Exploring the State of State and Local Cyber Resources

State and local organizations are highly targeted by cyber criminals due to the value of the data they hold and the criticality of the systems they operate. In 2024, there were over 40,000 potential cyber attacks targeting state, local, and tribal governments. Despite this very real threat, these same organizations are largely underfunded and understaffed when it comes to cyber protection.

The federal government has looked to fill this gap between risk and preparedness. The State and Local Cybersecurity Grant Program (SLCGP) was established under the Infrastructure Investment and Jobs Act of 2021, providing (when combined with the Tribal Cybersecurity Grant Program) $1 billion in funding available over four years for state, local, tribal, and territorial cybersecurity efforts. This program ended at the close of the 2025 government fiscal year but received a short-term extension under the stopgap funding agreement that reopened the government in November 2025.

Similarly, the Multi-State Information Sharing and Analysis Center (MS-ISAC) was also discontinued as of September 30, 2025. This center, established 20 years ago as a partnership between the non-profit Center for Internet Security (CIS) and the Cybersecurity and Infrastructure Security Agency (CISA), facilitated the sharing of critical cybersecurity intelligence across state lines, providing threat-monitoring services and other resources at free or heavily discounted rates.

Looking ahead, there are several initiatives underway to ensure states and localities get the support they need to secure the IT and physical infrastructure that the nation's citizens depend on.

PILLAR Act

The Protecting Information by Local Leaders for Agency Resilience (PILLAR) Act was passed by the House in November 2025. It reauthorizes the SLCGP through 2033 or 2035 (depending on final bill language) with some changes:

  • Adds "Operational Technology" (OT) and systems that leverage "artificial intelligence" (AI) to the list of eligible infrastructure that can be funded under the grant.
  • Sets the federal cost share, with incentives for strong security practices: the base federal share is 60% for single entities and 70% for multi-entity (joint) applicants.
  • Incentivizes adoption of multi-factor authentication (MFA) by increasing the federal cost-share percentage if MFA is implemented by a set date.
  • Adds long-term planning and accountability requirements, requiring grant recipients to report how they plan to assume ongoing costs after the grant ends. This is particularly important given the concerns that arose when MS-ISAC and SLCGP ended.
  • Requires CISA to conduct outreach specifically to local governments in rural areas or with small populations to raise awareness about no-cost (or low-cost) cybersecurity services.

The bill has passed the House but does not yet have a funding amount attached to it.

New Grant Funding Model

With the cooperative agreement between the government and the Center for Internet Security ending, states and localities must pay a membership fee to access MS-ISAC services. Many underfunded states and localities are unlikely to pay these fees, reducing the reach of the program.

To compensate, CISA will now support state and local governments more directly, offering grant funding, no-cost cybersecurity tools/services, and support from regional cybersecurity coordinators/advisers utilizing SLCGP funding.

States are also looking for ways to expand cyber funding and support to more rural or underfunded areas. Arizona launched a $10 million Statewide Cyber Readiness Program to provide free basic security services to underfunded local and tribal government organizations.

To stay on top of efforts to ensure the security of state and local IT, check out these resources:

  • CyberTalks (February 19, 2026; Washington, DC) - Hear from the leading voices at the intersection of government and the technology industry on the latest tactics to combat current and future cyber risks.
  • 3rd Annual Billington State and Local Cybersecurity Summit (March 9-11, 2026; Washington, DC) - Federal, state, local, and tribal government officials, along with industry experts, will share best practices, learn from one another, enhance current cyber operations, and bolster future defenses.
  • Harris County Regional Digital Government Summit 2026 (March 16, 2026; Houston, TX) - This summit empowers public-sector leaders to explore cutting-edge technologies, modernize operations, and solve pressing challenges. From cybersecurity and AI to data governance and digital service delivery, sessions are designed to spark insight, foster collaboration, and accelerate real-world results.
  • Navigating Challenges: How GovRAMP Empowers State and Local Governments (white paper) - State and local governments face mounting pressure from tight budgets, rising cyber threats, staffing shortages, and aging technology. This paper explores how GovRAMP provides a standardized, trusted framework that helps agencies modernize securely while navigating complex procurement and compliance demands.
  • Enterprise Architecture: A Guide to State Government Continual Transformation (white paper) - Enterprise architecture is more than an IT framework--it's a strategic discipline that helps state governments manage complexity and drive ongoing transformation. By aligning business processes, technology investments, and organizational goals, this approach reduces redundancies and boosts service efficiency.
  • Creating a Privacy Program: A Roadmap for States (white paper) - As states expand digital services and data-sharing partnerships, the demand for formal privacy governance is rising--prompting a sharp increase in the appointment of state Chief Privacy Officers (CPOs). NASCIO's roadmap offers a structured approach for states to launch or strengthen privacy programs, from establishing a mission to developing breach response plans.
  • IoT for the Public Sector: Moving from Risk to Reward (white paper) - The public sector is increasingly turning to IoT to enhance mission outcomes--from streamlining city traffic to improving classroom safety and enabling remote healthcare in rural areas. Security risks--from outdated firmware to lateral network attacks--are real, and discovery is the first step in addressing them.

For more on state and local cybersecurity efforts, visit and search GovEvents and GovWhitePapers.

Acquisition Impacts of the 2026 National Defense Authorization Act (NDAA)

The 2026 National Defense Authorization Act (NDAA) was passed by both houses of Congress and signed by the President. It authorizes $900 billion in spending and includes significant reforms to the acquisition process, impacting how that money is spent.

Provisions in the NDAA that impact acquisition include:

2026 Government Event Trends

The government market has seen an unprecedented level of change in the past year. From integrating new technologies to adapting to new policies, government professionals need opportunities for collaboration and learning now more than ever. The event market has been adapting to all of these changes; here are some key trends we're keeping an eye on for 2026.

Shutdown and Travel Restrictions

The disruption of the extended government shutdown threw a wrench in carefully crafted event plans. The annual meeting of the Association of the United States Army (AUSA), drawing 40,000 attendees, was scheduled, as always, for the middle of October. Alex Brody, AUSA's director of events, shares, "We had 12-14 months to plan the event and then had two weeks to create alternatives and contingency plans." In the end, the event had full participation in terms of speakers and attendees. Brody is thankful that they now have solid contingency plans in place for any future disruptions, stating, "We now know how to operate in a shutdown."

Tracking the Rollout of CMMC

The Cybersecurity Maturity Model Certification (CMMC) is a framework that requires companies contracting with the Department of Defense (DoD) to meet security standards based on the sensitivity of the data they manage. These standards, based on the National Institute of Standards and Technology's (NIST) SP 800-171 standard, have been in place for eight years, but CMMC further formalizes compliance.

As of November 10, 2025, Defense agencies now require at least a Level 1 certification to award any new contract. To meet this requirement, companies must self-certify that they comply with 15 controls--specified by 800-171--that cover basic cyber hygiene. Next November 10 (in 2026), DoD will require that Level 2 status for contracts dealing with Controlled Unclassified Information (CUI), which currently can be self-assessed, be verified through a third-party assessment of compliance with all 110 controls in the NIST standard. Then in 2027, contracting officers can start requiring those seeking Level 3 certification to undergo an assessment by the Defense Industrial Base Cybersecurity Assessment Center. A Level 3 requirement would apply to technology dealing with highly sensitive data or systems, where a breach could have far-reaching impact.

Securing Our Healthcare Infrastructure

We don't typically think of healthcare as infrastructure, but the functioning of our healthcare facilities is just as essential as that of our roads and utilities. Because of this criticality, healthcare systems require 100% uptime, a necessity that is vulnerable to the reality of cyber threats.

According to the FBI's Internet Crime Report, the healthcare industry reported 444 cyber-related incidents in 2024, the most out of any critical infrastructure industry. Despite this reality, many hospitals and health systems feel unprepared to respond to and recover from these threats. The Travelers Risk Index survey found that only 51% of healthcare respondents were confident their organizations have best practices in place to prevent or mitigate a cyber event. Key challenges driving this lack of confidence include: