How Public and Private Sector Organizations Can Get Grants to Help Mitigate Cyber Risk

From ChatGPT to Chick-fil-A, 2023 has seen its fair share of high-profile data breaches. With cybersecurity incidents like these making headlines on a regular basis, many business leaders and stakeholders are asking what they can do to mitigate their own organizations’ risks.

From improving vulnerability management to implementing multi-factor authentication (MFA), there are any number of steps—big and small—that your organization could take to level up its cybersecurity maturity, but most of them require an upfront investment. How can a smaller organization—or a public sector entity—with limited resources scale up its defenses against phishing and ransomware without breaking the bank?

In some cases, it may be possible to secure cybersecurity grant funding, either from the federal government, from a state program, or from another source.

Federal funds available for reducing cyber risk

The largest of these grant programs has set aside funds specifically for state and local governments. Congress signed the Infrastructure Investment and Jobs Act (IIJA) into law late in 2021, establishing the State and Local Cybersecurity Grant Program (SLCGP). One billion dollars was appropriated to the program to be distributed over the course of four years.

State, local, and territorial governments can qualify for awards from this first-of-its-kind program, which is intended to help these government entities identify, manage, and reduce systemic cyber risk.

The Cybersecurity and Infrastructure Security Agency (CISA), an agency within the Department of Homeland Security (DHS), and the Federal Emergency Management Agency (FEMA) are jointly managing this program, as well as a similar program that’s making funds available to federally recognized tribes. CISA is providing subject matter expertise, while FEMA will conduct eligibility reviews and administer grant awards.

The stated goals of the SLCGP are to help state and local governments:

  • implement cybersecurity governance and planning
  • assess and evaluate their systems and capabilities
  • mitigate prioritized issues
  • build a cybersecurity workforce

To apply, CISOs in state and local government entities must prepare a grant proposal that outlines how their department will use the funds. The intent is to alleviate financial constraints so that security programs can accelerate projects that will meaningfully reduce cyber risk. Agencies that have already begun their strategic planning stand to gain the most value from this program.

Cybersecurity best practices: a key requirement

To apply for SLCGP funding, public-sector entities must meet several key requirements, many of which are valuable steps that any organization can take in order to improve its cybersecurity maturity. Applicants must conduct assessments and evaluations to help them understand their current cybersecurity posture and identify areas for improvement. They must establish a cybersecurity planning committee and figure out which steps they should take to mitigate the greatest risks, and they must create a comprehensive cybersecurity plan.

The SLCGP is intended to help state and local government entities implement cybersecurity best practices. Here again, this is valuable advice for any organization, even if it can’t qualify for an SLCGP grant because it’s not in the public sector. In the Notice of Funding Opportunity (NOFO) that was published in August 2023, the following baseline cybersecurity practices are listed as examples:

  • implement MFA
  • enable enhanced logging
  • use data encryption for data at rest and in transit
  • end the use of unsupported/end of life software and hardware that are accessible from the internet
  • restrict the use of known/fixed/default passwords and credentials
  • enable backups
  • engage in rapid bidirectional information sharing with CISA to drive down cyber risk
  • migrate to the .gov internet domain

Additional funding sources exist

While the SLCGP is probably the largest and best-funded cybersecurity grant program in our nation’s history, it is by no means the only source of funding available to help organizations shore up their cyber defenses. The U.S. Department of Energy has a grant program that offers funding to rural and municipal utilities, for instance. It’s also possible to apply for SLCGP funds administered by your state’s government, or to receive a state-level grant such as the one that the Massachusetts Executive Office of Technology Services and Security is administering for municipalities and school districts in the state.

If your organization is a for-profit company, you’re not necessarily out of luck. Some government funding sources are available to private sector entities, and cybersecurity vendors like Microsoft offer funding and incentives to help their clients improve their security programs.

Want to learn more about funding sources you might be eligible for that you may not have considered? Get in touch with a member of our team to schedule a free consultation.


Eric Xu

Eric Xu is a consultant in the Modern Applications & Data Intelligence practice at Netrix Global. His expertise in cloud solutions allows him to translate technical concepts into actionable strategies to optimize productivity and collaboration. Passionate about empowering people through technology, Eric excels at prioritizing clients’ needs, then delivering tailored solutions that drive business success. Prior to Netrix, Eric earned his master’s degree in information technology from Rensselaer Polytechnic Institute.