Is Your Grant Funding Safe?
Since October 1, 2024, new cybersecurity-related revisions from the Office of Management and Budget (OMB) have been in effect for new federal grants and cooperative agreements – or amendments for extra funds to existing grants. Federal agencies and grant recipients must be proactive and assess whether their current or new projects comply with revised Uniform Guidance for cybersecurity frameworks and internal controls.
OMB, in its Fall 2024 revision, clarified previous guidance issued in April 2024. Documenting internal controls for federal awards has been in effect since 2013; however, the latest guidance requires special emphasis on enhanced controls with mechanisms to protect confidential or sensitive information. Failure to comply with updated cybersecurity standards could result in heightened scrutiny and/or penalties, funding delays, or funding ineligibility.
Why This Matters Now for Grant Administrators, CFOs, and Compliance Officers
Cyber threats continue to escalate. In response, OMB’s mandate now requires federal grant recipients to implement strong cybersecurity measures or potentially risk losing funding. These updates reflect an increasing federal emphasis on cyber resilience, data protection, and risk management. Organizations also benefit: the updated measures give them clearer expectations and a way to demonstrate transparent, effective fund management.
Key Cybersecurity Provisions in the Updated Uniform Guidance
Mandatory Cybersecurity Risk Assessments
Under Section 200.206 – Federal Agency Review of Risk Posed by Applicants, grant administrators and compliance officers must ensure their organization is prepared for federal agencies to evaluate cybersecurity risks when assessing applicants for federal awards. The latest update specifies:
- Reviewing an entity’s IT security posture, cybersecurity policies, and risk management framework.
- Assessing past security breaches, incident reports, and remediation actions.
- Evaluating compliance with established federal cybersecurity frameworks, such as the NIST Cybersecurity Framework (CSF) 2.0.
- Note that OMB has not mandated a specific framework.
- Determining financial and operational risks tied to cybersecurity vulnerabilities.
Federal agencies are now required to document and update cybersecurity risk assessments. Proactive compliance throughout the grant cycle can help to avoid potential funding disruptions. Grant administrators should also be aware that agencies may impose additional cybersecurity conditions or require corrective actions from noncompliant recipients.
New Internal Cybersecurity Controls Requirement
OMB Guidance Section 200.303 – Internal Controls mandates that all recipients and subrecipients of federal grants establish cybersecurity measures to protect sensitive information, including Protected Personally Identifiable Information (PII), grant-related financial data, and federal systems access. Required measures include:
- Documented cybersecurity policies that address user access, encryption, and multi-factor authentication (MFA).
- Implementation of cybersecurity controls aligned with federal best practices, such as NIST CSF 2.0 or other federally recognized security frameworks (reminder that OMB has not mandated using something specific).
- Incident response plans to detect, mitigate, and report cyber threats to ensure regulatory compliance.
- Vendor risk management policies for third-party service providers handling federal data.
Since federal agencies will conduct compliance audits at some point, it’s important for grant recipients to familiarize themselves with NIST or other cybersecurity frameworks now. Policies and procedures may need to be adjusted.
CISA’s Cybersecurity Playbook for Federal Grant Recipients
As part of the federal government’s broader push for cybersecurity accountability, in December 2024 the Cybersecurity and Infrastructure Security Agency (CISA) published the CISA Cybersecurity Grant Playbook to help agencies and grant recipients implement cybersecurity requirements effectively. CISA lays out step-by-step guidance for integrating cybersecurity into federal grant programs, best practices for cybersecurity policies and risk assessments, and useful compliance checklists already aligned with OMB’s Uniform Guidance updates.
Next Steps: Cybersecurity Compliance with Federal Grants
The multi-page update released at the end of 2024 along with CISA’s playbook can be a lot for federal agencies and grant recipients to understand. Knowing where to start can be challenging. There are a few steps that grant administrators, CFOs, and compliance officers can take now to position themselves for success.
- Conduct a Cybersecurity Risk Assessment: Review cybersecurity vulnerabilities and outline milestones on the road to compliance.
- Implement Stronger Data Protection Measures: Strengthen encryption, access controls, and secure authentication mechanisms.
- Prepare for Compliance Audits: Before federal audits begin in FY 2025, update cybersecurity documentation.
- Develop a Cyber Incident Response Plan: Begin by reviewing CISA Guidelines for Cybersecurity Best Practices.
Cybersecurity Solutions and Expert Guidance
At PBMares, we specialize in helping federal agencies and grant recipients navigate OMB’s evolving cybersecurity mandates. Our services include:
- Cybersecurity risk assessments to identify gaps in compliance.
- Implementation of internal controls aligned with OMB’s Uniform Guidance.
- Federal grant compliance audits to secure funding eligibility.
- Cyber incident response planning and security awareness training.
Protecting Your Federal Funding: Ensuring Compliance with OMB’s Cybersecurity Mandates
With cybersecurity now a core compliance requirement for federal grants, federal agencies and recipients must act immediately to meet OMB’s expectations and protect funding eligibility.
Need guidance on achieving cybersecurity compliance? Contact our team today or connect with Antonina McAvoy, Cybersecurity & Risk Advisory Partner.
Link to May 2024 Article Update: Securing Grants: Decrypting OMB’s Latest Uniform Guidance for a Secure Funding Future