NASCIO lists its federal advocacy priorities each year, a collection of considerations designed to address the most pressing technology and cybersecurity challenges facing state governments. Their development is a collaboration, with input from state CIOs and CISOs guiding the direction of their points of focus.
For 2025, the top federal priorities include expanding AI; pushing forward on .gov; responsible implementation of the State and Local Cybersecurity Grant Program; expanding and strengthening the state cyber workforce; and reaching better alignment with federal cybersecurity regulations.
AI topped the list of federal priorities, but states haven’t waited on Washington to act — many have rolled out their own policies. State-level strategies across the U.S. have varied, but generally aim to harness AI’s potential while tackling key aspects such as data protection, ethical usage and cybersecurity.
However, to ensure consistency, NASCIO advises that Congress and federal agencies take into account the work states have already done and craft federal AI regulations that minimize duplication. The federal government should, NASCIO recommends, provide states with the necessary resources to ensure a workforce can be trained, service can be uninterrupted and data secured.
“As both Congress and federal agencies are contemplating what a federal AI policy looks like, even if that policy may not specifically mention states, it’s likely going to roll down at the state level,” Alex Whitaker, NASCIO’s director of government affairs, told Government Technology. “Federal regulations are going to create compliance issues for states.”
This issue can be overcome, Whitaker said, through increased collaboration between local, state and federal government agencies.
“States need the federal government to listen to what they’ve already done because a lot of states have already developed their own AI policies and have some good ideas,” he said. “But they’ll need help from the federal government implementing these programs, be that financial resources or workforce help. Don’t just hand out a mandate without talking to states but instead develop something in consultation with states and then help to implement it.”
NASCIO’s second-ranked priority focuses on continued adoption of the .gov domain. The domain was initially created to advance security protocols on government websites, but many local government entities have yet to make the transition. Waiving the $400 annual registration fee has made this more affordable, but NASCIO's findings indicate that additional education, outreach and advocacy are still necessary. The organization recommends establishing a stakeholder advisory group to educate locals on the benefits of transitioning to .gov, tying federal grant funding to the domain’s adoption, and allowing flexible use of State Homeland Security Grant funds for transition costs.
Cybersecurity emerged as a central focus across the third, fourth and fifth priorities. Whitaker mentioned the importance of a “whole-of-state approach” to cybersecurity, adding that states already often extend services to local governments to address challenges smaller entities lack the resources to manage — which is good for collaborative efforts. However, one major challenge is the lack of cohesion across federal cybersecurity protocols. Duplicative regulations from federal agencies, according to Whitaker, often burden state agencies with unnecessary compliance work.
“You may have to submit data to three different federal agencies and have different security protocols at each one,” he said. “What we’re asking for is continuity across these protocols so that a state doesn’t have to do completely different compliance measures every time they’re submitting the same set of data.”
Similar concerns arise when it comes to audits. State agencies are seeking to avoid being audited multiple times by different federal agencies for submitting the same information, and the current system can consume significant time and resources. NASCIO’s recommendation is to reduce redundant audits and compliance measures.
Another priority highlights the need to address the cyber workforce gap, as state CIOs turn to public universities to build a pipeline of young talent.
“CIO offices are working with universities to develop internship programs,” Whitaker said. “We see that in almost every state — Texas, North Carolina, and the list kind of goes on and on — of CIO[s] and offices partnering with universities.”
While states often can’t compete with private-sector salaries, they can offer competitive benefits, excellent training and experience job seekers may not get, Whitaker said.
He identified two significant areas of focus for NASCIO’s federal advocacy beyond this year’s priorities list: preparing for the next big cybersecurity threat, and navigating AI uses as they evolve.
“Sometimes those cybersecurity threats are foreign entities and state actors, but sometimes they’re also non-state actors, so it’s about making sure we’re keeping resilient information security practices and staying ahead of the curve,” he said. “But it’s also working with AI, where a lot of states are proactive in embracing AI, but they want to do it in a safe manner that ensures cybersecurity and also protects citizen data and information.”
