Assistance Listings

CISA Cyber Security Awareness Campaign

Objectives

CISA’s mission is to lead the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure. In carrying out this mission, Section 2202 of the Homeland Security Act of 2002 assigns CISA with the responsibilities to coordinate a national effort to secure and protect against critical infrastructure risks, carry out cybersecurity and critical infrastructure stakeholder outreach and engagement, and encourage and build cybersecurity awareness and competency across the United States. Section 102 of the Homeland Security Act of 2002 authorizes CISA to make cooperative agreements in carrying out these responsibilities. In carrying out its mission and pursuant to these authorities, CISA provides financial assistance under the Cybersecurity Awareness Campaign Program to non-federal entities to perform cybersecurity awareness activities to reduce cybersecurity risks through messaging, tools, and resources to encourage individuals and organizations to reduce their exposure to malicious cyber activity. Through strategies implemented year-round with a focal point of Cybersecurity Awareness Month in October, a recipient under a federal award will engage in efforts to improve the public’s understanding of cyber threats, amplify opportunities that individuals and non-federal entities can leverage to strengthen their own cybersecurity posture, and encourage discussion, engagement, and actions that can be taken to reduce cyber risk. CISA has established the following six goals for the Cybersecurity Awareness Campaign Program: (1) strengthen the security and resilience of critical infrastructure; (2) assess and counter evolving cybersecurity risks through actions that promote threat risk reduction; (3) build a national culture of preparedness and ensure equity and accessibility to increase online and digital safety; (4) build stakeholder relationships that encourage and support data-driven actions by state, local, tribal, and territorial governments, for-profit and nonprofit organizations, other non-federal entities, and individuals that reduce cybersecurity risk; (5) reinforce the importance of secure by default and secure by design industry practices that do not place the first line of cyber threat risk reduction on those with the least capabilities and resources; and (6) encourage activities supported by data which result in key behavior change that reduce cyber risk. In support of the six program goals, CISA has established the following six objectives for the Cybersecurity Awareness Campaign Program: (1) educate the public and non-federal entities about the dangers of cyber threats and key actions to mitigate risks; (2) promote sustainable cybersecurity and encourage the technology industry to provide secure-by-default technology products and technology that is secure-by-design; (3) identify effective approaches to increase cybersecurity awareness among the general public and target audiences; (4) build relationships and coalitions across cybersecurity stakeholders to support Cybersecurity Awareness Month; (5) develop a baseline from which to measure the impact Cybersecurity Awareness Month campaign strategies and messaging has on changing behavior and increasing public awareness of cybersecurity risk; and (6) contribute to CISA’s efforts to build a culture of preparedness. The Cybersecurity Awareness Campaign Program aligns with Goal 3: Secure Cyberspace and Critical Infrastructure and Goal 5: Strengthen Preparedness and Resilience under the 2020-2024 Department of Homeland Security Strategic Plan. It also supports Goal 2: Risk Reduction and Resilience and Goal 3: Operational Collaboration under the CISA Strategic Plan 2023-2025.

Examples of Funded Projects

Homeland Security Act of 2002, Pub. L. No. 107-296, §§ 102(b)(2) and 2202 (codified as amended at 6 U.S.C. §§ 112(b)(2) and 652); Consolidated Appropriations Act, 2023, Pub. L. No. 117-328, Division F – Department of Homeland Security Appropriations Act, 2023, Title III – Protection, Preparedness, Response, and Recovery, Cybersecurity and Infrastructure Security Agency; Further Consolidated Appropriations Act, 2024, Pub. L. No. 118-47, Division C – Department of Homeland Security Appropriations Act, 2024, Title III – Protection, Preparedness, Response, and Recovery, Cybersecurity and Infrastructure Security Agency

Range and Average of Financial Assistance

CISA awarded a competitive cooperative agreement to a single non-profit organization in FY 2023 with a 29-month period of performance comprised of three budget periods. The funding awarded for the initial 1-year budget period was $549,996 and projected continuation funding to be awarded for the second 1-year budget period is $549,996. Therefore, the range of financial assistance per 1-year budget period is $549,996 and the average is $549,996.

Accomplishments

Account Identification

70-0565-0-1-999

Types of Assistance

B - Cooperative Agreements

Credentials and Documentation

An applicant for a Cybersecurity Awareness Campaign cooperative agreement award must provide documentation that it meets various eligibility criteria as further detailed in the Notice of Funding Opportunity. This will include documentation that the applicant’s mission includes promoting cybersecurity-related awareness and safe behavior online and that the applicant is a nonprofit organization with an effective ruling letter from the U.S. Internal Revenue Service granting tax exemption under Section 501(c)(3) of the Internal Revenue Code of 1986. The Cost Principles at 2 C.F.R. pt. 200, subpart E apply to all recipients under the Cybersecurity Awareness Campaign Program. 2 CFR 200, Subpart E - Cost Principles applies to this program.

Applicant Eligibility

Nonprofit organizations, other than institutions of higher education, with an effective ruling letter from the U.S. Internal Revenue Service granting tax exemption under Section 501(c)(3) of the Internal Revenue Code of 1986 A recipient under the Cybersecurity Awareness Campaign Program must be a nonprofit organization with an effective ruling letter from the U.S. Internal Revenue Service granting tax exemption under Section 501(c)(3) of the Internal Revenue Code of 1986. A “nonprofit organization” means any organization that: (1) is operated primarily for scientific, educational, service, charitable, or similar purposes in the public interest; (2) is not organized primarily for profit; (3) uses net proceeds to maintain, improve, or expand the organization’s operations; and (4) is not an institution of higher education as defined at 20 U.S.C. § 1001.

Beneficiary Eligibility

Individuals, businesses, states, local governments, Indian tribes, institutions of higher education, and nonprofit organizations The beneficiaries of a Cybersecurity Awareness Campaign cooperative agreement award are the individuals and non-federal entities that will experience the benefits of the information provided by a recipient through its cybersecurity awareness activities. As these activities are intended to reach all individuals and non-federal entities in the United States, the beneficiaries include individuals, businesses, states, local governments, Indian tribes, institutions of higher education, and nonprofit organizations

Length and Time Phasing of Assistance

The period of performance for a cooperative agreement award under the Cybersecurity Awareness Campaign Program is typically two to three years and comprised of separate budget periods that CISA will fund individually. CISA will provide funding for only the initial budget period at the time of initial award and may issue continuation funding for subsequent budget periods. Funding for subsequent budget periods is conditioned on the availability of funds, satisfactory performance by the recipient, program authority, compliance with the terms and conditions of the federal award, and a CISA determination that continued funding is in the best interests of the federal government. A recipient may only expend funding during the budget period for which CISA has issued funding unless CISA authorizes the recipient to carry forward unexpended funding into a subsequent budget period. CISA makes payments for federal awards in accordance with 2 C.F.R. § 200.305(b). Under this payment process, CISA makes the federal funds available to a recipient in the U.S. Department of Health and Human Services Payment Management System (“PMS”) at the time of the federal award (or time of continuation funding) and the recipient draws down funds on the advance payment, reimbursement, or working capital advance method. Method of awarding/releasing assistance: Annual Lump sum (Period of Performance will be 29 months comprised of 12-month budget periods and one 5 month budget period). Applicants will be making draw downs through the HHS-Payment Management System in accordance with the Cash Management Improvement Act.

Use of Assistance

Communications The Cybersecurity Awareness Campaign Program provides financial assistance for a nonprofit organization to carry out public awareness activities concerning cybersecurity risks and messaging, tools, and resources to encourage individuals and non-federal entities to reduce their exposure to malicious cyber activity. The eligible work under a cooperative agreement award may include strategy development, communications materials production, stakeholder engagement and outreach, development and execution of Cybersecurity Awareness Month activities, cross-promotion of CISA cybersecurity resources, and program management. The allowable direct costs to pursue eligible work may include salaries and fringe benefits of a recipient’s employees; travel costs of recipient employees; purchase of supplies; contract costs; and subawards. Indirect costs are also allowable. Unallowable costs include acquiring land or buildings; construction, renovation, or alteration of buildings and other physical facilities; purchasing equipment; foreign travel; purchasing food and refreshments; and gifts or incentives to beneficiaries. In addition, recipients may not use federal funds for the matching or cost sharing requirements for other federal grants and cooperative agreements (2 C.F.R. § 200.306), lobbying or other prohibited activities under 18 U.S.C. § 1913 and 2 C.F.R. § 200.450, or prosecuting claims against the federal government or any other government entity (2 C.F.R. § 200.435). The Notice of Funding Opportunity will detail the eligible work, allowable costs, and restrictions on the use of federal funds.See above.

Deadlines

Preapplication Coordination

Preapplication coordination is required. Environmental impact information is not required for this program. This program is excluded from coverage under E.O. 12372. Intergovernmental review under Executive Order 12372, Intergovernmental Review of Federal Programs (1982) (as amended) may be required.

Application Procedures

2 CFR 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards applies to this program.

The Notice of Funding Opportunity will provide the application procedures for the Cybersecurity Awareness Campaign Program. The following summarizes the typical application procedures for this competitive program. An applicant must submit a grant application online via www.grants.gov. The documents required to be submitted in the application include various standard forms, such as the Standard Forms (“SF”) 424 (Application for Financial Assistance), SF 424A (Budget Information for Non-Construction Programs), SF 424B (Assurances for Non-Construction Programs), and Certification Regarding Lobbying, and (if applicable) SF LLL (Disclosure of Lobbying Activities). They will also include a budget narrative, program abstract, program narrative, project plan, and documentation concerning exemption under Section 501(c)(3) of the Internal Revenue Code. Lastly, they will also include resumes for key personnel, current organizational chart, and certain information regarding subawards. CISA/DHS will initially screen applications to determine whether an applicant is eligible, whether an applicant submitted its application on time, and whether the application conforms to the administrative requirements for application content. Any application not meeting these requirements will not be considered and will not move forward to the evaluation phase. Following this initial screening, an objective review panel will evaluate and score applications using the criteria detailed in the Notice of Funding Opportunity. CISA, during the objective review process, may communicate with applicants about their applications. The objective review panel will use the results of the review process to make funding recommendations to the DHS awarding official. Final funding decisions will be made by the DHS awarding official. Following any necessary pre-award communications and clarifications, CISA/DHS will issue and communicate via email a federal award notice to each successful recipient.

Criteria for Selecting Proposals

The Notice of Funding Opportunity will set forth the criteria that CISA will use in evaluating and scoring applications. These criteria include program design and rationale; project management and organizational capability; demonstrated experience and past performance; and project plan and budget. CISA will also review information about an applicant through any OMB-designated repositories of governmentwide eligibility qualification or financial integrity information as required by 31 U.S.C. § 3354 (enacted by the Payment Integrity Information Act of 2019, Pub. L. No. 116-117, § 2 (2020)), 41 U.S.C. § 2313, and 2 C.F.R. § 200.206. Therefore, evaluation criteria will include risk-based considerations concerning an applicant’s financial stability, quality of management systems and ability to meet management standards, history of performance in managing federal awards, reports and findings from audits, and ability to effectively implement statutory, regulatory, or other requirements. CISA, in cases where the project federal award exceeds the simplified acquisition threshold (currently $250,000), is also required by 41 U.S.C. § 2313 and 2 C.F.R. § 200.206 to review and consider any information about the applicant in the Federal Awardee Performance and Integrity Information System.

Award Procedure

CISA/DHS communicates the Notices of Award to recipients for which CISA/DHS has made a cooperative agreement award. Payments to a recipient under the cooperative agreement award are made via an electronic system as detailed above in the Length and Time Phasing of Assistance section. A recipient may not contract out or subaward any work under the federal award unless described in the application and funded in the approved cooperative agreement award or approved by CISA after the cooperative agreement award. There is no negotiation of any terms and conditions or any other parts of the cooperative agreement award communicated to the recipient in the Notice of Award.

Date Range for Approval/Disapproval

The range of time required for CISA to process applications for a federal award is approximately 30-60 days. CISA will communicate all Notices of Awards on or before September 30.

Renewals

CISA may issue continuation funding for the second and subsequent budget periods falling within the period of performance of a cooperative agreement award. Upon the end of the period of performance for a cooperative agreement award, CISA does not make renewal awards.

Appeals

Not Applicable. There are no appeal rights for applicants that CISA does not select for a federal award. An unsuccessful applicant may request an informal debriefing and CISA may, in its sole discretion, elect to provide such a debriefing. As it relates to recipients of a federal award, the regulation at 2 C.F.R. § 200.342 requires CISA to provide a recipient an opportunity to appeal any remedy for non-compliance taken by CISA pursuant to 2 C.F.R. § 200.339. There are no other recipient appeal rights. For example, a recipient has no right to appeal the amount of a federal award, denial of a period of performance extension request, or denial of a budget change request.

Policy Requirements

Reports

Audits

Records

The regulation at 2 C.F.R. § 200.334 sets forth the records retention requirements for a recipient of a federal award. As detailed in the regulation, a recipient must retain financial records, supporting documents, statistical records, and all other recipient records pertinent to the federal award for a period of three years from the date the recipient submits its final federal financial report. There are, however, exceptions to this requirement that may result in a longer records retention period. First, if any litigation, claim, negotiation, audit, monitoring visit, or other action involving the records has been started before the expiration of the 3-year period, the recipient must retain records until the later of completion of the action and resolution of all issues which arise from it or until the end of the regular 3-year period. Second, CISA, DHS, the recipient’s oversight agency for audit, or the recipient’s cognizant agency for indirect costs may notify the recipient in writing to retain records for a longer period.

Regulations, Guidelines, and Literature

There are no implementing rules in the Code of Federal Regulations for the Cybersecurity Awareness Campaign Program. The Notice of Funding Opportunity will establish the procedures for applying for and administering a cooperative agreement award and the policies and procedures for determining eligibility of applicants, eligibility of work, and eligibility and allowability of costs. All recipients must comply with the version of 2 C.F.R. pt. 200 in effect at the time of the initial cooperative agreement award. They must also comply with the Department of Homeland Security Standard Terms and Conditions (which can be found at https://www.dhs.gov/sites/default/files/2023-12/2023_1130_dhs_standard_terms_and_conditions_fy24.pdf), all other terms and conditions set forth in the Notice of Funding Opportunity and the federal award, and all other applicable laws and regulations.

Formula and Matching Requirements

Regional or Local Locations:

Headquarters Office: