Fiscal Year (FY) 2023 State and Local Cybersecurity Grant Program | DHS 23 GPD 137 00 01

Opportunity Information: Apply for DHS 23 GPD 137 00 01

The Fiscal Year (FY) 2023 State and Local Cybersecurity Grant Program (Funding Opportunity Number DHS 23 GPD 137 00 01; CFDA 97.137) is a discretionary grant program run by the U.S. Department of Homeland Security through FEMA. It is designed to strengthen cybersecurity across state, local, and related public-sector partners by requiring each eligible applicant to develop and carry out a comprehensive Cybersecurity Plan. In practice, the grant opportunity is less about a single tool purchase and more about pushing states to build repeatable, measurable cybersecurity capabilities that can be coordinated across jurisdictions, including counties, cities, and other local entities.

Eligibility under this specific notice is limited to state governments, with an expectation that states will actively involve local governments in both planning and execution. The program structure makes local input a central requirement: a state plan must incorporate, to the extent practicable, any existing cybersecurity plans already used by the eligible entity, and if the eligible entity is a state, the plan must be informed by consultation and feedback from local governments and associations of local governments within the state. That requirement signals that the federal government is looking for statewide alignment rather than isolated, agency-by-agency efforts, while still recognizing that many cybersecurity responsibilities and systems sit at the local level.

A major focus of the required Cybersecurity Plan is basic visibility and control over public-sector IT environments. The plan must explain how the state (and, where applicable, local governments within the state) will manage, monitor, and track information systems, applications, and user accounts, including the technology running on them. This explicitly includes legacy systems and end-of-life products that are no longer supported by manufacturers, acknowledging a common real-world problem in government environments where outdated systems can create persistent, hard-to-fix security exposure. Alongside asset and account management, the plan must address monitoring, auditing, and tracking of network traffic and activity moving to and from government systems and applications, emphasizing detection and situational awareness as a baseline capability.

The opportunity also emphasizes preparedness and operational resilience, not just prevention. States are expected to describe how they will improve preparation, response, and resiliency against cybersecurity risks and threats, and how they will keep government services operating during incidents. Continuity of operations is called out directly, including the use of exercises to practice incident response. For states in particular, the plan must also consider continuity of communications and data networks between the state and local governments during incidents that affect those networks, reflecting the reality that coordinated response often depends on shared connectivity and interoperable communications.

Another key theme is continuous risk management: the plan must include an ongoing process for cybersecurity vulnerability assessments and threat mitigation practices that are prioritized by degree of risk. This pushes applicants toward repeatable assessment cycles, risk-based remediation backlogs, and a defensible approach to choosing which weaknesses to fix first. The plan must also ensure the adoption of recognized best practices and methodologies, explicitly referencing the NIST Cybersecurity Framework, NIST supply chain risk management best practices, and knowledge bases of adversary tools and tactics. In other words, the program is steering recipients toward widely accepted standards for governance and control design, plus modern threat-informed defense that accounts for how attackers actually operate.

The program also highlights trust and modernization in public-facing digital services. States are encouraged to promote safe, recognizable, and trustworthy online services, including through the use of the .gov domain. This is less about branding and more about reducing phishing and impersonation risk by helping residents identify official government services. In parallel, the plan must include an IT and operational technology (OT) modernization cybersecurity review process that keeps IT and OT cybersecurity objectives aligned. That requirement matters for environments where operational technology supports essential public services and infrastructure, and where security gaps can arise when IT modernization and OT realities are handled in separate lanes.

Workforce capability is treated as a first-order requirement rather than an afterthought. The Cybersecurity Plan must use the NICE Workforce Framework for Cybersecurity (developed by NIST) to identify and address workforce gaps, strengthen recruitment and retention, and improve staff skills and knowledge, including through cybersecurity hygiene training. This ties grant-funded activities to a standardized model for roles and competencies, supporting more consistent job design, training plans, and staffing strategies across agencies and local partners.

Information sharing and intergovernmental coordination are also built into the program expectations. The plan must enhance capabilities to share cyber threat indicators and related information between the eligible entity and, where applicable, local governments within the state, including expanding information-sharing agreements with the Department of Homeland Security. It also calls for leveraging cybersecurity services offered by DHS, which generally signals an expectation that states will integrate federal services, advisories, and possibly shared capabilities into their operating model instead of building everything independently. Beyond the state boundary, the plan can involve coordination with neighboring jurisdictions, information sharing and analysis organizations, and even neighboring countries where relevant, reflecting that cyber threats and critical service dependencies do not stop at borders.

Equity of access, especially for rural communities, is explicitly included. The plan must ensure adequate access to and participation in the described services and programs by rural areas within the state. It must also address how the state will distribute funds, items, services, capabilities, or activities to local governments, including the fraction of that distribution intended for rural areas. This makes rural inclusion a planning and reporting expectation, not an informal aspiration, and it pushes states to think about how smaller or resource-constrained local governments will actually benefit from statewide cybersecurity improvements.

From a planning and accountability standpoint, the required Cybersecurity Plan must go beyond a list of goals. It must assess current capabilities related to the required actions, describe roles and responsibilities between the state and local governments for implementing the plan, and outline the resources and timeline needed to execute it. Finally, it must define metrics to measure progress both toward implementing the plan and toward reducing cybersecurity risk, including improving the ability to identify, respond to, and recover from cyber threats. Those measurement requirements are important because they force applicants to define what success looks like in operational terms, rather than relying on vague statements about improving security.

Administrative details from the notice include an Opportunity Creation Date of August 7, 2023, an Original Closing Date of October 6, 2023, an Award Ceiling listed as $374,981,324, and an anticipated 56 awards. Taken together, the structure and required plan elements show a program aimed at building durable statewide cybersecurity governance and operational capability, with strong emphasis on local consultation, continuous risk management, standards-based practices, incident readiness, workforce development, information sharing, and ensuring that rural communities are not left out of statewide cybersecurity improvements.

• The Department of Homeland Security, Department of Homeland Security - FEMA in the other (see text field entitled explanation of other category of funding activity for clarification) sector is offering a public funding opportunity titled "Fiscal Year (FY) 2023 State and Local Cybersecurity Grant Program" and is now available to receive applicants.
• Interested and eligible applicants and submit their applications by referencing the CFDA number(s): 97.137.
• This funding opportunity was created on Aug 07, 2023.
• Applicants must submit their applications by Oct 06, 2023. (Agency may still review applications by suitable applicants for the remaining/unused allocated funding in 2026.)
• Each selected applicant is eligible to receive up to $374,981,324.00 in funding.
• The number of recipients for this funding is limited to 56 candidate(s).
• Eligible applicants include: State governments.

Apply for DHS 23 GPD 137 00 01

[Watch] Creating a grant proposal using the step-by-step wizard inside the applicant portal: