SLCGP: Key Takeaways from Congress—And What Local Leaders Should Do Now

In this article...
- Why the SLCGP matters now more than ever
- How local leaders can strengthen cybersecurity and advocate for future funding
- Practical steps to prepare for the next phase of SLCGP
- How HBS supports public sector organizations in building stronger cybersecurity programs
Cybersecurity threats are no longer distant risks. They’re local. They’re real. And they’re growing.
Just ask the 911 call centers that have to fend off ransomware attacks—or the small towns that have stopped phishing campaigns before they spread. These successes were made possible by the tools and training funded through the State and Local Cybersecurity Grant Program (SLCGP).
But that funding is in danger. The SLCGP expires in September 2025 unless Congress acts. A recent House Homeland Security subcommittee hearing unpacked the stakes. We’ve compiled some key takeaways you should know about—and what you can do now to prepare, protect and advocate.
SLCGP Hearing Recap: What We Learned
Takeaway #1: The Threat Landscape Is Escalating
Ransomware. Business email compromise. Fake IT support calls. AI-powered phishing. Nation-state attackers. Speakers repeatedly emphasized: threats are up, and stakes are higher than ever.
Ransomware attacks doubled between 2018 and 2024, causing over $1 billion in operational downtime for state and local governments.
- Robert Huber (CSO, Tenable)
Takeaway #2: The SLCGP Is Working—But It Needs Fixes
The grant program has helped local governments:
- Stop active attacks
- Fund endpoint protection for thousands of devices
- Launch statewide tabletop exercises
- Deliver cyber training to millions of employees
- Stand up shared threat intel platforms like Kentucky’s Intelligence Fusion Center
But it’s not perfect. Improvements proposed:
- Simplify the application process
- Standardize match requirements
- Add direct funding paths for larger cities
- Expand multijurisdictional grant eligibility
- Make the program permanent to enable long-term planning
Takeaway #3: Smaller Communities Are Most at Risk
Many cities and counties have no dedicated IT staff—let alone cybersecurity experts. And yet, attackers know these are easy targets. That’s why the SLCGP matters.
We had an incident where we had over 400 phishing emails—every one a different subject line, every one a different text—all written beautifully. Unfortunately, all bearing malware that could compromise systems.
- Alan Fuller (CIO, State of Utah)
Takeaway #4: Reauthorization Has Bipartisan Support—But Action Is Urgent
Both parties agree: this program works. But lawmakers also acknowledged the risks of delays, cuts or political interference. Several states have already hesitated to participate out of fear that the funding would disappear mid-program.
Without swift reauthorization, the momentum built over the past two years could stall—putting critical cybersecurity improvements at risk. Lawmakers will need to move quickly to maintain trust and keep state and local governments moving forward.
What You Can Do Now to Prepare for the Next Phase of SLCGP
Here’s how local IT leaders, city managers, and public sector CIOs can act now—before SLCGP funding runs dry:
- Make a Cybersecurity Risk Assessment Your Top Priority
When it comes to strengthening cybersecurity—and preparing for funding opportunities like the SLCGP—a cybersecurity risk assessment is often the best place to start. It gives you a clear picture of where your defenses are strong, where gaps exist, and where to focus your efforts next. We’ve seen time and again that an assessment puts organizations on firm footing not only for grant proposals but also for building a more resilient, future-ready cybersecurity program overall. It’s a smart investment no matter what the funding landscape looks like.
- Focus on Building Strong Relationships
One theme echoed throughout the hearing: collaboration drives better outcomes. Whether it’s working with your state, your regional ISAC, or neighboring municipalities, creating connections will only strengthen your efforts. For smaller towns or agencies, it can help to partner with larger organizations or trusted vendors who’ve navigated these waters before. Relationships built now can open doors to new resources, knowledge-sharing, and a more unified defense.
- Be an Advocate for Cybersecurity Funding
Policymakers listen to their constituents—and many need to hear directly from the communities that rely on programs like the SLCGP. A respectful note to your congressional delegation, sharing how this funding strengthens local security, can make an impact.
If you don’t spend the money upfront to know what’s coming, you’re going to spend the money on the back end.
- Kevin Kramer (VP, National League of Cities; Councilman, Louisville, Kentucky)
- Use the Tools You Have
If you have already received SLCGP funds, review your deployment:
- Are tools being used correctly?
- Is training happening?
- Have you practiced incident response?
Grants are great for preventative action—they should also prepare you to respond and recover when incidents do occur.
You can’t manage what you don’t measure. Understanding what that cyber risk looks like is critical to this ongoing success.
- Mark Raymond (CIO, State of Connecticut)
Final Word: Why This Matters—And How HBS Can Support You

At the end of the day, this is about protecting the systems that keep our communities running: schools, water supplies, emergency response networks, and more.
That’s why we care so much about making sure local governments and organizations have the support they need to navigate programs like the SLCGP. We’ve helped hundreds of public sector teams build stronger cybersecurity foundations—from conducting NIST-aligned risk assessments to building scalable cyber training programs to preparing measurable, competitive grant applications.
If you’re looking for guidance, we’re here to share what we’ve learned and help you move forward with confidence.
HBS partners with public sector organizations to:
- Conduct NIST-aligned risk assessments
- Deploy right-sized endpoint protection and monitoring
- Develop incident response plans
- Build scalable cyber training programs
- Assist you in preparing strong, measurable grant applications
We’ve helped hundreds of local governments build real cybersecurity plans, and secure funding to execute them. Reach out today.