House Homeland Security subcommittee hearing urges reauthorization and fixes for state and local cybersecurity grant program

At a hearing of the House Committee on Homeland Security’s Subcommittee on Cybersecurity and Infrastructure Protection, congressional members and a panel of state and local officials, and private-sector witnesses reviewed the State and Local Cybersecurity Grant Program and urged Congress to reauthorize it and address administrative obstacles.

The program, created in 2021, provides federal grant funding to help state, local, tribal and territorial governments improve cybersecurity for systems that support public services. Members and witnesses said reauthorization is urgent because the program is scheduled to expire in September and because adversary cyber activity against U.S. critical infrastructure is increasing.

Why it matters: Reauthorizing SLCGP would maintain a federal funding stream used by states and municipalities to buy cybersecurity tools, perform assessments, expand incident response and provide training. Witnesses described both measurable benefits — for example, Utah officials said the state used grant funds to provision endpoint security on more than 26,000 devices and provide awareness training to roughly 31,000 local employees — and persistent challenges, including administrative burden, uneven distribution mechanisms and workforce shortages.

Witnesses and testimony: Tenable’s witness (identified in the transcript as Robert Huber; the witness also self-identified as Bob Schubert) described SLCGP as “a vital tool,” and recommended reauthorization with changes including sustainable multi-year funding, alignment with recognized standards (for example, the NIST Cybersecurity Framework), lower and leveled cost-share requirements and simplified application processes. Huber also recommended enactment of the Cyber Pivot Act to expand and diversify the cybersecurity workforce.

Alan Fuller, chief information officer for the State of Utah, said Utah used SLCGP funds and matching state funds (He reported receiving about $13,000,000 in federal funds and $4,000,000 in state matching funds) to deploy a set of common tools, assessments and a cyber center that helped the state detect and interrupt multiple active attacks, including incidents that targeted an airport and a 9-1-1 dispatch center. Fuller said the program enabled common tooling and relationships that allowed rapid response and limited operational impacts.

Mark Raymond, chief information officer for Connecticut, described a grant-driven program of periodic assessments and awards (Connecticut reported awarding close to $3,000,000 in FY 2022 with roughly $2,100,000 of that going to local governments and expected FY 2023 awards exceeding $7,000,000 with about $4,300,000 to local governments). Raymond said assessments using the NIST Cybersecurity Framework showed many municipalities remain at elevated risk and that the grants funded incident planning, multi-factor authentication, ransomware protections and state-level exercises such as "Cyber Nutmeg." He recommended ongoing funding, a stable match percentage and making shared services a default to improve statewide efficiency.

Kevin Kramer, first vice president of the National League of Cities and a Louisville councilman, urged Congress to create a direct funding track for larger municipalities and to simplify the application process for small and rural jurisdictions. Kramer described local innovations supported by the grant, including the Kentucky Cyber Threat Intelligence Cooperative (KCTIC), a near-real-time information-sharing platform supported by SLCGP funds.

Members’ concerns and themes: Republican and Democratic members voiced bipartisan support for continuing the program but differed in emphasis. Several members warned against sudden funding pauses or cuts to FEMA and CISA — the two agencies that partner to administer SLCGP — and said administrative delays would undercut state and local adoption. Representative Eric Swalwell (Ranking Member) said, “We cannot leave our state and local governments to fend for themselves,” urging sustained, predictable funding. Multiple members emphasized addressing rural and small-jurisdiction participation, recommending simplified applications, shared-service models and match-waiver clarity.

Program strengths and limits: Witnesses cited demonstrated outcomes — blocked incidents, broader adoption of baseline controls (asset inventories, vulnerability scanning, multi-factor authentication) and stronger state-local relationships. They also identified limits: the pass-through model that routes most funds via states can slow or complicate delivery for some large municipalities; declining or variable state-match rules can deter participation; small jurisdictions often lack staff to apply or absorb equipment; and some states chose not to participate because of uncertainty about continued funding.

Near-term next steps: Committee members kept the hearing record open for written questions and responses. Multiple witnesses urged Congress to reauthorize SLCGP before its September expiration, extend authorization length to give local governments planning certainty, simplify administrative requirements, and consider a direct funding track for larger cities alongside shared-service approaches for smaller jurisdictions.

Ending: The subcommittee adjourned after questioning and indicated it would pursue record responses from witnesses; members signaled they intend to include program reforms and longer-term funding in any reauthorization bill.