AWS Public Sector Blog

5 things to consider while applying to the State and Local Cybersecurity Grant Program (SLCGP)

State and local government (SLG) organizations are experiencing an increase in cyber incidents that impact and disrupt citizen services. In 2021, US President Joe Biden signed the Infrastructure Investment and Jobs Act (IIJA). This act provides funding that state, local, and academic institutions can access to make strategic decisions that can build resilience, modernize systems, and enhance and strengthen the overall security posture of critical infrastructure services.

IIJA created the State and Local Cybersecurity Grant Program (SLCGP), which provides funding to eligible entities to address cybersecurity risks and threats to information systems owned or operated by, or on behalf of, state, local, or tribal governments. SLCGP allocates $1B distributed over four years to support state, local, and tribal agencies in the implementation of cybersecurity best practices.

The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released the FY22 Notice of Funding Opportunity (NOFO), which provides more details about the requirements to apply for SLCGP funding. The funding opportunity requires participants to prioritize the establishment of a cybersecurity planning committee; the development of a state-wide cybersecurity plan; assessments; and the adoption of cybersecurity best practices.

This blog post guides you through some resources and approaches to consider as organizations strive to meet the SLCGP funding requirements. Note: the SLCGP funding’s overall per state allocations are not sizeable enough for each local organization to implement their own security measures effectively. Participating state and local government entities should take a strategic and enterprise approach to leverage these funds in a manner that will make a broad impact in risk reduction, and to make their infrastructure more resilient.

The SLCGP funding requirements

 With a tight 60-day window for submission, grant program participants need to act quickly while meeting the intent of the grant, which requires 80% of the funds to be allocated to local government. For those entities pursuing the grant for enterprise initiatives, like consolidated IT programs, approval from local government representatives is required. The SLCGP also includes stringent grant reporting requirements. These reporting requirements may be considered cumbersome to smaller local government participants that may not have a grants office or knowledgeable staff to support these efforts. Local government organizations can consider leveraging the statewide grant offices to support meeting the grant reporting requirements.

Participating SLG organizations with strong private-public partnerships with their vendor community can streamline their SLCGP funding efforts by using already established processes and solutions.

Considerations to help meet the SLCGP funding opportunity

Organizations must apply for SLCGP funds before the deadline on November 15, 2022. As the SLCGP necessitates establishing a cybersecurity planning committee, the following are recommended approaches for a cybersecurity planning committee to consider to secure funding:

1. Streamline cybersecurity solution procurement to standardize operations and reduce costs

Organizations can take advantage of independent software vendors’ (ISV) solutions that can provide visibility, integration, automation, and protection at scale. However, the cybersecurity planning committees in charge of reviewing and submitting requests for these solutions should prioritize reducing various agencies’ requests—rather, they should look broadly across all requests to identify repeated themes and focus on areas that can scale across agencies and departments. In taking this approach, states can standardize capabilities and better operationalize threat data that they can use to make actionable decisions. Ransomware is one of the most dominant cyber incidents across state and local government (SLG) organizations, so having an integrated system that allows for simplified operations and automated response can benefit SLG organizations that are resource constrained. Committees can find vendor solutions to meet this need in the AWS Marketplace from Amazon Web Services (AWS) or with AWS Partners; some examples of such solutions are Presidio’s Ransomware Mitigation Kit and SentinelOne for AWS Elastic Disaster Recovery.

2. Find ready-made solutions in a digital catalog to support cybersecurity governance and more

Given the short timeline for submission, participants can consider using digital catalogs that simplify, consolidate, and accelerate procurement processes by offering a wide range of relevant solutions from ISVs. In addition, these catalogs can provide solutions that offer enhanced visibility into utilization and other critical data points that factor into the SLCGP’s metrics and grant reporting requirements. Digital catalogs like the AWS Marketplace can offer organizations solutions that support procurement speed, flexible pricing and terms, and the needed governance to oversee cyber events as required by grant programs like the SLCGP. SLG customers can collaborate with vendor partners that can assist in fast-tracking implementations and offer flexible contract terms, e.g. shelf ware clause, and volume discounts.

3. Prioritize resilience for your infrastructure

SLG organizations looking to secure SLCGP funding may consider prioritizing resilience for their infrastructure. Organizations can build resilience and an effective data strategy with various cloud services. Cloud services provide opportunities to increase scalability, resilience, reliability, and offer low cost disaster recovery and centralized immutable back up offerings. Services like AWS Backup can be used to centralize and automate data protection across your services regardless of whether they are on premises or in the cloud. AWS Backup secures your backups by encrypting your data in transit and at rest, which reduces risk of data compromise.

4. Skill your organization with no-cost cybersecurity training

The NOFO details that applying organizations must adopt cybersecurity best practices and implement cyber awareness training to be eligible for funding. SLG Organizations can consider using no-cost training opportunities and cyber awareness services offered by leading security vendors. AWS Cybersecurity Awareness Training is a no-cost training solution that can scale for use by private organizations and citizens. The training offers 15-minute lessons on cybersecurity-related topics like secure communication, data classification, phishing, physical security, social engineering, data privacy, third-party/application security, laptop standard, protect data, and acceptable use in over 10 different languages. It also meets accessibility requirements.

5. Think long-term with a modernization strategy

Lastly, for subsequent year SLCGP efforts, SLG organizations should focus on long-term strategies, like statewide modernization of critical applications and infrastructure. Organizations can use cloud services to help meet the NOFO requirement to implement best practices like implementing zero trust architecture, which can further support efforts to enhance digital transformation efforts while securing the citizen experience.


State and local governments should not be deterred by the grant submission timeline and reporting requirements. This funding opportunity can help implement state-wide risk mitigation strategies to protect data privacy, secure infrastructure, and serve citizens across the nation.

AWS and AWS Security Partners provide a portfolio of services that support SLG organizations with their SLCGP objectives and can help implement end-to-end enhanced security. For more information on how AWS can support customers’ security requirements, visit the AWS Security & Compliance hub. Learn more about how state and local governments use AWS in the AWS Cloud for State and Local Governments hub.

Do you have questions about how your agency can use AWS to support your cybersecurity goals? Reach out to the AWS Public Sector Team to learn more.

Read more about AWS for state and local government:

Subscribe to the AWS Public Sector Blog newsletter to get the latest in AWS tools, solutions, and innovations from the public sector delivered to your inbox, or contact us.

Please take a few minutes to share insights regarding your experience with the AWS Public Sector Blog in this survey, and we’ll use feedback from the survey to create more content aligned with the preferences of our readers.

Maria S. Thompson

Maria S. Thompson

Maria S. Thompson is the state and local government executive government advisor for cybersecurity at Amazon Web Services (AWS). In this role, she brings over 20 years of experience in information technology, strategic planning, computer network defense and risk management. Prior to her role with AWS, Maria served as North Carolina’s first State Chief Risk and Security Officer. There, she was instrumental in establishing the Whole of State Approach to Cyber. This included the development and implementation of the state’s first Cyber Disruption Plan, and the Joint Cyber Task Force (JCTF). Maria also served 20 years in the United States Marine Corps and retired as the cybersecurity chief/information assurance chief for the Marine Corps. Other security roles held include certification and accreditation (C&A) lead for the Multi-National Forces – Iraq and senior security engineer in a joint military organization and Security Operations Center lead for a federal agency.