Editor's note: This article was originally published in American City & County, which has merged with Smart Cities Dive to bring you expanded coverage of city innovation and local government.
As the September deadline for reauthorization of the $1 billion, four-year State and Local Cybersecurity Grant Program (SLCGP) looms, state and local leaders are watching closely — not just for its renewal, but for what it signals about the future of federally administered cyber programs and partnerships.
Funded from the 2021 infrastructure law and jointly administered by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA), the SLCGP has proven instrumental in helping states build cybersecurity plans, deliver shared services and adopt a “whole-of-state” approach. While state and local governments await news on the program’s reauthorization, its impact on advancing cybersecurity efforts is already evident. However, as this and other federal, state and local initiatives continue to be evaluated, it is essential for Congress to reconsider how it assesses and supports such critical services.
The truth is that today's rigid, bureaucratic frameworks cannot match the speed and agility of increasingly sophisticated cyber adversaries targeting our communities. If we want to move the needle on public sector cyber resilience, we must reimagine how these partnerships are structured. This requires a new model: one built for speed, flexibility and real-time impact.
The need for speed
In today's rapidly evolving digital landscape, timing is critical. While threat actors evolve their tactics daily, the government's cyber defenses often remain trapped in multi-year funding cycles and reauthorization debates. This fundamental mismatch creates a dangerous vulnerability that threat actors are exploiting.
While programs such as the SLCGP have achieved meaningful success, reauthorization must be more frequent. The pace of these initiatives simply isn’t keeping up with the rapidly evolving cyber threats we face today. To effectively safeguard our digital infrastructure, state and local cybersecurity grants must be deployed more swiftly and with a greater sense of urgency.
The current system is burdened by strict procedures, constant check-ins and lengthy applications, all barriers that can discourage the very communities these programs aim to support. Take the Broadband Equity Access and Deployment Program, for example. Although designed to prevent misuse, its complex, multi-step process created a bureaucratic maze that slowed implementation and reduced its real-world impact. As a result, many rural communities still lack reliable broadband access, despite substantial federal investments made years ago.
While rigid processes create barriers for all communities, smaller ones are often hit the hardest. With tight deadlines and limited resources, they frequently struggle to navigate complex bureaucratic systems. Adopting a more flexible approach would enable faster deployment of critical defenses, helping to reduce vulnerabilities and minimize the risk of major disruptions to essential services and infrastructure — even in the most resource-constrained areas.
By streamlining the reauthorization process, the federal government can ensure that state and local governments have the right tools at the right time, improving overall cybersecurity efforts. This not only drives efficiency but also maximizes the return on federal investments. With timely access to resources, states are better positioned to prevent cyber incidents, ultimately saving on the high costs of recovery and minimizing long-term financial impacts.
Measurable outcomes and transparency
Many grant programs lack robust performance metrics. While state chief information officers have acknowledged the value of grants, the absence of concrete, measurable goals makes it difficult to assess their true effectiveness. To address this, we need to establish clear metrics, such as reduction in attacks, number of systems modernized, or improvements in response times, and make this data publicly accessible. Transparent, standardized reporting across all programs and partnerships — not just select ones — will foster accountability and support continuous improvement.
Additionally, a key concern with the current approach is that it prioritizes equitable allocation over impact. This “one-size-fits-all” model limits efficiency. The focus should shift from merely distributing funds proportionally across states to targeting resources where they can make the greatest difference. If a small state has infrastructure of national importance, it should potentially take priority over a larger state with less critical needs.
Accelerating the impact of cybersecurity
To stay ahead of evolving threats and maintain a strong cybersecurity posture, the federal government should take the following key actions:
- Make faster grant distributions and reauthorizations. The time it takes for grants to be distributed should be significantly reduced, and the application process must be streamlined.
- Allocate risk-based resources. Move beyond geographic formulas to target resources based on critical infrastructure significance, vulnerability assessments and potential impact of compromise.
- Define clear cybersecurity standards. Implement standardized metrics that provide visibility into actual security improvements, with transparent reporting accessible to all stakeholders.
- Centralize cybersecurity support. Many local governments lack the resources and expertise to address cybersecurity effectively. Federal programs, like the SLCGP, are essential, especially with the Trump administration’s recent Achieving Efficiency Through State and Local Preparedness Executive Order, which shifts more cyber responsibilities to state and local governments.
Critical infrastructure depends on robust cybersecurity protection
As scrutiny over government efficiency and spending grows, it’s vital that the progress made through federal, state and local partnerships is acknowledged. These collaborations are enhancing cybersecurity, streamlining operations and protecting the systems that underpin our national security.
But progress must not lead to complacency. We are at a pivotal moment to refine our approach. By prioritizing speed, adaptability and measurable results, we can ensure that state and local governments are not only prepared for today’s cyber threats but are resilient against those yet to emerge.