State Cyber Center seeks stable funding; lawmakers hear 0‑trust and digital identity progress
Loading...
Summary
The Utah Cybersecurity Commission and state IT leaders briefed the committee on endpoint protection, ransomware mitigation, and a statutory progress report on 0‑trust architecture and state‑endorsed digital identity (SEDI). Officials requested $5 million in ongoing state funding to sustain programs after federal grants expire and outlined privacy and 'no tracking' principles for the planned digital identity framework.
State cybersecurity and technology leaders told the committee that Utah’s cyber posture has strengthened but needs sustained funding and legislative direction to continue expansion.
Catherine McNeal of the Statewide Information and Analysis Center said the Utah Cyber Center has deployed endpoint protection on more than 30,000 endpoints in 23 counties, helped stop 272 ransomware attacks and nearly 8,000 malware attempts, provided security awareness training to 24 of 29 counties, and expanded patch management and technical support for rural jurisdictions. She said the state‑local cybersecurity grant program (SLCGP) is set to expire in 2027 and the Cyber Center is seeking $5,000,000 in ongoing state funding to sustain these services.
McNeal and Phil Bates, the state chief information security officer, described the SLCGP as a federal match program that supplied roughly $13,000,000 over four years; Bates said the federal match rate has shifted and that the state would need $5,000,000 to run the program absent federal support (or a smaller $1.5M state share if federal funding returns with a lower match requirement).
McNeal highlighted the leading causes of successful ransomware incidents—unpatched software, default passwords and lack of multi‑factor authentication—and said many attacks are preventable with common controls and training. She also said some crypto‑funded scams and ransomware payments mean losses are larger than official reporting; she cited FBI IC3 figures and ongoing work to reconcile underreporting.
Alan Fuller, the state chief information officer, briefed the committee on 0‑trust architecture required by statute, describing adoption of NIST 0‑trust guidance, a statewide push to standardize multi‑factor authentication (ENTRE ID/UTID), an approved‑vendor list (FedRAMP/GovRamp standards) and a planned migration of over 1,200 state applications as part of identity and access management modernization.
Christopher Bramwell, the state chief privacy officer, discussed progress under Senate Bill 260 on a state‑endorsed digital identity (SEDI). Bramwell emphasized foundational principles: identity belongs to the individual, privacy protections (including a commitment of ‘‘no tracking’’), parental delegation for children’s identities, and that the state’s role is to protect rights. He described efforts to build a SETI framework that prioritizes constitutional protections and interoperability with other states while seeking to avoid surveillance risks.
Committee members asked about concrete loss figures, cross‑jurisdictional data sharing and whether physical IDs would be eliminated; McNeal said FBI IC3 undercounts losses and provided a 2025 FBI IC3‑attributed figure of about $68 million for Utah, and Bramwell and Fuller said the state does not plan to eliminate physical IDs and will emphasize legal, technical and accountability safeguards.
What happens next: presenters said they will provide more detailed financial and programmatic RFA materials for legislative consideration, continue engagement with stakeholders, and return with statutory or budget requests during the 2026 session.
