States Are Begging Congress to Renew Cybersecurity Grants — And the Clock Is Ticking

State cybersecurity officials from Florida, New York, and Tennessee took their case directly to Congress this week, warning lawmakers that without renewal of the State and Local Cybersecurity Grant Program (SLCGP), local governments will be left defenseless against a wave of AI-powered attacks, ransomware, and nation-state threats they have no capacity to fight alone.

The warning came during a House Committee on Homeland Security hearing that laid bare a widening gap between the sophistication of modern cyber threats and the resources available to state and local governments to fight them. The testimony was stark, specific, and — for compliance and data privacy professionals — deeply relevant.

Here’s what happened, why it matters, and what it means for organizations that handle citizen data.

What Is the State and Local Cybersecurity Grant Program?

The State and Local Cybersecurity Grant Program (SLCGP) was established under the State and Local Cybersecurity Improvement Act, enacted as part of the Infrastructure Investment and Jobs Act of 2021. It created a $1 billion federal grant initiative specifically designed to help state, local, tribal, and territorial (SLTT) governments plan, implement, and improve their cybersecurity defenses.

Unlike previous federal cybersecurity programs that focused primarily on federal agencies, the SLCGP was designed to flow funding directly to the entities that operate the hospitals, school districts, water utilities, and emergency services that ordinary Americans depend on every day. It is administered by the Cybersecurity and Infrastructure Security Agency (CISA) and requires each state to stand up a Cybersecurity Planning Committee, submit a statewide Cybersecurity Plan for CISA approval before funds are released, and pass at least 80 percent of its award through to local governments rather than spending it at the state level.

The program was funded for four fiscal years (FY2022 through FY2025). That authorization has run its course, and the program will lapse unless Congress acts to reauthorize it.

What State Officials Told Congress

The congressional hearing featured testimony from three state technology and security officials, each of whom painted a picture of a threat environment that has fundamentally changed since the program was first funded.

Tennessee: 90,000 Endpoints, 21,000 Employees Trained — And Still Not Enough

Tennessee Chief Information Officer Kristin Darby offered perhaps the most concrete data of the hearing. Under the SLCGP, Tennessee has secured approximately 90,000 endpoints across local governments and trained more than 21,000 local government employees in cybersecurity practices. The state expanded access to cybersecurity training, firewalls, and recovery services across jurisdictions that previously had no such resources.

“Many of these local governments simply could not deploy or sustain these capabilities on their own.”

— Kristin Darby, Chief Information Officer, State of Tennessee

But Darby’s most alarming testimony wasn’t about what the program has achieved — it was about what’s coming. She pointed to a surge in AI-powered cyberattacks targeting individuals’ personal data across Tennessee’s local governments, describing “a dangerous imbalance between highly sophisticated attackers and severely resource-constrained defenders.” The pace of threats, she said, “continues to accelerate.”

Without federal funding, Darby argued that many local governments would lose access to basic security services overnight. Federal grants provide, in her words, the “type of flexibility to allow us to come to the table with any solution to help the local communities in need in the time of an attack.”

New York: Nation-State Threats With Federal Partners Stepping Back

New York Director of Security and Intelligence Colin Ahern delivered a pointed message about the federal government’s recent retreat from cybersecurity. States, he said, are “being asked to manage nation-state risks while our federal partners step back.”

Ahern specifically flagged budget cuts to CISA and their downstream impact on multistate information-sharing programs — cooperative networks that allow states to share threat intelligence in near-real time. When those programs are weakened, every state becomes more vulnerable, because threat actors exploiting a vulnerability in one state’s infrastructure are frequently probing identical systems in other states simultaneously.

Florida: No State Can Replace Federal Intelligence Visibility

Florida Chief Information Officer Warren Sponholtz echoed Ahern’s concerns about information-sharing programs, warning of “downstream implications” from potential cuts to federal threat intelligence sharing. The federal government, he noted, provides “national visibility that no individual state can replicate.”

This is a critical point: no matter how well-funded a state’s cybersecurity program is, it cannot independently monitor the global threat landscape the way federal agencies can. States depend on that intelligence to prioritize defenses and respond quickly when new attack vectors emerge.

The Congressional Debate: Renew, Reform, or Both?

The hearing made clear that there is bipartisan agreement that the grant program should continue in some form — but there are real disagreements about whether to simply reauthorize it or use the renewal as an opportunity to restructure how the money is allocated and monitored.

Rep. Delia Ramirez (D-IL) was direct in her call for renewal:

“If Congress doesn’t reauthorize the State and Local Cybersecurity Grant Program, the message will be reinforcing that you are on your own, and I find that to be unacceptable. We have to change course, and we need to renew the state and local cybersecurity grant program, because that is a step in the right direction.”

— U.S. Rep. Delia Ramirez, D-Ill.

Rep. Andy Ogles (R-TN), however, advocated for a more measured approach through the proposed Protecting Information by Local Leaders for Agency Resilience (PILLAR) Act, which would reauthorize the grant program while modifying aspects of its structure and oversight. His position: reauthorization alone isn’t enough.

“We have four years of program history now, and we owe it to taxpayers to ask whether the money is being spent well, whether the structure is right, and whether the outcomes match the investment.”

— U.S. Rep. Andy Ogles, R-Tenn.

This tension between urgency and accountability is real, and it is likely to define the legislative debate in the weeks ahead. The four years of program history Ogles referenced include the results Darby reported for Tennessee alone (90,000 secured endpoints, 21,000 employees trained, expanded firewall coverage), which suggest the program is delivering. Whether Congress will demand structural reforms as the price of renewal remains an open question.

The AI Threat Multiplier: Why This Is Different From Before

The most forward-looking testimony came from Samir Jain, Vice President of Policy at the Center for Democracy and Technology, who addressed the rapidly evolving role of artificial intelligence in the offensive cyber landscape.

Jain pointed to frontier AI systems that are already demonstrating the ability to autonomously detect and exploit cybersecurity vulnerabilities at a scale and speed no human attacker can match. He warned that “the offensive cyber landscape is poised to change dramatically, and small and under-resourced jurisdictions are likely to be particularly vulnerable to that change.”

This is not a hypothetical future threat. State and local governments are already experiencing AI-enhanced attacks — Tennessee’s Darby confirmed this directly in her testimony. The difference AI makes is one of scale and speed: attacks that previously required significant human expertise and time can now be automated, replicated, and deployed against hundreds of targets simultaneously.

For local governments managing hospitals, school districts, water systems, and emergency services, this is an existential challenge. Their IT teams are typically small, underfunded, and already stretched. The gap between what attackers can deploy and what defenders can sustain is growing, not shrinking.

Why Citizen Data Is at the Center of This Fight

One of the most important moments in the hearing came when Jain shifted the conversation from infrastructure risk to personal data risk. He made a point that compliance professionals need to internalize:

“Information that people have no choice but to provide to state and local governments to participate in getting benefits or to get critical services, is not a voluntary relationship necessarily in all cases.”

— Samir Jain, VP of Policy, Center for Democracy and Technology

This is the privacy dimension of the cybersecurity crisis. When a citizen applies for unemployment benefits, registers a vehicle, accesses Medicaid services, or enrolls their child in a public school, they are compelled to provide sensitive personal information to government systems. They have no alternative. They cannot choose a more secure provider. They cannot opt out.

When those systems are breached — and increasingly, they are — the personal data compromised is among the most sensitive that exists: Social Security numbers, medical histories, financial records, immigration status, and criminal records. And the individuals whose data is exposed often have no idea it happened until they become victims of identity theft months or years later.

Jain also addressed the broader societal cost of government data breaches:

“When Americans see a county hospital or their child’s school district suffer a major breach, their confidence that the government can serve them effectively and protect their personal information necessarily is shaken. That erosion of trust has consequences far beyond any single incident.”

— Samir Jain, VP of Policy, Center for Democracy and Technology

Trust, once eroded, is not easily rebuilt. For government agencies at any level, a major data breach doesn’t just create legal liability — it fundamentally damages the relationship between citizens and the institutions meant to serve them.

What Is Being Cut: CISA Reductions and the Information Sharing Gap

Both Ahern (New York) and Sponholtz (Florida) referenced recent cuts to CISA, the federal agency that serves as the central hub for cybersecurity coordination between the federal government and states. CISA operates the Automated Indicator Sharing (AIS) program, which lets states receive and share machine-speed threat indicators. It also funds the Multi-State Information Sharing and Analysis Center (MS-ISAC), operated by the Center for Internet Security, which provides 24/7 security operations center support and threat advisories to state and local governments that could not otherwise afford them. Those are the multistate information-sharing programs the witnesses warned are now at risk.

Reductions to CISA’s budget and staffing don’t just affect federal systems — they ripple directly into state and local cybersecurity capacity. When CISA analysts are cut, the volume and quality of threat intelligence flowing to states decreases. When MS-ISAC support is reduced, local government IT teams lose their most important safety net.

The combination of an expiring grant program and a weakened CISA creates what Ahern’s testimony implied: a situation where states are being handed more responsibility for nation-state-level threats while simultaneously being stripped of the federal tools and resources to address them.

What This Means for Private Sector Organizations

While the hearing focused on government entities, the implications extend significantly into the private sector. Here’s why:

  • Third-party and vendor risk: Many private organizations work closely with state and local government agencies, exchanging data, sharing systems, or operating as service providers. When a government system is breached, vendor and partner data is often compromised too.
  • Shared infrastructure vulnerabilities: State and local government systems frequently share network infrastructure with private healthcare providers, utilities, and financial institutions. Vulnerabilities in one sector can be entry points into another.
  • AI attack patterns cross sectors: The AI-powered attack techniques being used against state governments are not exclusive to public targets. The same tooling that probes a county hospital's network can just as easily be pointed at a private hospital, a regional bank, or a managed service provider.
  • Consumer trust spillover: When citizens lose trust in government systems’ ability to protect their data, that skepticism extends to private organizations too. Regulatory pressure intensifies, and the bar for what constitutes “reasonable security” rises across the board.
  • Data breach notification ripple effects: A breach of state government systems containing citizen data can trigger complex multi-party notification obligations affecting private entities that shared that data.

The Compliance Angle: What Organizations Should Be Watching

For compliance and privacy professionals, the congressional debate over the SLCGP is a leading indicator of where the regulatory and threat environment is heading. Specifically, watch for:

1. Increased AI-Related Cybersecurity Regulation

The testimony at this hearing will feed into ongoing legislative efforts to address AI-powered cyber threats. Organizations should expect new requirements around AI risk assessment in the context of cybersecurity, particularly for those handling sensitive personal information on behalf of government entities or consumers. For organizations subject to the GDPR, the Article 32 requirement for "appropriate technical and organisational measures" already scales with the state of the art, so regulators can reasonably expect threat models and security assessments to account for automated, AI-driven attack techniques as those become commonplace.

2. Stronger State-Level Cybersecurity Laws

As the federal government’s cybersecurity posture fluctuates, states are increasingly legislating independently. Several states have already enacted or are considering comprehensive cybersecurity laws that go beyond federal minimums. Organizations operating across multiple states — particularly those handling government data — should be conducting gap analyses against emerging state frameworks, not just federal ones. Our guide to new state privacy laws is a useful starting point.

3. Heightened Expectations Around Sensitive Personal Information

Jain’s testimony about the non-voluntary nature of government data collection is a reminder that sensitive personal information held by government entities carries a different legal and ethical weight than commercial data. Organizations that process, store, or transmit data on behalf of government agencies should review their Data Processing Agreements (DPAs) and ensure their security controls meet the heightened expectations that apply to this category of data.

4. Ransomware Response and Business Continuity Planning

The hearing underscored that ransomware remains the dominant threat vector for state and local governments. Any organization that serves government clients — or that relies on government systems for part of its operations — should have documented business continuity and incident response plans that account for a ransomware event in a connected government system. This is increasingly expected in government procurement requirements and audits.

Key Takeaways for Privacy and Compliance Professionals

  • The SLCGP expires unless Congress acts. A $1 billion program that, in Tennessee alone, trained more than 21,000 government employees and secured 90,000 endpoints is at risk. Watch the legislative calendar closely; the outcome will affect the overall threat environment for everyone.
  • AI is changing the attack equation permanently. AI-powered offensive tools are making previously resource-intensive cyberattacks cheap, fast, and scalable. Defenses that were adequate two years ago may not be adequate today.
  • CISA budget cuts have real downstream effects. Reductions to the federal cybersecurity hub reduce the quality and volume of threat intelligence reaching state and local governments — and by extension, the private organizations that depend on them.
  • Government data breaches are a citizen privacy crisis. When state systems holding non-voluntary sensitive personal information are compromised, the harm is categorically different from a commercial data breach. Regulators and courts are beginning to treat it that way.
  • The right response is not to wait for Congress. Whether or not the SLCGP is renewed, the threat landscape described in this hearing is real and worsening. Organizations should be strengthening their own defenses and their vendor oversight now, not after the next major breach.

How Captain Compliance Can Help

The convergence of AI-powered cyber threats, evolving privacy regulations, and shifting federal cybersecurity support creates a genuinely complex compliance environment. Captain Compliance helps organizations navigate it — from GDPR compliance and CPRA obligations to Data Protection Impact Assessments that account for modern threat vectors.

If your organization handles sensitive personal data on behalf of government entities, or if you’re concerned about how the changing federal cybersecurity landscape affects your obligations, contact us for a free consultation. The time to assess your exposure is before the next breach — not after.
