The U.S. House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection reviewed the State and Local Cybersecurity Grant Program (SLCGP), which is up for reauthorization this year. Witnesses noted that although the program is operational, it may need adjustments to boost its effectiveness. Managed by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA), the SLCGP’s current impact was assessed. Subcommittee members also explored potential collaborations with the federal administration to strengthen state and local governments’ preparedness and resilience against cyberattacks.
To help state and local governments improve their cybersecurity postures, Congress passed the SLCGP in 2021. Since this program began, $838 million has been allocated to address cybersecurity risks and threats to information systems owned and operated by, or on behalf of, state, local, and territorial governments. The SLCGP is set to expire this September, at which point the Program will not continue to receive federal funding unless reauthorized by Congress.
Cybersecurity experts testified before Congress, highlighting that targeted modifications could greatly enhance the program’s success. The witnesses at the Committee’s Tuesday hearing included Robert Huber, chief security officer at Tenable; Alan Fuller, chief information officer at the State of Utah; Kevin Kramer, first vice president for National League of Cities Councilman, Louisville, KY; and Mark Raymond, chief information officer for the State of Connecticut.
Andrew Garbarino, a New York Republican and Subcommittee Chairman, said that cybersecurity is a whole-of-society challenge, meaning the federal government must continue to support and strengthen cybersecurity at the state and local levels to protect the nation’s networks and critical infrastructure. “State and local governments must also continue to share information with each other. They play an important role in disseminating best practices, which could greatly benefit organizations with less mature cybersecurity programs.”
“The threat of cyberattacks to U.S. networks and critical infrastructure is real and rising,” according to Garbarino. “For years, the intelligence community has warned of the threat of state-sponsored cyber actors engaging in malicious activities against our critical infrastructure. As we’ve seen, these warnings have become a reality. With the persistent threat that groups like the Typhoons pose to IT and OT assets, any critical infrastructure sector could be the next to fall victim to attacks, or have its data seized through a phishing scheme.”
As cyber actors become increasingly sophisticated and persistent, Garbarino noted that “we can no longer be complacent when it comes to securing our critical infrastructure. We must take all steps necessary to ensure our nation’s cyber preparedness and resilience. In doing so, it is essential that our state and local government partners are similarly well-situated to respond to these threats.”
He also observed that despite often lacking resources and qualified talent for cybersecurity, state and local governments host the key pieces of critical infrastructure that keep the economy running. “If left unprotected, this presents a huge vulnerability.”
Noting that the program does not come without its challenges, Garbarino said that as “we consider reauthorization, we want to understand any administrative burdens or barriers to ensure state, local, and territorial governments can focus on cyber resiliency and preparedness. To that end, it is also Congress’s responsibility to evaluate whether the State and Local Cybersecurity Grant Program is the most efficient and effective means of strengthening the cybersecurity posture of state, local, and territorial governments.”
Fuller wrote in his testimony that under this approach and with the flexibility allowed to provide shared services to local governments, states have been able to use SLCGP to provide vital technology services that many smaller communities otherwise would not be able to implement. While some states have elected to pass SLCGP funding entirely on to local governments, most have either provided service only or employed a hybrid approach of the two methods.
He added that states are also finding a wide array of applicable uses for SLCGP funding.
According to the NASCIO 2024 State CIO Survey, cybersecurity training, endpoint detection and assessments are the primary focus for funds, followed closely by support for migration to .gov domains and security monitoring. It is precisely these critically important but attainable basic cyber hygiene measures that the grant was designed to address. Additionally, almost 100 percent of survey respondents stated that they would like for SLCGP to continue and cited the uncertainty around the program’s long-term future as an impediment to further success.
“As we’ve seen in Utah, almost every state who has implemented funding from this program has seen some examples of tangible success in improving their cybersecurity posture,” Fuller disclosed. “Perhaps most encouraging, however, has been the spirit of collaboration between state and local leaders that the grant has fostered. One requirement to receive funding, the creation of a cybersecurity planning committee to guide how the money will be spent, meaning that these individuals are able to build relationships and trust that will allow them to respond more effectively and successfully to any cybersecurity attacks.”
Additionally, the ‘whole-of-state’ approach has allowed local governments to learn about state services they can utilize, and for state technology leaders to understand where the greatest needs are.
Huber said that given the ongoing threats and increasing responsibilities of state and local governments in managing cybersecurity risks, the SLCGP is more important than ever.
“To receive SLCGP funding, states follow a structured process, beginning with the establishment of a Cybersecurity Planning Committee,” Huber noted. “The committee must include representatives from various sectors, such as state CIOs, CISOs, election infrastructure, public safety, emergency management, and law enforcement. The committee is responsible for developing and revising the state’s Cybersecurity Plan, which must incorporate baseline cybersecurity requirements that meet cybersecurity best practices and recognized standards identified in the SLCGP legislation, ensure the Plan reflects the input of local governments, outline responsibilities for state and local entities, include metrics to measure progress, and summarize associated projects.”
Additionally, states must conduct capability assessments to evaluate their current cybersecurity posture and meet federal cost-share requirements. By reducing financial barriers, SLCGP enables state and local governments to implement essential protections that safeguard their networks and critical infrastructure. Reauthorization of the program is vital to ensure that state and local governments have the resources they need to safeguard the nation’s critical infrastructure.
Tenable recommends several key actions for Congress to strengthen the cybersecurity capabilities of state, local, tribal, and territorial governments, including reauthorizing and improving the SLCGP and prioritizing workforce development through initiatives like the Cyber PIVOTT Act. These steps will help enhance state, local, tribal, and territorial governments’ ability to protect critical infrastructure.
NLC strongly urges Congress to reauthorize and adequately and consistently fund the SLCGP.
“The tens of thousands of municipalities, counties, and special districts need strong federal partnership to protect the nation’s critical infrastructure and the public services that protect residents’ health and safety,” Kramer said. “States and local governments have built the framework of a system to protect against cyberattacks, through developing and maintaining state plans and raising awareness at all levels of government about threats, readiness gaps, and solutions.”
He added that for this system to become strong and effective, it requires consistency from the federal government from year to year. “Without consistent expectation of SLCGP’s future availability, local governments are less likely to do the self- assessment and advance planning necessary for a successful grant application when the window opens.”
Kramer added that NLC looks forward to supporting the Committee in the reauthorization of the State and Local Cybersecurity Grant Program. “Cybersecurity is a ‘whole of nation’ challenge, and requires a truly intergovernmental partnership between federal, state, and local entities to keep our nation’s infrastructure and our residents safe and secure. The State and Local Cybersecurity Grant Program is a crucial piece of this puzzle.”
Raymond wrote that though much has already been accomplished under SLCGP, “we recognize that more can be done to continue this work. Many local governments have stated that their fear that the program may expire impedes their application for future funding. They are reluctant to go through the arduous task of standing up a new cybersecurity program and acquiring the matching funds needed, only to have federal support evaporate after a few years. Additionally, stabilizing the matching formula across all grant years would help significantly simplify administration and attract more applicants.”
“For a state like Connecticut, where no county government exists, the administrative effort to demonstrate each locality has signed onto a shared or statewide solution could be reduced,” according to Raymond. “Flexibility to implement shared solutions, such as a statewide Security Operation Center, would better serve states. Such solutions should be funded as a default offering, allowing municipal governments to opt-out. This would establish collaboration as the expectation in reducing cybersecurity risks and, therefore, reducing overall costs.”
However, Raymond added that while changes and improvements are needed, “we strongly believe that it is better to continue to improve SLCGP rather than allow it to expire. We have no reason to believe that states, towns, schools and critical infrastructure providers will see less targeting by criminals, nation states and cyber activists. Rather, we expect that the threats faced by stakeholders will only increase in the coming years. This grant has helped to establish a solid foundation to continue to expand our nation’s cybersecurity defenses.”
As the current administration intends to increase the responsibility of state and local government to respond to cyberattacks, Raymond pointed out that it is logical that the federal government provide the tools and resources needed to meet this increased burden.
Last month, Republican members of the House Committee on Homeland Security approached the Department of Homeland Security (DHS) to request information and documents regarding the federal government’s response to extensive cyber intrusions by ‘Volt Typhoon‘ and ‘Salt Typhoon,’ two advanced persistent threat actors supported by the People’s Republic of China (PRC). The members sought information on when DHS and the CISA first became aware of the threats and damages caused by these intrusions and asked for a timeline of CISA’s responses to these events.
