The federal Infrastructure Investment and Jobs Act (IIJA), also known as the Bipartisan Infrastructure Law (BIL), was signed into law on November 15, 2021. One component of the act is the State and Local Cybersecurity Grant Program (SLCGP), which appropriated $1 billion over four rounds of funding (2022-2025) to address cybersecurity risks and threats to information systems owned or operated by, or on behalf of, state, local, or tribal governments (SLT). Alabama was allocated approximately $19 million.

The State of Alabama Office of Information Technology (OIT) is the State Administrative Agency (SAA) and serves as the fiscal agent and authorizing official of the SLCGP federal funds and has submitted the SLCGP application to CISA and administers sub-recipient grants. OIT serves as subject matter expert pertaining to all programmatic requirements and federal regulations associated with the SLCGP and developed a Cybersecurity Plan, established a Cybersecurity Planning Committee, supported development of the Plan, and identified projects to implement utilizing SLCGP funding. Recent years have increased the urgency and need for advanced cybersecurity capabilities, which many agencies and localities are unable to provide for themselves.

For Round One (FY22 - FY25), Alabama has $3.07 million available for local government entity (LGE) cybersecurity projects. The SAA secured a matching cost-share waiver (10%) for Round One. For Round Two (FY23 - FY26), Alabama has $6.27 million available and secured a waiver (20%). For Round Three (FY24 - FY27), Alabama has $4.61 million available and a waiver (30%) is pending.

The Alabama Cybersecurity Planning Committee (the “Committee”) is responsible for developing, approving, implementing, and revising the Alabama Cybersecurity Plan. The Committee submitted Alabama's Plan for 2022-2026. The Committee includes representatives from rural, suburban, and urban cities, towns, and counties, public education, public health and public safety.

OIT partnered with Troy University and Auburn University’s McCrary Institute on the Alabama SLCGP program. Together, the three institutions collectively serve as one entity for SAA purposes. Troy provides administration and management of programmatic, reporting, and training components, while Auburn oversees cybersecurity functions and activities.

LGE will submit an application for each round to participate in eligible projects. As defined in 6 U.S.C. § 101(13), an LGE is any county, municipality, city, town, township, local public authority, school district, special district, intrastate district, council of governments, regional or interstate government entity, or agency or instrumentality of a local government; or any Indian tribe or authorized tribal organization; or any rural community, unincorporated town or village, or other public entity. LGE projects will be available and approved on a first-come, first-serve basis. Approved projects will include only one-time cybersecurity services.

Federal funds may be reduced, eliminated, or include additional LGE responsibilities in subsequent funding rounds. As a result, SAA recommends LGE prepare for possible future project sustainment.