Unlocking $100M in cyber grant funding: What risk pools & public entities need to know

The U.S. Department of Homeland Security, through CISA and FEMA, has announced more than $100 million in federal cybersecurity grant funding for state, local, and tribal governments. This includes $91.7 million through the State and Local Cybersecurity Grant Program (SLCGP) and $12.1 million via the Tribal Cybersecurity Grant Program (TCGP). These investments mark the final allocation in the $1 billion initiative authorized by the State and Local Cybersecurity Improvement Act.

The programs are designed to help governments strengthen cyber defenses through initiatives such as cybersecurity planning, risk assessments, workforce development, service delivery enhancements, infrastructure upgrades, and improved network security.

As cyber threats to state, local, and tribal governments grow in both frequency and impact—and budgets remain stretched—these grants offer a rare opportunity to take proactive steps that build resilience for the long term.

Turning Grant Funding into Measurable Cyber Resilience

The Cybersecurity and Infrastructure Security Agency (CISA) sets the technical direction for the State and Local Cybersecurity Grant Program, while FEMA manages the grant application and funding process.

To qualify, agencies must submit a CISA‑approved Cybersecurity Plan that addresses three core areas: annual assessments and evaluations to understand current risk posture, adoption of cybersecurity best practices, and a strategic cybersecurity plan to guide investments and track progress.

1. Assessments & Evaluations

Eligible entities must conduct annual assessments to establish a clear understanding of their current cyber posture. This means evaluating existing systems, identifying vulnerabilities, and documenting the maturity of cybersecurity capabilities.

Without a baseline, it’s impossible to know where to prioritize resources. Assessments ensure that grant-funded projects are targeted at the most pressing and high-impact risks, and they create the foundation for tracking measurable improvement over time—something CISA expects in annual reporting.

How KYND helps: KYND’s platform delivers rapid, non-intrusive cyber risk assessments that provide an immediate view of vulnerabilities and risk exposure. For risk pools, KYND can assess eligible member entities, providing a consolidated portfolio view that highlights critical risks and helps inform investment priorities. This streamlined visibility helps build stronger investment justifications and can help support annual reporting requirements.

2. Adoption of Cybersecurity Best Practices

CISA requires eligible entities adopt a set of best practices, like multifactor authentication and encryption, over the life of the grant. These best practices represent some of the most effective, widely accepted safeguards against cyber incidents. By making them a program requirement, CISA ensures that funding leads to concrete, foundational improvements—not just point solutions.

How KYND helps: KYND’s continuous monitoring helps identify gaps, enabling agencies to show measurable progress toward cyber resilience. The platform also helps prioritize actions by highlighting which issues pose the greatest risk, ensuring limited budgets and staffing are focused where they will have the most impact.

3. Cybersecurity Plan

To be eligible for SLCGP funding, agencies must submit a CISA-approved Cybersecurity Plan. This plan outlines how they will use grant funds to improve its cyber maturity. It includes governance structures, risk assessment findings, project timelines, and measurable objectives.

The Cybersecurity Plan is the roadmap for how grant funds will be used and measured. A well-structured plan increases the likelihood of approval, ensures projects are coordinated, and provides transparency for both internal stakeholders and federal reviewers.

How KYND helps: KYND’s platform and reporting capabilities help populate plan inputs by providing risk data and measurable improvement tracking. For risk pools, KYND can aggregate eligible member data into a portfolio-level view, making it easier to present a comprehensive picture of cyber posture and planned improvements.

Next Steps for State, Local, and Tribal Entities

With application deadlines and funding windows expected to close in early FY 2026, now is the time to assess current cyber posture and develop a prioritized plan. Risk pools, while not directly eligible, can play a critical role by helping their members evaluate risk, align with their state’s Cybersecurity Plan, and prepare for structured assessments. For more detailed guidance and eligibility information, visit CISA’s official cyber grants page.

Let’s assess your pool’s cyber readiness now and map a path forward to support eligible members before the funding window closes. Visit kynd.io/pe to get started.