The PILLAR Act reauthorizes and updates the CISA State and Local Cybersecurity Grant Program through 2035, expanding coverage to operational technology and AI systems while refining security requirements and funding details.
Andrew Ogles
Representative
TN-5
The PILLAR Act reauthorizes and updates the CISA State and Local Cybersecurity Grant Program through 2035, expanding its scope to explicitly cover operational technology and systems utilizing Artificial Intelligence. The bill tightens security requirements, mandates the use of modern practices like Multi-factor Authentication (MFA), and adjusts federal matching shares based on implementation timelines. It also restricts the use of grant funds for technology acquired from Foreign Entities of Concern.
The Protecting Information by Local Leaders for Agency Resilience Act, or PILLAR Act, is essentially a major overhaul and extension of the CISA State and Local Cybersecurity Grant Program. This bill reauthorizes the program for another decade, pushing its expiration date from 2025 all the way out to 2035. More importantly, it drags state and local government tech security firmly into the modern era, explicitly covering systems that weren’t previously included and defining new security standards they must meet to get the biggest piece of the federal pie.
One of the biggest takeaways here is that the grant program’s reach is expanding. Previously, funds focused on standard “information systems” (think office computers and networks). Now, the PILLAR Act explicitly expands coverage to include operational technology (OT) systems and any system that uses Artificial Intelligence (AI). OT systems are the hardware and software that run physical infrastructure—like the controls for water treatment plants, traffic lights, or power grids. This is huge because these systems are increasingly targeted by hackers, and now local governments can use federal funds to secure them. The bill also formally defines AI, AI Systems, and Multi-factor Authentication (MFA), making it clear that the government is serious about modernizing defenses.
The bill introduces a clear financial incentive tied to security best practices. The standard federal match for these grants is 60% (70% for multi-entity groups) through 2035. However, if a state or local government implements MFA and identity management tools for its critical infrastructure systems by October 1, 2027, the federal share jumps to 65% (or 75% for groups). This is the federal government putting its money where its mouth is: use better security, get more funding. For a busy IT director, that extra 5% federal contribution is the kind of leverage needed to push through a major security upgrade.
While the bill is generally good news for security, it introduces a couple of potential snags. First, starting in 2026, the required local match (the state or local government’s share) must equal at least 80 percent of the grant amount, fulfilled through in-kind services or other activities. While this isn't cash out of pocket, for the smallest, most resource-strapped rural local governments, finding the staff time and resources to dedicate 80% of the grant value in services could be a significant administrative lift. It's a trade-off that could potentially make it harder for the smallest entities to access the funds, even though the bill requires CISA to specifically conduct outreach to these groups.
Second, the bill restricts how grant money can be spent. You can’t use these funds to buy software or hardware that doesn’t align with CISA guidance (like their Secure by Design principles), or anything made by a “Foreign Entity of Concern” if it also doesn’t align with CISA guidance. This means any local government currently relying on tech from a designated foreign entity may need to spend money replacing or upgrading that equipment just to stay compliant and eligible for future grants, adding an unexpected cost to their budget.