The State and Local Cybersecurity Grant Program (SLCGP) is the largest federal funding source ever created specifically for municipal cyber defense. Established by Congress in the 2021 Infrastructure Investment and Jobs Act, the program appropriated $1 billion over four years to help American state, local, tribal, and territorial governments build the cybersecurity controls that the federal government has been telling them to build for a decade.
This briefing covers what SLCGP is, who qualifies, how the application process works in 2026, the common mistakes cities make, what funded projects typically look like, and what the future of the program looks like as the original four-year appropriation winds down. Where state-by-state details matter, we point at the patterns rather than listing all fifty.
Section 01: The Program in Plain English
SLCGP is jointly administered by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA). CISA provides the cybersecurity subject-matter expertise. FEMA handles grant administration. The funds flow from the federal government to state-level agencies (typically the Office of the Governor or a state homeland security office, called the State Administrative Agency or SAA), and from there to local governments.
Two structural rules matter. Eighty percent of the funds must pass through to local governments. And at least twenty-five percent of the funds must reach rural areas. The pass-through to rural entities counts toward the overall eighty percent local pass-through requirement. The point of these rules is to push the money down to where the cyber gap is largest, away from state-level IT departments and toward small municipalities, school districts, and water utilities.
Section 02: The Funding Curve
The four years of the original appropriation are not equal. Funding peaked in the second year and has fallen sharply since:
- Fiscal Year 2022: approximately $185 million
- Fiscal Year 2023: approximately $374 million (the peak)
- Fiscal Year 2024: approximately $279 million
- Fiscal Year 2025: approximately $91.75 million (the steep drop)
The dramatic decline in FY 2025 reflects a combination of political dynamics and the natural tail-off of an appropriated program. As of mid-2026, the PILLAR Act (Protecting Information by Local Leaders for Agency Resilience) is under consideration in the U.S. Senate to renew the program. Whether PILLAR passes is uncertain. What is certain is that any city or county serious about cybersecurity should treat SLCGP as a near-term opportunity, not a perpetual program.
Section 03: Who Is Eligible
FEMA defines "local government" broadly. Eligible entities include counties, municipalities, cities, towns, townships, local public authorities, school districts, special districts (including water and sewer districts), intrastate districts, councils of governments, regional or interstate government entities, agencies or instrumentalities of local governments, federally recognized Indian tribes, authorized tribal organizations, Alaska Native villages and corporations, and rural communities or unincorporated areas with public functions.
If your jurisdiction has a tax-collecting authority and provides public services, it is almost certainly eligible. The State Administrative Agency in your state runs the actual application process and determines specific eligibility within the federal framework.
Section 04: How the Process Actually Works
The full application sequence has more steps than most cities realize. Some of these steps consume weeks or months of lead time, which is why successful applicants generally start engaging six to twelve months before they want money.
- Federal funds released. Congress appropriates, FEMA issues a Notice of Funding Opportunity (NOFO) for the year.
- State submits. The State Administrative Agency applies on behalf of the state, including a state Cybersecurity Plan approved by a state Cybersecurity Planning Committee.
- State opens local solicitation. The SAA publishes a Request for Applications (RFA) inviting local entities to submit project proposals. The window is often only four to eight weeks.
- Locals apply. Cities, counties, and special districts submit project proposals aligned to (a) the state's Cybersecurity Plan, (b) CISA's Cybersecurity Performance Goals (CPGs), and (c) the federal allowable activities list.
- State reviews. The state Cybersecurity Planning Committee reviews local proposals for alignment, feasibility, and cost-effectiveness.
- Federal review. CISA and FEMA review approved projects for compliance and feasibility.
- Award released. States typically have to release funds to subrecipients within forty-five days of CISA approval.
- Subrecipient implements. The local government does the work, with reporting and audit requirements throughout.
Two specific federal requirements catch first-time applicants by surprise. Every recipient must complete the Nationwide Cybersecurity Review (NCSR), a free self-assessment that takes two to three hours and benchmarks the organization's posture against established standards. And every state's plan must be re-approved annually. The 2026 deadline for cybersecurity plan resubmission was January 30. States that missed the resubmission deadline created downstream timing problems for their local applicants.
Section 05: What's Allowable and What's Not
The most common misconception about SLCGP is that it can fund anything cyber-flavored. It cannot. Allowable activities are specifically tied to risk reduction aligned with CISA's Cybersecurity Performance Goals.
Allowable typically includes cybersecurity assessments, governance and planning work, implementation of CPG-aligned controls (multi-factor authentication, endpoint detection and response, network segmentation, immutable backups, etc.), training and exercises (tabletop, technical), specific technology purchases that close documented control gaps, and one-time professional services to deploy or configure those technologies.
Not allowable includes general IT modernization unrelated to cyber risk, projects unrelated to information system security, ongoing operating expenses that should be in the regular budget, and replacement of existing IT spend with grant dollars (no supplanting). Most awards are structured as one-time investments rather than recurring services.
Section 06: Common Application Mistakes
The cities that get funded look different from the cities that don't, and the differences are predictable.
Mistake 1: Missing the application window. State RFAs typically open and close inside an eight-week window. Cities that read the announcement and start their proposal process in week six rarely finish in time.
Mistake 2: Generic project proposals. Proposals that read like a vendor brochure ("we will improve our cybersecurity posture") rarely fund. Proposals tied to specific gaps in the state's Cybersecurity Plan, with measurable outcomes against named CPGs, fund routinely.
Mistake 3: Trying to fund recurring services. SLCGP is mostly a one-time investment vehicle. Proposals that look like multi-year managed-service contracts get pushed back. Proposals that buy hardware, deploy controls, conduct assessments, or run exercises fund well.
Mistake 4: Skipping the NCSR. The Nationwide Cybersecurity Review is a precondition for funding in every state we have looked at. Cities that have not completed the NCSR cannot receive an award. Many cities discover this requirement only after their proposal is otherwise approved.
Mistake 5: Underestimating administrative complexity. SLCGP grant administration includes federal grant requirements, state requirements, audit rules, period-of-performance constraints, and reporting obligations that often require staff time most small cities do not have. Cities that succeed plan administrative capacity into the proposal.
Mistake 6: Treating it as free money. SLCGP funds work that the city should be doing anyway. Awards that look like windfalls (let us buy something we want) fund poorly. Awards that look like accelerated delivery on a strategic plan (let us close documented control gaps faster) fund well.
Mistake 7: Ignoring the rural set-aside. If your jurisdiction qualifies as rural, the application math is more favorable than for urban applicants. Rural eligibility should be made explicit in the proposal.
Section 07: What Cities Are Spending the Money On
The funded project list across states reads like a checklist of the eight cybersecurity gaps documented in Briefing 007:
- Multi-factor authentication rollouts (especially across email, VPN, and admin accounts)
- Endpoint detection and response (EDR) licensing and deployment
- Network segmentation projects, particularly between IT and operational technology
- Immutable backup and recovery infrastructure
- Vulnerability assessments and penetration tests
- Tabletop exercises and incident response plan development
- Cybersecurity awareness training programs
- SIEM and monitoring platform implementations
- Identity and privileged access management deployments
Note the alignment with CISA's CPGs and with cyber insurance carrier requirements. The same investments that win an SLCGP award generally also satisfy the carrier and meet the controls expected by CI Fortify. The dual-use nature of these investments is part of what makes SLCGP valuable beyond the dollar amount of any individual award.
Section 08: How to Position Your Application
The cities whose proposals get funded share patterns that are not difficult to replicate.
Lead with risk reduction tied to specific CPGs. Open with the gap your project closes, not with what you want to buy. Reviewers grade against CPG alignment. Make the alignment obvious.
Quantify exposure. Use the cost-of-ransomware data from Briefing 006 or comparable public sources. Demonstrating that the proposal closes a documented vulnerability worth millions in potential incident cost is far more persuasive than describing the proposed work in technical terms.
Show alignment with the state Cybersecurity Plan. The state plan typically includes specific objectives. Map your project to one or more of those objectives explicitly. Quote the relevant section by name.
Document existing controls or the lack of them. If you do not have MFA, say so. The proposal is stronger when honest about the gap, because reviewers are looking for projects that close real gaps rather than incremental improvements on already-strong postures.
Bundle related projects. A single proposal that delivers MFA plus EDR plus an IR plan is generally stronger than three separate proposals. The reviewer can see the integrated risk-reduction story. Administrative overhead is also lower.
Submit early, especially if rural. Rural applicants benefit from explicit set-asides. Submitting early in the window gives reviewers more time to evaluate, which generally helps.
Section 09: What's Next
The original SLCGP appropriation is in its final year. Whether the program continues depends on Congressional action on the PILLAR Act or a successor vehicle. As of mid-2026, the outcome is uncertain but the underlying need is not. The federal government has acknowledged that it cannot directly defend every U.S. municipality, and it has built CI Fortify around the explicit assumption that cities, counties, and water utilities must defend themselves.
The smart municipal posture is to assume SLCGP funds may continue but plan as if they will not. Cities that have built strategic plans aligned with CPGs and have invested in foundational controls regardless of grant timing are in the best position when grant cycles open and the best position when they do not.
Section 10: How OneCyberShield Aligns with SLCGP-Funded Work
The OneCyberShield product stack maps directly to the CPG categories most commonly funded by SLCGP awards. Network Defense covers the segmentation and remote-access objectives. Endpoint Protection covers the EDR objectives. Immutable Backup & Recovery covers the backup architecture objectives. The Threat Intelligence and SOC Platform covers the monitoring and incident-response visibility objectives.
If your city is preparing a current or future SLCGP application, the OneCyberShield team can help you structure the proposal so it maps cleanly to CPG categories and to your state's Cybersecurity Plan. Use the briefing form to start a conversation. Select "SLCGP grant assistance" from the inquiry-type dropdown.