The White House’s March 2025 Executive Order (EO) on “Achieving Efficiency Through State and Local Preparedness” raised an issue of utmost importance for national security and our critical infrastructure.
As noted in the order, “federal policy must rightly recognize that preparedness is most effectively owned and managed at the state, local and even individual levels, supported by a competent, accessible and efficient federal government.”
Despite claims from various cybersecurity leaders that the March EO is a federal retreat on information technology security, has funding gaps and lacks implementation clarity and expertise at the local level, the president is correct: Local jurisdictions are best positioned to anticipate their electronic security needs, understand their unique weaknesses, vulnerabilities and risks, and are best suited to develop and implement an incident response, mitigation and recovery plan based on their unique circumstances.
Congress is right, too. In 2021, it established the State and Local Cybersecurity Grant Program (SLCGP) to “award grants to eligible entities to address cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, state, local or tribal governments.”
The SLCGP authorizes $1 billion over four years to help state, local, tribal and territorial governments reduce systemic cyber risks and requires a pass-through of at least 80 percent of those funds to local governments, while reserving 25 percent of those funds for rural jurisdictions. A key component of the SLCGP ties any disbursement of funds to the Cybersecurity and Infrastructure Security Agency’s (CISA) approval of a state’s cybersecurity plan. That proposal must meet the requirements set forth in the SLCGP, such as implementation of the National Institute of Standards and Technology (NIST) cybersecurity framework.
This September, the Homeland Security Committee — with bipartisan support — introduced the Protecting Information by Local Leaders for Agency Resilience Act (PILLAR Act, H.R. 5078), which seeks to not only extend SLCGP for 10 years, but also provide long‑term stability and funding, strengthen milestone‑based accountability, expand its scope to AI and operational technology, and clarify cost‑sharing between federal and state governments.
Combined, the March 2025 EO and the SLCGP create a framework that will succeed if implemented in tandem. Unfortunately, that’s not what happened. In January 2025, the Office of Management and Budget directed all federal agencies to “temporarily pause all activities related to obligations or disbursement of all federal financial assistance.” This effectively ended all SLCGP disbursements and left it and the EO as unfunded mandates. But that’s not quite where this story ends. As part of the re-opening of the government in November, the SLCGP was potentially resurrected when its authorization was extended to January 30. This is a crucially important development.
Now is the time to act and bring SLCGP fully back to life through the PILLAR Act. With our adversaries already embedded in our critical infrastructure (see Salt and Volt Typhoon, advanced persistent threat actors tied to China’s government), and the recent deployment of AI as a cyber-super-weapon — as demonstrated by Anthropic’s recent announcement of how its Claude AI was manipulated by Chinese state-sponsored hackers to conduct a large-scale attack executed almost entirely by AI agents — states and local jurisdictions are even more vulnerable. This is not simply a matter of funding; it’s a matter of national security.
There should not be much debate as to whether states will utilize SLCGP effectively; they already have the data. As of August 1, 2024, according to the Government Accountability Office, “the Department of Homeland Security provided approximately $172 million in grants to 33 states and territories” and “[t]he grants are funding 839 state and local cybersecurity projects that align with core cybersecurity functions as defined by [NIST],” including developing cybersecurity plans and policies, employing cybersecurity contractors, upgrading equipment and implementing multi-factor authentication.
The passage of the PILLAR Act will also enhance CISA’s reach, even with its reduced workforce and limited resources, by making it a force multiplier because it can now focus on oversight — approving state cybersecurity tactics, setting standards and guiding and monitoring priorities — while state, local and tribal governments execute the day-to-day implementation.
Not mentioned in the PILLAR Act, but something practical and easily executed as part of the SLCGP, is local governments partnering with private and public universities to tap into a pipeline of students trained in cybersecurity strategy (e.g., law, policy, risk management, governance) and emerging technologies such as artificial intelligence, resulting in lower costs for the local governments, hands-on experience for students and community building and outreach between local governments and universities.
The PILLAR Act has bipartisan support, and the president’s March 2025 EO reinforces everything contained within it. We now have the framework for securing our state, local and tribal governments. Let’s get this done immediately, as the stakes have never been higher and our national security depends on it.
This article is published as part of the Foundry Expert Contributor Network.