.png)
Threats against houses of worship, schools, and community organizations keep rising, but the budget to defend against them rarely keeps pace. That gap is what the Nonprofit Security Grant Program exists to close. For FY 2026, FEMA has made $300 million available, and eligible organizations can request up to $200,000 per site across as many as three sites, with no matching funds required.
Winning the grant is hard. So is spending it in a way that actually changes anything. A lot of applications end up funding hardware that records incidents after they happen, when the same money could fund a system that helps catch them in real time. This guide covers how the program works, how reviewers score it, and how to build a request that protects more of your people per dollar.
The NSGP is the largest federal funding source dedicated to protecting at-risk nonprofits, including houses of worship, schools, community centers, and service organizations. FY 2026 offers $300 million nationally, capped at $200,000 per site and $600,000 across three sites, with no cost-share.
California nonprofits have a second path. The California State NSGP is a state-funded program focused on organizations at risk of hate-based crimes, and it ran $76 million in its most recent cycle. You don't have to pick one. A lot of organizations phase projects across both, using one program to fund what the other can't.
You need to be a 501(c)(3) that can show elevated risk of a terrorist, extremist, or (for the state program) hate-based attack tied to your ideology, beliefs, or mission.
Three logistics catch first-time applicants. First, you apply through the state, not FEMA. In California that means Cal OES, which reviews and scores applications before forwarding them to FEMA, and it sets its own deadline earlier than the federal one. Second, you have to pick the right funding stream. NSGP-UA is for organizations inside FEMA-designated high-risk urban areas like the Bay Area, and NSGP-S is for everyone else. Apply to the wrong one and you're disqualified, full stop. Third, you need a Unique Entity Identifier from SAM.gov. It's free, but registration can take weeks, so start it before you touch anything else.
Reviewers aren't grading effort. They score how tightly you connect a documented threat, a specific vulnerability, and a serious consequence, and whether the equipment you request resolves that chain. The rubric is published right in the funding notice, so write to it directly.
A few things move the score more than anything else:
One more edge worth knowing. Organizations that have never received NSGP funding earn bonus points, 15 in the most recent cycle. If this is your first application, your odds are meaningfully better than you'd think. Say so.
A complete application rests on three pieces, and reviewers check them against each other.
The Investment Justification is the scored application. It's a fillable PDF with strict space limits. No attachments, no addendums, always the current-year form, always kept digital. A scanned copy is disqualified.
The Vulnerability Assessment is the evidence behind every request. You need one per physical address, and it has to be recent. CISA runs these at no cost, and Cal OES publishes a free worksheet and webinar if you'd rather do it yourself with local law enforcement.
The Mission Statement is short. Who you are and who you serve. Put anything here that raises your risk profile, like your community, your beliefs, and the activities that make you a target.
These aren't scoring deductions. They're hard rejections, and reviewers see them constantly:
Two more things to know before you win. NSGP is a reimbursement grant, so you spend first and get paid back, and anything you spend before the award date isn't covered. And installation needs FEMA Environmental and Historic Preservation approval before anything gets mounted or drilled. That one matters a lot for older buildings, so don't schedule the install until you've cleared it.
Because funding is capped per site, the real question isn't how much hardware you can buy. It's how much of your building you can actually protect with the money you're allowed to request.
That's where recording and real security part ways. A camera that only records buys you footage to review after something has already happened. What changes the math is connecting your cameras, doors, visitor check-in, and emergency workflows into one system that watches activity as it happens and flags a threat while there's still time to act on it. Instead of piecing together what went wrong afterward, staff get alerted in the moment and can coordinate a response.
That's also the exact chain reviewers are scoring. Real-time detection spots things like firearms, unauthorized entry, and safety events as they occur, alerts staff in seconds, and ties the response together. It's the difference between an application that funds a recorder and one that funds prevention.
Coram adds real-time AI detection for weapons, intrusions, and safety events to the cameras you already own, and it works with your existing infrastructure, so there's no rip and replace. It's one platform across video, access, visitors, and emergency response rather than four disconnected tools. For a capped grant, that shows up in three practical ways.
More protection per dollar. Since funding is capped per site, upgrading your existing cameras with AI detection usually covers more of your facility than replacing hardware would, and that's the kind of efficiency reviewers notice. [ADD A REAL EXAMPLE IF YOU HAVE ONE, e.g. a site that covered every entrance by upgrading existing cameras instead of replacing them.]
A budget built on real numbers. You get an itemized quote and bill of materials you can drop straight into your IJ budget, so your line items use real figures instead of estimates.
Application-ready language. We help you describe each item as a capability tied to a specific assessment finding, which is exactly what the rubric rewards.
FEMA released the FY 2026 funding notice on June 24, 2026, and state deadlines follow within weeks. The state-funded CSNSGP usually opens its next window in the fall. Even if you don't make this cycle, the work you do now carries forward. The assessment, the incident log, and the first-time bonus all stay intact for the next window.
So this week: confirm the Cal OES deadline and download the FY 2026 IJ form from the Cal OES Infrastructure Protection Grants page, register for a UEI at SAM.gov, book a vulnerability assessment through CISA (or complete the Cal OES worksheet with local law enforcement), start your threat and incident log, and get itemized vendor quotes so your budget runs on real numbers.
If you want a hand mapping your assessment findings to a capability-based budget, we'll walk your team through the assessment, the budget, and the application at no cost. Book a walkthrough with Coram →
For FY 2026, you can request up to $200,000 per site and up to $600,000 across three sites, with no matching funds required. FEMA has made $300 million available nationally for the program this cycle.
You must be a 501(c)(3) nonprofit that can demonstrate elevated risk of a terrorist, extremist, or (for the California state program) hate-based attack tied to your ideology, beliefs, or mission. Houses of worship, schools, community centers, and service organizations are typical applicants.
No. You apply through your state. In California that's Cal OES, which reviews and scores applications before forwarding them to FEMA. Cal OES sets its own deadline, and it's always earlier than the federal one.
NSGP-UA is for organizations inside FEMA-designated high-risk urban areas, like the Bay Area. NSGP-S is for everyone else. Applying to the wrong stream disqualifies your application, so confirm which one covers your location before you start.
Three: the Investment Justification (the scored, fillable-PDF application), a Vulnerability Assessment (one per physical address, and recent), and a short Mission Statement. You'll also need a free Unique Entity Identifier from SAM.gov to receive funds, and that registration can take weeks.

