Cybersecurity Grants and Funding Available in Texas

Texas public entities, small businesses, nonprofits, and critical infrastructure operators have access to a structured landscape of cybersecurity grant programs administered at both the federal and state level. These programs span formula-based allocations to competitive awards, each with distinct eligibility criteria, application requirements, and compliance obligations. Understanding how these funding streams are structured — and which entities qualify under each — is essential for organizations seeking to close security capability gaps without navigating a patchwork of requirements blindly.

Definition and scope

Cybersecurity grants and funding programs are formally appropriated mechanisms through which federal agencies, state agencies, and authorized intermediaries disburse financial resources to qualifying entities for the purpose of improving information security posture. In Texas, this landscape is shaped primarily by the federal Cybersecurity and Infrastructure Security Agency (CISA) at the national level and by the Texas Department of Information Resources (DIR) at the state level.

The two dominant federal programs relevant to Texas entities are the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program, both authorized under the State and Local Cybersecurity Improvement Act (part of the Infrastructure Investment and Jobs Act, Public Law 117-58). The SLCGP allocated $1 billion over four fiscal years specifically for state, local, tribal, and territorial (SLTT) governments (CISA SLCGP Program Page).

Scope and coverage: This page addresses funding mechanisms available to Texas-based entities under federal and Texas state programs. It does not address federal contracts, Department of Defense cybersecurity funding vehicles, or private foundation grants. Entities operating under federal regulatory frameworks — such as financial institutions supervised by the OCC or FDIC — may have access to separate compliance-funding mechanisms not covered here. For the statutory and regulatory architecture governing how Texas entities are required to use any awarded funding, see the Regulatory Context for Texas Cybersecurity.

How it works

Texas participates in the SLCGP as a recipient state, with DIR serving as the designated state administrative agency (SAA). DIR is responsible for receiving federal allocations, administering a state cybersecurity planning committee, and distributing subgrants to eligible local governments and other qualifying entities. Federal rules require that at least 80 percent of SLCGP funds awarded to a state be passed through to local governments (2 CFR Part 200 governs federal grant administration requirements).

The grant lifecycle follows a structured sequence:

1. State planning phase — DIR convenes a cybersecurity planning committee that includes representatives from local governments, public utilities, and other relevant sectors to develop or update a state cybersecurity plan aligned with the NIST Cybersecurity Framework (CSF).
2. Federal application — DIR submits a grant application to CISA documenting the state plan, budget narrative, and performance metrics.
3. Award and subaward process — Upon federal award, DIR opens a competitive or formula-based subgrant process for local governments and eligible entities within Texas.
4. Implementation and reporting — Subgrantees execute approved cybersecurity projects — such as network security assessments, multi-factor authentication deployment, or staff training — and report outcomes to DIR, which reports to CISA.
5. Audit and closeout — All expenditures are subject to federal single audit requirements under the Single Audit Act if the entity expends $750,000 or more in federal awards in a fiscal year (2 CFR §200.501).

Beyond SLCGP, CISA administers free cybersecurity resources — including vulnerability scanning and the Cyber Hygiene service — that function as in-kind grants for Texas government entities. These are not cash transfers but reduce the effective cost of baseline security operations.

For Texas state agencies, DIR manages internal budget mechanisms under Texas Government Code Chapter 2054, which governs cybersecurity appropriations for agency-level security programs. State agencies must align expenditures with DIR's established security control standards, which reference NIST SP 800-53.

Common scenarios

Local governments and municipalities: A Texas county with fewer than 50,000 residents seeking to upgrade its network segmentation or deploy endpoint detection tools can apply for SLCGP subgrant funds through DIR. Rural and smaller jurisdictions are explicitly prioritized under the SLCGP statute. The Texas Cybersecurity for Local Governments reference covers specific eligibility details for municipal entities.

K–12 school districts: Texas public school districts can access cybersecurity funding through the FCC's E-Rate program (administered by USAC), which expanded in 2024 to include a three-year, $200 million cybersecurity pilot program for eligible schools and libraries (FCC E-Rate Cybersecurity Pilot). Districts may also be eligible for SLCGP subgrants when cybersecurity improvements align with local government partnerships. The Texas Cybersecurity for School Districts reference addresses district-specific compliance and funding intersections.

Small businesses: The U.S. Small Business Administration (SBA) and its network of Small Business Development Centers (SBDCs) provide cybersecurity assistance that includes free assessments and training — in-kind support rather than direct cash grants. Texas hosts a statewide SBDC network through the Texas SBDC Network. Direct cash grants for small business cybersecurity are limited and typically tied to federal contracting pipelines such as the SBIR/STTR programs administered by agencies including the Department of Homeland Security. Organizations seeking more on small business security posture can reference Texas Cybersecurity for Small Business.

Healthcare organizations: Hospitals and health systems may qualify for Health and Human Services-aligned grant mechanisms, though HIPAA compliance funding is not a direct grant program. The Texas Cybersecurity for Healthcare Organizations reference frames the compliance obligations that often drive grant-eligible project scopes.

Decision boundaries

Not every funding mechanism is appropriate for every entity type, and misidentifying eligibility is a common source of application failure.

Federal direct vs. state-administered subgrants: SLCGP funds flow to Texas via DIR, not directly to municipalities or counties. An entity that applies directly to CISA for SLCGP funding is outside the correct application pathway. Direct federal awards are available only for specific programs where local entities are listed as eligible applicants in the Notice of Funding Opportunity (NOFO).

Competitive vs. formula allocation: Some programs distribute funds based on population or risk metrics (formula-based); others require a competitive proposal demonstrating measurable security improvement objectives (competitive). DIR's subgrant process may combine both approaches depending on the fiscal year's program design.

Matching requirements: SLCGP subgrants may carry cost-share requirements. For local governments, the federal cost-share can be waived in certain circumstances, but entities must verify current waiver availability in the applicable NOFO before budgeting.

Authorized uses: Grant funds cannot be used for general IT infrastructure that does not have a documented cybersecurity nexus. Prohibited uses typically include hardware purchases without a security justification, general administrative costs beyond the allowed indirect rate, and activities that duplicate existing state-funded programs. Entities planning to use grant dollars for workforce development should cross-reference Texas Cybersecurity Workforce Development for alignment with state training standards.

Federal vs. state statutory obligations: Receiving federal cybersecurity grant funding does not exempt an entity from state-level security requirements under Texas Government Code Chapter 2054 or from the Texas Security Authority's broader regulatory landscape. These obligations operate independently and in parallel.

References

• CISA State and Local Cybersecurity Grant Program (SLCGP)
• Texas Department of Information Resources (DIR)
• Infrastructure Investment and Jobs Act, Public Law 117-58 — Congress.gov
• 2 CFR Part 200 — Uniform Guidance for Federal Awards (eCFR)
• NIST Cybersecurity Framework (CSF)
• NIST SP 800-53 Rev. 5 — Security and Privacy Controls (CSRC)
• Texas Government Code Chapter 2054 — Texas Legislature Online
• FCC E-Rate Cybersecurity Pilot Program
• Texas SBDC Network
• U.S. Small Business Administration — Cybersecurity Resources