The bill meaningfully strengthens cybersecurity and inclusion for state and local systems but shifts ongoing costs, tightens procurement rules, and may complicate or slow implementation for local governments and communities.
State and local governments will be required to monitor and continuously assess vulnerabilities in IT, OT, and AI-enabled systems and prioritize threat mitigation, improving protection of critical infrastructure.
State and local governments and utilities that adopt NIST/Agency cybersecurity frameworks and supply‑chain risk practices will reduce exposure to adversary tools and foreign-sourced vulnerabilities.
State and local governments will be barred from purchasing products from certain designated 'foreign entities of concern' and must align procurements with 'Secure by Design' principles, reducing vendor-related security risks.
State and local governments (and therefore local taxpayers) will likely have to assume some or all ongoing costs of cybersecurity investments after federal grant funds end, creating sustained budget pressures.
State and local governments may face higher procurement costs and fewer vendor options because restrictions on purchases from certain foreign vendors could limit suppliers and make replacing legacy systems more expensive.
Eligible entities will contend with more complex grant conditions—new matching/funding floor rules and valuation requirements—which could require additional in‑kind contributions or local approval processes and complicate grant use.
Based on analysis of 2 sections of legislative text.
Expands CISA state/local cybersecurity grant definitions and coverage to include OT and AI systems and requires stronger inventory, continuous monitoring, MFA, and supply-chain risk practices.
Expands the scope and definitions of the CISA State and Local Cybersecurity Grant Program to cover information systems and operational technology systems — including systems that use artificial intelligence — and strengthens required cybersecurity practices for grant-eligible entities. It adds new definitions (including AI, AI systems, foreign entity of concern, and multi-factor authentication) and updates the program’s required activities to emphasize inventory and management of systems and accounts, continuous vulnerability assessment, network monitoring, supply-chain risk management, and identity and access controls such as multi-factor authentication. The changes increase the kinds of systems that states and localities must address with grant-funded activities and sharpen programmatic expectations for preparedness, resiliency, and mitigation. That will shift technical and administrative priorities for state and local governments, their IT/OT operators, and supporting vendors, while aligning allowable activities with NIST- or agency-developed frameworks and adversary knowledge bases.
Introduced September 2, 2025 by Andy Ogles · Last progress November 18, 2025