Codify — Article

PILLAR Act: Reauthorizes and refocuses CISA State and Local Cybersecurity Grants through 2033

Updates the State and Local Cybersecurity Grant Program to cover operational technology and AI, tie higher federal matches to MFA/IAM adoption, restrict certain procurements, and expand outreach and oversight.

The Brief

The bill amends Section 2220A of the Homeland Security Act to reauthorize the Cybersecurity and Infrastructure Security Agency’s State and Local Cybersecurity Grant Program through FY2033 and to reshape who and what the program funds. It broadens eligible scope from “information systems” to include operational technology (OT) and systems that use artificial intelligence, adds new statutory definitions (AI, AI system, multi-factor authentication, foreign entity of concern), and requires expanded outreach to local governments, including rural and small-population jurisdictions.

Beyond reauthorization, the bill creates concrete incentives and constraints: it raises the federal cost-share ceiling in exchange for implementing identity and access management tools (including multi-factor authentication) by a fixed deadline, prohibits purchases that conflict with CISA guidance or are produced by a foreign entity of concern, and mandates recurring GAO reviews that specifically examine AI adoption in grant-funded projects. These changes push grant recipients toward modern identity controls, greater attention to OT/AI risk, and more CISA-aligned procurement choices — while introducing new compliance and sustainment obligations for states and localities.

At a Glance

What It Does

Reauthorizes the State and Local Cybersecurity Grant Program through FY2033 and expands eligible activity to include operational technology and AI systems. It conditions an improved federal matching rate on implementing multi-factor authentication and identity-and-access-management tools by Oct 1, 2027, imposes procurement limits tied to CISA guidance and certain foreign vendors, and requires outreach and periodic GAO reviews.

Who It Affects

State grant administrators, municipal and county IT/OT operators (including rural and small-population jurisdictions), integrators and vendors of OT and AI-based systems, and CISA as program manager and outreach provider. Critical-infrastructure operators within grant jurisdictions will be directly affected by new funding priorities and procurement constraints.

Why It Matters

The bill redirects grant dollars toward identity controls (MFA/IAM), OT resilience, and AI-related risks — shifting practical priorities for modernization projects. It also creates procurement compliance risks for vendors and changes the economics of projects through conditional matching incentives and sustainment expectations.


What This Bill Actually Does

The PILLAR Act is a package of targeted edits to the State and Local Cybersecurity Grant Program that do three kinds of work: expand what the program covers, change how grants are paid and distributed, and tighten program rules and oversight. The text inserts statutory definitions for artificial intelligence, AI systems, multi‑factor authentication, and foreign entities of concern; these definitions then feed into expanded eligibility language so grants may be used for cybersecurity measures that protect not only traditional IT but also operational technology and systems that operate with AI.

The practical effect is to authorize funding for things like OT monitoring, AI governance controls, and modernization of legacy systems that previously sat at the margins of the program.

On funding mechanics, the bill keeps a federal cost-share model but makes the federal share conditional. Base federal shares are capped (60% for single eligible entities, 70% for multi-entity groups), but the bill offers higher federal shares (65% and 75%, respectively) for grantees that implement or enable multi-factor authentication and identity-and-access-management tools by October 1, 2027 — specifically applied to critical infrastructure under their jurisdiction.

The amendments also alter how grant support may be combined with in-kind or local contributions, allow an 80% in-kind valuation option with consent, and give local governments the right to petition the Secretary for direct disbursement if an eligible entity withholds funds for more than 60 days.

The bill adds programmatic guardrails and oversight: it forbids grant-funded purchases that conflict with CISA guidance (for example, Secure by Design recommendations) or that involve products from foreign entities of concern; requires CISA to run an outreach plan to inform local governments, especially rural and small jurisdictions, about no-cost services; and requires a GAO review every three years that must include a review of AI adoption in sampled grants. It also requires eligible entities to plan for sustaining grant-funded programs by incorporating ongoing costs into state and local budgets after grant dollars are spent, and it prevents local cybersecurity planning committees from making binding decisions about an eligible entity's information or OT systems.

The Five Things You Need to Know

1

The bill extends the State and Local Cybersecurity Grant Program authorization through fiscal year 2033.

2

Higher federal match: eligible entities get an elevated federal share (65% single, 75% multi-entity) for FY2028–2033 only if they implement MFA and IAM tools supporting MFA for critical infrastructure by October 1, 2027.

3

Procurement limits bar use of grant funds to buy software or hardware that contradicts CISA guidance (e.g., Secure by Design) or that is designed or produced by a 'foreign entity of concern.'

4

Local governments may petition the Secretary to receive grant funds directly if the eligible entity fails to distribute required funds within 60 days of the anticipated disbursement date.

5

The Comptroller General must review the program every three years, explicitly including a review of artificial intelligence adoption in sampled grants.

Section-by-Section Breakdown

Every bill we cover gets an analysis of its key sections.

Section 2, Subsection (a)

New statutory definitions (AI, AI system, MFA, foreign entity of concern)

This amendment inserts four new definitions into the statute: 'artificial intelligence' (cross‑referenced to the National AI Initiative Act), 'artificial intelligence system' (covers any data system, software, hardware, application tool, or utility that uses AI), 'multi-factor authentication' (requires more than one authentication factor), and 'foreign entity of concern' (borrowed from the CHIPS and Science Act). Practically, these definitions expand the statute’s reach and create the vocabulary used throughout the other amendments to control funding, procurement, and oversight related to AI and identity controls.

Section 2, Subsections (b), (d), (e)

Scope of eligible systems and permissible uses — IT, OT, AI

The bill replaces repeated references to 'information systems owned' with a broader formulation that explicitly includes operational technology systems and systems using AI, whether maintained, owned, or operated by the eligible entity or on its behalf. It also enlarges permissible uses — listing monitoring, auditing, network traffic analysis, continuous vulnerability assessment prioritized by risk, resilience improvements, and explicit support for legacy and unsupported systems. The practical implication is grant eligibility for OT monitoring, network traffic inspection across OT/IT boundaries, AI‑specific protections, and investments in aging systems that previously fell outside clear grant authority.

Section 2, Subsection (j)

Procurement restrictions tied to CISA guidance and foreign vendors

New clauses forbid the use of grant funds to procure software or hardware that does not align with Agency guidance such as Secure by Design or that is designed, developed, manufactured, or sold by a foreign entity of concern. This creates a compliance requirement: grantees must vet purchases against CISA guidance and lists of flagged foreign entities before obligating grant funds, which affects procurement planning and vendor selection for modernization projects.

Section 2, Subsection (m)

Federal cost-share and incentive for MFA/IAM adoption

The statute caps the federal share at baseline levels (60% for a single eligible entity, 70% for a multi-entity group) through FY2033. It then creates a conditional incentive: if an eligible entity implements or enables MFA and IAM tools that support MFA for critical infrastructure by Oct 1, 2027, the federal share increases by 5 percentage points in each category (to 65% and 75%) for FY2028–2033. This is a targeted carrot that links adoption of identity controls to grant economics and places a hard compliance date on recipients seeking the enhanced match.

Section 2, Subsection (n)

Local distribution rules, in-kind valuation, and direct-funding petitions

The bill clarifies how eligible entities may satisfy local distribution requirements: grants can be combined with in-kind goods and services valued at up to 80% of the grant amount with local consent, and other combinations are permitted down to a 25% floor for required local contributions. Critically, if an eligible entity fails to distribute required funds to a local government within 60 days of the anticipated disbursement date, that local government may petition the Secretary to receive funds directly — a procedural remedy that shifts leverage toward local jurisdictions.

Section 2, Subsection (p)

Outreach to local governments, including rural and small jurisdictions

A new subsection requires CISA to implement an outreach plan tailored to local governments, explicitly calling out rural areas and other small‑population jurisdictions. This directs CISA to actively advertise no‑cost services and technical assistance, which may increase uptake of CISA offerings and reduce reliance on grant dollars for basic protections in under‑resourced jurisdictions.

Section 2, Subsection (r)

Sustainment expectations and GAO review including AI adoption

The text asks grantees to plan for ongoing program costs (by including programs in state and local budgets after grant funds are exhausted) and requires a GAO review every three years that examines grant selection, sampled awards, and AI adoption in those grants. The change formalizes sustainment expectations and builds periodic federal oversight focused on how AI is being used within grant-funded projects.

Other amendments

Administrative timing, program term changes and planning committee limitation

The bill lengthens certain program time references (e.g., a 3‑year period in one subsection), adjusts dates used elsewhere (2023→2027), and adds a rule preventing cybersecurity planning committees from exercising control over an eligible entity’s information systems or OT systems. These are administrative but practical changes: they alter planning horizons and protect operational control while still requiring coordination.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Rural and small‑population local governments — the bill requires targeted outreach and explicit inclusion in assistance, improving awareness and access to no‑cost CISA services that these jurisdictions often miss.
  • State grant administrators and multi‑entity groups — the statute preserves and clarifies flexible matching options (including high‑value in‑kind counting) and provides a clear pathway to a higher federal match if they implement MFA/IAM by the stated deadline.
  • Operators of critical infrastructure and OT environments — grants may now finance OT monitoring, legacy-system modernization, network traffic analysis across IT/OT, and AI‑specific controls, addressing previously underfunded risk areas.
  • Cybersecurity vendors and contractors that align with CISA guidance — products and services that meet Secure by Design and other Agency guidance will be advantaged in grant-funded procurements.
  • Academic institutions and nonprofit technical assistance programs — the bill explicitly calls out academic and nonprofit entities as eligible recipients of technical assistance, opening grant-funded collaboration and clinic-style support.

Who Bears the Cost

  • Vendors designated as 'foreign entities of concern' and suppliers whose products ‘do not align’ with CISA guidance — they will face exclusion from grant-funded procurement opportunities and reduced market access in the SLCGP ecosystem.
  • State and local governments that cannot implement MFA/IAM by Oct 1, 2027 — they forfeit the higher federal match and therefore may carry a larger share of modernization costs.
  • Local governments that accept program sustainment responsibility — the bill expects budgets to absorb recurring costs after grant exhaustion, shifting long‑term fiscal responsibility onto state/local budgets.
  • Eligible entities and CISA for administrative overhead — new outreach, direct‑funding petitions, in‑kind valuation tracking, and GAO reviews increase program administration and compliance burdens, potentially creating unfunded mandates for program staff.
  • Operators of legacy OT that cannot support standard MFA — they may need costly compensating controls or infrastructure replacement to qualify for the enhanced match.

Key Issues

The Core Tension

The central dilemma is between accelerating security for operational technology and AI via financial and procurement levers, and the practical limits of legacy infrastructure and local budgets: the bill uses the grant purse to push rapid modernization and identity adoption, yet many jurisdictions lack the technical, financial, or procurement capacity to comply without significant additional support.

The bill packs multiple policy levers into the grant statute — incentives (higher match), prohibitions (procurement limits), and new administration (outreach, GAO reviews, sustainment expectations). That mix creates implementation trade-offs.

Conditioning the enhanced federal share on MFA/IAM adoption is a direct policy tool to accelerate identity hardening, but many OT environments (industrial control systems, remote field devices) either lack native MFA support or would require disruptive upgrades to accommodate it. States and localities with many such legacy systems may be pushed to choose between costly replacements and forgoing the match.

The statutory text does not create a clear technical allowance for compensating controls; implementers will need to reconcile engineering constraints with the statutory deadline.

Procurement restrictions that rely on Agency guidance and the concept of a 'foreign entity of concern' raise practical and legal questions. CISA guidance like Secure by Design is often high‑level; vendors and procurement officials will need granular lists or technical standards to determine whether a purchase is permissible.

The foreign‑entity prohibition references a CHIPS‑Act definition, which is helpful, but that list and its applicability across complex supply chains could be contested. Finally, the requirement that grantees plan to absorb ongoing costs after grant funding ends places long‑term budget pressure on subnational governments — the statute encourages sustainability, but without a dedicated federal sustainment stream small jurisdictions could be exposed to ongoing fiscal stress.
