Cybersecurity Funding and Grants Available in New York

Public and private cybersecurity funding programs operating in New York span federal grant mechanisms, state agency initiatives, and regional workforce development channels. These programs serve municipalities, school districts, healthcare organizations, small businesses, and critical infrastructure operators seeking to close resource gaps in their security posture. The funding landscape is governed by a layered set of federal statutes, state appropriations, and agency-administered eligibility frameworks that determine which entities qualify and under what conditions. Understanding this sector requires mapping the distinct program types, their administering bodies, and the decision criteria that determine applicability.


Definition and Scope

Cybersecurity funding and grants, as a formal sector, refers to competitively or formula-allocated financial instruments — grants, sub-grants, matching awards, and cooperative agreements — specifically designated to improve the security of information systems, networks, and data held by eligible organizational categories. These instruments differ from general technology appropriations: they carry defined cybersecurity use restrictions, reporting obligations, and in federal programs, compliance alignment requirements tied to frameworks such as NIST SP 800-53 or the NIST Cybersecurity Framework.

In New York, the primary administering bodies include:

The SLCGP, first funded in federal fiscal year 2022, allocated $200 million nationally in its inaugural year (DHS CISA SLCGP program page), with New York receiving allocations through DHSES as the designated SAA. Programs with broader coverage — including federal contracts and privately funded grants — fall outside this page's primary scope.

This page covers New York State-jurisdictional programs and federal programs administered through New York State agencies. It does not address federal direct-award contracts, Department of Defense cybersecurity grants, or funding programs available exclusively to entities headquartered outside New York. For the broader compliance and regulatory environment that shapes eligibility determinations, see the regulatory context for New York cybersecurity.


How It Works

Cybersecurity funding flows through a structured multi-phase process. The sequence below reflects the dominant federal pass-through model, which governs the largest single-source programs available to New York entities:

  1. Federal Authorization — Congress appropriates cybersecurity funding through statutes such as the Infrastructure Investment and Jobs Act or annual DHS appropriations. CISA issues program notices, eligibility definitions, and Notices of Funding Opportunity (NOFOs).

  2. State Administrative Agency Intake — New York DHSES receives the federal award and develops a State Cybersecurity Plan, which CISA must approve before sub-grants can be issued. The state plan must identify priorities aligned with the CISA Cybersecurity Performance Goals (CISA CPGs).

  3. Sub-Recipient Application — Eligible local governments, tribal nations, and in some programs, private critical infrastructure operators, apply to DHSES. Applications typically require a demonstrated cybersecurity needs assessment, an implementation plan, and identification of performance metrics.

  4. Award and Compliance Period — Sub-recipients execute grant agreements, obligate funds within specified periods of performance, and submit progress reports. Federal Uniform Guidance (2 CFR Part 200) governs financial management, allowable costs, and audit requirements.

  5. Close-Out and Audit — At the end of the performance period, sub-recipients submit final reports and are subject to single audits if total federal expenditures exceed $750,000 in a fiscal year, per 2 CFR §200.501.

New York municipalities and school districts represent the largest sub-recipient categories under SLCGP. New York small business cybersecurity programs involve a distinct track, primarily through ESD and federally backed Small Business Administration (SBA) resource channels rather than DHSES.


Common Scenarios

Scenario 1: County Government Applying for SLCGP Funds
A New York county with fewer than 30 full-time employees in its IT department applies through DHSES for SLCGP sub-grant funding to implement multi-factor authentication and endpoint detection. The county must align its application to the CISA CPGs, demonstrate matching or in-kind contribution where required, and comply with 2 CFR Part 200 financial controls.

Scenario 2: K–12 School District Seeking Security Infrastructure Funds
A New York school district facing ransomware exposure — a documented risk category across New York K–12 cybersecurity — may access funding through the federal E-Rate program (administered by the FCC and USAC), which since 2024 includes a cybersecurity pilot (FCC Cybersecurity Pilot Program) with $200 million designated nationally for schools and libraries. New York districts apply through NYSED coordination with the FCC's Universal Service Administrative Company (USAC).

Scenario 3: Nonprofit Healthcare Entity
A New York nonprofit hospital or community health center may access HHS Office of the National Coordinator for Health IT (ONC) programs and HHS 405(d) Task Group resources for healthcare-specific cybersecurity investment. New York healthcare cybersecurity funding intersects with HIPAA compliance obligations, meaning grant expenditures are frequently tied to HIPAA Security Rule gap remediation.

Scenario 4: Workforce Development Through State Channels
Employers seeking to train existing staff in cybersecurity skills may access New York State's Workforce Development Institute or ESD's Upstate Revitalization Initiative where cybersecurity training is a recognized use. These programs contrast with capital infrastructure grants: they fund human capital rather than technology procurement, carry shorter performance periods, and involve NYSED or the Department of Labor as co-administrators.


Decision Boundaries

Not all New York entities qualify for all programs. The primary eligibility boundaries are:

Entity Type
SLCGP eligibility under CISA's framework is limited to state, local, tribal, and territorial (SLTT) governments. Private sector entities — including privately owned critical infrastructure — are not direct SLCGP recipients, though they may benefit from state-funded capacity-building activities. The New York Security Authority index maps the broader landscape of sector-specific considerations across these entity categories.

Organization Size and Capacity
DHSES, following CISA guidance, prioritizes rural and under-resourced jurisdictions in sub-grant scoring. A municipality with fewer than 50,000 residents will generally score higher on equity-weighted criteria than a large municipality with an established security operations center.

Compliance Alignment
Entities operating under NYDFS 23 NYCRR 500 — New York's financial sector cybersecurity regulation — may find that grant-eligible activities overlap with mandatory compliance expenditures. Grant funds generally cannot reimburse costs that would have been incurred as a regulatory obligation absent the grant, creating a use-of-funds boundary that applicants must document carefully.

Program-Specific Restrictions
Federal grants governed by 2 CFR Part 200 prohibit use of funds for lobbying, certain construction activities without prior approval, and equipment purchases above the capitalization threshold without specific authorization. ESD workforce grants carry separate restrictions around eligible training providers and wage requirements.

For entities assessing their risk profile before applying, New York cybersecurity risk assessment frameworks provide the foundational documentation that most funding applications require.


References

2 regulatory citations referenced. Citations verified Feb 26, 2026.