IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Dedicated State and Local Cyber Grants Are Finally Arriving

The newly approved federal infrastructure deal brings with it a great holiday present for state and local governments: dedicated cyber funding. Here’s the history, and the future, of cyber grants.

This has been a long time coming.

After more than a decade of making the case to federal leaders, state and local governments are finally celebrating the passage of dedicated cyber grants for the public-sector organizations that desperately need more resources.

As reported by

"The funds were included in the $1.2 trillion infrastructure package that is awaiting President Biden’s signature after months of negotiations in Congress and years of advocacy from state and local governments, which have faced chronic shortages of resources to address increasing cyber threats.

'We are elated,' Matt Pincus, director of Government Affairs at the National Association of State Chief Information Officers (NASCIO) told The Hill Monday."

Indeed, NASCIO released their own statement on the passage of the Infrastructure Investment and Jobs Act:

“We are grateful for the passage of the bipartisan Infrastructure Investment and Jobs Act, which includes the $1 billion State and Local Cybersecurity Grant Program. NASCIO applauds Congress and the Biden administration for numerous provisions that aim to improve and secure our nation’s digital infrastructure, including significant funding for broadband.

“Dedicated cybersecurity funding for state and local governments, with an emphasis on increased collaboration between state and local governments with our federal counterparts, has been a long-standing priority for our association. The creation of this grant program is a significant step toward improving the cyber resilience for state and local governments across the country. The state CIOs and CISOs look forward to playing a significant role in the implementation of this program.”


Many readers may wonder why this is such a big deal. Skeptics may be thinking that, with the funding spread over the next five years, the amount of dollars available nationwide is relatively small when compared with other initiatives.

In addition, with the passing of the American Rescue Plan of 2021 on March 11, many state, local and education agencies have seen an increase in available grant funds from the federal government. Compared to the $139 billion provided to state and local governments in the CARES Act, the American Rescue Plan increased grant allocations to $350 billion. Of that, $219.8 billion will be allocated to states and $130.2 billion will be allocated to cities and counties.

And yes, some state and local governments did receive a portion of these grant funds to strengthen cyber defenses. However, many others did not receive any funding for cybersecurity efforts.

Indeed, strengthening cyber defenses has been one of many grant options going back almost two decades to the Department of Homeland Security (DHS) grants made available to state and local governments after the 9/11 terrorist attacks.

On a personal level, I remember the early grants that we received in Michigan when I was CISO from 2002 to 2009. Michigan government press releases going back to 2005 describe projects completed with DHS cybersecurity grant funding. In fact, we were able to get millions of dollars during those years to upgrade cyber defenses, buy urgently needed data center generators and much more.

Nevertheless, many other state and local governments were not as fortunate and were unable to get any money dedicated from DHS grants to be used for their cybersecurity programs.

That is why NASCIO, the National Governors Association and many others kept urging Congress and different presidential administrations to provide dedicated funding that must be used for strengthening cybersecurity.

This blog of mine from 2017 made that case again, with more details. Here’s an excerpt:

“The National Association of State CIOs (NASCIO) and the National Governors Association (NGA) have consistently raised this cyberissue with their federal government counterparts, and it appears that the message may finally be getting through. The State Cyber Resiliency Act was introduced by Sens. Mark Warner, D-Va., and Cory Gardner, R-Colo., and Reps. Derek Kilmer, D-Wash., and Barbara Comstock, R-Va., on March 2, 2017. …

"The state and local cybersecurity funding problem is not new. Back in 2011, Investor’s Business Daily proclaimed that: Cybersecurity Is Among Casualties of State Budget Woes. Going back further to my days as the Michigan chief information security officer (CISO) from 2002 to 2009, we were able to get millions of dollars in federal Department of Homeland Security (DHS) grants for cybersecurity for many different projects, ranging from new generators for data centers to anti-spam appliances to new encryption for laptops. Those grant dollars launched Michigan into the forefront of government cybersecurity leadership at the time, enabling us to implement many cyberprotections and stop ongoing cyberattacks. An important aspect of many of these FEMA grants is that ongoing (full life-cycle) support of capabilities, including maintenance and upgrade fees, often come from the state or local government. Remember that there are people, process and technology elements to most of the items on the list above. Therefore, the ongoing staffing, training and other aspects of cybersecurity will likely still need to come from operational budgets at some point down the road.”  


There are many unanswered questions that will no doubt be addressed in the months ahead by the Cybersecurity and Infrastructure Security Agency (CISA). Questions like: What are the rules for funding? Will the states allocate the funds to the locals based upon population or need or quality of grant applications (or something else)?

Also, cyber plans are required to receive funds, as specified in the legislation, but will every organization need a plan, or will each state have a plan that includes locals (or some mixture be applied)? What equipment and services will be allowed? How will governments cover ongoing operational costs, and what happens if the local government cannot pay for the matching funds required?

The list of questions goes on and on, and CISA and FEMA guidance will certainly bring some unhappy officials to declare that the program is somehow biased.


This is a moment to celebrate for the many current and former state and local government officials (and their private-sector partners) who have been fighting for these dedicated cyber grants for years. Yes, I do believe that state and local cybersecurity grants are a very good step in the right direction for our government cyber defenses nationwide.

Will these grants solve all of our state and local cyber problems? Certainly not.

Will more dollars be needed down the road? Bank on it.

Will these new funds meet all of the resource needs for 2022-2023? Not even close.

But this is still meaningful progress. I raise a glass to everyone that made this happen over many years. This is something cyber pros and government officials alike can be thankful for, and it will make us safer online.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.