Fiscal Year 2025 Tribal Cybersecurity Grant Program Key Changes

Download a PDF copy of this webpage.

The Tribal Cybersecurity Grant Program (TCGP) provides funding to eligible Tribal governments to manage and reduce systemic cyber risk, thus improving the security of critical infrastructure and improving the resilience of the services Tribal governments provide their communities. This document outlines key changes in the program for Fiscal Year (FY) 2025.

FY 2025 TCGP Goals and Objectives

The goal of TCGP is to assist Tribal governments with managing and reducing systemic cyber risk. Accomplishment of this goal can be achieved by implementing or revising Cybersecurity Plans, priorities and projects, and addressing TCGP objectives.

• Objective 1: Develop and establish appropriate governance structures, including by implementing or revising Cybersecurity Plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations.
• Objective 2: Understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation and structured assessments.
• Objective 3: Implement security protections commensurate with risk.
• Objective 4: Ensure organization personnel are appropriately trained in cybersecurity, commensurate with responsibility.

The only eligible Tribal applicants are those listed in Section 3 of the Notice of Funding Opportunity, "FY 2025 TCGP Target Allocations." FY 2025 TCGP applications are limited to only those meritorious applicant projects and investments as identified by Federal Emergency Management Agency (FEMA) in individual notifications to the eligible Tribal governments.

A detailed overview of the program, including the goals, objectives, sub-objectives, and desired outcomes for FY 2025 TCGP is not included in the Notice of Funding Opportunity (NOFO) as an appendix. Instead, it is available as a webpage on CISA.gov.

FEMA Grants Outcomes (FEMA GO) System

Applicants must apply to TCGP in the new FEMA GO system. The previous Non-Disaster Grants (ND Grants) platform will become a legacy system. For more information about FEMA GO, please review Section 5 "Submission Requirements and Deadlines" of the TCGP NOFO and FEMA Grants Outcomes (FEMA GO) | FEMA.gov for additional guidance and tools.

1. Program Funding and Cost Share Requirement

The total funding allocated for the TCGP decreased from $18.1 million in FY 2023 to $12.1 million in FY 2025. Allocation percentages to Tribal governments remain the same. The funding for the TCGP for FY 2024 and FY 2025 is $9,142,996 and $3,021,975 respectively. FEMA and the Cybersecurity and Infrastructure Security Agency (CISA) combined the funding from both fiscal years into a single TCGP Notice of Funding Opportunity (NOFO), for a total of $12,164,971. The cost share requirement for FY 2025 is 40%. Multi-entity projects have a cost share of 30% for FY 2025. Section 2220A of the Homeland Security Act of 2002 requires recipients to meet a non-federal matching requirement for an "activity" carried out under an TCGP grant award. DHS interprets the term "activity" to be an approved "project" under an TCGP grant award and administers the nonfederal matching requirement in accordance with 2 C.F.R. § 200.306. The Secretary of Homeland Security may waive or modify the non-federal share for an individual entity if the entity demonstrates economic hardship. However, the Department of Homeland Security (DHS) is not able to provide additional funds even if it does grant a cost share waiver. The federal funding will remain at the same amount as indicated by the statutory formula.

All Cost Share Waiver requests must be submitted post-award by the eligible entity by emailing the request and supporting documentation to [email protected].

FY 2025 Period of Performance (POP)

The FY 2025 POP is specified in the funding notice and remains 48 months from the date the awards are made. Unlike FY 2023, DHS will not consider requests for any extensions to the FY 2025 POP.

Application Materials

There are no program-specific required documents required at the time of application. All program-specific required documents, forms and information will be required from recipients post award and can be found in Appendix B of the NOFO. The following forms or information are required to be submitted via FEMA GO. The Standard Forms (SF) are also available at Forms | Grants.gov.

• SF-424, Application for Federal Assistance
• Grants.gov Lobbying Form, Certification Regarding Lobbying
• SF-LLL, Disclosure of Lobbying Activities

Post-Award Program-Specific Required Documents, Forms, and Information

There are no program-specific required documents and information at the time of application. The following program-specific forms or information are required to be submitted in FEMA GO after awards are made:

1. Cybersecurity Project Submissions
   1. Investment Justifications
   2. Project Worksheets (FEMA will provide recipients with a draft Project Worksheet)
   3. Detailed Budget Worksheet and Narrative (Appendix E, "Sample Budget Worksheet and Budget Narrative")
   4. Negotiated Indirect Cost Rate Agreement (if applicable)
2. Cybersecurity Planning Committee Membership List and Charter
3. Cybersecurity Plan with required signatures (resubmissions of updated plan, if applicable)
4. SF-424A, Budget Information (Non-Construction) (as an attachment in FEMA GO)

All program-specific forms are available on Grants.gov and Tribal Cybersecurity Grant Program | FEMA.gov. Recipients can email questions about program-specific required documents, forms and information to [email protected]. User guides are available for TCGP Investment Justifications (IJs) and Project Worksheets (PWs) at Tribal Cybersecurity Grant Program | FEMA.gov. Additional programmatic guidance can be found at the CISA.govTCGP webpage.

Management and Administration (M&A)

Up to 5% of TCGP funds awarded may be used by the Tribal government solely for M&A purposes associated with the TCGP award. Indirect costs and M&A costs are not the same for TCGP and, therefore, should not be combined on the Project Worksheet application document during the post award process. Some examples of M&A costs include grants management training for M&A staff, membership fees for M&A staff, equipment and supplies for M&A staff to administer the grant award, etc. All membership costs using TCGP funding must be approved in advance by FEMA. For TCGP, allowable M&A are direct costs only.

Cybersecurity Plan Revisions

One of the priority outcomes of TCGP is the development and approval of applicants' Cybersecurity Plans. An applicant is required to have its Cybersecurity Plan approved by CISA. An entity is not required to revise its CISA-approved Cybersecurity Plan unless CISA notifies them that it does not meet plan requirements. CISA has streamlined the instructions and provided additional suggestions about the process for reviewing or updating a plan.

Cybersecurity Plans are intended to be living documents and a Tribal government, following submission of its final plan in its grant application, may later update that plan. FEMA and CISA are available to provide technical assistance to Tribal governments on Cybersecurity Plan development. Tribal governments can connect with their FEMA Tribal Liaisons if they need assistance in locating their respective CISA regional Cybersecurity Advisor or Cybersecurity State Coordinator.

Starting in FY 2025, the requirements for revising or updating Cybersecurity Plans and additional suggestions are not included in the NOFO as an appendix. Instead, those requirements and suggestions are available as a webpage on CISA.gov at SLCGP and TCGP Cybersecurity Plans Overview.

Performance Measures

CISA remains invested in collecting data to gauge program performance. In FY 2025, performance measures were adjusted to better to inform applicants of the information CISA will collect through the program duration. Each performance measure now includes a recommended target range to better communicate how CISA will measure the program's performance to applicants. Adjusted performance measures include the following:

• Percentage of tribes with CISA approved Tribal Cybersecurity Plans (100% target range - statutorily required).
• Percentage of tribes with Tribal Cybersecurity Planning Committees that meet the Homeland Security Act of 2002 and TCGP funding notice requirements (100% target range - statutorily required).
• Percentage of tribes conducting annual tabletop and full-scope exercises to test Cybersecurity Plans (40% target range).
• Percent of the tribes' TCGP budget allocated to exercises (10% target range).
• Average dollar amount expended on exercise planning for tribes (10% target range).
• Percentage of tribes conducting an annual cyber risk assessment to identify cyber risk management gaps and areas for improvement (70% target range).
• Percentage of tribes performing phishing training (50% target range).
• Percentage of tribes conducting awareness campaigns (90% target range).
• Percentage of tribes providing role-based cybersecurity awareness training to employees (60% target range).
• Percentage of tribes with capabilities to analyze network traffic and activities related to potential threats (60% target range).
• Percentage of tribes implementing multi-factor authentication (MFA) for all remote access and privileged accounts (70% target range).
• Percentage of tribes with programs to anticipate and discontinue end-of-life software and hardware (60% target range).
• Percentage of tribes prohibiting the use of known/fixed/default passwords and credentials (75% target range).
• Percentage of tribes operating under the ".gov" internet domain (50% target range).
• Number of cybersecurity gaps or issues addressed annually by tribes (50% target range).
• Percentage of tribe-created performance metrics that were met (50% target range).
• Percentage of tribes participating in CISA services (50% target range).
• Percentage of tribes that have implemented data encryption projects (50% target range).
• Percentage of tribes that have implemented enhanced logging projects (60% target range).
• Percentage of tribes that have implemented system reconstitution projects (60% target range).

Similar performance measures to those listed above have previously been included in the NOFO. CISA views the implementation of those best practices as informative in determining TCGP's success.

Required, Encouraged, and Optional Services and Resources

Tribal governments are no longer required or encouraged to participate in the National Cybersecurity Review as a post-award requirement.

CISA has information about Cyber Protective Visits, the agency's Cyber Resource Hub, and its Interoperable Communications Technical Assistance Program (ICTAP) to the list of Encouraged Services (Appendix C) in the NOFO. Cyber Protective Visits are performed by CISA's regional Cybersecurity Advisors. The visits are designed to gauge a Tribal Nation's interest in DHS's cybersecurity offerings and help the advisor understand the Tribal Nation's cybersecurity needs and orientation within the broader landscape.