PolicyBrief
H.R. 5078
119th Congress, Nov 17th 2025
PILLAR Act
HOUSE PASSED

The PILLAR Act reauthorizes and modifies the CISA State and Local Cybersecurity Grant Program, expanding its scope to include operational technology and AI systems, and updating funding and oversight requirements through 2033.

Andrew Ogles (R), Representative, TN-5

LEGISLATION

Cybersecurity Grants Get Major Overhaul: AI, OT Added, But Local Cost-Share Jumps to 80% Starting 2026

The PILLAR Act reauthorizes the federal State and Local Cybersecurity Grant Program, extending it until 2033, but it’s far more than a simple renewal. This legislation is a significant modernization effort aimed at dragging local government IT security into the age of artificial intelligence and industrial systems, while simultaneously introducing some serious changes to how federal money is distributed.

The New Cybersecurity Checklist: AI and OT

If you thought cybersecurity was just about protecting your email and spreadsheets, think again. The PILLAR Act dramatically expands the scope of what state and local governments must protect under the grant program. Specifically, it adds Operational Technology (OT) systems—think the computers running water treatment plants, traffic lights, or power grids—and Artificial Intelligence (AI) systems to the list of things that must be managed, monitored, and modernized. For a city that uses AI to optimize its transit system, or a county that relies on networked industrial controls for its utilities, this is huge. The bill mandates that cybersecurity planning committees must now track and monitor these expanded systems, including adopting best practices like continuous vulnerability assessments and implementing an IT/OT/AI modernization review process. This is the government acknowledging that a hacker taking down a city’s finance server is bad, but taking down a hospital’s environmental controls or a dam’s floodgates is catastrophic.

The MFA Incentive and the Foreign Entity Ban

The bill uses a classic carrot-and-stick approach to push better security practices. The “carrot” is a funding boost: if a government entity implements Multi-Factor Authentication (MFA) for its critical infrastructure (including AI-enabled systems) by October 1, 2027, its federal cost-share increases by 5 percentage points, up to 65% for single entities. That’s a direct financial incentive to adopt one of the most effective security measures available. The “stick” is a restriction on grant use. Funds cannot be used to purchase hardware or software from a “foreign entity of concern,” nor can they be used for products that don’t align with Agency guidance, including “Secure by Design” principles. This tightens the supply chain, which is good for national security, but it could limit choices and potentially increase costs for local IT directors if their preferred vendors are suddenly off-limits.

The 80% Local Contribution Problem

Here’s the provision that will cause the most heartburn for local government budgets: the local cost-sharing requirement. Currently, local governments contribute a relatively small percentage of the grant cost. However, the PILLAR Act drastically increases this requirement for grants awarded on or after January 1, 2026. For distributions made with a local government’s consent, the required contribution (in-kind services, capabilities, or cash) must have a value of not less than 80% of the grant amount. To put it simply, if a small town gets a $100,000 grant, they must show they are spending $80,000 worth of resources themselves. This massive jump to an 80% local match could effectively price out smaller, cash-strapped local governments—especially those in rural areas—from participating in this crucial program, even though the bill maintains a requirement for outreach to those areas. While the bill includes a provision allowing local governments to petition the Secretary for direct funding if the state fails to disburse funds within 60 days, the 80% contribution hurdle remains a significant barrier to entry for many communities trying to modernize their defenses against increasingly sophisticated threats.