State, local cyber grant funding can’t be used on ‘bundled’ services from membership groups, FEMA clarifies
The Federal Emergency Management Agency has clarified its rules for how state and local governments may use funding from the State and Local Cybersecurity Grant Program and the Tribal Cybersecurity Grant Program.
In a June 16 information bulletin, FEMA clarified rules created last year by the Department of Homeland Security prohibiting grant funds from being spent on services provided by the Multi-State Information Sharing and Analysis Center, a popular membership organization run by the Upstate New York nonprofit Center for Internet Security. Rather, the new bulletin notes, state and local governments are prohibited only from spending the federal cyber grant funds on “membership fees that include bundled cybersecurity or technical services,” because FEMA is unable to determine if “these costs are reasonable.”
“Membership fees in general have been subject to additional scrutiny for being allowable, reasonable, and allocable for FEMA awards,” the bulletin read. “Using SLCGP and TCGP grant funds to pay for membership in an organization that offers a broad suite of cybersecurity or other technical services is not allowable due to FEMA’s inability to correlate the cost of the membership with the cost of each service received.”
The upshot of the clarification is that purchasing individual products or services through membership organizations like the MS-ISAC is permitted, “provided that the recipient adheres to … federal procurement standards.” The rules now being clarified, which were made public when DHS last August issued a notice of funding opportunity for the fourth and final year of the State and Local Cybersecurity Grant Program, were met with frustration by some officials, but not surprise, because they had arrived after a sustained campaign by Kristi Noem, then the DHS secretary, to reduce spending and eliminate reliance on organizations outside of the private sector.
The recent document, which is omitted from FEMA’s online repository of bulletins, also notes that federal cyber grant recipients — including those of the Homeland Security Grant Program and the Tribal Homeland Security Grant Program — are no longer required, as they were in past years, to complete the Nationwide Cybersecurity Review, a self-assessment of cybersecurity readiness provided by the Center for Internet Security. “An alternative cybersecurity assessment may be required in the future,” FEMA’s bulletin read. (A DHS spokesperson was not immediately available to explain the reasoning behind the bulletin.)
The document was distributed widely to state and local grant recipients just 11 days after Mark Warner, the Democratic senator from Virginia, introduced a bill that would provide the MS-ISAC with $50 million in annual funding. Warner said last month that Noem’s policy had “not only endangered national security, but it placed an unanticipated, costly item on SLTT budgets.” The membership group saw its funding slashed and its cooperative agreement with the federal government revoked not long after Donald Trump returned to the White House last year, forcing CIS to begin charging its members, many of which are poorly resourced local governments.
In an emailed statement, Warner said he was “grateful to see DHS reverse course.” “After my letters to [DHS Secretary Markwayne Mullin] and governors warning of the risks of defunding and deprioritizing cybersecurity, and my bill to fully fund and expand access to the MS-ISAC,” he wrote, “DHS is finally restoring some access to the tools and resources necessary to protect American cybersecurity and critical infrastructure.”