Fiscal Year 2025 Tribal Cybersecurity Grant Program Fact Sheet

In Fiscal Year (FY) 2025, the U.S. Department of Homeland Security (DHS) is providing $12.16 million to address cybersecurity risks and threats to information systems owned or operated by, or on behalf of, Tribal governments.

Overview

The Tribal Cybersecurity Grant Program (TCGP) enables DHS to provide targeted cybersecurity resources that improve the security of critical infrastructure and resilience of the services that Tribal governments provide to their members. The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Emergency Management Agency (FEMA) jointly manage the Tribal Cybersecurity Grant Program (TCGP). DHS respects the sovereignty and self-determination of tribal governments and recognizes the intent of Congress to provide flexibility to Tribal governments to meet cybersecurity needs across Indian Country through the TCGP. The framework of the program was determined as a result of nation-to-nation consultation with Tribal representatives across the country and is intended to support Tribal cybersecurity resiliency.

Program Goal and Objectives

Goal

The goal of TCGP is to assist Tribal governments with managing and reducing systemic cyber risk. Accomplishment of this goal can be achieved by implementing or revising Cybersecurity Plans, priorities and projects, and addressing TCGP objectives.

Objectives

Listed below are the objectives for the TCGP:

• Objective 1: Develop and establish appropriate governance structures, including by implementing or revising Cybersecurity Plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations.
• Objective 2: Understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments.
• Objective 3: Implement security protections commensurate with risk.
• Objective 4: Ensure Tribal organization personnel are appropriately trained in cybersecurity, commensurate with responsibility.

The only eligible Tribal applicants are those listed in Section 3 of the Notice of Funding Opportunity (NOFO), "FY 2025 TCGP Target Allocations." Fiscal Year (FY) 2025 TCGP applications are limited to only those meritorious applicant projects and investments as identified by FEMA in individual notifications to the eligible Tribal governments. Applicants should refer to the CISA.gov website for more information on TCGP program goals, objectives, sub-objectives, and desired outcomes required in their FY 2025 TCGP application.

FY 2025 Funding and Allocations

The funding appropriated for the TCGP for FY 2024 and FY 2025 is $9,142,996 and $3,021,975 respectively. DHS combined the funding from both fiscal years into a single TCGP NOFO, for a total of $12,164,971. For the FY 2022/2023 TCGP award cycle, DHS created a discretionary allocation structure based on Tribal populations that elicited extensive interest (e.g., 73 Tribal governments submitted applications for requests exceeding $100 million, far oversubscribing the available roughly $18 million). The statutory authorization for the TCGP expires on Sept. 30, 2025, after which no new awards can be made.

Therefore, DHS has allocated the remaining $12,164,971 of Fiscal Year 2024/2025 TCGP funding to make additional awards to fund meritorious Tribal applicant projects that did not receive funding during the FY 2022/2023 award cycle. This decision is consistent with and reflects extensive feedback from Tribal Nations after nation-to-nation consultations in August 2022, November 2023, and September 2024. Final allocation amounts will be determined after the Application Deadline date of Aug. 15, 2025, at 5 p.m. ET. Additional information is available in the FY 2025 TCGP NOFO Section 3 "Program Description."

Eligibility

The only eligible Tribal applicants are those listed in Section 3 of the NOFO, "FY 2025 TCGP Target Allocations." FY 2025 TCGP applications are limited to only those meritorious applicant projects and investments as identified by FEMA in individual notifications to the eligible Tribal governments. Applicants must be a Tribal government that is eligible for the program. "Tribal government" is defined at Section 2220A(a)(7) of the Homeland Security Act (codified as amended at 6 U.S.C. § 665g(a)(7)) as the recognized governing body of any Indian or Alaska Native Tribe, band, nation, pueblo, village, community, component band, or component reservation, that is individually identified (including parenthetically) in the most recent published list of Federally Recognized Tribes.

Cybersecurity Planning Committee and Cybersecurity Plan Requirements

The statute authorizing the TCGP requires each Tribal government to establish a Cybersecurity Planning Committee that assists with developing, implementing, and revising the Cybersecurity Plan of the Tribal government, approves the Cybersecurity Plan of the Tribal government, and assists with the determination of effective funding priorities. An existing Tribal Council or Governing Body that includes the participation of (1) a representative from the grants administration office and (2) a Chief Information Officer (CIO), a Chief Information Security Officer (CISO), or an equivalent official to the CIO or CISO with expertise in information technology and systems can be used to meet this requirement and fulfill these duties. If the Tribal government would prefer to establish a separate Cybersecurity Planning Committee, the required members of that committee must include the following: the grants administration office and a designated CIO, CISO, or equivalent official to the CIO or CISO with expertise in information technology (IT) and systems. Additional members are encouraged but not required.

Cybersecurity Plans are meant to guide implementation of cybersecurity capabilities within the Tribal government. The Cybersecurity Planning Committee is responsible for approving the Cybersecurity Plan and assisting in prioritizing individual projects. CISA considers Cybersecurity Plans to be living, strategic documents. If any changes need to be made to a plan after post-award submission, Tribal governments may work with CISA to update their plan.

Cost Share or Matching Requirements

Eligible applicants must agree to make available non-federal funds to carry out a TCGP award in an amount not less than 40% of the total project costs (federal award amount plus cost share amount, rounded to the nearest whole dollar). The cost share for the multi-entity projects is 30% for FY 2025. Section 2220A of the Homeland Security Act of 2002 requires recipients to meet a non-federal matching requirement for an "activity" carried out under an TCGP grant award. DHS interprets the term "activity" to be an approved "project" under an TCGP grant award and administers the nonfederal matching requirement in accordance with 2 C.F.R. § 200.306. The Secretary of Homeland Security may waive or modify the non-federal share for an individual entity if the entity demonstrates economic hardship. However, DHS is not able to provide additional funds even if it does grant a cost share waiver. The federal funding will remain at the same amount as indicated by the statutory formula.

All Cost Share Waiver requests must be submitted post-award by the eligible entity by emailing the request and supporting documentation to [email protected].

Performance Measures

Performance measures are data used to gauge program performance. The FY 2025 TCGP NOFO contains a list of performance measures, some of which overlap with the best practices, that applicants are encouraged to consider when evaluating their program performance. Referencing these measures will help applicants ensure their projects are meeting CISA standards for improving cybersecurity posture.

Application Process

Applying for an award under the TCGP is a multi-step process. To apply for a grant award, an applicant must have a Unique Entity Identifier (UEI), Employer Identification Number (EIN), an active System for Award Management (SAM) registration, a Grants.gov account, and a FEMA Grants Outcomes (GO) account. Submit the complete application in FEMA GO using the TCGP FEMA GO Application Process (copies can be obtained by emailing [email protected].

There are no program-specific required documents required at the time of application. All program-specific required documents, forms, and information will be required from recipients post award and can be found in Appendix B of the Notice of Funding Opportunity. The following forms or information are required to be submitted via FEMA GO. The Standard Forms (SF) are also available at Forms | Grants.gov.

• SF-424, Application for Federal Assistance
• Grants.gov Lobbying Form, Certification Regarding Lobbying
• SF-LLL, Disclosure of Lobbying Activities

Applicants are encouraged to register early in the SAM, UEI, and FEMA GO system, as the registration process can take four weeks or more to complete. Registration should be done in sufficient time to ensure it does not impact an applicant's ability to meet the required submission deadline. Please refer to Section 5 "Submission Requirements and Deadlines" in the FY 2025 TCGP NOFO for detailed information and instructions.

All application materials will be posted on Grants.gov. Eligible applicants must submit their application through the FEMA GO system. Applicants needing technical support with FEMA GO should contact [email protected] or call the FEMA GO Help Desk at 1-877-585-3242, Monday - Friday from 9 a.m. - 6 p.m. ET.

Completed applications must be submitted in the FEMA GO system no later than 5 p.m. ET on Aug. 15, 2025.

1. Period of Performance Extension Requests

Extensions to the FY 2025 TCGP period of performance (POP) for this program are not allowed.

1. TCGP Resources

There are a variety of resources available to assist with TCGP applications that address programmatic, technical and financial questions.

• The FY 2025 TCGP NOFO is located online at Grants.gov.
• For additional grants management and application information, please email [email protected]. You may also contact your Preparedness Officer.
• For support regarding financial grants management and budgetary technical assistance, applicants may contact the FEMA Award Administration Help Desk, via email at [email protected].
• For support regarding programmatic elements and technical assistance related to cybersecurity planning and project development applicants may contact CISA via [email protected]. For regional contact information, please visit cisa.gov/about/regions.