States, Locals Call for Renewed, Improved Cyber Grant Program

The State and Local Cybersecurity Grant Program expires in September — but state CIOs told a congressional subcommittee Tuesday the program is a success that should be built on, not ended. Its future remains unclear.

The fate of a landmark grant for state and local government cybersecurity remains uncertain after a congressional subcommittee hearing Tuesday.

State and local government officials have long hoped that the four-year State and Local Cybersecurity Grant Program would be renewed and extended. On Tuesday, several state and local officials testified to that effect, ahead of the program’s September end date.

The grant funding helps protect government services and critical infrastructure against attacks from cyber threat actors, which can range from opportunistic hackers to nation-states and sophisticated criminal syndicates looking to steal data, extort taxpayer money, spy on government operations or disrupt society by shutting down critical functions. The program provides $1 billion over its four years, with states required to direct at least 80 percent of their grant awards to local governments.

The Trump administration has not shown signs of wanting to direct many federal dollars into state and local cyber initiatives, however. The administration recently cut staff at the federal agencies that manage the State and Local Cybersecurity Grant Program, and cut funding to two organizations that provide state and local governments with free or low-cost supports.

With the grant program due to sunset, state and local officials made their case to Congress to reauthorize it, arguing it has made a tangible difference.

“The results have been extremely positive. We have blocked seven major cyber attack incidents in the last six months alone,” Utah CIO Alan Fuller said during Tuesday’s congressional Subcommittee on Cybersecurity and Infrastructure Protection hearing.

WHERE'S THE MONEY GONE?


Last winter, cyber attackers penetrated the systems of a local airport. It was days before Christmas and if hackers took down the IT systems, it would wreak havoc — and, perhaps, force the airport to pay a rich ransom. But the attack didn’t go far: “Fortunately, [State and Local Cybersecurity Grant Program] SLCGP funds, and provided security tools, were able to detect and interrupt the attack as it was happening,” said Fuller, who is the National Association of State Chief Information Officers (NASCIO) secretary-treasurer. The airport collaborated with the state’s Cyber Center to stop the attack before it could interrupt operations, and without having to pay extortion.

In another incident, tools funded by the grant helped a 911 dispatch center in a large Utah county detect and stop a ransomware attack as it was happening. The funds have also enabled Utah to step up defenses, providing endpoint security for more than 26,000 devices, and cybersecurity awareness training to 31,000 local government employees.

Kentucky’s Louisville Metro Government, meanwhile, used funds to set up a cyber threat intelligence-sharing platform where public- and private-sector partners could anonymously share near real-time threat information. The alerts could help a jurisdiction suffering a cyber attack quickly forewarn other potential victims about threat actors’ tactics and the vulnerabilities being targeted so they could better stave off attack, Kevin Kramer, councilmember for Kentucky’s Louisville Metro Government and first vice president of the National League of Cities, said during testimony to the subcommittee.

In Connecticut, the state began by assessing local governments’ cyber postures, and found that 41 percent were at “high risk.” These lacked best practices like vulnerability scanning, multifactor authentication, employee cybersecurity training, incident response plans and malware prevention tools, state CIO Mark Raymond told the subcommittee. Based on that, the state began awarding subgrants to target specific needs.

NASCIO has called the grant program an “unprecedented opportunity” for states and localities “to improve their security posture, increase collaboration between state, local and federal governments and promote a whole-of-state approach to cybersecurity.” In June 2024, NASCIO Executive Director Doug Robinson joined leaders of other public-sector organizations in calling on congressional leaders to preserve the program through its final year.

While state and local governments report making strides, there’s still plenty of progress to be made: A December review found most state and local governments weren’t hitting recommended cybersecurity goals. Smaller communities often struggle, as they may not have full-time IT employees, let alone someone dedicated to cybersecurity — meaning every bit of help counts.
 

A SPRUCED UP PROGRAM?


State and local government officials praised the program Tuesday but recommended changes in any next iteration.

Almost since the program’s start, government technology officials have been saying the grant’s four-year duration simply isn’t enough for the task. In the program’s first year alone, Connecticut only had enough money to fulfill half the requests it received, Raymond said. And while any money is helpful, state CISOs have called for sustained, reliable funding in the face of continual cyber threats.

A simplified application process — and more time to complete it — would also help smaller communities participate, Kramer said. Such local governments may have few personnel to spare on preparing a grant application.

The grant program requires recipients to match a certain portion, and their match increases each year. The idea was to gradually wean recipients off federal funding, so they’d be prepared to fully assume the costs when the grant program ended. But Raymond said that having funding amounts and match levels vary every year makes for an administrative hassle; he advocated for keeping the match amount stable in any future program.

Beyond the money itself, the State and Local Cybersecurity Grant Program compels state and local governments to work together. Before receiving grant funding, representatives from state and local governments had to come together to prepare and submit a plan for reducing cybersecurity risks across the state. This has led to greater trust, understanding and collaboration among state and local governments, Fuller said. It also sets states up to help counties and towns implement new cyber tools and train on how to use them, if the local governments need it.

Kramer, meanwhile, suggested large municipalities that do have the capacity to manage grants should be given a way to apply directly to the federal government for cyber money. Right now, they have to ask the state to pass through federal funds. “The one-size-fits-all pass-through model limits efficiency,” he said.
 

FEDERAL PICTURE


Subcommittee members were receptive to tales of the grant program’s success, but program proponents may still face a more challenging federal climate. The Trump administration has cut staff at the two federal agencies that administer the grant, the Federal Emergency Management Agency (FEMA) and the Cybersecurity and Infrastructure Security Agency (CISA).

The administration withdrew federal funding for two initiatives that support state and local cybersecurity. Those funding cuts led to the shuttering of the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), which had helped election offices with matters like security training and cyber threat information sharing. The administration also cut $10 million from the Multi-State Information Sharing and Analysis Center (MS-ISAC). This ISAC provides state, local, tribal and territorial governments with low- and no-cost supports to help prevent, detect, respond to and recover from cyber attacks.

State and local government representatives argued these kinds of moves further burden them even as they face off against well-resourced cyber attackers. They say they need more help — not less.

“State and local governments are not prepared to fight this kind of cyber engagement with foreign nations,” Raymond said during the hearing. “In combination with the reductions to MS-ISAC and CISA support, additional responsibilities are falling on the states to fight these battles. Should further CISA reductions — or FEMA reductions for that matter — be put in place, I would say it would diminish our ability to help the municipalities that are part of our jurisdiction and defend on behalf of the state.”
Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where Jule specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon.