State and Local Cybersecurity Grant Program

The State and Local Cybersecurity Grant Program (SLCGP) is a cybersecurity preparedness and resilience funding program established through the Infrastructure Investment and Jobs Act of 2021. The program is administered by the U.S. Department of Homeland Security through the Federal Emergency Management Agency in coordination with the Cybersecurity and Infrastructure Security Agency. The purpose of the program is to strengthen cybersecurity capabilities across state, local, and territorial governments by supporting investments that reduce cyber risk, improve operational resilience, and protect critical public infrastructure and government services. The State of Georgia administers the grant opportunity through the Georgia Emergency Management and Homeland Security Agency (GEMA/HS), which manages the application process for eligible entities within the state. The SLCGP is intended to help government entities improve their cybersecurity posture through planning, governance, assessments, technical protections, and workforce development. The program supports four primary objectives: developing and implementing cybersecurity governance structures and cybersecurity plans; understanding cybersecurity risks and vulnerabilities through assessments and testing; implementing security protections appropriate to identified risks; and ensuring personnel receive cybersecurity training that matches their responsibilities. Examples of allowable activities include implementation of multi-factor authentication, endpoint detection and response systems, enhanced logging, vulnerability scanning, data encryption, backup and recovery capabilities, migration to .gov domains, cybersecurity awareness training, penetration testing, and continuity of operations improvements. The program also allows recipients to respond to imminent cybersecurity threats when confirmed by CISA and DHS. The FY 2024 SLCGP places a strong emphasis on supporting local governments. Federal guidance requires that a substantial portion of funding directly benefit local entities through either direct pass-through funding or state-provided cybersecurity services and capabilities. The Georgia guidance states that at least 70 percent of grant funds must benefit local governments and at least 25 percent of that local government allocation must benefit rural areas. Eligible subrecipients may include counties, municipalities, cities, townships, school districts, regional authorities, tribal organizations, and rural public entities. Public educational institutions may also qualify if they are considered agencies or instrumentalities of government under state or local law. Nonprofit organizations and private for-profit entities are not eligible subrecipients under this funding opportunity. Funding for Georgia under the FY 2024 cycle is expected to total approximately $7.59 million based on the federal allocation formula administered by CISA and FEMA. The program includes a mandatory non-federal cost share requirement of 30 percent for FY 2024 single-entity projects. Multi-entity projects may qualify for a reduced match requirement under federal guidance. Matching contributions may consist of cash contributions or eligible in-kind support. The federal share percentage decreases over future funding cycles, increasing the required match percentage over time. The grant program prohibits certain activities and expenditures, including construction, land acquisition, ransom payments, cybersecurity insurance premiums, recreational activities, and unrelated information technology expenses that do not directly address cybersecurity risks affecting government-owned systems. Applications for the Georgia SLCGP opportunity will be accepted online through the Georgia EM Grants Manager portal beginning April 1, 2026. All applications must be submitted by May 15, 2026 in order to be considered for funding. Applicants are expected to complete all required application materials and comply with applicable federal and state grant requirements. Required application components may include cybersecurity project narratives, implementation schedules, Investment Justifications, Project Worksheets, budget narratives, pass-through documentation, and evidence of alignment with approved Cybersecurity Plans. Applicants must also maintain applicable federal registrations and comply with reporting and documentation requirements established by FEMA and GEMA/HS. Applications are evaluated based on completeness, eligibility, alignment with approved cybersecurity planning objectives, reasonableness of costs, feasibility of implementation, and the anticipated effectiveness of proposed cybersecurity investments. FEMA and CISA review projects for alignment with cybersecurity capability gaps, risk reduction goals, and program priorities. Applicants are encouraged to prioritize measurable cybersecurity improvements and adoption of best practices such as multi-factor authentication, enhanced logging, endpoint detection capabilities, vulnerability management, and cybersecurity training. The program includes ongoing reporting obligations including financial reporting, annual progress reporting, cybersecurity plan updates, and performance measurement activities throughout the period of performance. The FY 2024 SLCGP is part of a recurring federal cybersecurity investment strategy designed to modernize cybersecurity readiness across state and local governments. The federal NOFO establishes a four-year period of performance running from February 1, 2025 through January 31, 2029. Recipients are required to maintain approved Cybersecurity Plans and submit annual updates to CISA during the grant period. Questions regarding the program and application requirements may be directed to FEMA through FEMA-SLCGP@fema.dhs.gov or through GEMA/HS grant administration resources. The SLCGP represents a long-term effort to strengthen cybersecurity governance, preparedness, and resilience across public sector systems throughout Georgia and the broader United States.

Align projects directly to documented cybersecurity capability gaps and approved Cybersecurity Plans. Prioritize measurable improvements such as MFA, enhanced logging, endpoint detection, encryption, and vulnerability remediation. Clearly demonstrate feasibility within the four-year performance period and ensure all budget requests are well-supported.