6 U.S.C. § 665g — State and Local Cybersecurity Grant Program
Verified against govinfo.gov as of June 20, 2026View official text on govinfo.gov ↗
- (a)DefinitionsIn this section:
- (1)Cybersecurity PlanThe term “Cybersecurity Plan” means a plan submitted by an eligible entity under subsection (e)(1).
- (2)Eligible entityThe term “eligible entity” means a—
- (3)Multi-entity groupThe term “multi-entity group” means a group of 2 or more eligible entities desiring a grant under this section.
- (4)Online serviceThe term “online service” means any internet-facing service, including a website, email, virtual private network, or custom application.
- (5)Rural areaThe term “rural area” has the meaning given the term in section 5302 of title 49.
- (6)State and Local Cybersecurity Grant ProgramThe term “State and Local Cybersecurity Grant Program” means the program established under subsection (b).
- (7)Tribal governmentThe term “Tribal government” means the recognized governing body of any Indian or Alaska Native Tribe, band, nation, pueblo, village, community, component band, or component reservation, that is individually identified (including parenthetically) in the most recent list published pursuant to section 5131 of title 25.
- (b)Establishment
- (1)In generalThere is established within the Department a program to award grants to eligible entities to address cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, State, local, or Tribal governments.
- (2)ApplicationAn eligible entity desiring a grant under the State and Local Cybersecurity Grant Program shall submit to the Secretary an application at such time, in such manner, and containing such information as the Secretary may require.
- (c)AdministrationThe State and Local Cybersecurity Grant Program shall be administered in the same office of the Department that administers grants made under sections 604 and 605 of this title.
- (d)Use of fundsAn eligible entity that receives a grant under this section and a local government that receives funds from a grant under this section, as appropriate, shall use the grant to—
- (1)implement the Cybersecurity Plan of the eligible entity;
- (2)develop or revise the Cybersecurity Plan of the eligible entity;
- (3)pay expenses directly relating to the administration of the grant, which shall not exceed 5 percent of the amount of the grant;
- (4)assist with activities that address imminent cybersecurity threats, as confirmed by the Secretary, acting through the Director, to the information systems owned or operated by, or on behalf of, the eligible entity or a local government within the jurisdiction of the eligible entity; or
- (5)fund any other appropriate activity determined by the Secretary, acting through the Director.
- (e)Cybersecurity plans
- (1)In generalAn eligible entity applying for a grant under this section shall submit to the Secretary a Cybersecurity Plan for review in accordance with subsection (i).
- (2)Required elementsA Cybersecurity Plan of an eligible entity shall—
- (A)incorporate, to the extent practicable—
- (i)any existing plans of the eligible entity to protect against cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, State, local, or Tribal governments; and
- (ii)if the eligible entity is a State, consultation and feedback from local governments and associations of local governments within the jurisdiction of the eligible entity;
- (B)describe, to the extent practicable, how the eligible entity will—
- (i)manage, monitor, and track information systems, applications, and user accounts owned or operated by, or on behalf of, the eligible entity or, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, and the information technology deployed on those information systems, including legacy information systems and information technology that are no longer supported by the manufacturer of the systems or technology;
- (ii)monitor, audit, and,1 So in original. The comma probably should not appear. track network traffic and activity transiting or traveling to or from information systems, applications, and user accounts owned or operated by, or on behalf of, the eligible entity or, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity;
- (iii)enhance the preparation, response, and resiliency of information systems, applications, and user accounts owned or operated by, or on behalf of, the eligible entity or, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, against cybersecurity risks and cybersecurity threats;
- (iv)implement a process of continuous cybersecurity vulnerability assessments and threat mitigation practices prioritized by degree of risk to address cybersecurity risks and cybersecurity threats on information systems, applications, and user accounts owned or operated by, or on behalf of, the eligible entity or, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity;
- (v)ensure that the eligible entity and, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, adopt and use best practices and methodologies to enhance cybersecurity, such as—
- (I)the practices set forth in the cybersecurity framework developed by the National Institute of Standards and Technology;
- (II)cyber chain supply chain risk management best practices identified by the National Institute of Standards and Technology; and
- (III)knowledge bases of adversary tools and tactics;
- (vi)promote the delivery of safe, recognizable, and trustworthy online services by the eligible entity and, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, including through the use of the .gov internet domain;
- (vii)ensure continuity of operations of the eligible entity and, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, in the event of a cybersecurity incident, including by conducting exercises to practice responding to a cybersecurity incident;
- (viii)use the National Initiative for Cybersecurity Education Workforce Framework for Cybersecurity developed by the National Institute of Standards and Technology to identify and mitigate any gaps in the cybersecurity workforces of the eligible entity and, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, enhance recruitment and retention efforts for those workforces, and bolster the knowledge, skills, and abilities of personnel of the eligible entity and, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity, to address cybersecurity risks and cybersecurity threats, such as through cybersecurity hygiene training;
- (ix)if the eligible entity is a State, ensure continuity of communications and data networks within the jurisdiction of the eligible entity between the eligible entity and local governments within the jurisdiction of the eligible entity in the event of an incident involving those communications or data networks;
- (x)assess and mitigate, to the greatest degree possible, cybersecurity risks and cybersecurity threats relating to critical infrastructure and key resources, the degradation of which may impact the performance of information systems within the jurisdiction of the eligible entity;
- (xi)enhance capabilities to share cyber threat indicators and related information between the eligible entity and—
- (xii)leverage cybersecurity services offered by the Department;
- (xiii)implement an information technology and operational technology modernization cybersecurity review process that ensures alignment between information technology and operational technology cybersecurity objectives;
- (xiv)develop and coordinate strategies to address cybersecurity risks and cybersecurity threats in consultation with—
- (xv)ensure adequate access to, and participation in, the services and programs described in this subparagraph by rural areas within the jurisdiction of the eligible entity; and
- (xvi)distribute funds, items, services, capabilities, or activities to local governments under subsection (n)(2)(A), including the fraction of that distribution the eligible entity plans to distribute to rural areas under subsection (n)(2)(B);
- (C)assess the capabilities of the eligible entity relating to the actions described in subparagraph (B);
- (D)describe, as appropriate and to the extent practicable, the individual responsibilities of the eligible entity and local governments within the jurisdiction of the eligible entity in implementing the plan;
- (E)outline, to the extent practicable, the necessary resources and a timeline for implementing the plan; and
- (F)describe the metrics the eligible entity will use to measure progress towards—
- (i)implementing the plan; and
- (ii)reducing cybersecurity risks to, and identifying, responding to, and recovering from cybersecurity threats to, information systems owned or operated by, or on behalf of, the eligible entity or, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity.
- (A)incorporate, to the extent practicable—
- (3)Discretionary elementsIn drafting a Cybersecurity Plan, an eligible entity may—
- (A)consult with the Multi-State Information Sharing and Analysis Center;
- (B)include a description of cooperative programs developed by groups of local governments within the jurisdiction of the eligible entity to address cybersecurity risks and cybersecurity threats; and
- (C)include a description of programs provided by the eligible entity to support local governments and owners and operators of critical infrastructure to address cybersecurity risks and cybersecurity threats.
- (f)Multi-entity grants
- (1)In generalThe Secretary may award grants under this section to a multi-entity group to support multi-entity efforts to address cybersecurity risks and cybersecurity threats to information systems within the jurisdictions of the eligible entities that comprise the multi-entity group.
- (2)Satisfaction of other requirementsIn order to be eligible for a multi-entity grant under this subsection, each eligible entity that comprises a multi-entity group shall have—
- (3)Application
- (A)In generalA multi-entity group applying for a multi-entity grant under paragraph (1) shall submit to the Secretary an application at such time, in such manner, and containing such information as the Secretary may require.
- (B)Multi-entity project planAn application for a grant under this section of a multi-entity group under subparagraph (A) shall include a plan describing—
- (i)the division of responsibilities among the eligible entities that comprise the multi-entity group;
- (ii)the distribution of funding from the grant among the eligible entities that comprise the multi-entity group; and
- (iii)how the eligible entities that comprise the multi-entity group will work together to implement the Cybersecurity Plan of each of those eligible entities.
- (g)Planning committees
- (1)In generalAn eligible entity that receives a grant under this section shall establish a cybersecurity planning committee to—
- (A)assist with the development, implementation, and revision of the Cybersecurity Plan of the eligible entity;
- (B)approve the Cybersecurity Plan of the eligible entity; and
- (C)assist with the determination of effective funding priorities for a grant under this section in accordance with subsections (d) and (j).
- (2)CompositionA committee of an eligible entity established under paragraph (1) shall—
- (3)Cybersecurity expertiseNot less than one-half of the representatives of a committee established under paragraph (1) shall have professional experience relating to cybersecurity or information technology.
- (4)Rule of construction regarding existing planning committeesNothing in this subsection shall be construed to require an eligible entity to establish a cybersecurity planning committee if the eligible entity has established and uses a multijurisdictional planning committee or commission that—
- (5)Rule of construction regarding control of information systems of eligible entitiesNothing in this subsection shall be construed to permit a cybersecurity planning committee of an eligible entity that meets the requirements of this subsection to make decisions relating to information systems owned or operated by, or on behalf of, the eligible entity.
- (1)In generalAn eligible entity that receives a grant under this section shall establish a cybersecurity planning committee to—
- (h)Special rule for Tribal governmentsWith respect to any requirement under subsection (e) or (g), the Secretary, in consultation with the Secretary of the Interior and Tribal governments, may prescribe an alternative substantively similar requirement for Tribal governments if the Secretary finds that the alternative requirement is necessary for the effective delivery and administration of grants to Tribal governments under this section.
- (i)Review of plans
- (1)Review as condition of grant
- (A)In generalSubject to paragraph (3), before an eligible entity may receive a grant under this section, the Secretary, acting through the Director, shall—
- (B)Duration of determinationIn the case of a determination under subparagraph (A)(ii) that a Cybersecurity Plan satisfies the requirements under paragraph (2), the determination shall be effective for the 2-year period beginning on the date of the determination.
- (C)Annual renewalNot later than 2 years after the date on which the Secretary determines under subparagraph (A)(ii) that a Cybersecurity Plan satisfies the requirements under paragraph (2), and annually thereafter, the Secretary, acting through the Director, shall—
- (2)Plan requirementsIn reviewing a Cybersecurity Plan of an eligible entity under this subsection, the Secretary, acting through the Director, shall ensure that the Cybersecurity Plan—
- (3)ExceptionNotwithstanding subsection (e) and paragraph (1) of this subsection, the Secretary may award a grant under this section to an eligible entity that does not submit a Cybersecurity Plan to the Secretary for review before September 30, 2023, if the eligible entity certifies to the Secretary that—
- (4)Rule of constructionNothing in this subsection shall be construed to provide authority to the Secretary to—
- (1)Review as condition of grant
- (j)Limitations on uses of funds
- (1)In generalAny entity that receives funds from a grant under this section may not use the grant—
- (A)to supplant State or local funds;
- (B)for any recipient cost-sharing contribution;
- (C)to pay a ransom;
- (D)for recreational or social purposes; or
- (E)for any purpose that does not address cybersecurity risks or cybersecurity threats on information systems owned or operated by, or on behalf of, the eligible entity that receives the grant or a local government within the jurisdiction of the eligible entity.
- (2)Compliance oversightIn addition to any other remedy available, the Secretary may take such actions as are necessary to ensure that a recipient of a grant under this section uses the grant for the purposes for which the grant is awarded.
- (3)Rule of constructionNothing in paragraph (1)(A) shall be construed to prohibit the use of funds from a grant under this section awarded to a State, local, or Tribal government for otherwise permissible uses under this section on the basis that the State, local, or Tribal government has previously used State, local, or Tribal funds to support the same or similar uses.
- (1)In generalAny entity that receives funds from a grant under this section may not use the grant—
- (k)Opportunity to amend applicationsIn considering applications for grants under this section, the Secretary shall provide applicants with a reasonable opportunity to correct any defects in those applications before making final awards, including by allowing applicants to revise a submitted Cybersecurity Plan.
- (l)ApportionmentFor fiscal year 2022 and each fiscal year thereafter, the Secretary shall apportion amounts appropriated to carry out this section among eligible entities as follows:
- (1)Baseline amountThe Secretary shall first apportion—
- (2)RemainderThe Secretary shall apportion the remainder of such amounts to States as follows:
- (3)Apportionment among Tribal governmentsIn determining how to apportion amounts to Tribal governments under paragraph (1)(C), the Secretary shall consult with the Secretary of the Interior and Tribal governments.
- (4)Multi-entity grantsAn amount received from a multi-entity grant awarded under subsection (f)(1) by a State or Tribal government that is a member of the multi-entity group shall qualify as an apportionment for the purpose of this subsection.
- (m)Federal share
- (1)In generalThe Federal share of the cost of an activity carried out using funds made available with a grant under this section may not exceed—
- (2)Waiver
- (A)In generalThe Secretary may waive or modify the requirements of paragraph (1) if an eligible entity or multi-entity group demonstrates economic hardship.
- (B)GuidelinesThe Secretary shall establish and publish guidelines for determining what constitutes economic hardship for the purposes of this subsection.
- (C)ConsiderationsIn developing guidelines under subparagraph (B), the Secretary shall consider, with respect to the jurisdiction of an eligible entity—
- (i)changes in rates of unemployment in the jurisdiction from previous years;
- (ii)changes in the percentage of individuals who are eligible to receive benefits under the supplemental nutrition assistance program established under the Food and Nutrition Act of 2008 (7 U.S.C. 2011 et seq.) from previous years; and
- (iii)any other factors the Secretary considers appropriate.
- (3)Waiver for Tribal governmentsNotwithstanding paragraph (2), the Secretary, in consultation with the Secretary of the Interior and Tribal governments, may waive or modify the requirements of paragraph (1) for 1 or more Tribal governments if the Secretary determines that the waiver is in the public interest.
- (n)Responsibilities of grantees
- (1)CertificationEach eligible entity or multi-entity group that receives a grant under this section shall certify to the Secretary that the grant will be used—
- (2)Availability of funds to local governments and rural areas
- (A)In generalSubject to subparagraph (C), not later than 45 days after the date on which an eligible entity or multi-entity group receives a grant under this section, the eligible entity or multi-entity group shall, without imposing unreasonable or unduly burdensome requirements as a condition of receipt, obligate or otherwise make available to local governments within the jurisdiction of the eligible entity or the eligible entities that comprise the multi-entity group, consistent with the Cybersecurity Plan of the eligible entity or the Cybersecurity Plans of the eligible entities that comprise the multi-entity group—
- (i)not less than 80 percent of funds available under the grant;
- (ii)with the consent of the local governments, items, services, capabilities, or activities having a value of not less than 80 percent of the amount of the grant; or
- (iii)with the consent of the local governments, grant funds combined with other items, services, capabilities, or activities having the total value of not less than 80 percent of the amount of the grant.
- (B)Availability to rural areasIn obligating funds, items, services, capabilities, or activities to local governments under subparagraph (A), the eligible entity or eligible entities that comprise the multi-entity group shall ensure that rural areas within the jurisdiction of the eligible entity or the eligible entities that comprise the multi-entity group receive not less than—
- (i)25 percent of the amount of the grant awarded to the eligible entity;
- (ii)items, services, capabilities, or activities having a value of not less than 25 percent of the amount of the grant awarded to the eligible entity; or
- (iii)grant funds combined with other items, services, capabilities, or activities having the total value of not less than 25 percent of the grant awarded to the eligible entity.
- (C)ExceptionsThis paragraph shall not apply to—
- (i)any grant awarded under this section that solely supports activities that are integral to the development or revision of the Cybersecurity Plan of the eligible entity; or
- (ii)the District of Columbia, the Commonwealth of Puerto Rico, American Samoa, the Commonwealth of the Northern Mariana Islands, Guam, the United States Virgin Islands, or a Tribal government.
- (A)In generalSubject to subparagraph (C), not later than 45 days after the date on which an eligible entity or multi-entity group receives a grant under this section, the eligible entity or multi-entity group shall, without imposing unreasonable or unduly burdensome requirements as a condition of receipt, obligate or otherwise make available to local governments within the jurisdiction of the eligible entity or the eligible entities that comprise the multi-entity group, consistent with the Cybersecurity Plan of the eligible entity or the Cybersecurity Plans of the eligible entities that comprise the multi-entity group—
- (3)Certifications regarding distribution of grant funds to local governmentsAn eligible entity or multi-entity group shall certify to the Secretary that the eligible entity or multi-entity group has made the distribution to local governments required under paragraph (2).
- (4)Extension of period
- (A)In generalAn eligible entity or multi-entity group may request in writing that the Secretary extend the period of time specified in paragraph (2) for an additional period of time.
- (B)ApprovalThe Secretary may approve a request for an extension under subparagraph (A) if the Secretary determines the extension is necessary to ensure that the obligation and expenditure of grant funds align with the purpose of the State and Local Cybersecurity Grant Program.
- (5)Direct fundingIf an eligible entity does not make a distribution to a local government required under paragraph (2) in a timely fashion, the local government may petition the Secretary to request the Secretary to provide funds directly to the local government.
- (6)Limitation on constructionA grant awarded under this section may not be used to acquire land or to construct, remodel, or perform alterations of buildings or other physical facilities.
- (7)Consultation in allocating fundsAn eligible entity applying for a grant under this section shall agree to consult the Chief Information Officer, the Chief Information Security Officer, or an equivalent official of the eligible entity in allocating funds from a grant awarded under this section.
- (8)PenaltiesIn addition to other remedies available to the Secretary, if an eligible entity violates a requirement of this subsection, the Secretary may—
- (A)terminate or reduce the amount of a grant awarded under this section to the eligible entity; or
- (B)distribute grant funds previously awarded to the eligible entity—
- (i)in the case of an eligible entity that is a State, directly to the appropriate local government as a replacement grant in an amount determined by the Secretary; or
- (ii)in the case of an eligible entity that is a Tribal government, to another Tribal government or Tribal governments as a replacement grant in an amount determined by the Secretary.
- (o)Consultation with State, local, and Tribal representativesIn carrying out this section, the Secretary shall consult with State, local, and Tribal representatives with professional experience relating to cybersecurity, including representatives of associations representing State, local, and Tribal governments, to inform—
- (p)Notification to CongressNot later than 3 business days before the date on which the Department announces the award of a grant to an eligible entity under this section, including an announcement to the eligible entity, the Secretary shall provide to the appropriate congressional committees notice of the announcement.
- (q)Reports, study, and review
- (1)Annual reports by grant recipients
- (A)In generalNot later than 1 year after the date on which an eligible entity receives a grant under this section for the purpose of implementing the Cybersecurity Plan of the eligible entity, including an eligible entity that comprises a multi-entity group that receives a grant for that purpose, and annually thereafter until 1 year after the date on which funds from the grant are expended or returned, the eligible entity shall submit to the Secretary a report that, using the metrics described in the Cybersecurity Plan of the eligible entity, describes the progress of the eligible entity in—
- (i)implementing the Cybersecurity Plan of the eligible entity; and
- (ii)reducing cybersecurity risks to, and identifying, responding to, and recovering from cybersecurity threats to, information systems owned or operated by, or on behalf of, the eligible entity or, if the eligible entity is a State, local governments within the jurisdiction of the eligible entity.
- (B)Absence of planNot later than 1 year after the date on which an eligible entity that does not have a Cybersecurity Plan receives funds under this section, and annually thereafter until 1 year after the date on which funds from the grant are expended or returned, the eligible entity shall submit to the Secretary a report describing how the eligible entity obligated and expended grant funds to—
- (A)In generalNot later than 1 year after the date on which an eligible entity receives a grant under this section for the purpose of implementing the Cybersecurity Plan of the eligible entity, including an eligible entity that comprises a multi-entity group that receives a grant for that purpose, and annually thereafter until 1 year after the date on which funds from the grant are expended or returned, the eligible entity shall submit to the Secretary a report that, using the metrics described in the Cybersecurity Plan of the eligible entity, describes the progress of the eligible entity in—
- (2)Annual reports to CongressNot less frequently than annually, the Secretary, acting through the Director, shall submit to Congress a report on—
- (A)the use of grants awarded under this section;
- (B)the proportion of grants used to support cybersecurity in rural areas;
- (C)the effectiveness of the State and Local Cybersecurity Grant Program;
- (D)any necessary modifications to the State and Local Cybersecurity Grant Program; and
- (E)any progress made toward—
- (i)developing, implementing, or revising Cybersecurity Plans; and
- (ii)reducing cybersecurity risks to, and identifying, responding to, and recovering from cybersecurity threats to, information systems owned or operated by, or on behalf of, State, local, or Tribal governments as a result of the award of grants under this section.
- (3)Public availability
- (A)In generalThe Secretary, acting through the Director, shall make each report submitted under paragraph (2) publicly available, including by making each report available on the website of the Agency.
- (B)RedactionsIn making each report publicly available under subparagraph (A), the Director may make redactions that the Director, in consultation with each eligible entity, determines necessary to protect classified or other information exempt from disclosure under section 552 of title 5 (commonly referred to as the “Freedom of Information Act”).
- (4)Study of risk-based formulas
- (A)In generalNot later than September 30, 2024, the Secretary, acting through the Director, shall submit to the appropriate congressional committees a study and legislative recommendations on the potential use of a risk-based formula for apportioning funds under this section, including—
- (i)potential components that could be included in a risk-based formula, including the potential impact of those components on support for rural areas under this section;
- (ii)potential sources of data and information necessary for the implementation of a risk-based formula;
- (iii)any obstacles to implementing a risk-based formula, including obstacles that require a legislative solution;
- (iv)if a risk-based formula were to be implemented for fiscal year 2026, a recommended risk-based formula for the State and Local Cybersecurity Grant Program; and
- (v)any other information that the Secretary, acting through the Director, determines necessary to help Congress understand the progress towards, and obstacles to, implementing a risk-based formula.
- (B)Inapplicability of Paperwork Reduction ActThe requirements of chapter 35 of title 44 (commonly referred to as the “Paperwork Reduction Act”), shall not apply to any action taken to carry out this paragraph.
- (A)In generalNot later than September 30, 2024, the Secretary, acting through the Director, shall submit to the appropriate congressional committees a study and legislative recommendations on the potential use of a risk-based formula for apportioning funds under this section, including—
- (5)Tribal cybersecurity needs reportNot later than 2 years after November 15, 2021, the Secretary, acting through the Director, shall submit to Congress a report that—
- (A)describes the cybersecurity needs of Tribal governments, which shall be determined in consultation with the Secretary of the Interior and Tribal governments; and
- (B)includes any recommendations for addressing the cybersecurity needs of Tribal governments, including any necessary modifications to the State and Local Cybersecurity Grant Program to better serve Tribal governments.
- (6)GAO reviewNot later than 3 years after November 15, 2021, the Comptroller General of the United States shall conduct a review of the State and Local Cybersecurity Grant Program, including—
- (1)Annual reports by grant recipients
- (r)Authorization of appropriations
- (1)In generalThere are authorized to be appropriated for activities under this section—
- (2)Transfers authorized
- (A)In generalDuring a fiscal year, the Secretary or the head of any component of the Department that administers the State and Local Cybersecurity Grant Program may transfer not more than 5 percent of the amounts appropriated pursuant to paragraph (1) or other amounts appropriated to carry out the State and Local Cybersecurity Grant Program for that fiscal year to an account of the Department for salaries, expenses, and other administrative costs incurred for the management, administration, or evaluation of this section.
- (B)Additional appropriationsAny funds transferred under subparagraph (A) shall be in addition to any funds appropriated to the Department or the components described in subparagraph (A) for salaries, expenses, and other administrative costs.
- (s)Termination
- (1)In generalSubject to paragraph (2), the requirements of this section shall terminate on September 30, 2026.
- (2)ExceptionThe reporting requirements under subsection (q) shall terminate on the date that is 1 year after the date on which the final funds from a grant under this section are expended or returned.