DHS opens public comment period as CISA begins review of state and local cybersecurity grant program


The U.S. Department of Homeland Security (DHS), through the Cybersecurity and Infrastructure Security Agency (CISA), has launched a study to evaluate the implementation and effectiveness of the State and Local Cybersecurity Grant Program (SLCGP). The study will collect quantitative and qualitative feedback to assess how state, local, and territorial (SLT) governments use the program and approach cybersecurity planning and implementation. 

The effort was announced through a 60-day notice and request for comments published as part of a new Information Collection Request (ICR). The document, submitted by CISA’s Stakeholder Engagement Division (SED) Grant Analytics Branch to the Office of Management and Budget (OMB) for review under the Paperwork Reduction Act of 1995, outlines plans to collect data supporting the evaluation.

The collection supports the SLCGP, a federal initiative jointly administered by CISA and the Federal Emergency Management Agency (FEMA) that provides funding to SLT governments to strengthen their cybersecurity posture and resilience. Public comments on the proposed information collection will be accepted through July 31, 2026.

Winfield P. Werntz, acting chief information officer at the agency, wrote in the Federal Register notice that the evaluation will also examine how effectively grant funds are being used, identify the challenges and successes recipients have encountered in implementing funds to date, and measure progress toward the program’s short- and medium-term outcomes.

“The evaluation design is informed by an Evaluability Assessment, which determined that the SLCGP is ready for formal evaluation during or after its fourth funding year (FY 2025),” Werntz said. “With the program scheduled to conclude its active funding phase in FY 2026 and the final period of performance to conclude in FY 2029, this evaluation is well-timed to determine the program’s effectiveness and provide information to support evidence-based decisions about its future.”

Werntz added that the evaluation would provide a nuanced understanding of both the program’s processes and its effects on grant recipients, and thereby a basis for judging the success of the SLCGP. Study findings will support continuous program improvement and demonstrate the value the program adds.

The evaluation is included in DHS’s FY 2024 Annual Evaluation Plan and supports CISA’s implementation of the Foundations for Evidence-Based Policymaking Act. Its findings are intended to inform departmental and agency decision-making related to the 2023 DHS Quadrennial Homeland Security Review, including efforts to counter terrorism and prevent threats, secure cyberspace and critical infrastructure, build national resilience and incident response capabilities, and combat crimes of exploitation while protecting victims.

The evaluation also supports Goal 1 of CISA’s 2023-2025 Strategic Plan, which focuses on leading the national effort to strengthen the security and resilience of cyberspace.

The SLCGP is a federal initiative jointly administered by CISA and FEMA that provides funding to SLT governments to improve cybersecurity capabilities. Established under the Infrastructure Investment and Jobs Act of 2021, the program provides $1 billion over four years to help recipients develop and implement cybersecurity plans, address resource gaps, and strengthen defenses against cyber threats.

The program’s primary objective is to help SLT governments manage and reduce systemic cyber risk. Under the FY 2022-2025 Notices of Funding Opportunity (NOFOs), applicants must align their projects with at least one of four goals: establishing or improving cybersecurity governance and incident response capabilities; assessing and understanding their cybersecurity posture through testing and evaluations; implementing risk-based security controls; and providing cybersecurity training appropriate to employees’ roles and responsibilities.

The evaluation will examine how the program has been implemented and assess its short- and medium-term outcomes. Among the questions the study aims to answer are how implementation approaches differ across SLT governments; which grant-funded projects are most commonly used to mitigate cyber incidents; how recipients are using new technologies and cybersecurity tools to address threats; and which funded initiatives have been most effective in reducing risk and maintaining operational continuity.

The study will also examine barriers that may limit the use of grant funding, the extent to which recipients apply knowledge gained through SLCGP technical assistance and resources, the impact of phishing awareness and role-based cybersecurity training on reducing incidents, and whether the program has improved cybersecurity preparedness and critical infrastructure resilience across participating SLT governments.

For outreach, the notice states that a comprehensive contact database will be compiled from official grant recipient information, with each response linked to a non-personal identifier. To build this database, CISA SED will provide the evaluation team with a list of state Chief Information Officer (CIO) and Chief Information Security Officer (CISO) names and email addresses. Survey distribution will follow a defined communication plan, beginning with an initial email explaining the evaluation’s purpose, timeline, and the mandatory participation requirements stipulated in the Notice of Funding Opportunity.

Following this introduction, the Qualtrics survey link will be emailed to the identified stakeholders with clear instructions, an estimated completion time (60 minutes), and technical support contact information. Automatic reminders will be sent to non-respondents at scheduled intervals to maximize response rates. The survey will collect personally identifiable information only for contact purposes (first name, last name, locality/entity name, job title, and work email address), with no additional PII requested from respondents.

SED has designed the survey to gather both quantitative and qualitative feedback from program participants. Questions will align with the program objectives and evaluation metrics set out in recipients’ approved Cybersecurity Plans and projects, so that the data collected is relevant. The questions focus on how the program has been implemented to date. This information will help assess whether program activities are being carried out with fidelity to the program’s logic model, and will capture intermediate program outcomes as they relate to improvements in recipients’ cyber posture.

Questions further focus on any challenges recipients are facing in program fund implementation, as well as the successful strategies that have been applied to date.

Survey respondents will have the option to volunteer for a follow-up focus group to provide additional context on their responses. Focus groups will only be conducted if further qualitative insights are needed; if survey responses are sufficiently detailed, CISA will forgo this step to reduce participant burden and delete all focus group opt-in data. If held, participants will be invited via email and asked questions related to the survey topics to gather more detailed feedback. 

Findings from the surveys, interviews, and any focus groups will be combined into a report for CISA leadership examining program implementation, successes, challenges, trends, and opportunities for improvement. The results will help inform future grant program decisions, support reporting to Congress and the OMB, and establish baseline metrics for measuring the program’s effectiveness and long-term impact on state and local cybersecurity capabilities.

CISA pilot-tested the survey with eight representatives from CISA, FEMA, and regional offices that work closely with the target respondents to assess burden, usability, question clarity, and survey structure. Half of the participants said the survey was somewhat burdensome because of its length, prompting the evaluation team to remove or combine repetitive questions, consolidate similar sections, and expand skip logic to reduce completion time. 

Following these changes, 62% of testers said they were extremely confident that CIOs and CISOs could answer all survey questions, and none reported a lack of confidence. Although the focus group and interview guides were not pilot tested, they were reviewed and approved through DHS and CISA oversight processes. The guides are semi-structured, allowing facilitators to clarify questions as needed, and interviews and focus groups will be limited to one hour. 

To further reduce the burden, focus groups will be conducted only if survey responses do not provide sufficient information.

The evaluation will collect information only from federal, state, and territorial government personnel, not from small businesses or other small entities. CISA said the data collection is necessary to meet Evidence Act requirements and support a significant evaluation included in DHS’s FY 2024 Annual Evaluation Plan. 

The agency said the information will help determine the effectiveness of the SLCGP, assess whether its funding and services are meeting stakeholder needs, identify opportunities to improve program delivery and stakeholder engagement, and support efforts to strengthen information sharing and risk reduction across sectors.
