Recommended Practices
1. **Continuous Evaluation:** Regularly assessing the "value-added" of grant-funded projects.
2. **Stakeholder Engagement:** Participating in the 60-day public comment period to shape future program phases.
3. **Alignment with National Strategy:** Mapping local efforts to the 2023 DHS Quadrennial Homeland Security Review.
## Affected Organizations
- **Industries:** Government (State, Local, Tribal, and Territorial), Critical Infrastructure operators affiliated with SLT entities.
- **Organization Size:** All sizes of SLT government agencies.
- **Geographic Scope:** All 50 U.S. States and U.S. Territories.
## Compliance Timeline
- **June 2, 2026:** Launch of the study and 60-day notice period.
- **July 31, 2026:** Deadline for public comments on the information collection request.
- **FY 2026:** Scheduled conclusion of the active funding phase of the SLCGP.
- **FY 2029:** Final period of performance concludes; full compliance and evaluation reporting required.
## Implementation Guidance
### Assessment Phase
- **Gap Analysis:** SLT governments should identify resource gaps in their current cybersecurity posture relative to the four program goals.
- **Evaluability Assessment:** Review internal data to determine readiness for formal CISA/FEMA evaluation.
### Implementation Phase
- **Resource Allocation:** Apply grant funds toward risk-based security controls and incident response capabilities.
- **Metric Tracking:** Establish KPIs to measure the "short and medium-term outcomes" requested by CISA.
### Validation Phase
- **Submission of Federal Register Comments:** Provide qualitative feedback on "challenges and successes" encountered.
- **Audit Preparedness:** Maintain documentation on how funds reduced systemic cyber risk for future GAO or DHS audits.
## Technical Requirements
- **Risk-Based Security Controls:** Implementation of technical measures to mitigate identified vulnerabilities.
- **Incident Response Capabilities:** Technical infrastructure to detect and respond to threats like ransomware.
- **Testing and Evaluation:** Regular vulnerability scanning and penetration testing as part of the assessment goal.
## Penalties & Enforcement
- **Fines:** Not applicable, but the other consequences below are significant.
- **Other Consequences:** Loss of future eligibility for grant funding; clawback of mismanaged funds.
- **Enforcement:** Jointly enforced by CISA and FEMA through the Grant Analytics Branch and OMB review.
## Related Standards
- **NIST Cybersecurity Framework (CSF):** Implicitly used for the "Risk-based security controls" requirement.
- **Infrastructure Investment and Jobs Act (2021):** The enabling legislation for the $1B funding.
- **CISA 2023-2025 Strategic Plan:** Goal 1 (Security and Resilience).
## Resources
- **Official Documentation:** Federal Register Notice (https://www.federalregister.gov)
- **Guidance Documents:** CISA Stakeholder Engagement Division (SED) Grant Analytics Branch.
- **Tools:** SLCGP Notice of Funding Opportunity (NOFO) archives.
## Practical Recommendations
- **Immediate Action:** Review the Information Collection Request (ICR) and submit comments if your organization has encountered administrative burdens or implementation barriers.
- **Strategic Alignment:** Map all grant-funded projects for 2026-2029 to the four core goals so that "Validation Phase" reporting succeeds.
- **Focus on Training:** Utilize remaining FY2025/2026 funds to address the "Human Element" through role-based cybersecurity training.