Federal Grants: Numerous Programs Provide Cybersecurity Support to State, Local, Tribal, and Territorial Governments

What GAO Found

GAO identified 27 federal grant programs managed by eight federal agencies that could be used to fund state, local, tribal, and territorial (SLTT) governments' cybersecurity. None of these grant programs were intended to primarily support cybersecurity activities and these agencies are not required to track amounts specifically used for cybersecurity activities. However, four federal agencies tracked cybersecurity-related expenditures for 10 of the 27 programs. For fiscal years 2019 through 2022, the agencies reported awarding about $827 million (see table) to support cybersecurity-related activities, such as purchasing new software and network equipment. The cybersecurity-related amounts awarded by the remaining 17 grant programs are unknown.

Cybersecurity-Related Grant Award Amounts Tracked by Four Agencies, Fiscal Years 2019 through 2022

Source: GAO analysis of agency grant data. | GAO-24-106223

Agencies have established policies and processes to monitor grant programs. Agency officials stated that they conduct periodic reviews of progress reports and financial reports submitted by grant recipients to ensure the appropriate usage of funds.

Officials from national associations, SLTT government representatives, and agency officials did not identify challenges with applying for the identified grant programs. However, they identified challenges with the federal grant process in general. For example, officials from two national associations, one Tribal Nation, and three federal agencies said that the federal grant application process can be cumbersome for applicants, especially when the applicants are small SLTT governments with a relative lack of expertise in grant writing. Another Tribal Nation said it can be difficult to retain staff who have grant writing expertise.

GAO has previously reported on a wide range of grant-related issues, including long-standing challenges with federal grants management. For example, GAO identified human capital capacity—the extent to which an organization has sufficient staff, knowledge, and technical skills to effectively meet its goals and objectives—as a key factor in successful grants management.

Why GAO Did This Study

SLTT governments provide essential services that are increasingly reliant on the internet, making them vulnerable to various cybersecurity-related risks. The Department of Homeland Security and other federal agencies administer grant programs for these types of governments.

GAO was asked to identify federal grant programs that provide funding to improve cybersecurity for SLTT governments. The objectives for this report are to describe the (1) federal grant programs supporting SLTT governments' cybersecurity, and how much has been awarded for cybersecurity; and (2) actions taken by relevant federal agencies to monitor cybersecurity-related grants, and what challenges, if any, SLTT governments faced with the application process for cybersecurity-related grant programs.

GAO collected and analyzed federal grant data to determine what federal agencies and programs may support SLTT governments' cybersecurity from fiscal years 2019 through 2022. Using these data, GAO identified federal agencies that administer relevant grant programs and interviewed agency officials about these programs. GAO also reviewed federal requirements and policies regarding agencies' responsibilities for monitoring cybersecurity-related grants. Finally, GAO interviewed officials from national associations that represent SLTT governments, Tribal Nations, and agencies to obtain their perspectives on challenges SLTTs faced when applying for federal cybersecurity-related grants.

For more information, contact David B. Hinchman at (214) 777-5719 or hinchmand@gao.gov or Tina Won Sherman at (202) 512-8461 or shermant@gao.gov.