Cyber grant uncertainty puts state programs in limbo, GAO report shows
Some state and local government agencies are unsure how they will continue to fund their cybersecurity initiatives in absence of federal support, according to a report published Tuesday by the Government Accountability Office.
Over the past year, the office examined the $1 billion, 4-year State and Local Cybersecurity Grant Program, by randomly sampling state and territorial government agencies that have received funding. It found that most agencies had positive things to say about the program, and some agency representatives selected for interviews by the federal office reported concerns with how they’ll continue their cybersecurity initiatives after the program’s one-time funding runs out, or if it’s prematurely ended.
The findings mirror what many technology officials and industry analysts have been saying during the first three months of the Trump administration, which has slashed hundreds of positions at the Department of Homeland Security and its Cybersecurity and Infrastructure Security Agency, with plans to cut hundreds more.
After cuts of several other treasured DHS programs in recent weeks, many state leaders fear the cyber grants may be next. State technology officials testified before a House cybersecurity subcommittee this month that the program has been essential, and asked for its continuation.
Some officials told GAO they would instead use other federal funding sources, like the Homeland Security Grant Program, to continue their IT security projects, but several said those funds would not be enough.
The Cyber Grant Program, jointly administered by the DHS’s Federal Emergency Management Agency and CISA, requires states to funnel 80% of the funding to local governments, which are often the shortest on IT staff and funding, further stretching a critical pot of funding shared by the states.
“We have really benefitted from the SLCGP,” Maryland Chief Information Officer Katie Savage told StateScoop. “Because of the funding, we are working with 40 different counties to do assessments and remediations of their cyber posture, so we really rely on that funding.”
The GAO report shows that the program, as of Aug. 1, 2024, had funded 839 projects, covering a wide range of security needs. This represented $172 million in grants provided to 33 states and territories.
Of that funding, $42 million represents projects related to identity. The next two largest funding areas were detecting cybersecurity events ($22 million), and protecting systems ($20 million). The office identified $75 million in projects that belong to multiple categories.
Some officials told GAO they’ve been administratively challenged by the program, citing inexperienced grants management staff and personnel turnover.
States and local governments that receive Cyber Grant funding must also provide a share of matching funds that grows each year. Officials told GAO this has also been challenging because many states do not dedicate a fixed percentage of funding to cybersecurity but must continually justify the existence of each cyber project.
One unnamed official interviewed by the GAO is quoted in the report as saying that some localities are left deciding between paving their roads or effectively defending their networks.
Savage said the grant program has allowed Maryland to provide local governments with additional technical support. A so-called “whole of state” approach to cybersecurity, in which state officials more frequently collaborate with academia, local governments and private industry, has been a trend furthered by the grants that many have welcomed.
“They don’t always have that expertise,” Savage said of local governments. “And cyber talent’s hard to find. The SLCGP gives us some funding to at least send professionals in to diagnose the problems. And it helps them be more targeted with the funding they do have to do remediation.”
In another instance of whole-of-state support, Savage said her state created a “community of practice” for wastewater utilities. Utilities don’t fall under the CIO office’s jurisdiction in Maryland, she said, but a broader approach to cyber enabled by the grants creates new opportunities to consider defense.
