# Full Report
Three state tech leaders plan to testify before Congress Thursday to discuss cybersecurity as well as the currently unfunded State and Local Cybersecurity Grant Program, officials have announced. The group is slated to speak with the U.S. House Homeland Security Subcommittee on Cybersecurity Infrastructure Protection, in an afternoon hearing that will be livestreamed. The National Association…
# Analysis Summary
# Regulation/Compliance: State and Local Cybersecurity Grant Program (SLCGP) & PILLAR Act
## Overview
The State and Local Cybersecurity Grant Program (SLCGP) is a federal funding initiative designed to assist state, local, and territorial (SLT) governments in addressing cybersecurity risks and threats to their information systems. The current legislative focus, the **PILLAR Act**, aims to extend the program's authorization through 2033 and to secure the funding allocation that is currently stalled in the Senate.
## Key Details
- **Issuing Authority:** Department of Homeland Security (DHS) / Cybersecurity and Infrastructure Security Agency (CISA)
- **Effective Date:** Program originally established via the Infrastructure Investment and Jobs Act (IIJA); Reauthorization/extension (PILLAR Act) is currently pending Senate approval.
- **Jurisdiction:** United States (State, Local, Tribal, and Territorial governments)
- **Status:** Proposed/Pending (The PILLAR Act has passed the House; $300M funding bill is pending in the Senate).
## Requirements
### Mandatory Requirements
1. **Cybersecurity Planning:** Participants must develop and maintain a comprehensive Cybersecurity Plan.
2. **NASCIO Collaboration:** States must demonstrate coordination between State CIOs and local entities to ensure funds reach sub-recipients.
3. **Pass-Through Mandate:** States are generally required to pass through at least 80% of the federal funding to local government entities.
4. **Matching Funds:** Recipient organizations must meet cost-sharing requirements (percentage varies by fiscal year).
### Recommended Practices
1. **Multi-State Projects:** Engagement in regional or multi-state cybersecurity initiatives to maximize resource efficiency.
2. **NIST Alignment:** Adoption of the NIST Cybersecurity Framework (CSF) for all grant-funded projects.
3. **Zero Trust Implementation:** Prioritizing funding for Zero Trust architecture and Identity and Access Management (IAM).
## Affected Organizations
- **Industries:** Government (State, Local, Tribal, Territorial), Public Education, and Public Health systems.
- **Organization Size:** All sizes, with a specific focus on under-resourced rural or local municipalities.
- **Geographic Scope:** All 50 U.S. States and associated territories.
## Compliance Timeline
- **May 2026:** Testimony provided to the House Homeland Security Subcommittee regarding current gaps and program effectiveness.
- **2026 (Pending):** Awaiting Senate vote on the $300 million annual allocation bill.
- **2033:** Proposed sunset date for the program under the PILLAR Act.
## Implementation Guidance
### Assessment Phase
- Conduct an enterprise-wide risk assessment to identify vulnerabilities in legacy infrastructure.
- Evaluate current alignment with CISA’s "Cybersecurity Performance Goals" (CPGs).
### Implementation Phase
- Create or update the statewide Cybersecurity Plan as required by CISA/FEMA.
- Establish a "Cybersecurity Planning Committee" comprising diverse stakeholders from local and state government.
### Validation Phase
- Submit annual progress reports to CISA detailing how funds were utilized and the resulting improvement in security posture.
- Federal audits of fund disbursement to verify that the 80% local pass-through requirement is met.
## Technical Requirements
- **Vulnerability Management:** Regular scanning of public-facing assets.
- **MFA Implementation:** Mandatory Multi-Factor Authentication for all government employees and contractors accessing sensitive systems.
- **Incident Response:** Development of a formal incident response plan that integrates with federal reporting requirements.
## Penalties & Enforcement
- **Fines:** Not applicable; however, non-compliance results in the **clawback of funds**.
- **Other Consequences:** Loss of eligibility for future grant cycles and increased federal oversight.
- **Enforcement:** Managed by CISA and FEMA through the grant oversight process.
## Related Standards
- **NIST CSF:** The primary framework used to guide the development of the required Cybersecurity Plans.
- **CISA Cybersecurity Performance Goals (CPGs):** Benchmarks often used to prioritize grant spending.
## Resources
- **Official Documentation:** <https://www.cisa.gov/cyber-grants>
- **Guidance Documents:** <https://www.congress.gov/bill/119th-congress/house-bill/5078/text> (PILLAR Act)
- **National Association of State CIOs (NASCIO):** Provides advocacy and strategic guidance for state leaders.
## Practical Recommendations
- **Engage Legislators:** State and local leaders should continue to emphasize the link between funding and the protection of critical infrastructure (e.g., healthcare/public health) to ensure the $300M allocation passes.
- **Inventory Assets:** Prior to applying for funds, ensure a complete inventory of IT and OT assets to justify budgetary requests.
- **Focus on Training:** Use grant funds not just for hardware, but for workforce development to close the cybersecurity talent gap at the local level.