Congress Can Strengthen State and Local Cybersecurity in One Bill

In response to recent cuts in federal funding for state and local cybersecurity, Sen. Mark Warner (D-VA) introduced the Guaranteeing Universal Access to Cybersecurity Act in early June 2026, which would fund the Multi-State Information Sharing and Analysis Center (MS-ISAC), a cybersecurity information sharing program that provides participating state and local governments with cybersecurity advisories, network monitoring, and other shared security resources. Later that month, a joint letter by multiple associations representing state and local government leaders called for the Senate to restore funding to another important program, the State and Local Cybersecurity Grant Program (SLGCP), which provides funding to state, local, tribal, and territorial governments to strengthen cybersecurity capabilities and address threats. Congress should address both of these gaps at once by incorporating funding for MS-ISAC into the renewal of the SLGCP.

The Guaranteeing Universal Access to Cybersecurity Act would restore federal funding for the Center for Internet Security (CIS), the nonprofit that operates MS-ISAC, through a dedicated $50 million annual grant. The funding would allow state and local governments to access its cybersecurity services at no cost. Meanwhile, the proposed Protecting Information by Local Leaders for Agency Resilience (PILLAR) Act, put forward by Rep. Andrew Ogles (R-TN), would extend the SLGCP through FY2035, while strengthening and modernizing its scope by expanding eligibility to include operational technology and artificial intelligence (AI)-powered platforms, tightening accountability requirements, encouraging cybersecurity best practices, and broadening outreach to underserved and rural communities. The Act passed the House in November 2025 but failed to reach the Senate floor.

For years, federal funding from the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) supported CIS’s operation of MS-ISAC, a key source of cyber threat intelligence and cybersecurity assistance for many smaller jurisdictions. Previous grant guidance allowed recipients to use SLGCP funds to support participation in MS-ISAC, underscoring that the two programs have already operated within the same framework. However, CISA cut federal support for CIS-operated programs in 2025, arguing that some services, such as cybersecurity advisories and cyber hygiene initiatives, overlapped with assistance the agency already provided directly to state and local governments via the SLGCP.

This creates a unique opportunity to achieve two goals at once. Rather than creating a separate federal funding mechanism for CIS, Congress should incorporate funding for MS-ISAC into the PILLAR Act. This would preserve access to critical CIS services without creating another standalone cybersecurity funding program. It would also allow lawmakers to address uncertainty surrounding both MS-ISAC funding and the future of the SLGCP through a single legislative framework, reducing administrative complexity and providing greater flexibility for state and local governments.

Congress should also address the concerns that led CISA to terminate its previous funding arrangement with CIS. Rather than simply recreating the earlier partnership, lawmakers should require CISA and CIS to establish a more clearly defined division of responsibilities through the SLGCP. Under this framework, CISA would retain its lead role in operational cybersecurity assistance, incident response coordination, and federal cyber defense efforts, while MS-ISAC could focus on information sharing, cybersecurity advisories, and support services for state and local governments. Formalizing these complementary roles would reduce duplication while preserving the strengths each organization brings to the cybersecurity environment.

This approach may be particularly important as CISA faces increasing demands. In recent years, staffing reductions, contract cuts, and growing mission demands have strained CISA’s ability to keep pace with a rapidly evolving threat environment, leaving many smaller communities that lack the staffing, procurement capacity, and operational resources particularly vulnerable. A structured partnership with CIS through the SLGCP would allow CISA to concentrate resources on national coordination and operational cybersecurity while enabling MS-ISAC to provide no-cost services to state and local entities.

The challenge facing Congress is not whether MS-ISAC deserves a renewal of support but how to deliver that support in ways that strengthen the broader cybersecurity ecosystem. By pairing long-term SLGCP reauthorization with dedicated support for MS-ISAC and a more clearly defined partnership between CISA and CIS, Congress can address two pressing cybersecurity challenges through a single legislative vehicle. Such an approach would preserve critical cybersecurity services, avoid unnecessary duplication, and give state and local governments the support they need to address evolving cyber threats.