Experts urge Congress to reauthorize state and local cyber grant program

Cyber experts urged lawmakers on the Subcommittee on Cybersecurity and Infrastructure Protection to reauthorize funding for the State and Local Cybersecurity Grant Program during a Tuesday hearing, calling it an “essential part of the country’s national security strategy.”
In recent months, Department of Homeland Security Secretary Kristi Noem has questioned the efficacy of the grant program, especially as the Trump administration looks for ways to curb government spending. During her tenure as governor of North Dakota, Noem was one of only two governors in the country to refuse funding for state cybersecurity grants in 2022 and 2023, calling it “wasteful spending.”
With the grants on the chopping block, four cybersecurity experts, including Alan Fuller, chief information officer of Utah, argued before the subcommittee that the program allows municipalities with limited resources to implement a whole-of-state cybersecurity policy, strengthens relationships between state and local governments through information-sharing, and is a cost-effective prevention measure against the growing landscape of cybersecurity threats.
“SLCGP has allowed states to further embrace a ‘whole-of-state’ approach to cybersecurity,” Fuller, who also serves as the secretary-treasurer of the National Association of State Chief Information Officers, told the subcommittee. “By approaching cybersecurity as a team sport, information is widely shared and each stakeholder has a clearly defined role to play when an incident occurs.”
Fuller added that state and local governments can use grant funding in a variety of ways. According to the NASCIO 2024 State CIO Survey, cybersecurity training, endpoint detection and assessments are the primary focus for funds, followed closely by support for migration to .gov domains and security monitoring.
“It is precisely these critically important but attainable basic cyber hygiene measures that the grant was designed to address,” Fuller said. “As we’ve seen in Utah, almost every state who has implemented funding from this program has seen some examples of tangible success in improving their cybersecurity posture.”
Mark Raymond, chief information officer of Connecticut and one of the longest serving state CIOs in the country, argued that local municipalities — which are typically charged with managing critical infrastructure such as water treatment facilities, healthcare facilities, academic institutions, or public safety offices — too often do not have the tools to safeguard the sensitive data they hold.
“It is important to note that those who deliver these services often do not have the appropriate funds to adequately protect the technology and data within their care alone,” Raymond said. “It is critical that they receive support from their federal partners if they are to remain effective.”
Raymond also argued that “preventing attacks is far better than recovering from them.”
According to a 2024 report from cyber firm Sophos, ransomware attacks doubled between 2018 and 2024, causing over $1 billion in operational downtime for state and local governments.
Room for Improvement
Though there was clear bipartisan support and the subcommittee largely acknowledged the cyber grant program’s importance to national security, the expert witnesses also said there was room for improvement.
Kevin Kramer, a city councilman in Louisville, Kentucky, suggested that extending the program’s deadlines and simplifying the eligibility requirements would make the application process easier and more accessible for smaller communities with a limited workforce that often has competing priorities.
“Small communities face major barriers, tight deadlines, complex requirements and limited staff capacity,” said Kramer, who also serves as vice president for the National League of Cities, a nonpartisan organization that advocates for 19,000 member municipalities. “These are often the very communities that would benefit the most. Simplifying the application process and extending timelines would make participation more realistic for them.”
Kramer cited multi-jurisdictional grants, which are managed by state municipal associations, as an example of effective grant management that allows technical services to be delivered to many communities at once.
“[This] approach is far more efficient than requiring each town to stand up its own cybersecurity team. Just as most people take their cars to a qualified mechanic, small governments need trusted partners to handle complex cyber tasks,” he argued.
Kramer also suggested Congress create a complementary direct funding track for eligible larger municipalities, like his Louisville, that are capable of managing direct federal grants without needing to apply through the state first.
“Cybersecurity is a whole-of-nation challenge. It demands a true intergovernmental partnership,” Kramer said. “The State and Local Cybersecurity Grant Program is a cornerstone of that partnership.”