Top Cybersecurity Grants for Nonprofits in 2026

Most nonprofits think cybersecurity grants are just about buying firewalls and antivirus software. They’re not.

The best programs in 2026 fund what you actually need: threat assessments, staff training, backup systems, and the security planning that stops breaches before they happen. Federal programs like FEMA’s Nonprofit Security Grant Program can provide up to $150,000 for physical and cybersecurity protections. State-level grants add another layer. Regional programs, like those serving arts organizations in Canada, offer free security services worth thousands.

This guide breaks down exactly which grants exist, who qualifies, what you can fund, and how to apply without drowning in paperwork. You’ll learn the difference between NSGP-UA and NSGP-S programs, what makes a strong vulnerability assessment, and which expenses federal agencies actually approve.

If you’re running a 501(c)(3) nonprofit and you’re worried about ransomware, donor data breaches, or just meeting basic security standards on a tight budget, these grants exist specifically for organizations like yours.

What Is the Nonprofit Security Grant Program (NSGP)?

The Nonprofit Security Grant Program is FEMA’s primary funding mechanism for nonprofit organizations at high risk of terrorist attacks. It’s administered through the Department of Homeland Security (DHS) and provides funding for physical security enhancements and cybersecurity improvements.

Two distinct programs fall under the NSGP umbrella: NSGP-UA (Urban Area) and NSGP-S (State). Both programs serve 501(c)(3) nonprofit organizations, but they operate in different geographic areas and have slightly different application processes.

NSGP Program Goals and Purpose

FEMA designed the NSGP to protect nonprofit organizations that face elevated risk due to their ideology, beliefs, or mission. Houses of worship, community centers, museums, and other nonprofits that could be targets of terrorist or extremist attacks can access funding to harden their facilities and enhance security measures.

The program doesn’t just hand out money for security cameras. It requires documented risk assessments, detailed Investment Justification documents, and proof that your organization faces genuine threats.

What Makes NSGP Different from Other Grant Programs

Unlike general nonprofit grants that fund programs or operations, NSGP focuses exclusively on security. You can’t use NSGP funds for staff salaries, program expansion, or general operating expenses.

Every dollar must go toward target hardening, security training, planning activities, or equipment explicitly listed on FEMA’s Authorized Equipment List (AEL). The program requires detailed documentation of terrorist threats and vulnerability assessments before you even apply.

This isn’t a grant for organizations that “might” face risk. It’s for nonprofits that can document specific threats, incidents, or characteristics that make them high-risk targets.

Who Is Eligible for Cybersecurity Grants for Nonprofits?

Not every nonprofit qualifies for NSGP funding. FEMA has strict eligibility requirements that focus on organizational structure, tax status, and documented risk.

Core Eligibility Requirements

Your organization must be a 501(c)(3) nonprofit recognized by the IRS. That’s non-negotiable. You also need to be registered in the System for Award Management (SAM) before you can receive federal funding.

Beyond tax status, you must demonstrate that your organization is at high risk of terrorist attack. This typically means you serve communities that have experienced hate crimes, you’re located in areas with documented extremist activity, or your mission focuses on ideologies or beliefs that extremist groups target.

Houses of worship qualify frequently because they serve visible communities and gather large groups in predictable locations. But eligibility isn’t automatic—you still need documentation.

Required Documentation for Eligibility

FEMA requires specific evidence that your nonprofit faces elevated risk:

  • Documented threats against your organization or similar entities
  • Police reports of incidents targeting your facility or community
  • Evidence of hate crimes or extremist activity in your area
  • Risk assessments conducted by security professionals
  • Records of previous security incidents or attempted attacks

You’ll also need current mission statements, organizational bylaws, IRS determination letters, and Environmental and Historic Preservation (EHP) compliance documentation for any construction or installation activities.

Geographic Restrictions and Urban Area Designations

NSGP-UA operates only in designated Urban Areas defined by DHS. These are typically major metropolitan regions with dense populations and documented terrorist threats. If your nonprofit operates outside these Urban Areas, you’ll need to apply through NSGP-S instead.

Check FEMA’s Notice of Funding Opportunity (NOFO) released each year to confirm which Urban Areas are eligible. Geographic boundaries change based on threat assessments and funding allocations.

Understanding NSGP-UA vs. NSGP-S: Which Program Applies to You?

The two NSGP programs serve different geographic areas and operate through different administrative channels. Knowing which one applies to your organization determines where you submit your application.

NSGP-UA: Urban Area Program Details

NSGP-UA serves nonprofits located within designated Urban Areas. These are regions DHS identifies as having elevated terrorist threat levels and dense nonprofit populations.

Urban Area programs typically offer higher maximum awards—up to $200,000 per site in recent years—and have more competitive application processes. You apply through your local Urban Area Working Group (UAWG), not directly to FEMA.

The advantage? Local UAWGs understand regional threats and can provide guidance tailored to your area. The challenge? Competition is fierce because many nonprofits in urban centers apply for limited funds.

NSGP-S: State-Level Program Structure

NSGP-S covers nonprofit organizations outside designated Urban Areas. If your nonprofit operates in suburban, rural, or smaller metropolitan regions, this is likely your program.

Maximum award amounts under NSGP-S are typically lower—around $150,000 per site—and you apply through your State Administrative Agency (SAA) rather than a local working group. Your state’s emergency management division usually administers the program.

State programs often have longer application windows and may offer more direct support to smaller nonprofits unfamiliar with federal grant processes.

How to Determine Your Correct Program

Start by checking the current NOFO on FEMA’s grants page. The NOFO lists all designated Urban Areas for that funding cycle.

If your nonprofit’s primary facility falls within a listed Urban Area, apply through NSGP-UA. If not, contact your State Administrative Agency to confirm NSGP-S application procedures.

Some nonprofits operate multiple facilities across both urban and state jurisdictions. You can apply to both programs if you have sites in different areas, but each application must cover distinct facilities.

How Much Funding Can Your Nonprofit Receive?

NSGP award amounts vary by program type, site count, and funding availability each year. Understanding the maximums helps you plan your security investment strategy.

Maximum Award Amounts for 2026

For NSGP-UA, individual nonprofits can receive up to $200,000 per site. Organizations with multiple sites can apply for funding at each location, up to a maximum of three sites per grant period, potentially reaching $600,000 total.

NSGP-S typically caps awards at $150,000 per site with similar multi-site provisions. These amounts aren’t guaranteed—they represent maximums, and actual awards depend on your application strength, documented risk, and available funding.

FEMA makes final award decisions based on vulnerability assessments, Investment Justification quality, and how effectively you demonstrate elevated risk.

Multi-Site Funding Rules

If your nonprofit operates multiple locations, you can request funding for up to three sites in a single application period. Each site needs its own vulnerability assessment, Investment Justification, and security enhancement plan.

Multi-site applications require careful coordination. You must demonstrate that each location faces documented threats and that security enhancements at one site don’t simply shift risk to another.

The additional administrative burden is significant, but for large nonprofits with multiple at-risk facilities, multi-site funding can be worth the effort.

Matching Requirements and Cost-Share Provisions

NSGP grants do not require matching funds or cost-share contributions. That’s unusual for federal grant programs and makes NSGP particularly valuable for smaller nonprofits.

No match required: NSGP covers 100% of eligible project costs.

However, you’re responsible for maintenance, ongoing training, and operational costs after installation. Budget for these expenses when planning your security enhancements.

What Can NSGP Funds Be Used For?

FEMA maintains strict guidelines on allowable expenses under NSGP. Understanding what qualifies prevents application rejections and ensures you request appropriate equipment and services.

Target Hardening and Physical Security Enhancements

The bulk of NSGP funding typically goes toward target hardening—physical modifications that make facilities harder to attack. This includes:

  • Security cameras and video surveillance systems
  • Access control systems and badge readers
  • Reinforced doors, locks, and window protection
  • Perimeter fencing and bollards
  • Lighting systems for parking areas and building exteriors

All equipment must appear on FEMA’s Authorized Equipment List. Custom or unlisted items require special justification and approval.

Cybersecurity Enhancements as Eligible Costs

NSGP increasingly recognizes cybersecurity as a critical component of nonprofit security. Eligible cybersecurity expenses include:

  • Firewall and network security equipment
  • Intrusion detection and prevention systems
  • Endpoint protection and antivirus solutions
  • Security information and event management (SIEM) tools
  • Backup and disaster recovery systems
  • Cybersecurity training for staff

You must tie cybersecurity investments to documented threats. Generic “we need better security” justifications don’t work. Show evidence that your organization faces cyber threats related to your mission or community.

Planning, Training, and Exercise Activities

NSGP funds aren’t limited to equipment. You can use grants to develop security plans, conduct training exercises, and build organizational capacity around security operations.

Eligible planning and training expenses include security assessments, emergency response plan development, active shooter training, tabletop exercises, and security awareness programs for staff and volunteers.

These “soft” security investments often deliver better long-term protection than equipment alone. Trained staff who recognize threats prevent more incidents than cameras that no one monitors.

Contracted Security Personnel

NSGP allows funding for contracted security personnel, but only for the grant’s period of performance—typically 36 months. You cannot use NSGP funds to hire permanent security staff.

Contracted guards must provide specific security functions documented in your Investment Justification. General “presence” doesn’t qualify. You need clear roles tied to threat mitigation.

What NSGP Funds Cannot Cover

Several common security expenses are explicitly prohibited:

  • Permanent staff salaries or benefits
  • General operating expenses or facility maintenance
  • Equipment not listed on the AEL
  • Construction projects unrelated to security
  • Legal fees or grant writing services

Read the NOFO carefully before finalizing your budget. Prohibited expenses in your application will result in rejection or reduced funding.

Required Documents for Your NSGP Application

NSGP applications require extensive documentation. Missing or inadequate documents are the most common reason applications get rejected.

Investment Justification Document

The Investment Justification (IJ) is your application’s centerpiece. It’s a detailed narrative explaining why your organization faces elevated risk and exactly how proposed security enhancements will mitigate specific threats.

Your IJ must include documented evidence of threats, a clear description of vulnerabilities identified in your risk assessment, and detailed explanations of how each requested security measure addresses specific risks.

Generic language fails. Instead of “We need cameras for security,” write “We documented three incidents of vandalism targeting our facility’s north entrance in the past 18 months. Installing four cameras with night vision capabilities will provide 24/7 monitoring of this vulnerable access point.”

Vulnerability and Risk Assessment Requirements

Every NSGP application requires a formal vulnerability assessment conducted by a qualified security professional. Self-assessments don’t meet FEMA’s standards.

Your assessment must identify specific vulnerabilities at your facility, evaluate the likelihood and impact of potential attacks, and prioritize security improvements based on risk levels.

Many nonprofits hire security consultants to conduct these assessments. The cost typically ranges from $2,000 to $10,000 depending on facility size and complexity. Some State Administrative Agencies offer free or subsidized assessment services—check with your SAA before paying for private assessments.

Environmental and Historic Preservation Compliance

If your proposed security enhancements involve construction, installation, or modifications to buildings, you must complete Environmental and Historic Preservation (EHP) screening.

This process ensures your security improvements don’t damage historic structures or violate environmental regulations. EHP review can add weeks or months to your project timeline, so start early.

Projects involving historic buildings, sites near wetlands, or facilities in designated preservation districts face more scrutiny. Work with your State Administrative Agency to navigate EHP requirements.

Organizational Documentation Checklist

Beyond security-specific documents, FEMA requires standard nonprofit paperwork:

  • Current IRS 501(c)(3) determination letter
  • Active SAM registration confirmation
  • Organizational mission statement
  • Articles of incorporation or bylaws
  • Financial statements or IRS Form 990

Gather these documents before starting your application. Missing organizational paperwork is an easy problem to avoid but still causes application delays.

How to Complete Your Vulnerability Assessment

The vulnerability assessment forms the foundation of your entire NSGP application. A weak assessment produces a weak application, regardless of how real your threats are.

Choosing a Qualified Security Assessor

FEMA doesn’t mandate specific credentials for security assessors, but your assessor must demonstrate expertise in physical security, risk assessment methodologies, and nonprofit facility protection.

Look for assessors with backgrounds in law enforcement, military security, or certified protection professional (CPP) credentials. Ask for examples of previous nonprofit assessments and references from organizations that received NSGP funding.

Some State Administrative Agencies maintain lists of approved assessors or offer assessment services directly. Contact your SAA before hiring an independent consultant.

Key Elements of a Strong Vulnerability Assessment

Your assessment must cover multiple security domains. Strong assessments address physical security vulnerabilities, cybersecurity weaknesses, personnel security gaps, and emergency preparedness deficiencies.

The assessment should identify specific vulnerabilities (unlocked doors, unmonitored access points, outdated locks), evaluate likelihood and impact of potential attacks, and prioritize improvements based on risk severity.

FEMA wants to see evidence-based analysis, not opinions. Your assessor should reference industry standards, best practices, and specific threat intelligence when making recommendations.

Documenting Threats and Incidents

Your vulnerability assessment must include documented evidence of threats. This can include police reports of incidents at your facility, news coverage of attacks on similar organizations, documented hate crimes in your community, or threat intelligence from law enforcement partners.

The more specific your threat documentation, the stronger your application. “Houses of worship face increased risk” is too general. “Three synagogues within 20 miles of our facility experienced vandalism in 2025, and local police documented increased antisemitic activity in our neighborhood” is specific and compelling.

Connecting Vulnerabilities to Proposed Solutions

The best vulnerability assessments don’t just identify problems—they connect each vulnerability to specific, actionable solutions that you can request in your NSGP application.

If your assessment identifies your parking lot as a vulnerable area with poor lighting and no surveillance, your solution section should recommend specific lighting systems and camera placements with equipment models from the AEL.

This direct connection between assessment findings and funding requests makes your Investment Justification more persuasive and demonstrates strategic thinking.

Step-by-Step Application Process

NSGP applications follow a multi-stage process with strict deadlines. Missing any step can disqualify your application.

Pre-Application Requirements

Before you can apply, complete these foundational steps:

  1. Register your organization in the System for Award Management (SAM) at sam.gov
  2. Obtain a Data Universal Numbering System (DUNS) number if you don’t have one
  3. Verify your 501(c)(3) status and gather IRS documentation
  4. Complete your vulnerability assessment
  5. Develop your security enhancement plan and budget

SAM registration alone can take several weeks. Start this process months before application deadlines, not days.

Working with Your State Administrative Agency

Your State Administrative Agency is your primary resource throughout the application process. Contact your SAA as soon as you decide to pursue NSGP funding.

SAAs can provide application guidance, review draft documents, connect you with approved security assessors, and clarify state-specific requirements that supplement FEMA’s federal guidelines.

Many states offer pre-application workshops or webinars. Attend these sessions. They provide insider knowledge about what reviewers look for and common application mistakes to avoid.

Submission Timeline and Deadlines

FEMA typically releases the NSGP Notice of Funding Opportunity in February or March each year. Application deadlines usually fall 60-90 days after the NOFO release.

Don’t wait until the deadline to submit. Technical problems, missing documents, or SAA review requirements can derail last-minute applications. Submit at least two weeks early if possible.

After submission, expect a 60-90 day review period. FEMA typically announces awards by late summer or early fall. The period of performance usually begins 30-60 days after award notification.

What Happens After You Apply

After submission, your State Administrative Agency conducts an initial review to verify completeness and state-level eligibility. Applications that pass state review move to FEMA for federal evaluation.

FEMA scores applications based on risk level, vulnerability assessment quality, Investment Justification strength, and budget reasonableness. Highest-scoring applications receive funding first until available dollars are exhausted.

If your application is approved, you’ll receive an award package with detailed terms and conditions. You must accept the award and complete additional paperwork before funds are released.

State and Regional Cybersecurity Grant Programs

Beyond FEMA’s NSGP, several state-level and regional programs offer cybersecurity funding specifically for nonprofits. These programs typically have smaller award amounts but less competition and more flexible eligibility requirements.

State-Specific Grant Opportunities

Many states operate their own nonprofit security grant programs separate from NSGP. These programs vary widely in structure, funding amounts, and focus areas.

Some states prioritize cybersecurity explicitly, while others focus on physical security with cybersecurity as an allowable expense. Contact your state’s nonprofit association or emergency management division to identify available programs.

State programs often have shorter application cycles and faster award timelines than federal grants. They can be excellent options for smaller nonprofits intimidated by NSGP’s documentation requirements.

Regional Arts Cybersecurity Program Example

The Essential Cybersecurity for Arts Organizations program offers up to 25 arts nonprofits in Southern Alberta, Canada, free access to the EverSecure cybersecurity service for one year, normally valued at upwards of $5,000.

This program provides a full cybersecurity assessment of email systems, ticketing platforms, CRM/donor databases, financial software, and third-party tools, followed by a prioritized remediation plan.

Eligibility requires organizations to be registered Canadian charities or nonprofits, arts-focused and presenting arts-based work for a public audience, operating in the Treaty 7 region (Southern Alberta), and committed to staff completing quarterly cybersecurity training.

This program model demonstrates how regional initiatives can address specific sector needs. Arts organizations face unique cybersecurity challenges around ticketing systems and donor databases. A targeted program delivers better results than generic grants.

Industry-Specific Programs Worth Exploring

Beyond geographic programs, some grant initiatives target specific nonprofit sectors. Healthcare nonprofits, educational institutions, and social service organizations may qualify for industry-specific cybersecurity funding.

Professional associations in your sector often maintain grant databases. Check with your industry’s national nonprofit association for cybersecurity funding opportunities targeted to your organization type.

Common Application Mistakes to Avoid

Most NSGP applications fail for predictable reasons. Understanding common mistakes helps you avoid them.

Weak or Generic Threat Documentation

The most common failure point is inadequate threat documentation. Statements like “nonprofits face increased risk” or “cybersecurity threats are rising” don’t demonstrate your organization’s specific elevated risk.

FEMA wants police reports, incident logs, news coverage, and threat intelligence. Generic industry statistics don’t substitute for specific documentation relevant to your organization.

Poor Budget Justification

Applications with equipment lists but no explanation of how each item addresses specific vulnerabilities get rejected. Your budget must connect directly to your vulnerability assessment findings.

For every line item, explain which vulnerability it addresses and how it mitigates documented threats. This level of detail transforms a shopping list into a strategic security plan.

Missing Administrative Requirements

Simple administrative failures sink applications. Expired SAM registrations, missing EHP documentation, incomplete financial statements, or outdated IRS determination letters all cause rejections.

Create a checklist of every required document and verify each item before submission. Have someone else review your complete application package. Fresh eyes catch missing pieces.

Requesting Prohibited Expenses

Applications that include ineligible costs raise red flags about your understanding of NSGP requirements. Review the NOFO’s list of prohibited expenses carefully.

If you’re unsure whether something qualifies, ask your State Administrative Agency before including it in your application. Don’t guess on eligibility.

Maximizing Your Application’s Competitiveness

Strong applications share common characteristics. Incorporating these elements increases your approval odds significantly.

Professional Vulnerability Assessment Quality

Applications based on professional, thorough vulnerability assessments dramatically outperform those with basic or self-conducted assessments. The assessment quality signals your organization’s security sophistication.

Don’t cheap out on the vulnerability assessment. It’s the foundation of everything else. A $5,000 professional assessment that secures $150,000 in funding is a phenomenal investment.

Clear, Evidence-Based Investment Justification

Your Investment Justification should read like a logical argument, not a grant proposal. Present evidence, identify vulnerabilities, propose solutions, and explain expected outcomes.

Use clear, direct language. Avoid grant-speak and buzzwords. Security reviewers value clarity and specificity over elaborate prose.

Realistic Implementation Timeline

Include a detailed implementation timeline showing when you’ll procure equipment, complete installations, conduct training, and achieve operational capability. Unrealistic timelines suggest poor planning.

Account for procurement delays, installation schedules, training coordination, and EHP review periods. A 36-month period of performance seems long, but complex security projects need time.

Strong Letters of Support

Letters from local law enforcement, community leaders, or partner organizations strengthen applications by validating your documented threats and community risk level.

Generic letters don’t help. Request letters that reference specific incidents, acknowledge documented threats in your community, and affirm your organization’s elevated risk profile.

Managing Grant Funds After Award

Receiving NSGP funding is just the beginning. Proper grant management ensures you can use funds effectively and maintain compliance throughout the period of performance.

Procurement and Installation Requirements

FEMA requires competitive procurement for equipment and services funded by NSGP. You must obtain multiple quotes and document your selection process.

Federal procurement rules are complex. Work with your State Administrative Agency to understand specific requirements. Improper procurement can result in disallowed costs and fund recapture.

Reporting and Compliance Obligations

NSGP recipients must submit quarterly progress reports and financial reports documenting expenditures. These reports aren’t optional—failure to report on time can result in funding suspension.

Track your spending meticulously. Maintain detailed records of purchases, installation dates, training completion, and security system activation. You may face federal audits during or after your period of performance.

Maintenance and Sustainability Planning

NSGP funds equipment purchase and installation, but you’re responsible for ongoing maintenance, monitoring, and operational costs. Budget for these expenses in your operational planning.

Security systems that aren’t maintained become useless quickly. Include maintenance contracts in your initial budget if possible, or plan for ongoing costs after the grant period ends.

Alternative Cybersecurity Funding Sources

If NSGP doesn’t fit your organization’s needs, several alternative funding sources exist for nonprofit cybersecurity improvements.

Technology Modernization Grants

Many general nonprofit capacity-building grants include technology improvements as allowable expenses. While not specifically cybersecurity-focused, these programs can fund security upgrades as part of broader IT modernization.

Foundation grants from major technology funders often support digital infrastructure improvements. Research foundations in your region that fund nonprofit capacity building and technology adoption.

In-Kind Technology Services

Programs like Microsoft for Nonprofits, Google for Nonprofits, and TechSoup provide discounted or free technology services including cybersecurity tools.

While not grants, these programs can significantly reduce cybersecurity costs by providing enterprise-grade security tools at nonprofit pricing. The savings often exceed what you’d receive from small grant programs.

Cybersecurity Training and Assessment Programs

Organizations like the Center for Internet Security offer free or low-cost cybersecurity assessments and training specifically for nonprofits.

These programs help you understand your vulnerabilities without the cost of hiring consultants. While they don’t provide funding, they reduce the expense of grant preparation and improve your security posture immediately.

Building Long-Term Cybersecurity Resilience

Grants provide funding for initial security improvements, but long-term protection requires ongoing commitment and strategic planning beyond one-time equipment purchases.

Staff Training as Foundation

The most effective security investment you can make is staff training. Your people are both your greatest vulnerability and your strongest defense.

Regular security awareness training, phishing simulations, and incident response drills create a security-conscious culture. This cultural shift protects your organization more effectively than any technology purchase.

For practical guidance on implementing security training programs, review this guide to cybersecurity training programs.

Integrating Security into Organizational Culture

Security can’t be an IT department responsibility alone. Effective nonprofit cybersecurity requires board-level oversight, executive commitment, and organization-wide participation.

Develop security policies, conduct regular risk assessments, and include security metrics in board reporting. When leadership treats security as a strategic priority, staff follow.

Balancing Security Needs with Budget Constraints

Most nonprofits operate with limited budgets. Cybersecurity competes with programs, staff, and mission-critical expenses for scarce dollars.

Focus on cost-effective security measures that deliver maximum protection. Strong password policies, multi-factor authentication, regular backups, and staff training provide excellent security without major expense.

This approach to affordable cybersecurity for organizations with limited budgets applies equally to nonprofits and small businesses.

Frequently Asked Questions

Can small nonprofits with limited staff qualify for NSGP funding?

Yes, organization size doesn’t determine NSGP eligibility. What matters is documented risk level, 501(c)(3) status, and your ability to complete required documentation. Many small nonprofits successfully receive NSGP funding, particularly houses of worship and community organizations facing documented threats.

Does Google give grants to nonprofits for cybersecurity?

Google provides up to $10,000 per month in free Google Search advertising to eligible nonprofits through the Google Ad Grants program, totaling up to $120,000 annually. This in-kind grant focuses on awareness and engagement rather than direct cybersecurity funding, though nonprofits can use the program to promote security awareness campaigns.

How long does the NSGP application process typically take?

From initial planning to award notification, expect 6-8 months minimum. The formal application window is usually 60-90 days, with review periods lasting another 60-90 days. However, preparing required documentation—particularly vulnerability assessments and SAM registration—can take several additional months. Start planning at least 9-12 months before you need funds.

Can NSGP funds cover cybersecurity insurance premiums?

No, NSGP funds cannot be used for insurance premiums, including cybersecurity or cyber liability insurance. The program funds security enhancements, equipment, training, and planning activities—not insurance products. However, implementing NSGP-funded security improvements may reduce your insurance premiums by lowering your risk profile.

Getting Started with Your Grant Application

If you’ve made it this far, you’re serious about protecting your nonprofit from cybersecurity threats. That’s good, because the threats aren’t going away.

Here’s what to do this week:

First, check if your organization is eligible for NSGP-UA or NSGP-S. Visit FEMA’s website and review the current Notice of Funding Opportunity to confirm your location falls within an eligible area.

Second, verify your SAM registration status. If you’re not registered, start that process immediately. It takes weeks.

Third, contact your State Administrative Agency. Introduce yourself, explain your interest in NSGP, and ask about upcoming application cycles, available support services, and state-specific requirements.

Fourth, begin documenting threats. Gather police reports, news coverage, and any evidence of incidents targeting your organization or similar nonprofits in your community. This documentation forms the foundation of your application.

For nonprofits serving specific communities or sectors, explore this detailed guide to cybersecurity for nonprofits that covers sector-specific considerations.

Don’t wait for perfect timing or complete information. The application process itself will teach you what you need to know. Start now, ask questions along the way, and remember that thousands of nonprofits successfully navigate NSGP every year.

Your mission matters. The communities you serve depend on you. Protecting your organization isn’t optional—it’s fundamental to fulfilling your purpose.

What’s your first step going to be?
