federal Advocacy Priorities

Issue and Background

• It is well understood that cybersecurity is no longer an IT issue; it is a business risk that impacts the daily functioning of our society and economy, as well as a potential threat to our nation’s security.
• Cybersecurity has remained a top priority for the state CIOs for the past ten years, according to the 2026 NASCIO State CIO Top 10 Priorities.
• The inclusion of the State and Local Cybersecurity Grant Program (SLCGP) in the Infrastructure Investment and Jobs Act recognized this tremendous need. With this grant, states and localities have an unprecedented opportunity to improve their security posture, increase collaboration between state, local and federal governments and promote a whole-of-state approach to cybersecurity.
• Rural communities have used SLCGP funds to strengthen long-overlooked defenses, modernizing outdated systems, training local IT staff and expanding shared security services, dramatically improving their ability to prevent, detect and respond to cyber threats with limited resources.
• States have worked diligently to put the $1 billion provided through the four-year program to good use. It has been used to provide cybersecurity training, migrate to .gov domains, install multi-factor authentication and other vital cyber hygiene goals.
• NASCIO has worked proactively with other state and local associations to highlight how this money is being used.
• Congress has recognized the value of the SLCGP and included a temporary extension in an agreement to reopen the federal government, and the House passed the PILLAR Act, which would re-authorize SLCGP for 10 years, under a suspension of the rules.

Recommendation

• Congress should quickly pass long-term reauthorization of the SLCGP, and the president should sign it into law immediately. The final version of this legislation must be one that states can actually implement, should include attainable financial requirements for recipients and be accompanied by appropriate funding levels.
• Work with FEMA and CISA to ensure grant guidance includes flexibility for states, promotes whole-of-state cybersecurity, emphasizes cyber hygiene, places an emphasis on shared services models and establishes minimum requirements for local government eligibility to receive grant funding.
• Continue to advocate for states to budget for cybersecurity. The State and Local Cybersecurity Grant Program requires states to match a portion of federal funding, which increases by 10 percent each year. NASCIO contends this grant program should serve as a change agent for states to either begin to include cybersecurity in their state budget or increase their allocation. In line with Congressional intent and through federal assistance, state governments must realize cybersecurity cannot be solved with a one-time appropriation. Inclusion of a cybersecurity line item is the minimum states should do to meet the seriousness and sophistication of the current threat environment.
• Ensure state CIOs and CISOs set policy for the grant program. While State CIOs and CISOs should not serve as grant administrators, they understand the unique cybersecurity challenges facing their state. In consultation with their planning committees, they should set policy parameters and prioritize funding opportunities for this grant program.

Issue and Background

• The .gov domain provides enhanced security features and increases public trust in government.
• With rampant misinformation and disinformation campaigns happening everyday, it is paramount that citizens receive accurate and trusted information from government websites.
• While much progress has been made in making .gov available to state and local governments, thousands of local government entities have still not made this important transition, and some don’t even know that it’s an option to improve their cybersecurity defenses. 
• In April 2021, administration of the .gov top-level domain (TLD) was transferred from the General Services Administration to the Cybersecurity and Infrastructure Security Agency (CISA), reflecting the inherent linkage between domain registration and cybersecurity.
• NASCIO’s advocacy was instrumental in CISA’s announcement to waive the annual $400 registration fee for .gov, which was cost prohibitive and unnecessarily burdensome for the majority of local governments.
• While waiving the registration fee was a key step in the right direction to increase migration to .gov, there needs to be increased education, outreach and advocacy to local governments.

Recommendation

• CISA should establish a stakeholder advisory group to work with key stakeholders and educate local governments on the business case and security benefits of migrating to .gov. CISA should utilize state CIOs and CISOs to assist in this educational campaign and to highlight a 24/7 help desk and other inherent operational benefits of the .gov program, which will provide tremendous support to resource and personnel-constrained local governments.
• CISA can expand opt-in centralized cybersecurity services for .gov and provide technical support and information to SLTTs. With ownership of the .gov program, they can now make available opt-in cybersecurity shared services on top of the .gov TLD. Doing so will create a compelling case for local governments to migrate to a .gov domain and leverage the additional capabilities CISA can make available.
• Allow flexible use of State Homeland Security Grant Program funds for .gov domain migration. This includes non-technical transition costs such as public outreach, marketing materials and updates to stationery, business cards and other printed collateral.

Issue and Background

• As the primary agent of the federal government, states administer dozens of crucial federal programs and deliver vital services to citizens. As a result, state governments must store and exchange data with federal programmatic agencies and thus become subject to federal security regulations that govern the use and protection of shared data.
• Federal cybersecurity regulations largely address the same controls and outcomes but differ in their specific requirements. Compliance with disparate regulations is an obstacle for state CIOs who are actively seeking savings for taxpayers through IT initiatives like consolidation/optimization. Further, when state data centers are audited for compliance, states receive inconsistent findings from federal auditors despite reviewing the same IT environment.
• As state IT agencies have become increasingly centralized across the country—whereby the state CIO has greater purview over the IT operations of each state agency—compliance with duplicative requirements of federal cybersecurity regulations has grown significantly in cost, both financial and in personnel time.
• In 2018, Congress tasked the Government Accountability Office (GAO) to study the various federal cybersecurity regulations and to issue corresponding recommendations.
• In May 2020, GAO issued their report, Selected Federal Agencies Need to Coordinate on Requirements and Assessments of States, which found that between 49 and 79 percent of federal agency cybersecurity requirements had conflicting parameters and urged the federal agencies to collaborate on cybersecurity requirements.
• At this time, only four of the twelve recommendations for strengthening cybersecurity have been addressed, and much additional work remains.
• NASCIO has been encouraged by recent attempts in both Congress and at the Office of the National Cyber Director to address cybersecurity regulatory harmonization at the federal level and looks forward to continuing these efforts in 2026.

Recommendation

• Congress and federal agencies should continue to implement the recommendations of the GAO report and urge the Office of Management and Budget (OMB) to coordinate collaboration among federal agencies on the development and implementation of cybersecurity regulations.
• Congress should empower OMB with requisite authorities to ensure OMB can mandate consultation by federal agencies before updating their cybersecurity regulations.
• Federal agencies should work with state CIOs and CISOs to streamline cybersecurity regulations. Addressing duplicative regulations and inconsistent audit practices will not only save taxpayer funds but will also improve our nation’s cybersecurity posture. State CIOs and CISOs remain committed to working with federal agencies and auditors to harmonize disparate interpretations of security regulations and to normalize the audit process.

Issue and Background

• FirstNet was established by Congress in 2012 in response to the communication problems identified during the attacks of September 11th. It was intended to be a dedicated, nationwide broadband network for first responders, implemented and maintained through a public-private partnership.
• Since its launch, FirstNet has become an essential component of America’s emergency-response infrastructure. The network now supports more than 29,000 public-safety agencies and provides coverage across nearly the entire country. It has proven invaluable to states when responding to hurricanes, wildfires and other disasters, allowing responders to maintain communications when commercial networks are damaged or congested.
• Chief information officers rely on FirstNet during times of crisis to ensure their state’s first responders have the technological recourse they need to assist in disaster response and recovery.
• The statutory authority for FirstNet will expire on February 22, 2027. Without prompt reauthorization, Congress risks disrupting the nationwide interoperable communications network that police, fire, EMS and other first responders rely on during emergencies.

Recommendation

• Congress should reauthorize FirstNet before it expires. NASCIO will work with its strategic partners to convey why FirstNet is critical for ensuring that states can respond effectively to disasters, both natural and man-made and ensure that CIOs are represented in the reauthorization conversation.