State, local cyber grants would get extension in shutdown deal

The Senate’s approval Monday of a funding package that would reopen the government would also extend authorization of the well-reviewed State and Local Cybersecurity Grant Program.

The deal, which would fund government operations until Jan. 30, mostly at the same rates, including food aid through the Supplemental Nutrition Assistance Program, and also ensure backpay for furloughed federal workers, has reportedly left few entirely satisfied. Democrats did not achieve a resolution on the expiring health care tax credits that prompted the shutdown, and must wait until next month to continue that debate, but the continuation of the cyber grants, along with an extension of the 2015 Cybersecurity Information Sharing Act, is a bright spot for state technology leaders who’ve relied on the vitality of both programs as they’ve sought to defend their IT systems.

The National Association of State Chief Information Officers, a group that represents state governments’ top technology officials, noted in a statement Tuesday that the inclusion of both cyber programs in the House funding bill “demonstrates that Congress is indeed taking this issue seriously,” the issue being cybersecurity. (The House could approve the legislation as soon as Wednesday.)

When the cyber grant program, a four-year, $1 billion fund designed primarily to assist poorly resourced local governments shore up their defenses, became law in 2021, it was received enthusiastically, but envisioned by most as only a starting point to fix the persistent issue of disruptive and costly cyberattacks against the smallest and most vulnerable governments. (The Nevada state government is the most recent victim of a major government cyberattack, an incident attributed by the state last week to a system administrator having unknowingly downloaded malware from a spoofed website.)

The question of how much funding is needed to secure every county office and K-12 school district across the country, or whether funding alone is sufficient for such a task, is a discussion recently renewed as the first iteration of the grant program winds down. Several industry groups in September proposed the figure of $4.5 billion over two years, while more ambitious proposals to renew the program for another decade have others speculating about the potential for even larger commitments. NASCIO on Tuesday alluded to the need for a more permanent program, calling the extension of both laws, while welcome, only a “temporary solution.”

“Congress should act swiftly to provide certainty and stability for state governments by passing a long-term extension of both programs, combined with adequate levels of funding, that will allow stakeholders to strengthen their cyber defenses and meet the challenges of the future,” the group’s statement read.

The grant programs are especially valuable for states as President Donald Trump’s administration continues to shrink security programs, including those at the Cybersecurity and Infrastructure Security Agency, that have long coordinated with state and local agencies and provided resources and support. A round of firings at CISA last month will eliminate almost all of the 95 employees at its Stakeholder Engagement Division, which coordinates cybersecurity improvements for the nation’s critical infrastructure.