In Brief:
- The House passed a bill that would renew a popular grant program that helps state and local governments improve their cybersecurity. States and localities often face cyber threats from nation-states and well-resourced cyber criminals.
- The PILLAR Act doesn’t say how much grant money it would provide. Recipients have long said the State and Local Cybersecurity Grant Program lacked enough funding to answer the vast need.
- The PILLAR Act modifies the previous grant program, covering security not just for IT systems but also for operational technology and systems incorporating AI. It also requires recipients to pay a higher share of the costs than they’d had to for much of the previous grant.
Schools, public drinking water systems and other state and local government entities too often find themselves in the crosshairs of sophisticated cyber attackers. For cash-strapped local governments, improving cyber defenses and fending off the threats is a big ask.
The federal government took note and in 2021 launched a grant program to help state and local entities boost their cybersecurity. The State and Local Cybersecurity Grant Program (SLCGP) gave $1 billion over four years to state and local governments to use to better protect their IT systems against cyber attacks. The program emphasized local governments’ need for aid: states had to pass through 80 percent of the value of their grants to localities. This could be in the form of subgrants, state-managed cybersecurity services and other forms of support.
The program was only designed to last four years, however, and cybersecurity officials have long said it needed to last longer and be more richly funded. Those hopes may now come to fruition. The House voted unanimously yesterday to pass the Protecting Information by Local Leaders for Agency Resilience (PILLAR) Act, a bipartisan bill that would extend the grant program for seven years, while making several updates. If the act doesn’t pass, the SLCGP ends on Jan. 30.
“When a resident pays a utility bill online, when a police department dispatches an officer, when a hospital connects to a county network, all those activities rely on state and local systems that are now squarely in the sights of foreign adversaries and criminal groups,” said Republican sponsor Rep. Andrew Ogles of Tennessee during a House hearing Monday.
Federal officials believe hackers linked to China have penetrated drinking water systems’ networks and lurked, positioning themselves to disrupt operations should China-U.S. relations sour. Cyber criminals have hit cities with ransomware attacks and forced public schools to temporarily close. Small local jurisdictions and entities don’t always have enough — or any — IT staff or the budgets to easily defend themselves, Ogles said.
“State and local governments must defend against cyber intrusions from transnational criminal gangs and nation-state adversaries,” said Resident Commissioner for Puerto Rico Pablo José Hernández, a Democrat, during the House session. The federal government needs to help: “There are no other circumstances under which we would expect a state or local government to defend itself from an attack from a state actor, particularly not China, Russia or Iran.”
A Four-Year Boost
During an April hearing, Utah CIO Alan Fuller said SLCGP tools and funds had helped the state detect and thwart an attack against a local airport just before the 2024 Christmas holiday. Kevin Kramer, councilmember for Kentucky’s Louisville Metro Government, said his jurisdiction had used the funds to create a platform where members could share information about cybersecurity threats in real time. That would enable an entity hit by a cyber attack to quickly warn its peers about the attacker’s methods.
The SLCGP also prompted state and local governments to collaborate: as part of qualifying for the grant, they were required to work together to craft a statewide cybersecurity plan that met certain criteria.
Hernández said Monday that the SLCGP had put state and local governments on better footing than they were on four years ago, but that plenty of work remains.
Re-envisioning Cyber Grants
The PILLAR Act puts some new tweaks on the grant program. Instead of just addressing IT system security, it also covers securing operational technology systems, like water treatment plants’ industrial control systems, and AI tools used by government, Ogles said.
The PILLAR Act also explicitly requires that recipients only use grant money to purchase tools built with security in mind (a practice known as secure-by-design), and offers a financial incentive for governments to move quickly to adopt multifactor authentication (MFA) and identity and access management tools.
Another difference: money. Both programs involve a cost share. The SLCGP was designed to give recipients a larger financial boost initially, then ease them off federal funding as the grant approached its end. In FY2022, the first year of funding, the federal government covered 90 percent of costs for cybersecurity projects or activities; in FY2025, it covered 60 percent. Some state officials had said a steady matching level would simplify administrative work. The PILLAR Act provides steadier funding, but it’s less generous than the SLCGP’s early years. It fixes the federal portion at no more than 60 percent (or 65 percent, if entities meet those MFA and identity and access management goals by a certain date).
And there are hanging questions — Alex Whitaker, director of Government Affairs for the National Association of State Chief Information Officers, notes that while the SLCGP provided $1 billion over four years, the PILLAR Act doesn’t specify a dollar amount for the grants.
“I understand why that was done,” Whitaker said, speaking a few days before the House hearing. “We want to get the program passed and we don’t want people to balk at the price tag. But, in order for it to work, we have to have money attached.”
The SLCGP had passed as part of the larger bipartisan Infrastructure Investment and Jobs Act. The PILLAR Act sailed easily through the House on Monday, and now all eyes turn to the Senate. The Senate recently showed interest in the grant program; the SLCGP expired Sept. 30 but the deal to reopen the government temporarily extended it until Jan. 30, 2026.