State, Local, Tribal and Territorial Security Operations Center/Information Sharing and Analysis Center


This program addresses the DHS mission to Safeguard and Secure Cyberspace, as defined in the Quadrennial Homeland Security Review, through efforts to support the state, local, tribal and territorial (SLTT) governments and election infrastructure to keep pace in sharing cyber threat information and responding to cyber risk in as close to real-time as possible. This program leverages the strength of market technology forces to spur innovative strategies within a Security Operations Center (SOC) to enable a cyber-relevant Information Sharing and Analysis Center (ISAC) operating model that is consistent with section 2209 of the Homeland Security Act, Executive Order 13636, Executive Order 13691, and Presidential Decision Directive-63 (PDD-63). Specifically, section 2209(d)(E) requires the composition of the national cybersecurity and communications center to include an entity that collaborates with State and local governments on cybersecurity risks and incidents. This program convenes state-of-the-art SOC technology and their cyber analytic expertise with SLTT cyber coordinators, cyber and fusion center coordinators, and critical SLTT sectors (to include elections, communications, energy etc.) to evolve cyber capabilities from mission control to community collaboration models that face current threats in the digital battlefront. Services will allow SLTT and elections infrastructure stakeholders to consume and exchange awareness of threats via technologies that serve to derive a more accurate and timelier picture of prioritized cyber defense actions, while ensuring coordination is sustained with federal partners to defend forward and prevent or thwart malicious cyberspace actors and activities. Thus, through these efforts, the program makes improvements in technical cyber expertise, provides for a more efficient response and recovery time of systems during attack, and develops resilience capabilities for our nations SLTT government and elections infrastructure sectors. The program provides a 24x7 SOC| ISAC that fosters a platform for generating and disseminating cyber threat information and coordinating cybersecurity expertise upon which SLTT governments and elections entities can rely when making decisions that enable adequate preventative and response measures to cyber threats. By integrating the SLTT and elections cyber ecosystems, and empowering insight and cyber situational awareness from across the SLTT/elections trusted circle, the community will mutually benefit from the innovative measures that protect and improve defenses. Priorities: Successful execution will focus customer relationships on enhanced models for threat intelligence exchange. New technologies in data analytic correlation, collaborative threat intelligence and orchestration have created opportunities for faster and actionable threat intelligence exchange. The priority in focus is to advance SLTT and elections cybersecurity risk management and to help build a healthy and resilient SLTT/elections cyber ecosystem via automated collective community action.

General information about this opportunity
Last Known Status
Program Number
Federal Agency/Office
Cybersecurity and Infrastructure Security Agency, Department of Homeland Security
Type(s) of Assistance Offered
B - Project Grants; Z - Salaries and Expenses
Program Accomplishments
Fiscal Year 2016 Objective 1: Acting as the DHS CS&C Liaison for Cyber Security to SLTT governments. Objective 2: Sustaining Network Analysis Services to all 50 States and 6 Territories. Objective 3: Analyzing threat and attack information to maintain a real time cybersecurity posture of the SLTT sector. Objective 4: Developing appropriate mitigation strategies to assist SLTTs. Objective 5: Information Sharing, Incident management and response. Objective 6: Implementation of the Nationwide Cyber Security Review. Objective 7: Implementation of the MS-ISAC SCIF and facilitation of classified information sharing with DHS and State and local Fusion Centers. Objective 8: Support DHS’s weather map through metrics and data reporting. • Completing monitoring expansion to all 56 States and Territories • Increased membership by 31.5% • Number of MS-ISAC CERT engagements 169 in 2014, 164 in 2015 and 171 in 2016 An Engagement is assisting an SLTT with a cyber incident. This typically may include one, or all of the following: log analysis, malware analysis and full forensics review of the suspect system (s) and remediation recommendations. • Increased local participation in the NCSR by 103% • Increased automated indicator sharing by 157% (from 33 to 85 entities) This is the number of entities that are connected to the automated indicator sharing platform (Soltra Edge) which includes DHS. • Promoting DHS Programs such as NCATS, Cyber Security Exercises, Cyber Security Advisors, distribute DHS materials, etc. to the MS-ISAC members and conference attendees across the country. • Increased products covered by VMP by 142% (from 7 products to 17) • Increased threat actor tracking by 81% (from 326 to 591 actors) The threat actor tracking enables us to identify TTPs which are available to all MS-ISAC analysts. The analysts use this information in analyzing and providing assessment of threats and responding attacks impacting SLTTs. Threat actor tracking in also used to develop signatures that are deployed to Albert devices. The information is also used in reports provided to members. • Analyzing the use of cloud services for data analysis. The size and scale of our Netflow data repository has exceeded our ability to provide timely enterprise analysis of the data. A query of all of our Netflow data can take up to a week with our current platform. We are analyzing different options to see if a cost effect solution can be found. We have meetings/discussions scheduled with US-CERT, Carnegie Melon, DARPA, cloud providers and data analysis tool providers to assess what the options are. • Expanded membership partnerships by holding 3 Open Houses (7 to 10 members on-site for a 2 day exchange program • Support State ISAO initiatives We have products and tools that would be valuable for the state ISAOs that are forming to support critical infrastructure owners and operators in their respective states. One of the first questions by any prospective ISAO member is, “how can you help me?” We can assist with that. For example, if a state provided us with the IPs and domains of its CI partners, we could add them to our databases and notify the state ISAO regarding vulnerable domains, compromised credentials, connections to sink holes, etc., belonging to their ISAO members. They would also re-distribute all of the DHS and FBI products that we currently send to members. This will be a tremendous value add, which should encourage CI owners and operators to see the value of joining the state ISAO.
Fiscal Year 2017 • Sustain monitoring of all 56 States and Territories • Increasing membership by 20% • Increasing CERT engagements by 10% • Increasing participation in the NCSR by 20% • Increasing automated indicator sharing by 20% • Promoting DHS Programs • Increasing products covered by VMP • Expanding Membership partnerships to include staff exchange program • Support State ISAO initiatives
Fiscal Year 2018 Membership in 50 states, 6,000 Localities, 6 Territories and 88 Tribes *11,000 users * Webinars, working groups and meetings bring together a nationwide network of cyber expertise to share critical cyber information and best practices * Leverage security operations center cyber intrusion detection platform capabilities, open source monitoring and a trusted nationwide community network of cyber expertise to provide a robust offering of cyber awareness
Fiscal Year 2019 Increase in membership by 40% * Increased SLTT participation in the Nationwide Cybersecurity Review by 50% *Build trusted nationwide cyber SLTT analyst to analyst collaboration via a threat intelligence platform to support threat context and prioritization *Analysts in all 50 states trained on a threat intelligence collaboration platform *Seek to reduce mean time to respond to cyber threats through use of machine capabilities to support resilience.
Fiscal Year 2020 During this period, the MS-ISAC increased in membership by 20%. There was an increase in managed cybersecurity service offerings to the Elections Subsector, including Endpoint Detection and Response (EDR) capability. The MS-ISAC launched the new Malicious Domain Blocking and Reporting (MDBR) managed service offering to mitigate threats to the SLTT community, and saw 546 SLTT organizations subscribe. During this period, the MS-ISAC added 360 members to the Indicator Sharing Program, a 73% increase. Adoption of the Nationwide Cybersecurity Review (NCSR), the cybersecurity maturity assessment, increased by over 300%.
Fiscal Year 2021 Actual Accomplishments 2021 - Thus far, the MS-ISAC and EI-ISAC expanded MDBR adoption by nearly 4000 enrolled entities as of the end of Oct, 2021, and expanded EDR endpoint coverage to 10,172 and extended the vendor contract to provide licenses to EI-ISAC members. This represents a large expansion in managed service adoption. The MS-ISAC adopted a new Threat Intelligence Platform and worked to engage SLTTs in indicator sharing and direct access to the platform. Since implementing STIX/TAXII and supporting with automated workflows and Analyst1, the MS-ISAC is able to "score" and thus prioritize the sharing of IOCs most relevant to SLTTs. The MS-ISAC ingests 211 total intelligence feeds, with 147 new added YTD, a 230% increase. 1,847 threat groups are currently tracked, and over 60,000 campaigns with potential impact to SLTTs were tracked since October 2020. Additionally, over 100 presentations have been delivered at various SLTT focused events across the U.S.
Fiscal Year 2022 Fiscal Year 2022 (funding awarded September 30, 2022; Program Year September 30, 2022 - September 29, 2023) Program Accomplishments: Thus far, the MS-ISAC and EI-ISAC have expanded MDBR adoption by 19% to 5118 enrolled entities as of the end of March, 2023, and expanded EDR endpoint coverage to cover 16,207 so far, a 32 % increase in less than a year's time. This represents a large expansion in managed service adoption. The MS-ISAC expanded the Threat Intelligence Platform to 57 organizations. This year there was record-breaking participation by SLTT members in the Nationwide Cyber Security Review (NCSR), with 3,681 completed assessments, an increase of 414 from 2022. The total membership for the MS/EI-ISAC as of March 2023 is 18,763 which is a 14% higher than March 2022. The Coordinated Vulnerability Disclosure Program/Vulnerability Disclosure Program (CVD/VDP), which is a formalized process to receive, validate, remediate, and communicate vulnerability information on specific technology systems from security researchers, will continue to expand and be an efficient way for an election organization to improve its security posture. Web Application Firewall service, which provides SLTT members protection against HTTP-based inbound attacks and Distributed Denial of Service Protection DDOS protection, will continue to mature. Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) will continue to improve the efficiency and effectiveness of the Security Operations Center (SOC) by enhancing the automation and orchestration of tasks and processes, requiring that products and services be automation-enabled through use of Application Programming Interfaces (APIs). Enhanced Malicious Domain Blocking and Reporting (MDBR+) will provide an additional layer of cybersecurity protection through policy-based blocking of DNS activity, access to real-time DNS activity, enhanced reporting and portable device protection with the use of client software and virtual machines to SLTT members. Development of the Critical Infrastructure Baseline Security program will continue.
Fiscal Year 2023 Fiscal Year 2023 & 2024 (funding awarded near the end of the fiscal year) Estimated Program Accomplishments: With FY2023 and FY2024 funding, the program plans to expand the use of its existing services, streamline the data and reporting effort for NCSR, and continue to engage with the ISAC by providing distanced outreach and stakeholder engagement through virtual service reviews and remote speaking engagements. Plans to extend EDR services and Albert sensors to additional underserved SLTT and elections entities will continue. Additionally, the program will update the Albert sensor functionality to include preventive capabilities. As always, expansion of the number of MS-ISAC and EI-ISAC members will continue.
Homeland Security Act of 2002, Title II, 6 U.S.C. 52 Public Law 116-260 Consolidated Appropriations Act, 2023, Pub. L. No. 117-328, Division F - Department of Homeland Security Appropriations Act, 2023, Title III - Protection, Preparedness, Response and Recovery, Cybersecurity and Infrastructure Security Agency
Who is eligible to apply/benefit from this assistance?
Applicant Eligibility
This funding opportunity is awarded through an open competitive process. Specific information on applicant eligibility is identified in the funding opportunity announcement.
Beneficiary Eligibility
State Governments, local government, territorial governments, tribal governments and territories
Refer to Section 140: Regulations, Guidelines, and Literature. 2 CFR 200, Subpart E - Cost Principles applies to this program
What is the process for applying and being award this assistance?
Pre-Application Procedure
Preapplication coordination is not applicable.
Application Procedure
2 CFR 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards applies to this program. 2 CFR 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards applies to this program. Application deadline and other information are contained in the application.
Award Procedure
Applications or plans are reviewed by DHS program and administrative staff. Any issues or concerns noted in the application will be negotiated with the successful applicant prior to the award being issued.
Contact the headquarters or regional location, as appropriate for application deadlines
Approval/Disapproval Decision Time
Refer to Funding Opportunity Announcement.
Not applicable.
Subject to future appropriations.
How are proposals selected?
This continuation and supplemental funding opportunity is restricted to the Center for Internet Security, DHS Award Number 19PDMSI00004-01-00 as awarded via DHS NOFO: DHS-19-CISA-123-ISAC000001. Specific information on criteria for selecting proposals is identified in the funding opportunity announcement.
How may assistance be used?
Restricted to supporting the activities of Security Operations Center and Information Sharing and Analysis Center, involving engagement with State, Local, Tribal and Territorial (SLTT) governments and Elections Infrastructure. Additional information concerning uses and restrictions is contained in the Funding Opportunity Announcement document or can be obtained from the administering program office identified in this announcement. Financial and nonfinancial assistance may be provided for the following: salaries, materials and supplies, equipment, travel, publication costs, subcontractor and supporting costs required for technical and other activities necessary to achieve the objective. Restrictions on use of funds will be identified in the funding opportunity announcement and award provisions. See Funding Opportunity Announcement. Refer to program guidance.
What are the requirements after being awarded this opportunity?
Performance Reports: Grantees are required to submit a monthly report of planned, projected, and disbursed funds.
In accordance with the provisions of 2 CFR 200, Subpart F - Audit Requirements, nonfederal entities that expend financial assistance of $750,000 or more in Federal awards will have a single or a program-specific audit conducted for that year. Non-Federal entities that expend less than $750,000 a year in Federal awards are exempt from Federal audit requirements for that year, except as noted in 2 CFR 200.503.
Grant records shall be retained for a period of 3 years from the day the recipient submits its final expenditure report. If any litigation, claim, negotiation, audit, or other action involving the records has been started before the expiration of the 3-year period, the records must be retained until completion of the action and resolution of all issues which arise from it, or until the end of the regular 3-year period, whichever is later. Grant records include financial and program/progress reports, support documents, statistical records, and other documents that support the activity and/or expenditure of the recipient or sub-recipient under the award.
Other Assistance Considerations
Formula and Matching Requirements
Statutory formula is not applicable to this assistance listing.

Matching is . This cooperative agreement is a cost share program. The applicant is required to commit to the cost share requirement at the time of the application. The required cost share is based on and calculated against the total program cost as reflected in the application budget. The maximum Federal share is 70 percent of the total program cost as reflected in the application budget. The recipient must provide a minimum non-federal entity contribution supporting 30 percent of the total program costs as reflected in the application budget. A MOE provision is required as a condition of eligibility for federal funding, to maintain a financial contribution to the program at not less than 100 percent of its program income contribution for the prior fiscal year. The federal government wants awardees to rely on state and local funds thus ensuring that federal funds "supplement" rather than "supplant" (normal) activities.

MOE requirements are not applicable to this assistance listing.
Length and Time Phasing of Assistance
Refer to Funding Opportunity Announcement. Awards are subject to the Cash Management Improvement Act for payment and/or reimbursement of expenditures. Refer to Funding Opportunity Announcement.
Who do I contact about this opportunity?
Regional or Local Office
Program Manager for this award is: Amy Nicewick Cybersecurity and Infrastructure Security Agency 703-203-0634
Headquarters Office
Cybersecurity & Infrastructure Security Agency Stop 0380
245 Murray Lane
Washington, DC 20528 US
Phone: (703) 203-0634
Website Address
Financial Information
Account Identification
(Salaries and Expenses) FY 22$38,003,000.00; FY 23 est $43,003,000.00; FY 24 Estimate Not Available FY 21$26,343,000.00; FY 20$10,468,300.00; FY 19$10,447,510.00; FY 18$10,447,510.00; FY 17$9,500,000.00; FY 16$9,500,000.00; -
Range and Average of Financial Assistance
Refer to Funding Opportunity Announcement.
Regulations, Guidelines and Literature
44 CFR Part 13, Uniform Administrative Requirements for Grants and Cooperative Agreements to State and Local Governments,A-87, Cost Principles for State, Local and Indian Tribal Governments (2 CFR Part 225), A-110, Uniform Administrative Requirements for Grants and Agreements with Institutions of Higher Education, Hospitals and Non-Profit Organizations (2 CFR Part 215), A-21, Cost Principles for Educational Institutions (2 CFR Part 220), A-122, Cost Principles for Non-Profit Organizations (iii. 2 CFR Part 230), and A-133 Audits of States, Local Governments, and Non-Profit Organizations, in addition to program regulations, guidelines, DHS policy and procedure.
Examples of Funded Projects
Not applicable.


Federal Grants Resources