Congress should merge federal funding for a state and local cybersecurity information sharing program into the renewal of a major grant program, creating a single legislative solution to two separate funding gaps, according to a June 26, 2026, blog post by the Information Technology & Innovation Foundation (ITIF). The proposal responds to recent federal funding cuts that left state and local governments scrambling for cybersecurity resources, with two separate bills now pending in Congress to address different pieces of the same problem.
Sen. Mark Warner (D-VA) introduced the Guaranteeing Universal Access to Cybersecurity Act in early June 2026, which would provide $50 million in annual grants to the Center for Internet Security (CIS) to operate the Multi-State Information Sharing and Analysis Center (MS-ISAC), allowing state and local governments to access cybersecurity advisories, network monitoring, and other security services at no cost. Separately, the Protecting Information by Local Leaders for Agency Resilience (PILLAR) Act, introduced by Rep. Andrew Ogles (R-TN), would extend the State and Local Cybersecurity Grant Program (SLCGP) through fiscal year 2035 while expanding eligibility to cover operational technology and AI-powered platforms, tightening accountability requirements, and broadening outreach to underserved and rural communities. The PILLAR Act passed the House in November 2025 but hasn't reached the Senate floor.
The report notes that the Cybersecurity and Infrastructure Security Agency (CISA) cut federal support for CIS-operated programs in 2025, arguing that some services overlapped with assistance CISA already provided directly to state and local governments through the SLCGP. According to ITIF, previous grant guidance had allowed SLCGP recipients to use funds for MS-ISAC participation, showing the two programs "have already operated within the same framework." The authors write that rather than creating a separate funding mechanism for CIS, Congress should incorporate MS-ISAC funding into the PILLAR Act, which would "preserve access to critical CIS services without creating another standalone cybersecurity funding program."
The report argues this consolidation matters because CISA faces mounting pressure that limits its capacity to serve smaller communities. In recent years, staffing reductions, contract cuts, and growing mission demands have strained CISA's ability to keep pace with evolving cyber threats, leaving smaller jurisdictions that lack staffing, procurement capacity, and operational resources particularly vulnerable. The authors say Congress should require CISA and CIS to establish a clearer division of labor through the combined program: CISA would handle operational cybersecurity assistance, incident response coordination, and federal cyber defense, while MS-ISAC would focus on information sharing, advisories, and support services for state and local governments. This structured partnership would let CISA concentrate resources on national coordination while MS-ISAC provides no-cost services to local entities, reducing duplication while preserving each organization's strengths.
The report recommends pairing long-term SLCGP reauthorization with dedicated MS-ISAC support and a clearly defined partnership between CISA and CIS, letting Congress address two cybersecurity funding challenges through one legislative vehicle. The authors frame the question facing lawmakers not as whether MS-ISAC deserves renewed support, but how to deliver that support in ways that strengthen the broader cybersecurity ecosystem. Such an approach would preserve critical cybersecurity services, avoid unnecessary duplication, and give state and local governments the support they need to address evolving cyber threats.

