Cyber grant funding lapses soon and state leaders want it renewed
L. Toshio Kishiyama via Getty Images
By
Chris Teale
The $1 billion State and Local Cybersecurity Grant Program runs out of money in September.
Several state technology leaders urged a House subcommittee on Tuesday to reauthorize a federal cybersecurity grant program before its funding lapses in September.
The $1 billion State and Local Cybersecurity Grant Program, known as SLCGP, was funded by the 2021 infrastructure law and is administered by the Cybersecurity and Infrastructure Security Agency and the Federal Emergency Management Agency. It has already been successful in helping states prepare cybersecurity plans, provide shared services to localities and fund new initiatives in the face of growing cyber threats.
With concerns growing about how state and local governments will manage cyber threats amid an uncertain future, speakers before the House Committee on Homeland Security’s Subcommittee on Cybersecurity and Infrastructure Protection said the grant program must be reauthorized.
“The State and Local Cybersecurity Grant Program is not a ‘silver bullet’ that can entirely solve our nation’s cybersecurity challenges,” said Utah Chief Information Officer Alan Fuller in his written testimony. “It does, however, help stakeholders develop a solid foundation on which to continue to strengthen their defenses and modernize both their technology and processes.”
Connecticut CIO Mark Raymond said given the role states and localities play as “stewards of civil society,” they need help protecting those vital services like public safety, education, social services and utilities.
“It is important to note that those who deliver these services often do not have the appropriate funds to adequately protect the technology and data within their care alone,” Raymond said. “While states are ready to meet this challenge, it is critical that they receive support from their federal partners if they are to remain effective.”
One of the biggest benefits of the program, speakers said, was its emphasis on allowing states to embrace a “whole-of-state” approach to cybersecurity, which involves greater information and service sharing. Fuller, who is also the secretary-treasurer of the National Association of State Chief Information Officers, said the grant program has allowed states to “provide vital technology services that many smaller communities otherwise would not be able to implement.”
Fuller noted that NASCIO’s 2024 State CIO Survey found that funds have been used for various efforts, including cybersecurity training, endpoint detection, assessments, security monitoring and migration to the .gov domain.
“Perhaps most encouraging, however, has been the spirit of collaboration between state and local leaders that the grant has fostered,” Fuller said. “One requirement to receive funding, the creation of a cybersecurity planning committee to guide how the money will be spent, means that these individuals are able to build relationships and trust that will allow them to respond more effectively and successfully to any cybersecurity attacks.”
Congressional leaders from both sides of the aisle acknowledged the good the program has done, although they said it may need tweaking.
“We cannot leave our state and local governments to fend for themselves,” said Rep. Eric Swalwell, a California Democrat and the subcommittee’s ranking member.
“I'm encouraged by the progress and applaud the efforts of our state and local governments to seize this opportunity to prioritize cybersecurity,” said Rep. Andrew Garbarino, a New York Republican who chairs the subcommittee. “With that said, we know the program does not come without its challenges.”
Witnesses acknowledged those challenges and said some improvements are needed if the grant program is to be sustained. Fuller noted that federal guidance was slow to arrive and sometimes confusing, but that has been resolved. He said the funding match formula could be stabilized to simplify program administration, while the match could be reduced for statewide cyber efforts that provide shared services to localities.
Fuller also suggested that local governments undertake cybersecurity assessments and complete “basic cybersecurity hygiene goals” before they be allowed to buy technology.
Louisville, Kentucky Councilman Kevin Kramer, who also testified on behalf of the National League of Cities, said requiring every city to apply for grant funding through their state is an inefficient “one-size-fits-all” approach that makes it more costly to administer the program. He called for a “direct competitive grant fund” that large municipalities could apply to directly.
Kramer also said the complexities of the program and the grant application process make it difficult for smaller jurisdictions to compete for dollars. He recommended that the application process be simplified and the window for applications be lengthened, all while keeping in mind controls to prevent waste, fraud and abuse.
“Small towns are poised to benefit the most from cybersecurity funding, yet lack the staff support to manage a complex grant application and administration process,” Kramier said. “A tight application window exacerbates this problem, as communities need time to assess their needs, scope out and get quotes for solutions to the gaps they identify and complete all required elements of the application.”
But the future is uncertain, both for cybersecurity funding more broadly and for the future of this program. Raymond, a past NASCIO president, said that uncertainty has local governments reluctant to ask for more money.
“Many local governments have stated that their fear that the program may expire impedes their application for future funding,” he said. “They are reluctant to go through the arduous task of standing up a new cybersecurity program and acquiring the matching funds needed, only to have federal support evaporate after a few years.”
Adding to the uncertainty for state and local governments is a recent executive order from President Donald Trump that put the onus on them, not the federal government, to respond to and prepare for cyberattacks. That effort appears to be part of Trump’s wider push to overhaul FEMA, but Raymond argued that if the federal government wants to take a step back, it should help other levels of government “meet this increased burden” in the face of major threats.
“[While] changes and improvements are needed, we strongly believe that it is better to continue to improve SLCGP rather than allow it to expire,” Raymond said. “We have no reason to believe that states, towns, schools and critical infrastructure providers will see less targeting by criminals, nation states and cyber activists. Rather, we expect that the threats faced by stakeholders will only increase in the coming years.”