Critical Infrastructure Cybersecurity Program
Proposals Due Oct. 6, 2025
CCI seeks proposals for seed research grants that advance the state of the art of critical infrastructure cybersecurity.
We welcome applications from all researchers, including those researchers and institutions who have yet to engage with CCI or each other. Applications from all eligible people in the commonwealth will be equally considered for funding.
Presidential Policy Directive 21 defines critical infrastructure sectors as:
- Chemical
- Commercial Facilities (e.g., NFL stadiums)
- Communications
- Critical Manufacturing
- Dams
- Defense Industrial Base, including research universities doing Department of Defense (DoD) research
- Emergency Services
- Energy
- Financial Services
- Food & Agriculture
- Government Services & Facilities, including local and state government
- Healthcare & Public Health
- Information Technology
- Nuclear Reactors, Materials, & Waste
- Transportation Systems
- Water & Wastewater Systems
Over 80 percent of the United States’ critical infrastructure is privately owned and operated. In rural areas, it is common for small cooperatives to provide critical infrastructure services such as electricity distribution. These enterprises rarely have the capacity to staff a security operation center 24x7, evaluate cybersecurity posture, evaluate cybersecurity products, and so on. At the other end of the spectrum, large municipalities such as Fairfax County may have the resources to staff a large cyber fusion center but are also the target of well-funded nation state actors and criminal gangs.
Topics for this call include but are not limited to advancing the state-of-the-art in:
- AI-informed cybersecurity operations for small- and medium-sized critical infrastructure providers.
- Broad, generally applicable horizontal solutions that protect most critical infrastructure sectors.
- Tailored, vertical solutions that protect specific critical infrastructure segments because of the specialized nature of the sector or leverage or address unique characteristics of a sector, such as limited, intermittent connectivity, 30-year equipment lifetimes, legacy installed base, or public policies that inhibit the deployment of modern cybersecurity solutions.
Objectives of this call include:
- To produce seminal contributions to critical infrastructure cybersecurity, targeting the expansion of this research through competitive grants from the federal government, private sector, philanthropic foundations, and other sources.
- To foster interdisciplinary collaboration to produce high-quality research with strong domain knowledge resulting in a high likelihood of future extramural funding.
- To produce research contributions that translate into benefits to Virginia companies.
- To explore opportunities for innovation (commercialization, entrepreneurship, etc.) in critical infrastructure cybersecurity.
Proposal Guidelines
Eligibility
Who Can Serve as Principal Investigator (PI): Researchers and faculty members at public institutions in CCI who are deemed eligible by their home institution to serve as a PI on an external grant are eligible to apply.
Limit on Number of Proposals per Institution: There are no restrictions or limits.
Limit on Number of Proposals per Investigator: An eligible researcher can participate in one proposal.
Other Requirements: Proposals:
- Proposers must indicate which additional funding opportunities from the federal government or industry (e.g., specific calls, agencies or companies that have expressed interest in the work, etc.) they will pursue to build on the research funded by this call. Proposals must identify alternate funding opportunities should the primary opportunity fail.
Awards
Maximum Award Amount: $100,000 per proposal. Proposals must involve multiple CCI institutions. CCI cannot award grants to private institutions. Thus, the proposal must include at least two public CCI institutions. Private institutions may participate but cannot be funded by this proposal.
Award Conditions: Successful applicants are expected to participate fully in CCI activities. Researchers must meet specific conditions by:
- Providing materials needed for reports.
- Participating in CCI meetings.
- Acting as a reviewer for future CCI calls for proposals.
- Responding to data collection requests by CCI relating to the grant.
- Acknowledging CCI support in all publications and presentations resulting from the grant.
The PI is responsible for a final technical report and a final financial report 30 and 60 days following the end of the period of performance.
Full Proposal Format
1. Title page (one page): Title of the proposed project, name, affiliation, and contact information for the Principal Investigator (PI) and co-Principal Investigators (co-PIs), if any. Find an example of the title page format at the bottom of this page.
2. Proposed Research Project (up to four pages): Project description.
- Rationale: Discussion of the technical background and engineering/scientific justification. This should include project objectives and the intellectual merit of the proposed work.
- Relevance to CCI and this call: A brief paragraph describing how the project will advance the state of the art in cybersecurity, particularly cybersecurity for critical infrastructure. Include an explanation of how the proposed research will address one or more critical infrastructure sectors.
- Research plan: What exactly will you do? How will you meet the objectives? What are the motivations, methods, likely outcomes, milestones, and future directions? If you’ll leverage existing CCI assets and equipment to support the research, describe the equipment/assets and how you'll use them.
- Deliverables: Describe the expected deliverables for the project (publications, demonstrations, intellectual property, etc.).
3. Plan for Additional Funding and Impact on the Commonwealth (up to one page):
- Identify one or more specific opportunities for additional funding to expand the proposed research. Outline a plan to pursue this funding. See the Requirements section above for more details.
- Address the potential for commercialization and economic development and impact from this work.
4. References (not included in the page count)
5. Budget:
- A detailed budget and one-page justification must be included. Confirm your ability to utilize all potentially awarded funds by Dec. 31, 2026.
- Travel should be included to support the PI’s and team members’ attendance at the annual CCI Symposium and other CCI events. The next Symposium is expected to take place in April 2026 in Richmond, Va.
- Indirect costs are not allowed.
6. Biographical sketches: Up to three pages for each investigator, using NSF format.
7. Current and pending support for each investigator:
- Title of the project, status (current, pending, submission planned, etc.), source of the support, period of performance, total award amount, and the portion of the award attributed to the investigator.
- Investigators can use a current NSF Current & Pending Support document that contains this information.
Proposal Submission
The proposal must be submitted to CCI Managing Director John Delaney at jpdelaney@vt.edu on Oct. 6, 2025, by the close of business day (5 p.m. ET). All proposals must be submitted as a PDF with the subject line reading: “CCI Fall 2025 Research Call.”
Proposals and budgets should go through the appropriate approval process at the PI’s institution. For example, many universities require researchers to include a proposal and budget approved in the standard Office of Sponsored Programs (or your institution’s equivalent) pre-award procedure. Consult the PI’s node director to confirm the process.
Contact information of CCI node directors:
- Central Virginia: Erdem Topsakal at etopsakal@vcu.edu
- Coastal Virginia: Daniel Takabi at takabi@odu.edu
- Northern Virginia: Liza Wilson Durant at ldurant2@gmu.edu
- Southwest Virginia: Gretchen Matthews at gmatthews@vt.edu
Evaluation Criteria
A committee will review the proposals and make funding recommendations. Evaluation criteria include:
- Substantial intellectual merit related to cybersecurity.
- Relevance to the focus of the call on cybersecurity for critical infrastructure.
- A clear plan for obtaining future funding from the government, the private sector, philanthropy, etc., and the likelihood of being competitive for the programs identified by the PI.
- Substantial broader impacts related to CCI’s mission lines of innovation and workforce development, as well as in diversifying the cyber workforce.
Refer to the Frequently Asked Questions section below for general questions concerning this call for proposals. Specific questions and the requirements herein should be directed in writing to CCI Research Director Eric Burger at ewburger@vt.edu.
Schedule
| Milestone | Date |
| Call for Proposal Announced | Sept. 2, 2025 |
| Question Period Ends | Sept. 26, 2025 |
| Proposals Due | Oct. 6, 2025 |
| Award notification | Dec. 8, 2025 |
| Period of performance | Jan. 1, 2026, to Dec. 31, 2026 |
Title Page Format Example
CCI Request for Proposals: Cybersecurity for Critical Infrastructure
Project Title:
Project Abstract (up to 250 words):
Total Requested Amount:
Requested Amount per Institution:
Name, Title, and Mailing Address for Primary Contact at Each Institution Requesting Funding:
Project Investigators:
| PI Name | INSTITUTION | DEPARTMENT | |
Frequently Asked Questions
At least two public institutions in CCI must be funded by the proposal. Private institutions may be a part of the proposal, but they cannot receive funding from this call, either directly or indirectly via a subcontract.
There is no limit. However, the maximum budget request is $100,000.
You can only request funding as a Principal Investigator (PI), co-PI, or funded researcher on a single proposal. You may collaborate on any number of proposals without requesting funding. If researchers have other support, they can be listed on a second (or more) proposal, but they cannot request funding on those proposals.
You can directly identify a funding opportunity. For example, if you have a proposal for the NSF CISE Future CoRe, reference it, including what submission date you are targeting. Please be realistic with the submission date: a proposal for a year-long seed project with a submission deadline two months from the proposal submission date is not realistic.
If the program typically has annual submission dates but the current program solicitation does not list them, say so. Back up the claim with evidence.
Any program with a minimum of $1,000,000 over four years counts. This is a minimum: over time, several CCI collaborative extramural awards are in excess of $10,000,000.
There is a balance of credibility and credibility. If you say your project will lead to submissions to several different funding programs, you need to explain how those disparate funding agencies will all see the value in the work funded by CCI. Conversely, if you focus on a single grant opportunity, the first thing reviewers will ask themselves is What if that opportunity fails? You should have an explanation for that, as well.
See Presidential Policy Directive 21 and CISA guidance. You may be surprised at what counts as critical infrastructure.
Yes.
If the project is tailored to a critical infrastructure sector, addressing cybersecurity, then it is a critical infrastructure cybersecurity project. We call this addressing a critical infrastructure vertical. Examples would be cybersecurity for wastewater treatment, cybersecurity for aviation, cybersecurity for elections, etc.
If you are proposing basic algorithm or systems projects, they are not likely to get funded by this call. However, if you are proposing basic cybersecurity science or technology with a direct application to critical infrastructure, that might be eligible for funding from this CCI call.
Not necessarily. You need to explain in your proposal how the project addresses the unique needs of the various critical infrastructure sectors. For example, one of the aspects of the Critical Manufacturing Sector is the expectation that equipment, including software embedded in that equipment, has a service life of decades. Another example would be the Transportations Systems Sector. A recent article noted the German National Railway was looking for a Windows 3.11 Administrator. Many applications in the Energy Sector require millisecond response times. The Financial Services Sector and the Healthcare & Public Health Sector have strict privacy regulations. Articulating how your project addresses the needs of one or more sectors will help reviewers understand the relevance of your proposal to critical infrastructure cybersecurity.