Cybersecurity grant match requirement a ‘steep mountain to climb’ for states

Federal officials said the rising cost of participating in the State and Local Cybersecurity Grant Program could be tough for states over the next two years.

As the federal State and Local Cybersecurity Grant Program passes the halfway point of its four-year cycle, officials reflected Tuesday on the ability of states to meet the program’s fund-matching requirement. Lisa Nine, a senior program analyst with the Federal Emergency Management Agency, called it a “steep mountain to climb” for state governments.

The $1 billion grant program, created by the 2021 infrastructure law and jointly administered by FEMA and the Cybersecurity and Infrastructure Security Agency, was designed so that states gradually pay a higher percentage of the program’s costs as federal dollars diminish, said Bess Mitchell, a grant operations chief at CISA.

“There’s a cost-share for the program to encourage state investment into what is being built,” Mitchell said at the Billington State and Local Cybersecurity Summit in Washington on Tuesday. “We really want to see this program maintained and sustained after the life of the grant considering we are working within a set four-year period.”

In the first year of the program, 90% of its funds came from the federal government and the state only had to cover 10%, but the split will change to 80-20, and then to 70-30 before closing at 60-40.


State matches don’t need to be in direct funds, though. States can, for example, host cybersecurity training events at venues where hosting costs are donated and the value of the donated space counts toward the match, Nine said.

So far, about half of the funds from the grant program have been distributed, and all but one state has submitted plans to receive funding, Mitchell said. South Dakota is the lone holdout after Florida opted into the program in its second year.

Three percent of the $1 billion was set aside for tribal nations, and CISA is currently making those awards, she added.

“The bones of the program are what they are,” Mitchell said. “I think we’ve gotten over some of the initial humps. I think our biggest challenge in the next two years of the program will be the increasing cost-share. So, if that is something that is sounding daunting to you as a state or local government official, please let us know and we can work with you on ways to make that less painful.”

One challenge, Mitchell said, is that state budgets are sometimes determined well in advance and are unable to adapt to the rising cost of participating in the program.


A notice of funding opportunity will be announced later this summer, said Elizabeth Koren, FEMA’s cybersecurity grants chief.
