New bill would reauthorize state and local cyber grant program
Sky Noir Photography by Bill Dickinson via Getty Images
By
Chris Teale
The bipartisan legislation, which expires at month’s end, would extend the popular program and ensure that critical infrastructure and AI systems are covered under it.
A new House bill would reauthorize a federal grant program for state and local government cybersecurity before it expires at the end of this month.
A bipartisan group of lawmakers introduced legislation to reauthorize the State and Local Cybersecurity Grant Program earlier this week, and it advanced by a vote of 21-1 through a markup in the House Homeland Security Committee.
The Protecting Information by Local Leaders for Agency Resilience Act, known as the PILLAR Act, would reauthorize the program for 10 years, and stabilize cost-sharing agreements so that the federal government would provide 60% of a grant to a single entity that applies and 70% for a multi-entity group, with states providing the rest.
The bill, introduced by Tennessee Republican Rep. Andy Ogles, would incentivize governments to implement multifactor authentication, including across critical infrastructure, operational technology and artificial intelligence systems. It also would encourage more outreach to smaller and rural communities that lack the budget or staff to invest heavily in cybersecurity, and in the long term would require states to be responsible for funding.
“State and local governments handle everything from residents’ personal data to the controls of our power, water and emergency services,” Ogles said during the markup. “Many, especially smaller or rural communities, lack the staff and the technology to defend against cyberattacks, making them prime targets for ransomware and data breaches, and service-disrupting attacks.”
The $1 billion program, administered by the Cybersecurity and Infrastructure Security Agency and the Federal Emergency Management Agency, was originally funded by the 2021 infrastructure law and was massively oversubscribed as states and localities tried to get cybersecurity funding and services.
The Government Accountability Office found in a report earlier this year that the program helped fund 839 state and local cybersecurity projects as of Aug. 1, 2024, by which time the Department of Homeland Security had provided $172 million in grants to states out of a total $1 billion in funding. Those projects included developing cybersecurity policy, hiring cybersecurity contractors, upgrading equipment and implementing multi-factor authentication.
Rep. Bennie Thompson, a Mississippi Democrat and the committee’s ranking member, noted that the program’s requirements for states to have a cybersecurity planning committee alongside representatives from localities, academia, the private sector, nonprofits and elsewhere, improved “strategic collaboration” across government. Without reauthorization, he warned, that progress will “halt.”
This effort comes as state and local governments face ever-increasing threats, including from attackers aligned with nation-states. And given the ripple effects felt when a government entity is breached, Ogles said it is important for the federal government to step up and help now.
“I usually want Washington to do less, but it must be ours to not leave our local communities and governments exposed,” he said. “The question is whether we help state and local authorities prepare now, or wait until catastrophe forces heavier handed federal action in the future.”
Reauthorization received broad support, including in an open letter led by the Alliance for Digital Innovation that included the Better Identity Coalition, the Cybersecurity Coalition, the Information Technology Industry Council and TechNet. And in a statement, the National Association of State Chief Information Officers praised the committee for acting.
“This program has been instrumental in providing state and local governments with the resources they need to improve their cyber defenses and address critical threats,” NASCIO said in a statement. “We encourage swift passage in both the House and Senate, accompanied by a robust appropriation to ensure that the progress that has been made through this program can continue.”
Others said the bill’s emphasis on protecting AI systems is beneficial, given how important the technology is already becoming to state and local governments. Agencies are increasingly turning to it for all manner of services and tasks, including making employees more efficient, streamlining permitting and improving communications.
“We are particularly encouraged by the bill’s recognition that AI is already embedded in many state and local information and operational technology systems,” Mitch Herckis, global head of government affairs at cloud security company Wiz, said in a statement released by the committee. “Implementing solutions that support the resiliency of AI-enabled systems is critical to reducing future risk and safeguarding public trust.”
Congress faces a race against time to get the program reauthorized. Funding expires at the end of September, and companion legislation has not yet been introduced in the Senate to extend it. Appropriators would also need to agree on how much to fund the grant program. Lawmakers said there is a national security imperative to reupping the program.
“China and Russia are waiting,” Committee Chair Andrew Garbarino, a New York Republican, said during the markup. “They are hoping that this lapses, because they are looking for vulnerabilities. They attack us every day and are looking for vulnerabilities.”
NEXT STORY: Push continues to fund cyber info-sharing center