State and local organizations are highly targeted by cyber criminals due to the value of the data they hold and the criticality of the systems they operate. In 2024, there were over 40,000 potential cyber attacks targeting state, local, and tribal governments. Despite this very real threat, these same organizations are largely underfunded and understaffed when it comes to cyber protection.
The federal government has looked to fill this gap between risk and preparedness. The State and Local Cybersecurity Grant Program (SLCGP) was established under the Infrastructure Investment and Jobs Act of 2021, providing (when combined with the Tribal Cybersecurity Grant Program) $1 billion in funding available over four years for state, local, tribal, and territorial cybersecurity efforts. This program ended at the close of the 2025 government fiscal year but received a short-term extension under the stopgap funding agreement that reopened the government in November 2025.
Similarly, the Multi-State Information Sharing and Analysis Center (MS-ISAC) was also discontinued as of September 30, 2025. This center, established 20 years ago as a partnership between the non-profit Center for Internet Security (CIS) and the Cybersecurity and Infrastructure Security Agency (CISA), facilitated the sharing of critical cybersecurity intelligence across state lines, providing threat-monitoring services and other resources at free or heavily discounted rates.
Looking ahead, there are several initiatives underway to ensure states and localities get the support they need to secure the IT and physical infrastructure that the nation's citizens depend on.
PILLAR Act
The Protecting Information by Local Leaders for Agency Resilience (PILLAR) Act was passed by the House in November 2025. It reauthorizes the SLCGP through 2033 or 2035 (depending on final bill language) with some changes:
- Adds "Operational Technology" (OT) and systems that leverage "artificial intelligence" (AI) to the list of eligible infrastructure that can be funded under the grant.
- Sets federal cost-share, with incentives for strong security practices, with the base federal share at 60% for single entities and 70% for multi-entity (joint) applicants.
- Incentivizes adoption of multi-factor authentication (MFA) by increasing the percent of federal cost share if MFA is implemented by a set date.
- Adds long-term planning and accountability requirements, requiring grant recipients to report how they plan to assume ongoing costs after the grant ends. This is particularly important given the concerns that arose when MS-ISAC and SLCGP ended.
- Requires CISA to conduct outreach specifically to local governments in rural areas or small populations to raise awareness about no-cost (or low-cost) cybersecurity services.
The bill has passed the House but does not yet have a funding amount attached to it.
New Grant Funding Model
With the cooperative agreement between the government and the Center for Internet Security ending, states and localities must pay a membership fee to access MS-ISAC services. Many underfunded states and localities are unlikely to pay these fees, reducing the reach of the program.
To compensate, CISA will now support state and local governments more directly, offering grant funding, no-cost cybersecurity tools/services, and support from regional cybersecurity coordinators/advisers utilizing SLCGP funding.
States are also looking for ways to expand cyber funding and support to more rural or underfunded areas. Arizona launched a $10 million Statewide Cyber Readiness Program to provide free basic security services to underfunded local and tribal government organizations.
To stay on top of efforts to ensure the security of state and local IT, check out these resources:
- CyberTalks (February 19, 2026; Washington, DC) - Hear from the leading voices at the intersection of government and the technology industry on the latest tactics to combat current and future cyber risks.
- 3rd Annual Billington State and Local Cybersecurity Summit (March 9-11, 2026; Washington, DC) - Federal, state, local, and tribal government officials, along with industry experts, will share best practices, learn from one another, enhance current cyber operations, and bolster future defenses.
- Harris County Regional Digital Government Summit 2026 (March 16, 2026; Houston, TX) - This summit empowers public-sector leaders to explore cutting-edge technologies, modernize operations, and solve pressing challenges. From cybersecurity and AI to data governance and digital service delivery, sessions are designed to spark insight, foster collaboration, and accelerate real-world results.
- Navigating Challenges: How GovRAMP Empowers State and Local Governments (white paper) - State and local governments face mounting pressure from tight budgets, rising cyber threats, staffing shortages, and aging technology. This paper explores how GovRAMP provides a standardized, trusted framework that helps agencies modernize securely while navigating complex procurement and compliance demands.
- Enterprise Architecture: A Guide to State Government Continual Transformation (white paper) - Enterprise architecture is more than an IT framework--it's a strategic discipline that helps state governments manage complexity and drive ongoing transformation. By aligning business processes, technology investments, and organizational goals, this approach reduces redundancies and boosts service efficiency.
- Creating a Privacy Program: A Roadmap for States (white paper) - As states expand digital services and data-sharing partnerships, the demand for formal privacy governance is rising--prompting a sharp increase in the appointment of state Chief Privacy Officers (CPOs). NASCIO's roadmap offers a structured approach for states to launch or strengthen privacy programs, from establishing a mission to developing breach response plans.
- IoT for the Public Sector: Moving from Risk to Reward (white paper) - The public sector is increasingly turning to IoT to enhance mission outcomes--from streamlining city traffic to improving classroom safety and enabling remote healthcare in rural areas. Security risks--from outdated firmware to lateral network attacks--are real, and discovery is the first step in addressing them.
For more on state and local cybersecurity efforts, visit and search GovEvents and GovWhitePapers.
