State and Local Cybersecurity Grant Program

The State and Local Cybersecurity Grant Program is a federally funded initiative administered in North Carolina by North Carolina Emergency Management, a division of the North Carolina Department of Public Safety. The program originates from the U.S. Department of Homeland Security through FEMA and is designed to strengthen cybersecurity capabilities across state, local, and tribal governments. The FY cycle described reflects a continuation of prior year efforts to build resilience against cybersecurity threats, improve infrastructure security, and align with national cybersecurity priorities. The total federal allocation for North Carolina is approximately 2,638,773 dollars, with strict requirements governing how funds are distributed and used. The purpose of the program is to support the development and implementation of cybersecurity plans, enhance threat detection and mitigation capabilities, and improve overall preparedness and response to cyber incidents. Projects funded under this program must align with federally defined cybersecurity objectives, including system monitoring, vulnerability management, adoption of best practices such as multi-factor authentication and encryption, and workforce development. The program emphasizes building sustainable cybersecurity capabilities, requiring that any funded personnel or systems demonstrate long-term viability beyond the grant period. Funding may be used across several categories including planning, organizational improvements, equipment acquisition, training, and exercises. Allowable costs include cybersecurity software, licenses, personnel related to cybersecurity operations, and training programs aligned with identified capability gaps. However, strict limitations apply. Funds cannot be used for land acquisition or major construction activities, though minor facility modifications necessary to install equipment may be permitted with appropriate environmental and historic preservation review. All equipment purchases must align with FEMA’s Authorized Equipment List and are limited to the period of performance. A significant requirement of this grant is the mandatory 40 percent non-federal cost share. Subrecipients must cover this portion entirely, meaning applicants must demonstrate financial capacity to support their share of project costs. Additionally, at least 80 percent of total funding must be passed through to local government entities, with a minimum of 25 percent specifically directed to rural communities. These requirements ensure equitable distribution and prioritization of underserved areas. Eligibility is restricted to North Carolina entities, including local governments, community colleges, tribal governments, and state agencies. Applicants are limited to submitting one application that contains only one project. Any deviation from this rule, including multiple submissions or incomplete applications, results in automatic rejection. Applications must be submitted through a Salesforce grants management portal, and applicants must first register their organization and user account before submission. The application process is competitive and involves review and scoring by the State Cybersecurity Planning Committee. Applicants must align their proposed projects with required cybersecurity elements defined in the federal notice of funding opportunity. Additional submission requirements include organizational information such as leadership details and compliance disclosures related to federal policies. Technical assistance is provided through scheduled virtual sessions, and applicants may seek support during designated Q&A periods. The application window opens on November 1 and closes on November 30, with submissions due by 11:59 pm Eastern Time on the final day. Awards are anticipated to be announced in Spring 2026 or later, with a projected period of performance extending from September 1 through March 31, 2029. The program operates on an annual cycle, consistent with prior funding rounds, and is expected to continue in future years subject to federal appropriations.

Ensure only one complete application is submitted and fully aligned with required cybersecurity elements; failure to meet match requirement or submission rules results in rejection