PILLAR Act

This bill renews the federal cybersecurity grant program run by the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security. It helps states and local governments strengthen their computer networks and the equipment they rely on, including systems that use artificial intelligence .

Key points

• Who is affected: State and local governments, with extra outreach to rural and small communities to connect them to no‑cost cybersecurity services from the agency.
• What’s covered: The program clearly includes both traditional IT and the equipment that runs services (like control systems), including AI-enabled systems. It emphasizes best practices such as multi‑factor authentication and ongoing checks for security gaps .
• Funding share: The federal share can be up to 60% for a single state and 70% for multi‑state or regional groups through fiscal year 2035. If states put multi‑factor authentication and identity tools in place for critical infrastructure by October 1, 2027, the federal share can rise to 65% and 75%.
• Safe spending rules: Grant money can’t be used to buy software or hardware that goes against DHS/CISA security guidance, or from “foreign entities of concern” if it doesn’t align with that guidance. The bill also lets plans cover the cost of needed cybersecurity investments identified in the plan .
• Getting funds to communities: At least 80% of each grant must reach local governments; states can meet this by sending money, services, equipment, or a mix. If a state doesn’t pass funds through within 60 days of the expected date, a local government can ask DHS to send the money directly.
• Planning and oversight: The program’s planning cycle shifts from two years to three. The Government Accountability Office must review the program every four years, including how grantees are using AI, to keep tabs on progress and results .