119-HR-5078 Investigative Journalist Impact Analysis

119 · HR 5078 PILLAR Act

Science, Technology, Communications
Protecting Information by Local Leaders for Agency Resilience Act or the PILLAR Act

This bill extends the State and Local Cybersecurity Grant Program through FY2035, expands the scope of the...
Published: 13 Nov 2025
Updated: 13 Nov 2025
Tags: Impact Analysis · Cybersecurity · Grants
Unvetted
01 · Section

Summary

The PILLAR Act reauthorizes and updates CISA’s State and Local Cybersecurity Grant Program (SLCGP) by: (1) extending the program to 2035, (2) explicitly covering operational technology (OT) and AI systems, (3) conditioning purchases on CISA Secure‑by‑Design guidance and restricting use of “foreign entities of concern,” (4) increasing federal cost share to 65% (75% for multi‑entity groups) if MFA/IAM are implemented by October 1, 2027, (5) enhancing rural inclusion and outreach, and (6) adding a direct‑funding backstop if states do not pass through funds promptly. Because the Act states activities are “subject to the availability of appropriations,” realized impact hinges on future annual funding; for reference, FY2025 SLCGP available funding was about $91.75 million, compared with the original IIJA’s $1B four‑year authorization. [1][4][5][2][3]

  • Program horizon: through FY2035
  • FY2025 SLCGP funding: USD 91.75 million
  • Original SLCGP appropriation under IIJA (FY2022–FY2025): USD 1,000 million
  • Minimum pass‑through to locals: 80 percent of award
  • Rural minimum within pass‑through: 25 percent of award
  • Pass‑through clock: 45 days from funds release
  • Enhanced federal cost share with MFA/IAM (entity / multi‑entity): 65% / 75%

02 · Section

Economic Effects

  • Targeted risk‑reduction investments: GAO found that as of Aug. 1, 2024, DHS had provided about $172M to 33 states and territories, funding 839 projects (e.g., MFA rollouts, equipment upgrades, contractor support). These activities align with NIST CSF functions and address high‑incidence attack vectors. [6]
  • Reduced local match where MFA/IAM are implemented: raising the federal share from 60%/70% to 65%/75% (entity/multi‑entity) from FY2028–FY2035 lowers state/local out‑of‑pocket costs for compliant jurisdictions, potentially accelerating identity modernization. [1]
  • Downside risk if appropriations lag: the Act’s benefits are contingent on annual funding; FY2025 SLCGP allocations totaled about $91.75M, far below initial IIJA peaks—implying thinner near‑term economic stimulus unless Congress appropriates more. [2][3]
  • Procurement guardrails could shift vendor mix and pricing: conditioning purchases on CISA Secure‑by‑Design guidance and barring misaligned products from foreign entities of concern may increase due‑diligence and compliance costs and narrow supplier pools—especially for low‑cost OT/IT components—but can lower lifecycle risk. [4][1][5]
  • Local fiscal exposure from cyber incidents remains material: e.g., Baltimore’s 2019 ransomware event ultimately exceeded $19M in damages, underscoring potential avoided losses when identity, segmentation, and backup projects are funded. [7]
  • Market demand signals: emphasis on identity, vulnerability management, OT monitoring, and NIST CSF 2.0 governance aligns with breach patterns in which credential abuse and vulnerability exploitation are leading entry points, likely boosting spend on IAM, patching, and managed detection. [8][9]

03 · Section

Social Effects

  • Continuity of essential services: Grants targeting OT in water, wastewater, and other local infrastructure can reduce service disruptions that disproportionately affect vulnerable communities. Federal alerts cite rising, disruptive attacks on water systems and recommend concrete mitigations. [10][11]
  • Rural equity: The 25% rural allocation plus mandated outreach to small‑population jurisdictions aim to correct unequal cyber capacity; the bill codifies outreach and representation requirements in planning. [2][1]
  • Faster relief to locals: If a state does not distribute required funds within the statutory window, local governments can petition DHS for direct disbursement—mitigating bottlenecks that otherwise delay community protections. [1]
  • Workforce and capacity: GAO notes use of funds for contractors and policy development, indicating near‑term reliance on external expertise while local staff capacity is built. [6]
  • AI use in local government: By explicitly referencing AI systems and scheduling GAO reviews of AI adoption, the bill surfaces governance needs; pairing projects with NIST’s AI Risk Management Framework can mitigate risks to privacy, fairness, and civil liberties. [1][12]

04 · Section

Environmental Effects

  • Lower risk of environmental harm from OT compromise: EPA reports increasing violations and alarming vulnerabilities at drinking‑water systems; adversaries can manipulate chemical dosing or disrupt operations. Hardening OT and implementing basic cyber hygiene directly reduce pollution/spill risks. [10]
  • Specific water‑sector OT mitigations: CISA/EPA warn that internet‑exposed HMIs in water/wastewater systems enable unauthorized changes; grants that fund asset inventory, network isolation, MFA, and secured remote access can prevent manual fallbacks and unsafe states. [13]

05 · Section

Temporal Analysis

Likely outcomes by horizon:

  • Immediate (0–12 months): States update Cybersecurity Plans, reassess procurements against Secure‑by‑Design/FOEC guardrails, and execute pass‑throughs to locals within 45 days of funds release; locals begin near‑term identity/OT hardening projects. [4][1][14]
  • Near term (2026–2027): Deployment of funded controls, with focus on MFA/IAM to qualify for enhanced cost shares by the Oct. 1, 2027 deadline; early evidence of reduced credential‑based incidents if adoption is broad. [1][8]
  • Long term (2028–2035): Sustained governance alignment with NIST CSF 2.0; recurring GAO evaluations every four years; outcomes depend on continued appropriations and state/local budgeting to assume ongoing cyber program costs after grants. [9][1][6]

06 · Section

Unintended Consequences

07 · Section

Assessment

Overall stance: Neutral to cautiously favorable. If adequately funded and executed, the Act should modestly improve SLTT cyber resilience—especially for rural and OT‑heavy sectors—via identity incentives, procurement quality bars, and pass‑through enforcement. However, benefits are contingent on appropriations and administrative capacity; procurement restrictions and AI governance needs introduce execution risk. [1][2]

08 · Section

Sourcing

Key references underpinning this analysis.

  • Bill text and provisions: Congress.gov H.R. 5078 (PILLAR Act). [1]
  • Program context and allocations: CISA SLCGP pages; FEMA FY2025 SLCGP fact sheet; IIJA four‑year funding. [15][2][3]
  • Oversight and implementation evidence: GAO report on SLCGP projects and sustainability challenges. [6]
  • Cyber risk baselines: Verizon DBIR 2025 (initial vectors); NIST CSF 2.0 governance focus. [8][9]
  • Water/OT risk: EPA enforcement alert; CISA/EPA HMI exposure fact sheet; joint Top Actions for water systems. [10][13][11]
  • Secure‑by‑Design guidance referenced in procurement limits. [4]
  • Definition of “foreign entity of concern” (CHIPS Act). [5]
  • Illustrative municipal loss magnitudes from ransomware (to estimate avoided costs). [7]
  • AI governance considerations for SLTT deployments. [12]

Sources cited

  [1] Text - H.R.5078 - 119th Congress (2025-2026): PILLAR Act. Congress.gov / Library of Congress.
  [2] Fiscal Year 2025 State and Local Cybersecurity Grant Program Fact Sheet. FEMA.
  [3] Cyber Grants overview (SLCGP/TCGP). CISA.
  [4] Secure-by-Design: Shifting the Balance of Cybersecurity Risk (Guidance). CISA.
  [5] 42 U.S.C. § 19237 (Definitions; Foreign entity of concern). Legal Information Institute (Cornell University).
  [6] GAO-25-107313: DHS Implemented a Grant Program to Enable SLTT Governments to Improve Security. U.S. Government Accountability Office.
  [7] Iranian man pleads guilty in U.S. to 2019 Baltimore ransomware attack. Reuters.
  [8] Verizon 2025 Data Breach Investigations Report — Press release. Verizon.
  [9] NIST releases Cybersecurity Framework (CSF) 2.0 — News. NIST.
  [10] EPA Enforcement Alert: Drinking Water Systems to Address Cybersecurity Vulnerabilities. U.S. EPA.
  [11] CISA, EPA, and FBI: Top Cyber Actions for Securing Water Systems. CISA / EPA / FBI.
  [12] Artificial Intelligence Risk Management Framework (AI RMF 1.0). NIST.
  [13] CISA and EPA fact sheet: Internet‑Exposed HMIs Pose Risks to Water/Wastewater Systems. CISA / EPA.
  [14] SLCGP Frequently Asked Questions (pass-through rules). CISA.
  [15] State and Local Cybersecurity Grant Program (program page). CISA.
