Full Report
The Federal Emergency Management Agency has clarified its rules for how state and local governments may use funding from the State and Local Cybersecurity Grant Program and the Tribal Cybersecurity Grant Program. In a June 16 information bulletin, FEMA clarified rules created last year by the Department of Homeland Security prohibiting grant funds from being spent on services…
Analysis Summary
# Regulation/Compliance: FEMA Information Bulletin on SLCGP/TCGP Fund Usage
## Overview
The Federal Emergency Management Agency (FEMA) has issued a clarification regarding the allowable use of federal grant funds for the **State and Local Cybersecurity Grant Program (SLCGP)** and the **Tribal Cybersecurity Grant Program (TCGP)**. This update specifically addresses a prohibition on using grant money to pay for "bundled" services provided by membership organizations, such as the Multi-State Information Sharing and Analysis Center (MS-ISAC).
## Key Details
- **Issuing Authority:** Federal Emergency Management Agency (FEMA) / Department of Homeland Security (DHS)
- **Effective Date:** June 16 (Information Bulletin date)
- **Jurisdiction:** United States (State, Local, and Tribal governments)
- **Status:** Final/In Effect
## Requirements
### Mandatory Requirements
1. **Unbundling of Services:** Grant funds must not be used to pay for membership fees that include bundled cybersecurity or technical services.
2. **Cost Justification:** All grant expenditures must be "allowable, reasonable, and allocable."
3. **Disaggregation:** Costs must be breakable into individual line items so that FEMA can correlate the cost of membership with the specific value of each service received.
### Recommended Practices
1. **Direct Procurement:** Seek to procure technical services directly rather than through general membership "packages" where costs are opaque.
2. **Detailed Invoicing:** Ensure any membership organizations provide transparent, itemized billing for any services the grant is intended to cover.
## Affected Organizations
- **Industries:** State, Local, and Tribal Governments; Non-profit cybersecurity membership organizations (specifically the Center for Internet Security/MS-ISAC).
- **Organization Size:** All sizes eligible for SLCGP/TCGP funding.
- **Geographic Scope:** United States and its territories.
## Compliance Timeline
- **June 16 (Current Year):** FEMA Information Bulletin issued, providing immediate clarification for existing grant cycles.
- **Ongoing:** Periodic review of "allowable costs" during the grant application and reimbursement phases.
## Implementation Guidance
### Assessment Phase
- Review current grant applications and budgets for the SLCGP or TCGP.
- Identify any line items dedicated to MS-ISAC or similar membership fees.
### Implementation Phase
- Ensure that federal funds are not allocated to "bundled" membership fees.
- If technical services are required, attempt to isolate the cost of the specific service from the general membership fee.
### Validation Phase
- Audit financial reports to ensure no "membership fee" payments were drawn from SLCGP/TCGP accounts unless they meet the disaggregation criteria.
## Technical Requirements
- **N/A:** This is a financial and administrative compliance requirement rather than a specific technical security control.
## Penalties & Enforcement
- **Fines:** Potential clawback of federal funds if expenditures are deemed "unreasonable" or "unallowable."
- **Other Consequences:** Denied reimbursement for submitted costs; negative impact on future grant eligibility.
- **Enforcement:** FEMA grant audits and Department of Homeland Security (DHS) oversight.
## Related Standards
- **2 CFR Part 200 (Uniform Administrative Requirements):** The underlying federal regulation for grant management regarding cost reasonableness and allocability.
- **DHS Cybersecurity Performance Goals (CPGs):** While the funding is for cybersecurity, the management of the funds must align with DHS's stricter financial standards.
## Resources
- **Official Documentation:** FEMA Information Bulletin [Defanged: hxxps://www.documentcloud.org/documents/28398967-fema/]
- **Guidance Documents:** State and Local Cybersecurity Grant Program (SLCGP) Notice of Funding Opportunity (NOFO).
## Practical Recommendations
- **Itemize Everything:** If your organization pays MS-ISAC for services, request an itemized breakdown that separates the "membership" component from specific technical "services."
- **Alternative Funding:** Use non-grant (local) funds for membership fees if those memberships provide bundled services that FEMA currently refuses to fund.
- **Stay Updated:** Monitor FEMA's Grant Programs Directorate bulletins for further refinements on the definition of "allowable costs."