Federal Grants 2026: Compliance, Readiness & Success Strategies

The 2026 federal grants environment looks nothing like it did three years ago. Tightened oversight, sweeping regulatory updates, and shifting agency priorities have raised the bar for every organization seeking security funding — and the stakes for getting it wrong have never been higher.

For K-12 schools, houses of worship, museums, and transit authorities, the challenge is twofold. First, you're competing for limited federal dollars against a growing pool of applicants. Second, federal agencies are now evaluating your compliance readiness before a single award decision is made. A documentation gap or misaligned proposal can eliminate your organization from consideration entirely.

This guide covers what's actually changed in 2026, the compliance requirements you cannot afford to miss, how to build genuine grant readiness before you apply, and the post-award strategies that separate organizations that keep their funding from those that lose it.


Key Takeaways

  • The 2024 revisions to 2 CFR 200 Uniform Guidance, Executive Order 14332 (August 2025), and the 2025 OMB Compliance Supplement have reshaped how agencies award and oversee federal grants.
  • Compliance is a pre-award requirement, not just a post-award obligation — agencies assess your readiness during the review process itself.
  • The most common audit failures involve inadequate documentation, poor subrecipient oversight, and cash drawdown discrepancies.
  • Key 2026 programs for security-focused organizations include NSGP ($274.5M in FY2025), COPS SVPP (up to $73M), and BRIC ($1B for hazard mitigation).
  • Organizations that build a compliance-first culture — with written internal controls, regular reconciliations, and audit-ready documentation — consistently out-compete those that don't.

The 2026 Federal Grants Landscape: What's Changed

Key Regulatory Updates Shaping 2026

Three major developments are reshaping how federal grants work in 2026. Each one directly affects security-focused organizations.

1. Revised 2 CFR 200 Uniform Guidance (effective October 1, 2024)

OMB's 2024 final rule, published on April 22, 2024, introduced several meaningful changes:

  • Single Audit threshold raised to $1,000,000 for fiscal years beginning on or after October 1, 2024 (up from $750,000)
  • De minimis indirect cost rate increased to 15% of modified total direct costs
  • Equipment threshold raised to $10,000
  • Clarified internal control documentation expectations across all award types

2. Executive Order 14332 — "Improving Oversight of Federal Grantmaking" (August 7, 2025)

Published at 90 FR 38929, this order fundamentally changed how agencies approach discretionary grants. Key provisions require:

  • Senior appointees to review new funding opportunities for alignment with agency priorities and national interest
  • Annual progress reviews with potential termination for awards that no longer advance agency priorities
  • Independent judgment in award decisions rather than routine ratification
  • Preference for lower indirect cost rates where all else is equal

Agencies are already embedding these requirements into new NOFOs and award terms.

3. 2025 OMB Compliance Supplement (effective November 25, 2025)

The updated Compliance Supplement refined audit procedures, expanded subrecipient monitoring expectations, and strengthened internal control documentation requirements across federal programs. Part 6 of the Supplement specifically addresses internal control over compliance requirements for federal awards.

What These Changes Mean for Security-Focused Organizations

Federal agencies are now writing measurable outcome language directly into NOFO requirements. A proposal that describes planned activities — installing cameras, upgrading doors — without quantifying expected outcomes will score lower than one that specifies reduced incident rates, faster emergency response times, or a defined number of individuals protected.

Operational infrastructure matters just as much. Under 2 CFR 200.206, federal reviewers assess organizational risk before making awards — and organizations that can't demonstrate grants management systems for financial tracking, performance reporting, and document retention face real scrutiny. Key areas reviewers examine include:

  • Financial management systems with audit-ready records
  • Performance reporting processes tied to measurable outcomes
  • Document retention practices that meet federal standards
  • Subrecipient monitoring controls (if passing funds to other entities)

[Figure: Four federal grant compliance review areas agencies assess before award decisions]

Federal Grant Compliance Requirements You Must Know

The Compliance Framework: Core Pillars

2 CFR 200 (Uniform Guidance) is the foundational rulebook for all federal award management. It governs every aspect of how organizations — from direct recipients to subrecipients — must administer federal funds.

The four cost principles that underpin every expenditure decision:

| Principle | What It Means |
|---|---|
| Allowable | Costs must conform to award terms and applicable regulations |
| Reasonable | A prudent person wouldn't pay more under similar circumstances |
| Allocable | Costs must be chargeable to the award based on relative benefits received |
| Documented | Every cost must have adequate source documentation |

For security infrastructure, this matters directly. Equipment purchases, vulnerability assessments, training programs, and contractor fees can all qualify as allowable costs — but only when properly justified in the budget narrative and tied to documented vulnerabilities.

Financial management requirements under 2 CFR 200.302 are just as strict. Organizations must:

  • Maintain separate accounts or funding codes for each grant
  • Track expenditures by budget category
  • Prevent cost overlap across federal awards
  • Log personnel time by project when salaries are charged to grant funds

Reporting and Documentation Standards

Every grant period requires two types of reports: financial reports (expenditures tracked against your approved budget) and programmatic reports (progress toward stated outcomes). Both must be submitted on time through systems such as GrantSolutions or the Payment Management System (PMS).

Discrepancies between drawdown requests and actual expenditures are among the top triggers for federal scrutiny. Per 2 CFR 200.305, advance payments must reflect actual, immediate cash needs — not projected or estimated future costs.

Record retention under 2 CFR 200.334 requires all grant-related records to be kept for a minimum of three years from the date of the final financial report submission. That clock extends indefinitely if audits, litigation, or unresolved findings are pending. Records that must be retained include:

  • Award documents and amendments
  • Approved budgets and budget revisions
  • Procurement files and vendor contracts
  • Invoices and payment records
  • Time and attendance records (when personnel costs are charged)
  • Subrecipient monitoring documentation
  • Audit findings and corrective action plans

Common Compliance Pitfalls — and How to Avoid Them

Inadequate documentation is the most frequently cited finding in OIG and federal audit reports. DHS OIG report OIG-25-13 (January 2025) found that FEMA delayed action to recoup unsupported costs identified in improper payment reviews — a direct result of documentation failures at the recipient level.

DOJ OIG's semiannual report through September 2025 cited $226,431 in questioned costs, including $158,131 in unsupported costs. Procurement records, expenditure receipts, and performance data gaps can all result in disallowed costs and repayment demands.

Avoidance tactic: Build a documentation checklist for every transaction before it's processed. No receipt, no drawdown.

Poor subrecipient oversight is a violation of 2 CFR §200.332 and one that can jeopardize an entire award. Prime recipients remain fully responsible for ensuring subrecipients meet the same compliance standards they do. Common failures include:

  • Skipping initial risk assessments of subrecipients
  • Accepting subrecipient reports without reviewing them
  • Failing to document monitoring activities in writing

Avoidance tactic: Treat every subrecipient like an auditor will ask you to prove you monitored them — because they will.

Discrepant financial reporting (cash drawdowns that don't match actual expenditures) triggers automatic scrutiny from federal program officers.

Avoidance tactic: Run monthly reconciliations comparing your drawdown history to your general ledger. Catch gaps before your quarterly report is due.

Missed closeout deadlines result in financial penalties and can affect future award eligibility.

Avoidance tactic: Build a closeout calendar at award kickoff. Set 90-day advance reminders for every reporting and closeout milestone.


Building Grant Readiness Before You Apply

What Is Grant Readiness?

Grant readiness is an organization's demonstrated capacity to apply for, receive, manage, and be accountable for federal funding. It covers five dimensions:

  • Financial systems maturity: accounting software, fund tracking, and segregation of duties
  • Written internal control policies: procurement, cost approval, and conflict-of-interest procedures
  • Staff expertise: defined roles for grant management, expenditure approval, and reporting
  • Compliance history: prior audit findings, corrective actions, and past performance
  • Documentation infrastructure: file organization, retention protocols, and digital access

[Figure: Five dimensions of federal grant readiness for security-focused organizations]

Under 2 CFR 200.206, federal agencies conduct pre-award risk assessments that examine financial stability, management system quality, audit history, and capacity to implement award requirements. Compliance gaps discovered before applying can cost an organization the award before a single dollar is spent.

Conducting a Grant Readiness Assessment

A structured self-assessment covers four areas:

  1. Financial system alignment: Map your accounting systems against 2 CFR 200.302 standards. Can you produce grant-specific expenditure reports? Are funds segregated by project code?

  2. Policy review: Compare written policies against common compliance citations: procurement procedures, cost allowability, subrecipient monitoring, and conflict-of-interest.

  3. Staffing gaps: Identify who owns grant management tasks. If no one can answer that question clearly, you have a gap.

  4. Documentation readiness: Could you respond to an auditor's document request within 48 hours? If not, your file infrastructure needs work.

Not all gaps are equal. Disqualifying gaps (no written procurement policy, no financial management system) must be resolved before submission. Remediable gaps (an outdated conflict-of-interest form, missing personnel time sheets) can be addressed quickly with a focused effort.

Knowing which gaps fall into which category shapes how much time you need before a NOFO deadline. EMD works with K-12 schools, houses of worship, museums, and nonprofits to evaluate compliance infrastructure and build submission-ready application packages.

Federal Funding Programs Relevant to Security-Focused Organizations

| Program | Eligible Entities | Funding Level | Key Uses |
|---|---|---|---|
| NSGP (Nonprofit Security Grant Program) | 501(c)(3) nonprofits at elevated risk — houses of worship, museums, community centers | FY2025: $274.5M total | Target hardening: access control, surveillance, ballistic glazing, perimeter security, bollards, training |
| COPS SVPP (School Violence Prevention Program) | K-12 schools, school districts, state/local government, law enforcement | FY2025: up to $73M, max $500K per award | Emergency notification, threat reporting systems, vestibule hardening, door locks, surveillance, training |
| BRIC (Building Resilient Infrastructure and Communities) | States, territories, tribal governments (locals as subapplicants) | FY2024–25: $1B | Hazard mitigation infrastructure — applicable where security projects tie to documented hazard risks |

Of the three programs above, NSGP is the primary funding pathway for houses of worship, museums, and nonprofit institutions. Organizations submit applications through State Administrative Agencies (SAAs) as subapplicants — not directly to FEMA. EMD prepares the complete NSGP package: vulnerability assessment, investment justification, mission statement, and state worksheet.

COPS SVPP is purpose-built for K-12 schools, with 36-month award periods and up to 75% federal cost share. EMD's SVPP applications are built on physical vulnerability assessments that document specific site conditions — the kind of site-specific findings that reviewers require to score an application competitively.

[Figure: Comparison of the NSGP, COPS SVPP, and BRIC federal security grant programs]

SAM.gov registration is a hard prerequisite: every applicant must maintain an active entity registration with a valid Unique Entity ID (UEI), renewed every 365 days. An expired registration can disqualify an otherwise strong application.


Success Strategies for Post-Award Compliance

The foundation of post-award compliance is a written internal controls system that exists before the first dollar is spent. Federal agencies may request these documents during award negotiations, and having them ready signals organizational maturity. At minimum, your system should document:

  • Procurement procedures and approval thresholds
  • Cost approval workflows and authorization levels
  • Segregation of duties across financial functions
  • Conflict-of-interest policies for all staff involved in procurement
  • A recurring internal reconciliation schedule

With that foundation in place, turn to performance reporting. EO 14332 now requires deliverables to be tied to measurable outcomes — performance reports must demonstrate impact using logic models, KPIs, and evaluation frameworks. For security contexts, measurable outcomes include:

  • Number of physical vulnerabilities remediated
  • Personnel trained in emergency response protocols
  • Reduction in unauthorized access incidents
  • Emergency notification response time improvements
  • Coverage percentage increase from surveillance upgrades

[Figure: Five measurable security grant outcomes required for post-award performance reporting]

EMD's AI-augmented vulnerability assessment methodology is specifically designed to produce quantifiable findings rather than generic recommendation lists. Clients enter the grant period with documented baseline metrics, which makes performance reporting straightforward when deadlines arrive.

Maintain a live digital grant binder from day one. This centralized file should contain every award document, budget version, procurement record, report, reconciliation, and audit finding, organized by date and category.

Also schedule a mock internal audit at the midpoint of your fiscal year, before any official review. Gaps found internally are far cheaper to correct than gaps an auditor surfaces.

EMD's post-award grant management service handles the operational workload across the full cycle, including:

  • EHP submissions and regulatory coordination
  • Procurement workflows and contractor management
  • Drawdown management and progress reporting
  • Final closeout documentation

Most engagements complete the full grant cycle within 12 to 18 months. Clients receive phase-by-phase summaries so boards and leadership maintain full visibility into every expenditure decision.


Frequently Asked Questions

What is a grant readiness assessment?

A grant readiness assessment is a structured review of an organization's financial systems, internal controls, staffing capacity, and compliance history. It determines whether you're prepared to apply for, receive, and manage federal funding, and it identifies both disqualifying gaps and quickly remediable ones before a submission deadline.

Is federal grant training worth it?

Yes. Training equips staff to understand 2 CFR 200 requirements, recognize common compliance errors before they occur, and respond effectively to audit findings. Organizations with trained grant managers are far less likely to face disallowed costs or repayment demands.

What is 2 CFR 200 and why does it matter for my organization?

2 CFR 200, the Uniform Guidance, is the federal regulation governing how all recipients must administer federal awards, including allowable costs, procurement, financial management, reporting, and audit requirements. Compliance is mandatory for any organization receiving federal funds, regardless of award size.

What happens if my organization fails a federal grant audit?

Consequences include repayment of disallowed costs, increased monitoring, potential award termination, and reputational damage affecting future funding. A corrective action plan (CAP) is typically required to document remediation for the awarding agency.

What security projects are eligible for federal grant funding in 2026?

Eligible projects vary by program. Common categories include:

  • Physical security upgrades and vulnerability assessments
  • Surveillance systems, access control, and intrusion detection
  • Perimeter hardening, ballistic glazing, and emergency notification technology
  • Security training programs

Review the specific NOFO for each program to confirm eligibility before budgeting.

How long do I need to retain federal grant records?

Federal grant records must be retained for at least three years after the grant closeout date. That period extends if there is an ongoing audit, litigation, or unresolved finding. All record categories — financial, procurement, programmatic, and subrecipient — are subject to this requirement.