PILLAR Act Aims to Modernize Federal Cybersecurity Grant Program
Created with four years of advance funding in the infrastructure law, SLCGP was designed to help states stand up enterprise cyber programs and support local partners who often lack dedicated security staff. The Government Accountability Office reported earlier this year that by Aug. 1, 2024, the program had already supported 839 projects nationwide, from hiring cyber contractors and writing policies to upgrading equipment and rolling out multifactor authentication.
That record helped build momentum for a more durable fix. On Nov. 17, the House approved H.R. 5078, the Protecting Information by Local Leaders for Agency Resilience (PILLAR) Act, by voice vote. The bill would extend SLCGP’s authorization through fiscal 2033, replacing the one-time infrastructure law appropriation with a standing authority that Congress would fund annually.
The PILLAR Act also aims to modernize the program. It locks in cost-sharing rules, under which the federal government would cover 60% of eligible activities for single-entity applicants and 70% for multientity regional efforts, with an added bump in the federal share for governments that implement multifactor authentication by a specified deadline, according to the National Association of Counties. It explicitly extends eligibility to operational technology environments and systems that incorporate artificial intelligence, reflecting concerns about attacks on water systems, transit and other critical infrastructure, not just back-office IT.
Like the shutdown deal, however, the House bill is an authorization measure, not a check. NACo notes that the legislation “does not include appropriations,” meaning SLCGP’s future dollar amounts will depend on annual spending bills rather than a new multiyear block grant like the original $1 billion package.
State and Local Cybersecurity Grant Program Unites Leaders
Even so, the reauthorization push has drawn a rare degree of unity from states, counties and industry. In its shutdown statement, NASCIO urged Congress to pair any long-term extension with “certainty and stability for state governments” so they can carry projects past a single grant cycle. County officials have echoed that message, telling lawmakers that predictable cyber dollars are now as basic as road or water funding.
Vendors that work closely with public sector customers are also leaning in. Ahead of the House vote on PILLAR, Ryan Gillis, senior vice president and global head of government partnerships at Zscaler, framed SLCGP as the federal share of a broader national investment.
“Zscaler commends the House Homeland Security Committee’s bipartisan efforts to reauthorize the State and Local Cybersecurity Grant Program, an essential first step toward securing the federal portion of the investment needed to defend the systems that power our communities and support our military readiness,” he said, adding that state and local governments are “on the frontlines of asymmetric cyber warfare, and they cannot meet this challenge alone.”
A long list of other technology firms, trade groups and state and local organizations have filed similar endorsements, arguing that a stronger, modernized SLCGP would help under-resourced communities stand up shared services — such as endpoint detection, security operations centers and cyber training — that they could never afford on their own.
For now, the program’s near-term fate is secure: SLCGP is alive through at least January, and there is a House-passed bill that would keep it on the books for the rest of the decade. The next tests will come in the Senate, where the PILLAR Act awaits consideration, and in upcoming spending negotiations, where state and local leaders will press to ensure that a reauthorized grant program doesn’t exist only on paper.
