The House did so through legislation called the Protecting Information by Local Leaders for Agency Resilience (PILLAR) Act, which it passed with bipartisan support this week. The bill may now be considered by the U.S. Senate, where it was referred Wednesday to the Committee on Homeland Security and Governmental Affairs. The PILLAR Act would reauthorize the SLCGP for seven years, stabilize cost shares, incentivize multifactor authentication implementations, and implement long-term accountability, according to the House committee summary. It also addresses AI, and it has language to encourage outreach to smaller, rural communities.
Until this year, the SLCGP helped to protect government services and critical infrastructure against cyber attacks, which range from individual hackers to nation-states or criminal syndicates that steal data, extort ransoms, spy on government operations or otherwise disrupt critical functions. The program, created under the Infrastructure Investment and Jobs Act of 2021, provided $1 billion to bolster cybersecurity at the state and local levels, starting in 2022 and ending in September.
The new bill does not specify a dollar amount for future grantmaking, instead noting that grants are "subject to the availability of appropriations."
The U.S. Cybersecurity and Infrastructure Agency has oversight of the program.
HOW STATES USED CYBER GRANTS
“The State and Local Cybersecurity Grant Program was great,” he said Tuesday. “It wasn't enough money for everything that we wanted to do; but one of the ways we attacked — rather than just giving money to municipalities, counties and others — was to do a whole-of-state approach.”
The money in part went to statewide volume licensing for endpoint detection and response and managed detection and response tools. It also went to lowering costs and expanding access to local agencies, he said. The program now supports 153 municipalities and has helped block more than 200 ransomware attacks. Geraghty said the goal was to deliver tools, technologies and services quickly to local governments, schools and utilities within weeks of receiving the first grant.
In Washington state, it went to local jurisdictions, and it funded cyber practitioner training, assessment, policy and program development, CISO Ralph Johnson said in a 2024 Government Technology interview. The state provided pass-through grants to benefit local governments.
“We got so many applications in year one ... that we held back on a few of them to fund these out of year two dollars,” Johnson said. “Out of $7 million that we got in year two, we pre-allocated about $2 million of it to proposals that came in year one.”
ADVOCATING FOR RENEWAL
State and local government leaders have been calling for the renewal of the four-year SLCGP since before the program ended. Leaders of the National Association of State Chief Information Officers (NASCIO) have provided Congressional testimony and a voice for participants.
In April testimony before the House Subcommittee on Cybersecurity and Infrastructure Protection, Utah CIO Alan Fuller, NASCIO’s vice president, and Connecticut CIO Mark Raymond emphasized that the grant has helped states address “critical cybersecurity vulnerabilities” and support local communities in improving their cyber defenses. Both leaders urged Congress to continue the program and maintain funding stability for state and local cybersecurity initiatives.
NASCIO reiterated its support this month, noting that inclusion of the SLCGP in budget negotiations signaled that Congress was taking the issue seriously. The association described the SLCGP as instrumental for state and local cyber defenses, and it called on lawmakers to enact a long-term reauthorization to provide “certainty and stability” for state governments.
The PILLAR Act now awaits action in the Senate Committee on Homeland Security and Governmental Affairs, which will determine whether the reauthorization advances this session.
