Cybersecurity at the State and Local Level: Washington Has the Framework, It’s Time to Act

The March 2025 Executive Order marks a strategic shift, recognizing that cyber resilience is most effective when managed at the state, local and tribal level. By delegating responsibility to the entities closest to the assets, the federal government positions itself as a facilitator rather than a direct operator. This approach aligns with the National Institute of Standards and Technology (NIST) framework, ensuring that local plans are both standardized and adaptable to regional risk profiles, while still benefiting from federal guidance.

Funding the vision, the State and Local Cybersecurity Grant Program earmarks $1 billion to address systemic vulnerabilities. Since its inception, the program has distributed roughly $172 million to 33 jurisdictions, supporting 839 projects that span multi‑factor authentication, infrastructure upgrades, and contractor engagements. However, the January 2025 OMB moratorium froze these disbursements, creating an unfunded mandate that threatens momentum. The PILLAR Act, now moving through Congress, proposes a ten‑year extension, expands eligibility to AI‑related threats, and clarifies cost‑sharing, offering a durable financial backbone for local cyber initiatives.

Beyond dollars, the evolving threat landscape—exemplified by AI‑driven attacks and state‑sponsored actors—demands a coordinated response. Strengthening CISA’s oversight role while leveraging partnerships with universities can create a talent pipeline and reduce costs for municipalities. By integrating academic expertise in policy, risk management, and emerging technologies, local governments can accelerate implementation and foster community resilience. Prompt passage of the PILLAR Act will convert the existing framework into a functional, long‑term shield for America’s critical infrastructure.