The State and Local Cybersecurity Grant Program (SLCGP) is up for reauthorization this year, and cybersecurity experts testified before Congress on Tuesday to explain that the program is working but may need some tweaks to make it more effective.
During a hearing before the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, witnesses stressed that the SLCGP is “essential” to helping state and local governments protect themselves against cyberattacks.
Congress established the SLCGP as a part of the Infrastructure Investment and Jobs Act of 2021. The grant program – which operates under a partnership between the Cybersecurity and Infrastructure Security Agency and the Federal Emergency Management Agency – provides $1 billion in funding over four years.
The SLCGP is set to expire this September, at which point the program will not continue to receive Federal funding unless it is reauthorized by Congress.
“The State and Local Cybersecurity Grant Program is a vital component of our national security strategy. It fosters state and local collaboration, builds awareness among local leaders, and enables proactive planning. But for the program to reach its full potential, improvements are needed,” said Kevin Kramer, a councilman in Louisville, Ky., and the first vice president of the National League of Cities.
For example, Kramer explained that the “one-size-fits-all” model limits efficiency for larger jurisdictions like Louisville, which he said are capable of managing direct Federal grants. He urged Congress to create a “complimentary direct funding track” for eligible larger municipalities so that they can apply without going through the state.
Additionally, Kramer said the application process needs to be more accessible for small communities, which face tight deadlines and limited staff capacity.
“These are often the very communities that would benefit the most [from SLCGP]. Simplifying the application process and extending timelines would make participation more realistic for them,” Kramer said.
Finally, Kramer said that organizations like state municipal associations should have an opportunity to work together to offer multi-jurisdictional grants. This would allow technical services to be delivered to multiple communities at once, he noted.
“Just as most people take their cars to a qualified mechanic, small governments need trusted partners to handle complex cyber tasks,” Kramer said.
“Above all, we ask Congress to reauthorize and fully fund this program with predictability and consistency,” he added. “Without that, local governments are less likely to make the necessary investments in planning and assessment that lead to strong applications and long-term resilience.”
Other witnesses also underscored the importance of fully funding the SLCGP. Alan Fuller, the chief information officer (CIO) for the State of Utah, shared that funding from the program has helped Utah block seven major cyberattack incidents in the last six months alone.
“Utah’s positive experience with this grant program is not an outlier,” Fuller said. “States have been able to use SLCGP to provide vital technology services that many smaller communities simply would not otherwise be able to implement.”
However, Fuller said that the program needs “continuity of funding,” and urged lawmakers to make the authorization longer than four years.
“People feel hesitant that if the funding is not going to be there, that they’re going to start into the program and then the funding gets cut, and then they’re left holding the bag,” Fuller explained. “That makes them hesitant to adopt.”
Mark Raymond, the CIO for the State of Connecticut, agreed that “ongoing sustainable funding” is crucial to the program’s success. Additionally, Raymond underscored the importance of ongoing assessments.
“You cannot manage what you don’t measure, and so understanding what that cyber risk looks like is critical to this ongoing success,” Raymond said, adding, “Preventing attacks is far better than recovering from them.”
Subcommittee Chairman Andrew Garbarino, R-N.Y., and Ranking Member Eric Swalwell, D-Calif., both said that reauthorizing the SLCGP and ensuring its success is a priority.
“Getting this reauthorized and fixed, I think, is a very important goal that we all have,” Rep. Garbarino said. “Cybersecurity is a whole of society challenge, meaning the Federal government must continue to support and strengthen cybersecurity at the state and local levels to protect our nation’s networks and critical infrastructure.”
“Reauthorizing the cybersecurity grant program is necessary to ensure we do not take our foot off the gas at this critical time, and passing a reauthorization bill before this program expires in September is one of my top priorities on the committee,” added Rep. Swalwell.