New president, similar federal agenda for state CIOs in 2025
The National Association of State Chief Information Officers on Tuesday unveiled its federal advocacy priorities for 2025, an abbreviated list indicating what state technology leaders want from the federal government as they govern the likes of artificial intelligence, cybersecurity threats and grant funding.
While the group tweaked some of the language used in its priorities from last year, the list centers on the same five items: artificial intelligence, adoption of the .gov domain, “responsible implementation” of federal cyber grant funding, cybersecurity workforce shortages and federal cybersecurity regulations that don’t conflict.
Alex Whitaker, NASCIO’s director of government affairs, told StateScoop that the organization gave its priorities list to the new administration after recently being contacted by President Donald Trump’s transition team.
He said NASCIO has retained many of its key contacts in the federal government, such as personnel at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. But he said the group is also building new relationships with the incoming administration and the Republican-controlled Congress.
“We’re not starting from scratch, but there’s a lot of meetings to have,” Whitaker said.
State and local cyber grants
Following its creation by the 2021 Infrastructure Investment and Jobs Act, the State and Local Cybersecurity Grant Program continues to be one of NASCIO’s top priorities. The four-year program set aside $1 billion for states to spend on cybersecurity improvements, mainly for local governments. IT officials from several states told StateScoop they’re waiting for their third-year funding.
In its latest publication, NASCIO recommends states continue working with CISA and the Federal Emergency Management Agency, the agencies administering the program. It also recommends states use the grant program, which has required growing levels of fund matching from states each year, as a launch pad for long-term cybersecurity policies that can be sustained beyond any one federal program.
Whitaker said the future of the cyber grant program is unclear, though, after Trump last week signed an executive order telling agencies to “immediately pause” funding from the infrastructure bill and the Inflation Reduction Act of 2022. An Office of Management and Budget memo on Jan. 21 clarified that the order means only to pause Biden–era infrastructure funding related to climate change policy, such as incentives for electric cars and home appliances, but many in state government have said they’re still unclear on the future the cyber grants.
When asked for clarification, CISA directed StateScoop to the White House. The White House did not respond to requests for clarification on the order.
Whitaker said he is unclear on the future of the cyber grant program, but noted that NASCIO is continuing to advocate not only for the final year of funding to be dispersed, but for the program to be renewed for additional years.
“We’ve seen this money put to really good use in the states,” Whitaker said. “And not only has the money been put to good use, but we’ve seen relationships between the state and local governments really improve. So places where we’ve never seen the state and local governments speak to anyone in the state about cybersecurity, well this grant requires that they coordinate and start working together. It’s hard to put a price tag on that.”
Several state chief information officers have told StateScoop that the grant program, and the “whole of state” cybersecurity programs their states led in conjunction with that funding, have strengthened relationships with local governments. Former Indiana CIO Tracy Barnes, who resigned this month as a new governor took office, said improving relationships with local governments, with the aim of bolstering cybersecurity policy, was his legacy as CIO.
“What we’ve done to reconnect with local governments and really bolster the entire state’s technology and cybersecurity posture, that has felt phenomenal. They literally said to me: We have never trusted the state and, Tracy, you’ve made an effort and found a way to help us come together to move this stuff forward,” Barnes said, recounting a recent conversation with local officials.
.Gov domain, cyber workforce
NASCIO is also continuing to push this year for continued adoption of the .gov domain on government websites. CISA, which administers the .gov domain, recommends governments use it for their websites because it offers additional security features and it boosts trust with the public. Since CISA waived the domain’s annual registration fee in 2021, adoption by local governments has grown, but slowly.
NASCIO calls use of the domain “essential.” It this year recommends CISA establish a “stakeholder advisory group” that includes state CIOs and chief information security officers to help support the program for local governments. NASCIO also recommends the federal government make .gov adoption an eligibility requirement for the state and local cyber grant program.
Cybersecurity workforce shortages continue to pester many, though not all, state governments. NASCIO this year recommended a “collaborative approach” to workforce that creates new partnerships between state and federal governments. It also recommends expanding worker training and education programs and the pursuit of “comprehensive solutions,” a nod to the complexity of a challenge that can’t be solved by a single solution.
Meredith Ward, NASCIO’s executive deputy director, said on a recent NASCIO podcast, that she expects cyber workforce shortages to grow worse in the coming months and years as more senior technology workers are expected to retire. She predicted this will lead to more state IT offices to outsource work and build programs to train employees in new technologies.
NASCIO is also continuing to push this year for what it calls “harmonized” cybersecurity regulations. Whitaker said NASCIO’s members often note that they’re not committed to any particular set of cybersecurity rules, but that they are tired of being pulled in several directions by federal agencies that audit the states using conflicting standards.
‘Far off-mission’
The future of states’ interactions with the federal government on cybersecurity policy will be largely swayed by new leadership at the Department of Homeland Security. Former South Dakota Gov. Kristi Noem, whom the Senate confirmed as the department’s new secretary on Saturday, said during her confirmation hearing last week that she believes CISA has strayed “far off-mission.”
“They’re using their resources in ways that was never intended,” Noem told lawmakers during the hearing. “The misinformation and disinformation they have stuck their toe into and meddled with should be refocused back onto what their job is, and that is to support critical infrastructure and to help our local and small businesses and critical infrastructure at the state level to have the resources and be prepared for those cyberattacks they will face.”
In her opening statement, Noem referenced a plan she’ll implement to more heavily rely on the private sector.
“As secretary, I will prioritize a comprehensive whole-of-government approach to cybersecurity,” she said. “In fact, in the coming days, we have to plan bigger and think faster and smarter. I fully acknowledge that people in Washington, D.C., do not have all of the answers, and therefore I will leverage private-public partnerships. I’ll advance cutting-edge state of the art technologies to protect our nation’s digital landscape.”
NASCIO’s final advocacy priority relates to governance of artificial intelligence. As with cybersecurity, Whitaker said, the group is encouraging the federal government to work with states as it develops its policies so that past mistakes in cybersecurity governance are not replicated with AI.
“What we’d like to do,” Whitaker said, “is not get into the position we’re in with cybersecurity regulatory harmonization, where if the feds had talked to states early in that process, 10 or 15 years ago, we might not be in this situation where we have to have to worry about duplicative federal regulations.”
Trump last week revoked Joe Biden’s executive order on AI and replaced it with his own order calling for policies that advance “America’s global AI dominance.” But in absence of nationwide AI governance, states have over the past two years developed a host of new offices, roles, policies, task forces and executive orders to govern the new wave of artificial intelligence technologies.
A recent analysis of AI executive orders by the nonprofit Center for Democracy and Technology showed that while there’s much overlap in how states are approaching AI, each state approaches AI differently. And one analyst pointed out that oversights in AI governance could lead to “unintended consequences.”
