Cybersecurity and technology officials from the state governments of Tennessee, New York and Florida travelled to Washington, D.C., to testify before the U.S. House Homeland Security Subcommittee on Cybersecurity Infrastructure Protection. During the livestreamed meeting, they called for the reauthorization of funds for the State and Local Cybersecurity Grant Program (SLCGP) as well as for maintaining federal cyber coordination programs that state officials described as essential to defending local governments and critical infrastructure.
“Our states are on the front lines of multiple cyber conflicts,” said Colin Ahern, New York's director of security and intelligence, during the hearing.
Much of the hearing centered on the future of the SLCGP, which was created in 2021 to help state, local, tribal and territorial governments strengthen cybersecurity protections and expand shared services. Multiple witnesses said the program has helped states deploy enterprise cybersecurity tools, centralized protections and workforce training to smaller and rural communities that cannot otherwise afford them.
Currently, Congress has reauthorized the State and Local Cybersecurity Grant Program, but no new money has been allocated for it. A Senate bill that proposed allocating $300 million this year has not moved, despite the U.S. House of Representatives voting yes to the PILLAR Act to extend programming through 2033. That legislation now sits with this committee.
Ahern called the grant program “the single most consequential investment in the cyber protection of state and local governments in this country.”
The state leaders also emphasized the importance of continued support for the federal government's Cybersecurity and Infrastructure Security Agency (CISA), as well as for federal-state information sharing efforts as cyber threats become increasingly sophisticated and AI-driven. Witnesses also warned that smaller communities largely lack the staffing, procurement capacity and operational resources needed to defend against ransomware gangs, criminal organizations and nation-state actors without state and federal support.
Tennessee CIO Kristin Darby described what she called “a dangerous imbalance between highly sophisticated attackers and severely resource-constrained defenders,” warning that AI-enabled attacks and rapidly evolving threats are compressing the time between vulnerability discovery and exploitation.
“Many of these local governments simply could not deploy or sustain these capabilities on their own,” Darby said.
Several panelists also warned against reductions in federal cybersecurity coordination capacity, including changes affecting the Multi-State Information Sharing and Analysis Center and staffing reductions at CISA.
Samir Jain, vice president of policy at the Center for Democracy and Technology, said the federal government provides capabilities individual states cannot replicate, including intelligence gathering, coordinated threat visibility and information sharing across jurisdictions. The feds also track nation-state actors that pose threats to utilities and other large infrastructure, something that isn’t a state responsibility.
“The federal government has unique capabilities that no individual state can match,” he said.
In addition to talking about these broader issues, the state leaders shared details on how they have allocated money for cybersecurity within their jurisdictions.
Tennessee has used a mix of direct reimbursement, shared services and training to deliver allocations of roughly $4.2 million in FY2022, $8.6 million in FY2023 and $6.5 million in FY2024. The state provided SIEM and logging tools, vulnerability management, email filtering and encryption, cybersecurity training, governance and risk tools, network firewalls, endpoint detection and response, and Microsoft 365 upgrades.
New York, for its part, emphasized centralized procurement and shared services rather than competitive individual grants, using the state’s purchasing power to expand access to cybersecurity tools and services for eligible entities. Through allocations of approximately $5.8 million in FY2022, $11.6 million in FY2023 and $8.9 million in FY2024, the state funded multifactor authentication hardware and software tokens, cybersecurity certification scholarships, employee awareness training and shared cybersecurity services.
Florida CIO Warren Sponholtz stressed that coordinated defense and information sharing remain critical as cyber attacks increasingly cross jurisdictional boundaries, noting that “cybersecurity threats transcend state lines.”
His state received $5.9 million in FY2022, $12 million in FY2023 and $8.8 million in FY2024 and supported cybersecurity initiatives focused on critical infrastructure protection and law enforcement risk mitigation. Funding was used to harden SCADA systems, industrial control systems, operational technology and related IT assets across all 16 CISA-designated critical infrastructure sectors.
