Full Report
Cal OES offers up to $250,000 to help California’s state, local, and tribal agencies strengthen their digital infrastructure against evolving cyber threats. Organizations must submit their applications by March 13, 2026. Key takeawaysSignificant competitive funding: Cal OES is distributing $9.7 million for local and tribal governments and $1.8 million for state agencies, with individual awards capped at $250,000.Direct Tenable alignment: Tenable solutions fulfill grant requirements to meet the program’s objectives and statewide priorities by providing continuous asset identification, risk-based vulnerability prioritization, and real-time security gap analysis.Focus on national priorities: Grant applications receive high priority when addressing critical security gaps considered national priorities, such as lack of multi-factor authentication (MFA), use of end-of-life (EOL) software, and inadequate encryption—all of which Tenable identifies and surfaces.Strict deadline and submission rules: Applications are due by 11:59 PM PDT on March 13, 2026, and must be submitted as PDF email attachments; Cal OES will not accept links to files in cloud storage services like Google Drive or Dropbox.Grant overviewThe California Governor’s Office of Emergency Services (Cal OES) is now accepting applications for its Federal Fiscal Year (FFY) 2024 State and Local Cybersecurity Grant Program (SLCGP). The grant program is intended to help local and tribal governments, as well as state agencies address threats to information systems. It also aims to improve the security of critical infrastructure organizations and the resilience of the services these entities provide to their communities.Tenable solutions directly align with the grant's objectives to “understand your current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments” and “ implement security protections commensurate with risk.”Organizations can apply for up to $250,000 through two competitive programs:Local and tribal governments: $9.7 million available for local agencies and federally recognized tribes.State agencies: $1.8 million available for California state agencies.Key program detailsApplication deadline: Friday, March 13, 2026, at 11:59 PM PDT.Performance period: 26 months, July 1, 2026 – August 31, 2028.Cost match: Grant recipients must have a 30% cost match (cash or third-party in-kind). For example, for a $250,000 award, the match is $107,143, totaling a $357,143 project cost.Eligibility restrictions: Previous recipients of FY 2022 or 2023 SLCGP funding are not eligible for this cycle.Meeting SLCGP objectivesProposed projects must align with one of the four primary SLCGP objectives: 1) Governance and Planning; 2) Assessment and Evaluation; 3) Mitigation; and 4) Workforce Development. Tenable solutions are uniquely positioned to support objectives 1, 2, and 3 as described below:SLCGP ObjectiveHow Tenable HelpsObjective 1: Governance and PlanningTenable provides centralized visibility into cyber risk to support stronger governance and strategic planning. Our exposure management insights help agencies align security programs with recognized frameworks and grant requirements.Objective 2: Assessment and EvaluationTenable continuously identifies assets and vulnerabilities across IT, OT, cloud and identity environments to identify security gaps in real-time. Risk-based scoring enables agencies to assess their security posture and measure improvement over time.Objective 3: MitigationTenable pinpoints the exposures that represent the highest risk to organizations, helping them to prioritize and accelerate remediation and mitigation. Meeting SLCGP statewide prioritiesApplicants are also strongly encouraged to incorporate statewide priorities in their project descriptions which align with Tenable solutions, including:Enhance the preparation, response, and resiliency of information systems, applications, and user accounts.Implement a process of continuous cybersecurity risk factors and threat mitigation practices prioritized by degree of risk.Assess and mitigate risks and threats impacting local jurisdictions’ critical infrastructure and key resources.Application requirementsTo be considered, applicants must submit:Notice of Interest (NOI): Applicants must respond to each question in the NOI form. The applicant’s response to each question will be evaluated as part of the rating process. Applicants should develop a thorough project proposal that takes into consideration planning and implementation of the entire process for the proposed project – from conception to completion of all activities using the requested funding.Project Worksheet: Applicants will complete the Project Worksheet to demonstrate their project alignment to SLCGP objectives, their implementation plan, and to identify key project milestones. The Project Worksheet is an Excel spreadsheet that includes two tabs to be completed by the applicant: the Baseline Project Information tab and the Project Implementation tab. Each will be evaluated as part of the rating process.Cybersecurity Maturity Survey: In addition to the NOI form and Project Worksheet, applicants must complete the Cybersecurity Maturity Survey. This is an online survey that will not be scored, but that is required and will be a helpful tool to assist in identifying gaps to address through SLCGP. Upon completion of the survey, applicants must download a copy of their survey responses and attach them as a PDF file to submit with their proposal; proposals submitted without completing the survey may not be considered for funding.System for Award Management (SAM) registration: Applications must have a Unique Entity Identifier (Unique Entity ID) registered in the federal System for Award Management (SAM). Applicants who do not currently have a Unique Entity ID will need to register at SAM.gov to obtain one.Pro Tip: All proposals must be emailed to [email protected]. Cal OES cannot access cloud-based storage like Google Drive.Ready to apply?You can find the full Request for Proposal (RFP) and necessary forms (Notice of Interest, Project Worksheet, and Cybersecurity Maturity Survey) at the links below:Official Press Release: Cal OES NewsGrant Application Info for Local and Tribal AgenciesGrant Application Info for State AgenciesCal OES Grants Management MemorandumFor more information on how Tenable can support your CA SLCGP application, contact us at [email protected] or submit a contact request here.
Analysis Summary
# Industry News: Cal OES Opens $11.5M Cybersecurity Grant Cycle; Tenable Positions for Public Sector Growth
## Summary
The California Governor’s Office of Emergency Services (Cal OES) has announced the Federal Fiscal Year 2024 State and Local Cybersecurity Grant Program (SLCGP), offering $11.5 million in competitive funding. Tenable has simultaneously launched a strategic go-to-market campaign to align its "Exposure Management" solutions with the grant’s specific technical requirements.
## Key Details
- **Date:** Applications due March 13, 2026; Performance period 2026–2028.
- **Companies Involved:** Cal OES (Grantor), Tenable (Vendor), California State, Local, and Tribal Agencies (Applicants).
- **Category:** Government Funding / Public Sector Sales Strategy.
## The Story
Cal OES is distributing $9.7 million for local/tribal governments and $1.8 million for state agencies to harden digital infrastructure. Individual awards are capped at $250,000 and require a 30% cost match from the recipient. The program prioritizes projects that address "national priorities," specifically multi-factor authentication (MFA) gaps, end-of-life (EOL) software, and inadequate encryption.
In a savvy business move, Tenable has published a roadmap for agencies to use these federal funds to purchase their platform. They are positioning their "Tenable One" platform as a "turnkey" solution for the grant's mandates, specifically targeting Objective 1 (Governance), Objective 2 (Assessment), and Objective 3 (Mitigation).
## Business Impact
### For the Companies Involved
- **Tenable:** This represents a significant captured-revenue opportunity. By mapping their product capabilities directly to the SLCGP "Project Worksheet," Tenable lowers the barrier for budget-constrained agencies to acquire their software.
### For Competitors
- **Qualys and Rapid7:** Tenable’s direct positioning creates a first-mover advantage in this specific grant cycle. Competitors must now respond with similar "grant-ready" messaging or risk being excluded from the procurement lists of agencies relying on these funds.
### For Customers
- **Resource-Constrained Agencies:** Small local and tribal governments get a lifeline to modernize. However, the 30% cost-match requirement means agencies must still find roughly $107k in internal budget to unlock the full $250k award.
### For the Market
- **Public Sector Resilience:** This continues the trend of the federal government using state agencies as "pass-through" entities to force cybersecurity maturity down to the municipal level.
## Technical Implications
The grant specifically highlights **Continuous Asset Identification** and **Risk-Based Vulnerability Prioritization**. This signals a shift in public sector requirements away from "point-in-time" audits toward continuous exposure management. The focus on EOL (End-of-Life) software identification suggests a state-wide push to decommission legacy technical debt.
## Strategic Analysis
- **Market Positioning:** Tenable is shifting from a "vulnerability scanner" to a "strategic compliance partner." By helping agencies write the grant application (via their SLCGP alias), they embed themselves into the agency's long-term budget cycle.
- **Competitive Advantage:** Tenable’s ability to cover IT, OT (Operational Technology), and Cloud in a single platform aligns with the grant’s goal of protecting "critical infrastructure," where OT security is often a major gap.
- **Challenges:** The long lead time (applications in 2026, performance through 2028) means sales cycles will be protracted. Additionally, the exclusion of previous award winners limits the total addressable market for this specific cycle.
## Industry Reactions
- **Analyst Perspective:** Market analysts view SLCGP-aligned campaigns as essential for security vendors. Public sector spending is often more "recession-proof" than private sector spending, making these grants high-value targets.
- **Market Response:** This reflects a broader "Professional Services" trend where vendors act as consultants to help clients navigate complex government bureaucracy.
## Future Outlook
- **Predictable Pipeline:** Expect a surge in California public sector RFPs in mid-2026 as these funds are disbursed.
- **What to Watch For:** Whether other major vendors (Microsoft, CrowdStrike) release similar "California-specific" grant toolkits to compete for the remaining slices of the $11.5M pie.
## For Security Professionals
Practitioners in California public agencies should leverage the **Cybersecurity Maturity Survey** required by the grant as a benchmark tool to justify budget requests to their board or city council. If your organization lacks Tenable-like capabilities (Continuous Asset Discovery, MFA gap analysis), this grant represents a "low-cost" way to implement a tier-one security stack.