Federal lawmakers reactivated the SLCGP Feb. 3 with passage of H.R. 7148, but when they were unable to agree on aspects of H.R. 7147, which would have funded DHS through Sept. 30, the shutdown began Saturday.
DHS allocations — the money to keep the department open — have been handled separately from other annual spending bills amid ongoing political disputes over immigration enforcement, including controversy surrounding January’s fatal federal agent-involved shootings.
Originally created by the Infrastructure Investment and Jobs Act of 2021 with $1 billion in grant funds to bolster cybersecurity at the state and local levels, SLCGP was reauthorized — but not funded — on Feb. 3 through H.R. 7148, a broader federal spending package that extended several expiring programs.
New SLCGP grant opportunities have ended, although states have up to three years to spend funds and are continuing to do so. In many states, SLCGP funds are being used to provide phishing-resistant multifactor authentication tokens to local governments. But while Congress has extended the program’s authorization, it has not provided new funding. That’s essential to its ongoing support, one state cyber leader said.
“To extend this program meaningfully requires Congress to put more money into it,” said Colin Ahern, New York state’s chief cyber officer. A leader of the National Association of State Chief Information Officers (NASCIO) agreed.
“We know from our 2024 NASCIO State CIO Survey that states have used the funds to offer several services to local governments including training, risk assessments, endpoint detection and support for .gov domain adoption, among others,” Meredith Ward, NASCIO deputy executive director, said via email earlier this month.
The organization is among state and local government associations that support the SLCGP and its funding. Federal lawmakers have introduced the PILLAR Act, which would extend the program through 2033, and also a Senate reauthorization that would provide additional funding, but the measures have not advanced in committee.
In its 2026 federal advocacy priorities, NASCIO called for the SLCGP’s long-term authorization and encouraged states to treat federal funds as a catalyst, not a substitute, for sustained cybersecurity investment.
SHUTDOWN IMPLICATIONS
The SLCGP isn’t the only entity impacted by the lack of an accord.
DHS oversees the Cybersecurity and Infrastructure Security Agency (CISA), which is also now operating in shutdown mode. During a Feb. 11 hearing, CISA Acting Director Madhu Gottumukkala said proactive threat monitoring is among its responsibilities affected. Proactive vulnerability scanning, which is part of that, is not classified as essential, he said, and the agency would shift to a more reactive posture, with response, assessment, training and planning activities also limited.
Because CISA operates within DHS, its cybersecurity functions are tied to broader appropriations debates.
Ahern also pointed to bipartisan support for the PILLAR Act, which would extend SLCGP programming. He emphasized that cybersecurity efforts depend on coordination across state, local and federal partners. “We can either succeed together or fail separately,” he said. “States need each other, and they need the federal government.”
