Fiscal Year (FY) 2022 State and Local Cybersecurity Grant Program | DHS 22 GPD 137 00 01

Opportunity Information: Apply for DHS 22 GPD 137 00 01

The Fiscal Year (FY) 2022 State and Local Cybersecurity Grant Program (funding opportunity number DHS 22 GPD 137 00 01) is a discretionary federal grant run by the U.S. Department of Homeland Security through FEMA under CFDA 97.137 and funded through the Infrastructure Investment and Jobs Act (IIJA). Its central purpose is to strengthen cybersecurity readiness and resilience across state, local, and tribal governments by requiring applicants to build, document, and execute a structured Cybersecurity Plan that improves how public-sector systems are managed, defended, and recovered after incidents. The program is designed to push jurisdictions toward measurable, repeatable cybersecurity practices rather than one-off purchases, and to encourage coordination across multiple levels of government, including strong state-local collaboration where states are the eligible entity.

Eligible applicants include state governments, county governments, city or township governments, and federally recognized Native American tribal governments. FEMA anticipated 56 awards, with a listed award ceiling of $185,024,069. The opportunity was created on September 16, 2022, with an original closing date of November 15, 2022. While the notice emphasizes planning requirements rather than a narrow list of allowable tools, the structure makes clear that the funding is intended to support practical cybersecurity capabilities, governance, and workforce improvements that align to widely accepted federal standards and best practices.

A core requirement of the program is that an eligible entity must produce a Cybersecurity Plan that, to the extent practicable, builds on what already exists. That means incorporating any current cybersecurity or IT protection plans the jurisdiction already uses. If the eligible entity is a state, the plan must also reflect consultation and feedback from local governments and local government associations within the state. In other words, states are expected to avoid a purely top-down plan and instead document how local stakeholders helped shape priorities, activities, and roles.

The plan must describe, in practical terms, how the jurisdiction will manage and oversee its information systems, applications, and user accounts, including the technology running on them. This requirement explicitly includes legacy systems and unsupported technology, which is a common weakness in government environments. Beyond basic asset management, the plan must also explain how the jurisdiction will monitor, audit, and track network traffic and activity moving to and from those systems, applications, and accounts. Together, these expectations point to improved visibility: knowing what exists, who has access, what is happening on the network, and where the highest-risk exposures are.

Another major focus is operational resilience: the plan must explain how the eligible entity will enhance preparation, response, and resiliency against cybersecurity risks and threats. This includes implementing continuous vulnerability assessment and threat mitigation practices, prioritized by risk. The emphasis on continuous assessment signals that cybersecurity is expected to be an ongoing cycle of identifying weaknesses, ranking them based on potential impact and likelihood, and then addressing them in a disciplined way rather than relying on occasional audits or reactive fixes after an incident.

The grant also pushes recipients toward recognized cybersecurity standards and shared language. The plan must ensure adoption and use of best practices and methodologies such as the NIST Cybersecurity Framework, NIST supply chain risk management best practices, and knowledge bases of adversary tools and tactics. Practically, this means applicants are expected to align their cybersecurity program to established frameworks for governance and controls, consider vendor and supply chain risks as part of procurement and operations, and use current threat intelligence concepts to understand how attackers operate.

Service delivery and public trust are also addressed. The plan should promote safe, recognizable, and trustworthy online services, including by using the .gov domain. This reflects a broader federal push to help the public quickly identify legitimate government services and reduce confusion, impersonation, and fraud risks. In parallel, continuity of operations is a required element: the plan must show how the jurisdiction will keep operating during and after a cyber incident, including by conducting exercises to practice incident response. That expectation highlights that planning is not considered complete unless it is tested through drills or tabletop exercises that reveal gaps before real-world incidents do.

Workforce capability is another explicit pillar. The plan must use the NICE Workforce Framework for Cybersecurity (developed by NIST) to identify and mitigate workforce gaps, improve recruitment and retention, and strengthen the knowledge, skills, and abilities of personnel. It also calls out cybersecurity hygiene training as an example of how to raise the baseline across staff, which matters because many government breaches begin with routine user actions like clicking phishing links or mismanaging credentials.

For states, the plan includes added responsibilities tied to statewide coordination. States must ensure continuity of communications and data networks between the state and local governments if an incident disrupts those networks. The plan must also address cybersecurity risks connected to critical infrastructure and key resources when degradation could harm government information system performance. This expands the focus beyond traditional IT systems to the broader ecosystem where operational disruption (for example, in utilities or other key services) can spill over into public-sector operations.

Information sharing is treated as a capability to be built and sustained. The plan must enhance the ability to share cyber threat indicators and related information between the eligible entity and, for states, local governments within the state, including by expanding information sharing agreements with DHS. The plan should also describe coordination with DHS more generally, including leveraging cybersecurity services offered by the Department. This ties local and state improvements into federal threat awareness and support resources rather than leaving jurisdictions isolated.

Modernization and cross-domain alignment are also covered. The plan must implement an IT and operational technology modernization cybersecurity review process that aligns IT and OT cybersecurity objectives. That matters because many public services rely on OT environments (like industrial control systems) that historically have different tooling, risk tolerance, and patching realities than traditional IT. The plan is also expected to include coordinated strategies developed in consultation with local governments and associations, and, where applicable, neighboring eligible entities, information sharing and analysis organizations, and even neighboring countries. This underscores that cyber threats and dependencies do not stop at jurisdictional boundaries.

Equity of access is addressed through explicit rural inclusion. The plan must ensure that rural areas can access and participate in the services and programs described, and it must describe how funds, items, services, capabilities, or activities will be distributed to local governments, including what fraction is planned for rural areas. This requirement is meant to prevent resources from clustering only in major metropolitan areas and to ensure smaller or more resource-constrained communities are not left behind.

Finally, the plan must be grounded in implementation reality and measurable outcomes. It must assess the entity's current capabilities related to the required actions, define responsibilities between the eligible entity and local governments (as appropriate), outline the resources needed and the timeline for implementation, and define the metrics that will be used to measure progress. Those metrics must address both progress in implementing the plan itself and progress in reducing cyber risk while improving the ability to identify, respond to, and recover from threats. The overall design of the program is therefore not just to fund cybersecurity, but to drive a disciplined program: assess current state, plan improvements, coordinate across governments, implement on a timeline, and prove results with metrics.

• The Department of Homeland Security, Department of Homeland Security - FEMA in the infrastructure investment and jobs act (iija) sector is offering a public funding opportunity titled "Fiscal Year (FY) 2022 State and Local Cybersecurity Grant Program" and is now available to receive applicants.
• Interested and eligible applicants and submit their applications by referencing the CFDA number(s): 97.137.
• This funding opportunity was created on Sep 16, 2022.
• Applicants must submit their applications by Nov 15, 2022. (Agency may still review applications by suitable applicants for the remaining/unused allocated funding in 2026.)
• Each selected applicant is eligible to receive up to $185,024,069.00 in funding.
• The number of recipients for this funding is limited to 56 candidate(s).
• Eligible applicants include: State governments, County governments, City or township governments, Native American tribal governments (Federally recognized).

Apply for DHS 22 GPD 137 00 01

[Watch] Creating a grant proposal using the step-by-step wizard inside the applicant portal: