Maryland Department of Emergency Management

CPU Funding Opportunities

​​​
CPU HOME

A header image of computer code overlaid with the logo of the Cyber Preparedness Unit  


Maryland organizations and jurisdictions have access to multiple funding streams to support their development, resilience, and cyber maturity. 

Read on to learn more about what's available!


Note: This page contains links to external websites. Those links are marked with this icon:   . Pages targeted by those links are not managed by the State of Maryland and may not be fully digitally accessible. The State of Maryland provides them as suggested resources only, and not through any contractual, licensing, or other formal arrangement; and disclaims any liability relating to their accessibility status.




State + Local Cybersecurity Grant Program


IMPORTANT NEWS: An additional funding opportunity for short-term projects has opened! 
See "Upcoming Opportunities" to learn more.


General Info:

The goal of the State and Local Cybersecurity Grant Program (SLCGP) is to help states, local governments, rural areas, and territories address cybersecurity risks and cybersecurity threats to information systems. Through this program, the Department of Homeland Security (DHS) can direct strategic investments to enhance the cybersecurity posture of government agencies, bolstering the protection of critical infrastructure and the resilience of essential public services.

 (Read the official FEMA Notice of Funding for this grant here)


Background & Purpose
In Maryland, the strategy for prioritizing and approving projects using SLCGP funds will be developed and maintained by the State of Maryland SLCGP Planning Committee.

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Emergency Management Agency (FEMA) jointly manage the SLCGP. CISA provides subject-matter expertise and determines allowable activities, whileFEMA conducts eligibility reviews and issues/administers the grant awards consistent with all applicable laws, regulations, and policies.

The Maryland Department of Emergency Management (MDEM) is the state’s lead agency for the State and Local Cybersecurity Grant Program (SLCGP). MDEM manages the program on behalf of the State of Maryland, provides administrative oversight, and serves as the main point of contact for eligible applicants. Once projects are awarded, MDEM also helps subrecipients by processing reimbursement requests and making sure all grant requirements are met.

The Maryland Department of Information Technology (DoIT) serves as the program’s subject-matter expert. DoIT reviews project proposals, provides technical guidance, and ensures projects align with the state’s cybersecurity
priorities.

Together, MDEM and DoIT co-chair the Maryland State Cybersecurity Planning Committee, which includes representatives from state and local governments. This committee is responsible for developing strategies, reviewing applications, and approving projects. The committee has also created Maryland’s Cybersecurity Plan, which guides how SLCGP funding isused to strengthen cybersecurity across the state.

State agencies and local governments that receive SLCGP funding are subrecipients of the grant. Subrecipients must follow all federal and state compliance requirements, including proper reporting and documentation. MDEM and DoIT will provide guidance and support throughout this process.

The goals of the program are to ensure that resources reach the jurisdictions that need them most and to build long-term cybersecurity capacity across Maryland.




Current Subrecipient Information

​Congratulations to all FY22 and FY23 subrecipients!
Be sure to check the "General Information" section below to find the continuing requirements for completing your project.


Subrecipients for the FY22 and FY23 periods are subject to the following deadlines:

  • FY22 Subrecipients: All FY2022 projects must be completed by September 30, 2026.
  • FY23 Subrecipients: All FY2023 projects must be completed by September 30, 2027.
  • Subrecipients of ISO (a.k.a. the Local Support Program): The Local Support Program is overseen by DoIT. Information for this program was sent to your project's designated primary point of contact.


General Information

This section contains basic compliance & reporting information for approved projects only.



Getting Started
IMPORTANT: DO NOT START your project until you receive notification of FEMA approval (from MDEM) AND have a fully executed Subrecipient Agreement (SRA) contract in place.

If you have received approval for SLCGP funding, you MUST have a signed SRA contract in place, and acknowledge the Terms & Conditions document.

For a more comprehensive list of instructions, refer to:
  • The email you received with your award notification
  • the Funding Guide for your specific fiscal year (FY)

                  
If you have any questions, please reach out to MDEM at [email protected].                  


Period of Performance (POP)
Your project must be completed within the period of performance for your grant cycle. The performance dates each fiscal year of funding are:

  • FY2022 - December 1, 2022 to August 31, 2026
  • FY2023 - June 25, 2025 to August 31, 2027
  • FY2024 - More information to come!
  • FY2025 - More information to come!

NOTE: As a subrecipient, your POP may differ from the information indicated in the federal Notice of Funding Opportunity. Check your project's SRA for the most accurate information, and reach out to MDEM ([email protected]) with any questions.


Grant Compliance Requirements & Programmatic Reporting
Step 1: Register for the Cyber Hygiene (CyHy) service.

Cyber Hygiene is a free cybersecurity service provided by CISA to help organizations reduce their exposure to threats. CyHy registration is a one-time requirement.

All subrecipients MUST send a PDF copy of their CyHy acceptance email to MDEM at [email protected].

Please visit the  Cyber Hygiene Services page for access and additional information.


Step 2: Complete the Nationwide Cybersecurity Review (NCSR) annually.

The NCSR is a self-guided assessment of your agency's cybersecurity posture. This tool will help you to evaluate your cybersecurity strengths and identify gaps for improvement. Completing this self-assessment is an annual requirement of your SLCGP award.

All subrecipients MUST send a copy of their NCSR certificate of completion to MDEM every year, until the end of the POP, regardless of your project's phase of completion. Certificate copies can be sent to [email protected].

Please visit the  NCSR landing page for access and additional information.


Step 3: Complete & submit programmatic reports quarterly.

Subrecipients are required to submit Quarterly Status Reports (QSRs) with financial and programmatic information about your project until your project is complete, at which time you will use different instructions to submit a Close-out Report. Due dates for each quarterly reporting period are listed below.
  • For the reporting period of July 1 to September 30, reports are due October 15.
  • For the reporting period of October 1 to December 31, reports are due January 15.
  • For the reporting period of January 1 to March 31, reports are due April 15.
  • For the reporting period of April 1 to June 30, reports are due July 15.

    NOTE: If your project is a one-time expense, you will not need to complete quarterly reports. Instead, you will complete a one-time closeout report using the QSR template.

           
Please be aware that reimbursements and/or future awards may be withheld if these reports are delinquent. Additionally, subrecipients should retain copies of these reports (along with any additional documentation supporting the project's financial expenditures) for at least 3 years after the end of the project's period of performance.           

           
Download the QSR template. (MDEM will also email the template alongside a reminder of the deadline for each quarter.)           

           
Be sure to follow all instructions provided, and include:           
  • Expenditure & obligation details
  • Brief narrative of the project(s) status
  • Summary of project expenditures
  • Description of any potential issues that may affect project completion
  • Data collected for any additional Committee performance measure requirements
    • Recipients are also required to submit an updated SCLGP Measureable Milestones document (included in QSR template).
            
QSRs may be submitted via email to [email protected].           


Reimbursement Process
The SLCGP is a reimbursement-based grant program. Subrecipients must submit requests to the SAA for approved grant project-related expenses.

When submitting a reimbursement request, subrecipients must ensure that all documentation is complete and accurate to prevent delays in the payment process. Documentation should clearly demonstrate an allowable purchase that is directly related to the scope of work from your approved proposal, and include both proof of purchase and proof of payment.

Reimbursement requests and accompanying documentation must be emailed to [email protected].




Upcoming Opportunities


This section contains information regarding grant funds that are now, or will soon, be available.



FY2023 - New Funding Now Available!
A second-round application for FY2023 SLCGP funds is now open! Applications will be accepted on a rolling basis.

To apply for the second-round opportunity, please fill out and submit the following application documents:

  1. Maryland FFY2023 SLCGP Subgrant Project Proposal Application [Download - Word]
  2. Maryland SLCGP FFY2023 Additional Application Documents Packet [Download - Excel]
    • Included in this packet:
      • Maryland FFY2023 SLCGP Budget Narrative & Justification
      • Appendix A: Cybersecurity Capabilities Assessment
      • Appendix E: Measurable Milestones
  3. Form W-9 (if applicable)   [Download via IRS.gov]

Additionally, please review the following informational guides:


After reviewing the informational guidance documents, follow the process listed below:

  1. Ensure you feel comfortable with the contents of the documents above. Reach out to [email protected] with any questions.
  2. Download and complete the FFY2023 application documents (Items 1-3 shown above).
  3. Email the completed forms to [email protected]. The subject line must be formatted as follows:
    • FY[funding year] SLCGP - [Subrecipient name] - [Project title] Application Forms]
    • Example: FY[23] SLCGP - [MDEM] - [SLCGP Project X] Application Forms
  4. The Committee will submit project proposals formally to FEMA.
  5. FEMA will approve or reject projects.
  6. Committee will receive project disposition.
  7. If approved, funds are awarded to the pass-through entity (MDEM, in this case) upon signature of the subrecipient subaward agreement.
  8. Applicants must then submit a Letter of Intent to Accept or Reject Funding to [email protected]. Letters of Intent must be submitted within 30 days. Emails submitting Letters of Intent should have subject lines formatted as follows:
    • FY[funding year] SLCGP - [Subrecipient name] - [Project title] Letter of Intent
    • Example: FY[23] SLCGP - [MDEM] - [SLCGP Project X] Letter of Intent

The scoring criteria for project applications are included in the Maryland FFY2023 SLCGP Subrecipient Funding Guide (linked above). Applicants should review the scoring criteria thoroughly to best understand how the Committee will score their application.

Unique Entity Identifier (UEI)

Entities doing business with the federal government must obtain and use a Unique Entity Identifier (UEI) created in SAM.gov. 

  • For current applicants, if you have a UEI, enter it in the application template where it is indicated. 
  • If you do not yet have a UEI, you may leave that field in the application template blank and your application will still be accepted. However, please continue your efforts to acquire a UEI, as MDEM must have a UEI for all successful applicants in order to issue subrecipient awards in the coming months. Please refer to UEI instructions at SAM.gov.
REMINDER: Do not submit applications to FEMA or grants.gov. MDEM will do that on behalf of the State of Maryland.          

          
If you submitted a project by the October 3, 2024 deadline and were approved for SLCGP funding, please find more information on ongoing requirements in the "General Information" section above.          
          


Please note that ALL FY2023 projects must be completed by September 30, 2027.


FY2024
More information is coming soon!


FY2025
More information is coming soon!



  


Want to Learn More?

If you have questions about the SLCGP or the application documents, please email [email protected].

We'd love to hear from you, and we're here to help!




SLCGP Planning Committee Minutes & Agendas

Find these on MDEM's​ Public Meetings page!

​ ​



​​​


Back to top button