PILLAR Act
The PILLAR Act (Protecting Information by Local Leaders for Agency Resilience Act) would reauthorize and expand the State and Local Cybersecurity Grant Program (SLCGP) administered by the Cybersecurity and Infrastructure Security Agency (CISA) within DHS. The bill extends and tightens federal support for state and local governments to bolster cybersecurity across both information technology (IT) and operational technology (OT) systems, and it broadens the program to incorporate artificial intelligence (AI) considerations and protections against foreign entities of concern. It also introduces requirements to strengthen security practices (notably multi-factor authentication) and to modernize cybersecurity planning and integrate it with regional and local needs. The bill adds new oversight, outreach, and direct-funding options for localities and rural or small-population jurisdictions, while restricting purchases that do not align with DHS guidance or that involve certain foreign entities. Overall, if enacted, the program would be more AI-aware, more security-centric, more inclusive of small and rural localities, and more tightly overseen, with a higher federal cost share under certain conditions.
Key Points
1. Reauthorization and scope expansion: Reauthorizes the State and Local Cybersecurity Grant Program under the Homeland Security Act of 2002 and expands coverage to include information systems and operational technology (OT) that use AI, together with broader definitions of AI and related concepts. It also defines “foreign entity of concern” and “multi-factor authentication” for program purposes.
2. Security requirements and best practices: Requires eligible entities to adopt and use cybersecurity best practices, including strong identity and access management and multi-factor authentication. The bill broadens planning and implementation activities to cover AI-enabled IT/OT systems and requires continuous vulnerability assessments and threat mitigation.
3. Financial terms and incentives: Increases or conditions the federal cost share for grants. The baseline federal share remains 60% for eligible entities and 70% for multi-entity groups through 2035, but if an entity or group implements multi-factor authentication and related access-management measures for critical infrastructure by October 1, 2027, the federal share rises to 65% (entity) and 75% (multi-entity group) for 2028–2035.
4. Procurement restrictions and safeguards: Adds prohibitions on purchasing software, hardware, or services that do not align with DHS guidance (including Secure by Design guidance) and prohibits purchases from foreign entities of concern that do not align with DHS guidance; strengthens the permissible and non-permissible procurement considerations.
5. Outreach and inclusivity: Requires an outreach plan to inform local governments, including rural and small-population jurisdictions, about no-cost cybersecurity services offered by the Agency; expands representation to include rural, suburban, and smaller jurisdictions in grant activities and governance.
6. Oversight, evaluation, and accountability: Establishes a GAO review every four years (beginning four years after enactment) to assess the grant program, including the grant selection process, a sample of grants, and AI adoption within the funded projects.
7. Direct funding option and local distribution: Allows direct funding to local governments if a required distribution to a local government is not made within 60 days of the anticipated grant disbursement date; provides rules for counting local in-kind contributions and in-kind replacements toward grant value requirements.
8. Long-term horizon and funding certainty: Extends the program through 2035, with ongoing availability of appropriations to support the activities, and adds a plan to keep the program aligned across information technology, operational technology, and AI cybersecurity objectives.