Security

State CIOs Urge the House to Reauthorize SLCGP Funding

State and local leaders testified before a House subcommittee in support of the State and Local Cybersecurity Grant Program, as nation-states ratchet up cyberattacks against critical infrastructure.

Dominick Sorrentino

Dominick Sorrentino is web editor for StateTech.

The House Subcommittee on Cybersecurity and Infrastructure Protection heard testimony from state and local leaders Tuesday, who urged reauthorization of the State and Local Cybersecurity Grant Program.

The SLCGP, which provides $1 billion in funding over four years to support state, local and territorial governments, will expire Aug. 31, 2025. The deadline looms as nation-state-sponsored cyberattackers target utilities, transportation, hospitals, emergency services and schools.

During his testimony, Utah CIO Alan Fuller provided a real-world example of how funds directly aided the detection and prevention of a cyberattack on a Utah airport.

“Cybercriminals attempted to deploy ransomware on the airport's IT systems, which would have been disastrous, especially during the busy holiday travel season,” Fuller said. “Fortunately, SLCGP funds have provided security tools, and we were able to detect and interrupt the attack as it was happening.”

Connecticut CIO Mark Raymond advocated for additional funding to help state and local entities combat threats from foreign governments, including China, North Korea, Russia and Iran.

“State and local governments are not prepared to fight this kind of cyber engagement with foreign nations,” he said.

Click the banner below to subscribe for the StateTech newsletter for weekly updates.

CIOs Request More Than Four Years of Additional Funding

In addition to reauthorization, state CIOs requested that funding be offered on a more permanent basis.

“Above all, we ask Congress to reauthorize and fully fund this program with predictability and consistency,” said Louisville (Ky.) Metro Government Councilman Kevin Kramer. “Without that, local governments are less likely to make the necessary investments in planning and assessment that lead to strong applications and long-term resilience.”

Fuller said that predictable funding extending beyond the four-year cycle will encourage greater participation among jurisdictions.

“People feel hesitant that if the funding is not going to be there, that they're going to start into the program and then the funding gets cut and then they're left holding the bag,” he said.

Above all, we ask Congress to reauthorize and fully fund this program with predictability and consistency.”

Kevin Kramer Councilman, Louisville (Ky.) Metro Government

Other requests included faster sharing of federal cybersecurity intelligence with state and local agencies, and simplifying the application process so that small, resource-strapped communities can more easily access funds.

“These are often the very communities that would benefit the most,” Kramer said.

Robert Huber, chief security officer at Tenable, was also on the panel and agreed with Kramer:

“Any administrative burden that might be involved in applying for the grant would be significant for an entity such as that, smaller size. But make no mistake, those smaller rural entities, that could be [home to] the hydrostation that fuels a larger municipality. That's a national security [matter] and an economic impact to the region.”

Local Jurisdictions Have the Most at Stake

Connecticut disburses funds to local jurisdictions as financial packages, whereas Utah and some other states directly purchase tools for specific jurisdictions. Despite a slow start to SLCGP due to lack of awareness, both Connecticut and Utah say that most if not all local jurisdictions are now aware of the program and benefit from the flexibility of the funding model.

“With funding secured through the SLCGP and corresponding state appropriations, a comprehensive cybersecurity initiative has been deployed across 140 governmental entities in the state,” Fuller said of Utah.

Small and rural communities’ needs are particularly dire, Kramer said during his testimony.

“Of the 19,000 municipalities nationwide, over 16,000 have populations under 10,000 people. Many have no dedicated IT staff at all.”

DIVE DEEPER: Small and rural communities are modernizing legacy tech.

Louisville used the funds to develop the Kentucky Cyber Threat Intelligence Cooperative. The platform shares timely, actionable cyberthreat information among regional governments and private sector partners.

“This grassroots multisector effort strengthens the entire region's cyber resilience, not just Louisville's, and it wouldn't be possible without this grant program,” Kramer said.

Kramer also advocated for larger cities to be able to apply directly for grant funding.

“We urge Congress to create a complementary direct-funding track for eligible larger municipalities,” he said.

Lawmakers Express Bipartisan Support

Lawmakers on the committee by and large expressed bipartisan support for the program.

“Getting this reauthorized and fixed, I think, is a very important goal that we all have,” said Rep. Andrew R. Garbarino, R-N.Y., who serves as chair of the subcommittee.

Rep. Eric Swalwell, D-Calif., ranking member of the subcommittee, added, “Reauthorizing the cybersecurity grant program is necessary to ensure we do not take our foot off the gas at this critical time, and passing a reauthorization bill before this program expires in September is one of my top priorities on the committee.”

ajansen/Getty Images