There is over $1 billion in federal cybersecurity grant funding that most small water utilities have never heard of. The State and Local Cybersecurity Grant Program (SLCGP), created under the Infrastructure Investment and Jobs Act of 2021, was designed specifically to help state, local, and territorial governments improve their cybersecurity posture. Water and wastewater utilities operated by municipalities are eligible. And every year, hundreds of millions of dollars go unclaimed.
The reason is not complicated. Small utilities do not have grant writers on staff. The person running the water plant is also the person ordering chlorine, managing SCADA alarms, and fielding complaints about water pressure. Nobody has time to research federal grant programs, figure out what qualifies, navigate the application process, and manage the reporting requirements. So the money sits there.
What the program actually is
The SLCGP is a four-year, $1 billion program administered jointly by CISA and FEMA. Funding is distributed to states through their State Administrative Agencies (SAAs), which then sub-grant it to local governments and critical infrastructure operators. Each state is required to submit a Cybersecurity Plan that outlines how the funds will be used. Individual utilities apply through their state's SAA.
The program has two structural requirements that matter for small utilities. First, at least 80% of the funds must pass through to local governments. Second, at least 25% must go to rural communities. If your utility serves a community under 50,000 people, both of those provisions work in your favor.
What it pays for
The SLCGP covers a broad range of cybersecurity activities. For water and wastewater utilities, the most relevant categories include:
- Cybersecurity assessments and risk evaluations. This includes external vulnerability assessments, network architecture reviews, and the kind of passive reconnaissance that identifies internet-exposed control systems. If you need to document your attack surface to meet AWIA requirements, this is a fundable activity.
- Cybersecurity planning. Developing or updating incident response plans, continuity of operations plans, and the Risk and Resilience Assessments that AWIA mandates.
- Implementation of security controls. Network segmentation, firewall deployment, access control hardening, encryption, and monitoring. The actual remediation work that follows an assessment.
- Workforce development. Training existing staff on cybersecurity practices, including OT-specific training for plant operators who manage SCADA and PLC equipment.
- Cybersecurity tools and infrastructure. Purchasing and deploying intrusion detection systems, security information and event management (SIEM) platforms, and endpoint protection for control system networks.
In practical terms, a small water utility could use SLCGP funds to pay for an external vulnerability assessment, implement the recommendations from that assessment, train operators on basic cybersecurity hygiene, and deploy monitoring tools on the OT network. That is the full lifecycle from discovery to remediation to ongoing protection, funded by a single grant program.
What it does not pay for
The SLCGP cannot be used for general IT expenses, hardware that is not cybersecurity-related, or construction projects. It does not cover replacing a SCADA system entirely unless the replacement is specifically driven by a documented cybersecurity need. And it cannot be used to backfill existing staff salaries. The funds are for new cybersecurity capabilities, not for keeping the lights on.
How to apply
The application process goes through your state, not directly through CISA or FEMA. Here is the sequence:
- Identify your state's SAA. Every state has a designated State Administrative Agency that manages SLCGP distribution. In most states, this is the Department of Homeland Security, the Office of Emergency Management, or the Governor's Office of Homeland Security. FEMA maintains a list of SAAs by state.
- Check the application window. Each state sets its own sub-grant application timeline. Some states have already distributed their FY2025 allocation. Others have open application windows right now. Contact your SAA to find out.
- Document the need. The strongest applications tie directly to a documented cybersecurity gap. A passive vulnerability assessment that identifies internet-exposed PLCs, unpatched firmware, or missing network segmentation creates exactly the kind of evidence that grant applications need. It shows the problem is real, specific, and fixable.
- Submit through the state process. Each state has its own application form and evaluation criteria. Most require a project narrative, a budget, a timeline, and evidence that the proposed work aligns with the state's Cybersecurity Plan.
The hardest part of applying is not the paperwork. It is having the documentation that proves you need the money. A vulnerability assessment creates that documentation.
The SLCGP is not the only option
Water utilities also have access to the EPA's Water Infrastructure Finance and Innovation Act (WIFIA) program, the Drinking Water State Revolving Fund (DWSRF), and the Clean Water State Revolving Fund (CWSRF). All three have cybersecurity-eligible set-asides. Some states also have their own cybersecurity grant programs that stack on top of federal funding.
The pattern is the same across all of them. The money exists. The eligibility criteria are met. The application requires evidence of a specific, documented need. The utility that has a vulnerability assessment in hand is the one that gets funded.
Where Sentinel OT fits
We provide the documentation that grant applications require. Our passive vulnerability assessments identify externally observable exposure on water utility IT and OT infrastructure. Every finding is verified against the National Vulnerability Database and the CISA Known Exploited Vulnerabilities catalog. The resulting report documents the specific CVEs, the affected systems, and the remediation path.
That report is the evidence your grant application needs. It demonstrates a specific, verifiable cybersecurity gap. It scopes the remediation work. And it gives your finance office the documentation to justify the expenditure. We also support grant application preparation, helping utilities translate assessment findings into the project narratives and budgets that SAAs require.
If your utility serves a community under 50,000 people and you have never applied for SLCGP funding, the first step is understanding what is exposed. Everything after that is paperwork.