The shifting cybersecurity mandate for states

Yuichiro Chino via Getty Images

Featured eBooks
NASCIO 2025 Special Report
Changing Workforce
Future of Tech Infrastructure
Insights & Reports
Integrated GRC: When audit and risk collaborate, oversight gets stronger
Presented By Diligent
Download Now
Navigating Dash Cams: A Guide for Union Engagement
Presented By Carahsoft
Download Now
By Claire Bailey

By Claire Bailey

|

COMMENTARY | Federal retrenchment means states must step up with funding and resources in a more complex environment. Multi-year federal funding can reduce some of those burdens.

Cybersecurity has long been one of the few issues to unite policymakers across party lines. No matter the political climate, protecting citizens, critical systems and digital infrastructure is a shared priority. 

Yet as cyber risks grow more complex, the governance and funding structure behind them have become increasingly tenuous, creating uncertainty for the state and local leaders responsible for defending front-line systems. To keep pace with fast moving threats, states now need authority, resources, and tools to act quickly and consistently across their environments. That requires sustained, predictable funding that allows them to plan, build capacity and maintain readiness over time.

Over the past year, major federal funding shifts and strategic realignments have produced ripple effects that states are now being forced to absorb. The initial expiration of the Cybersecurity Information Sharing Act of 2015, which provided liability protections and privacy safeguards for sharing threat intelligence, along with the end of the State and Local Cybersecurity Grant Program on Oct. 1, 2025, represent another compounding challenge in how the nation approaches cyber readiness. 

Congress began 2026 with bipartisan efforts to create more sustainable funding, with a short term approach to continue funding for the Technology Modernization Fund and explore pathways to extend the SLCGP and related information sharing funding resources. Short-term measures help, but they do not replace the need for multi-year appropriations that let states plan beyond annual federal cycles.

Government programs are foundational to cybersecurity across the country, and while their recent extensions provide relief, predictable multi-year support is essential to sustain information sharing and uplift under resourced communities. Without these protections and financial backstops, state and local governments face a choice: stand up their own frameworks, or assemble stopgaps that are often duplicative, fragmented and less coordinated, risking missed signals. In this environment, the old saying that you are only as strong as your weakest link has never been more true.

Meanwhile, leaders are navigating constrained budgets, compressed planning cycles, ongoing attacks and a growing transfer of responsibilities once shouldered by the federal government. For IT and security teams already stretched thin and juggling competing priorities, this is no small feat, especially as cyber threats become more sophisticated. Manual, labor intensive approaches are no longer sufficient, and smaller, resource constrained jurisdictions rely on more automated operations to keep pace. Government cyber teams must operate at the speed of modern threats. Federal funding changes reshape the operational, financial and strategic posture of public sector cybersecurity, making consistency more important than ever.

The policy question is straightforward, will we fund cyber as critical infrastructure with consistent, outcomes based investments, or will we continue to rely on episodic grants that force agencies to rebuild the basics every budget cycle.

A Cog in the National Cybersecurity Machine

States, cities and counties are more than administrative districts; they are critical nodes in the national cybersecurity ecosystem. Local governments, schools, utilities and public safety networks are often key targets for cyber threat actors, including nation‑state adversaries and sophisticated criminal groups. 

Recent incidents in 2025, including coordinated ransomware attacks that disrupted courts and public safety services in Durant, Oklahoma, Lorain County, Ohio, and Puerto Rico’s Justice Department, along with continued targeting of K‑12 districts and universities nationwide, demonstrate how quickly local compromises can escalate into broader operational consequences. 

These entities are frequently the point of entry and the first responders who translate national guidance into action on the ground. Because these front-line systems carry national consequences when compromised, steady funding for their defense is a national imperative, not just a local obligation.

Despite this, federal policy is moving toward a reduced central role. Reduced federal support and fee-based models create affordability gaps that limit access to threat intelligence and response capacity for smaller jurisdictions. Multi-year, predictable funding is the lever that ensures universal participation and keeps shared visibility intact across jurisdictions.

Without the information‑sharing community and its coordination mechanisms, threat intelligence quickly becomes uneven and varies dramatically by budget size. Readiness hinges on four elements: strong intelligence, automated detection, coordinated response, and a unified picture of risk. Targeting funding to these elements, with clear performance measures, translates directly into faster detection and remediation.

For instance, many potentially damaging incidents have been remediated before data theft or ransomware activation thanks to timely threat information shared by federal entities such as the Multi-State Information Sharing and Analysis Center, the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and other strategic partners. That intelligence was then passed to state-level incident response teams, which confirmed, mitigated and remediated the threats, reducing what could have been major cybersecurity incidents to brief maintenance activities. These outcomes depend on consistent funding for information sharing and response capacity across all jurisdictions.

With reduced federal support and uncertainty around key protections and grants, states are now expected to extend resilience to counties, local governments, schools and critical infrastructure while also building trust, visibility and sustainable funding models. This expansion of responsibility must be matched by reliable, multi-year resources, otherwise mandates outpace means and risk accumulates at the edges.

The Path Forward? A Shared Responsibility

Maryland’s vulnerability disclosure program is a useful model, and its core lesson is practical, continuous discovery and remediation only work when funding is consistent. States can tailor approaches, but sustained investment is the decisive factor in resilience, not one off pilots.

Some states have larger economies, and thus larger budgets to fund intelligence sharing models and whole of state cyber operations without federal involvement. Not all states have that luxury. Without state to state coordination and ideally federal governance, the result could be a patchwork of uneven protections, where wealthier states develop robust programs while others lag. 

Cyber adversaries only need one weak entry point, and fragmentation becomes a strategic risk. This is why congressional efforts to reauthorize and stabilize state cybersecurity funding are so important, since volatility undermines readiness while predictable support enables planning, workforce development and measurable outcomes.

A durable model pairs a federal baseline with state matching, delivers multi-year appropriations, and ties funding to simple outcome metrics such as mean time to detect, mean time to remediate and percentage of assets covered.

The ideal path forward is a broader program funded by each state, supported by a dedicated federal cyber program scaled to state size and available resource capacity, with aligned federal and state interoperable governance and interoperability standards. This model aligns with how energy, transportation and public health are managed, and cybersecurity should be no different. Shared services, pooled procurement and common platforms reduce total cost of ownership for smaller jurisdictions, and sustained funding allows them to participate on equal footing.

Such a model would include baseline federal guidelines and interoperability standards building upon the MS-ISAC interoperability model for vulnerability disclosure programs, intelligence sharing and reporting, and a unified national clearinghouse for anonymized threat intelligence, ensuring that all states, regardless of means, benefit from collective insights and ensure successful remediation, harnessing the power of intelligent automation with the confidence to patch critical systems autonomously. Shared services models, like those used for emergency management or election security, would ensure equitable access. Policy should also incentivize cross-sector sharing, reward measurable interstate and local collaboration and align public-private playbooks for response, remediation and ultimately risk reduction from the smallest of US governments to the largest.

Although such a model would require bipartisan cooperation and resources to coordinate across all government levels, this is not a matter of political standing or economic advantage. It’s not about big government or small government. It’s about smart government and recognizing that cybersecurity is now a form of national defense across all levels of government and critical infrastructure. Offense succeeds only when the entire ecosystem, federal, state, local and private, is prepared, connected and operating from a common picture of mission and risk.

A Moment of Reckoning and Opportunity

The cybersecurity mandate for government is shifting quickly and decisively. While current cuts and the ongoing threat of expiration of federal protections and funding present immediate challenges, they create a long-overdue inflection point for cyber security modernization. 

States now have an opportunity to build modern, data-driven cyber programs, strengthen collaboration across state lines, and advance a new federal-state partnership model that is more agile and equitable. This is the moment to lock in multi-year, outcomes-based funding that professionalizes cyber security across all levels of government, stabilizes the workforce and standardizes capabilities at scale.

But this must happen with urgency. Cybersecurity is only as strong as its weakest link, and under-resourced state and local environments must be uplifted to close critical gaps.

If we fail to collaborate across all levels of government and the public and private sectors, the nation’s cyber resilience will face greater risk of outages, data theft and potentially life threatening disruptions. Conversely, if we embrace shared responsibility, modern governance and equitable funding models, we can strengthen cyber defenses for every community, not just those with the largest budgets.

We need to treat cybersecurity as the critical infrastructure it is, and fund it for the long term, because the safety of every community depends on it.

Claire Bailey is public sector CIO at Tanium.

NEXT STORY: After North Carolina cyberattacks, IT officials warn General Assembly of poor preparedness

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.