
119-HR-5078 Data-Driven Journalist Impact Analysis

119 · HR 5078 PILLAR Act

Science, Technology, Communications
Protecting Information by Local Leaders for Agency Resilience Act or the PILLAR Act
This bill extends the State and Local Cybersecurity Grant Program through FY2035, expands the scope of the...
Published: 13 Nov 2025
Updated: 13 Nov 2025
Tags: impact-analysis · cybersecurity · US-legislation
Unvetted
01 · Section

Summary

Scope. The bill reauthorizes and modernizes the SLCGP by (a) explicitly covering operational technology (OT) and AI-enabled systems; (b) tightening eligible purchases via alignment to CISA’s Secure by Design guidance and prohibitions on products tied to “foreign entities of concern”; (c) extending cost-share rules through FY2035, with a higher federal share if MFA/IdAM is in place by Oct 1, 2027; (d) clarifying outreach to small/rural localities and enabling direct federal disbursement if states delay subawards. Expected effects are directionally positive for cyber resilience where MFA, asset management, and OT controls are implemented, but overall outcomes depend on future appropriations and states’ ability to sustain projects beyond grant windows. [7][8][9]

Total SLCGP appropriation (IIJA, 2022–2025): $1,000 million
FY2025 SLCGP available: $91.75 million
Local pass-through (≥): 80% of state allocation
Rural set-aside (≥): 25% of state allocation
Projects funded to Aug 1, 2024: 839 projects
Grants obligated to 33 states/territories (as of Aug 1, 2024): $172 million
Typical risk reduction from CISA Cyber Hygiene (12 months): 40% reduction (self-reported)

Sources for metrics: CISA/FEMA program pages and GAO’s 2025 review. [10][2][3][5]

02 · Section

Economic Effects

Key channels: avoided incident losses and downtime; capital/operating costs to comply; procurement constraints; distribution efficiency; and labor market effects.

  • Incident loss avoidance is plausible where funds accelerate MFA, asset inventories, logging, and OT segmentation. FBI IC3 data show a 9% rise in critical-infrastructure ransomware complaints in 2024 and record cybercrime losses ($16.6B), indicating large upside for prevention. [11]
  • Grant continuity matters. GAO finds 839 approved projects across 33 states/territories and flags sustainability concerns post-program—reauthorization to 2035 could stabilize planning, contingent on appropriations. [3]
  • Cost shares shift. Extending the 60–70% federal share (65–75% if MFA/IdAM is in place by 10/1/2027) reduces state/local match needs but requires upfront identity investments that some jurisdictions currently lack the capacity to deploy. CISA emphasizes phishing‑resistant MFA as among the highest‑impact controls. [4]
  • Procurement guardrails. Aligning purchases to CISA Secure by Design guidance may improve lifecycle security but can raise near‑term costs if cheaper, insecure options are excluded; restricting “foreign entities of concern” aligns cyber supply chains with broader national‑security policy. [7][9]
  • Distribution efficiency. Maintaining the ≥80% local pass‑through and ≥25% rural allocation—with direct federal disbursement if states delay—should speed resources to smaller governments that face the brunt of incidents. [2]
  • Market structure. The bill’s shift from MS‑ISAC‑specific references to broader ISAOs coincides with MS‑ISAC’s transition to fee‑based membership, potentially changing cost assumptions for localities that previously relied on no‑cost services. [6]
  • Macrosector signals. External tracking shows ransomware impacted 117 U.S. governments and 116 K‑12 districts in 2024, underscoring potential avoided costs if resilience improves; the figures are indicative and underreporting is likely. [12]
03 · Section

Social Effects

Potential consequences for communities, especially vulnerable and rural populations.

  • Continuity of essential services. Water systems face rising attacks with operational consequences; EPA reports that >70% of systems inspected since Sept 2023 violated basic cyber requirements, and it is increasing enforcement. Reducing vulnerabilities protects public health and service availability. [13]
  • Healthcare spillovers. Sector‑wide disruptions (e.g., Change Healthcare, 2024) caused delays to prescriptions, prior authorizations, and cash flow—risking care access for smaller providers; stronger SLTT cyber baselines can mitigate cascading effects from vendor incidents. [14][15]
  • Education impacts. K‑12 disruptions from ransomware can close schools and expose student data; grants that fund MFA, endpoint detection, and incident response may reduce closures and recovery costs. [16]
  • Equity lens. Rural/small localities often lack cyber staff and sustained budgets; CISA’s no‑cost services (e.g., Cyber Hygiene, CPG assessments) plus the bill’s explicit rural outreach can narrow disparities if taken up. [5][17]
04 · Section

Environmental Effects

Cyber incidents on OT can translate into physical and ecological harm; this bill’s explicit coverage of OT/AI systems is relevant.

  • Water OT risk. CISA documented exploitation of Unitronics PLCs at U.S. water facilities and recommended MFA, internet exposure reduction, and network controls—precisely the types of investments SLCGP can fund. [18]
  • Potential contamination events. The Oldsmar, FL incident (2021) shows how insecure remote access could have altered chemical dosing; strengthening OT security reduces the risk of ecological releases and public‑health hazards. [19]
  • Nation‑state pre‑positioning. Joint advisories warn that PRC‑linked actors (Volt Typhoon) are seeking persistence in U.S. critical infrastructure; improved logging, MFA, asset lifecycle planning, and patching are prioritized mitigations relevant to grant‑funded projects. [20]
05 · Section

Temporal Analysis

Short‑term vs. long‑term consequences and milestones.

| Horizon | Likely effects |
| --- | --- |
| 0–12 months after enactment | Administrative updates to cyber plans and committees; early project mix focused on MFA, asset inventories, and monitoring; rapid uptake of CISA no‑cost services; potential procurement friction as Secure‑by‑Design/FOEC screens are applied. |
| 1–3 years | Operational improvements in identity, logging, and OT segmentation lower frequency/severity of disruptions; direct‑to‑local funding backstops states that delay subawards; workforce gaps persist, requiring training/managed services. |
| 3–10 years (through 2035) | If appropriations persist, cumulative risk reduction and incident cost avoidance increase; states must budget to sustain capabilities post‑grant (a GAO‑flagged challenge). |

Evidence basis: CISA guidance on prioritized mitigations (CPGs, phishing‑resistant MFA), GAO findings on sustainability, and EPA’s stepped‑up enforcement in water systems. [17][4][3][13]

06 · Section

Unintended Consequences and Risks

  • Supply‑chain exclusions tied to “foreign entities of concern” may shrink vendor pools and lengthen lead times, especially for OT components; agencies should plan for alternates and lifecycle costs. [9]
  • Implementation burden. Smaller SLTTs may struggle with MFA rollout and identity governance; phased adoption of phishing‑resistant methods is recommended to avoid usability pushback. [4]
  • Information‑sharing transition. Replacing explicit MS‑ISAC references with broader ISAOs could diversify options but may fragment participation unless states designate clear vehicles (e.g., state ISAOs). [21]
  • Over‑focusing on IT while OT remains exposed is a risk; water/energy operators need asset discovery and network segmentation to avoid physical‑world consequences. [18]
07 · Section

Assessment

Overall stance is an analytical roll‑up, not advocacy.

Neutral. The PILLAR Act likely improves SLTT cyber resilience—especially for water and other OT‑dependent services—by aligning funds to high‑impact controls (MFA, asset lifecycle, logging) and by facilitating rural outreach and timelier local funding. However, net benefits depend on year‑over‑year appropriations, jurisdictions’ capacity to implement and sustain identity/OT controls, and how procurement guardrails affect costs and vendor availability. [17][4][2]

08 · Section

Sourcing (selected)

Core program facts, risk context, and implementation guidance drew on the following references.

  1. CISA SLCGP overview and grants administration; IIJA background. [10]
  2. FEMA FY2025 SLCGP fact sheet (allocations and pass‑throughs). [2]
  3. GAO 2025 review of SLCGP implementation and sustainability concerns. [3]
  4. EPA enforcement alert on water‑sector cybersecurity and violations. [13]
  5. CISA advisories on Volt Typhoon and OT/PLC threats. [20][18]
  6. CISA Secure by Design and phishing‑resistant MFA guidance. [7][4]
  7. FBI IC3/Reuters synthesis on ransomware trends and losses. [11]
  8. Emsisoft 2024 ransomware counts for governments and schools (indicative). [12]
  9. Legal definitions: 15 U.S.C. §9401 (AI); 42 U.S.C. §19237 (foreign entity of concern). [8][9]
  10. CISA Cyber Hygiene no‑cost services and risk‑reduction statistics. [5]
  11. MS‑ISAC membership shift to fee‑based model and timing. [6]
Sources cited
  [1] State and Local Cybersecurity Grant Program. CISA.
  [2] Fiscal Year 2025 State and Local Cybersecurity Grant Program Fact Sheet. FEMA.
  [3] GAO-25-107313: DHS Implemented a Grant Program to Enable SLTT Governments to Improve Security. U.S. GAO.
  [4] Require MFA in Government (SLTT). CISA.
  [5] Cyber Hygiene Services. CISA.
  [6] MS-ISAC Membership FAQ. Center for Internet Security.
  [7] Secure by Design. CISA.
  [8] 15 U.S.C. § 9401 - National AI Initiative Act definitions. LII / Cornell Law School.
  [9] 42 U.S.C. § 19237 - CHIPS and Science Act definitions (including foreign entity of concern). LII / Cornell Law School.
  [10] Cyber Grants (SLCGP/TCGP overview). CISA.
  [11] Complaints about ransomware attacks on U.S. infrastructure rise 9%, FBI says. Reuters.
  [12] The State of Ransomware in the U.S.: Report and Statistics 2024. Emsisoft.
  [13] Enforcement Alert: Drinking Water Systems to Address Cybersecurity Vulnerabilities. U.S. EPA.
  [14] US pharmacy outage triggered by 'Blackcat' ransomware at UnitedHealth unit, sources say. Reuters.
  [15] Change Healthcare cyberattack: AHA analysis of impacts. American Hospital Association.
  [16] Web search · turn 12 #5
  [17] Cross-Sector Cybersecurity Performance Goals (CPGs). CISA.
  [18] Exploitation of Unitronics PLCs used in Water and Wastewater Systems. CISA.
  [19] A hacker tried to poison the water supply in Oldsmar, Florida, police said. Washington Post.
  [20] PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure (AA24-038A). CISA.
  [21] Web search · turn 7 #0
