PILLAR Act

Protecting Information by Local Leaders for Agency Resilience Act or the PILLAR Act

This bill extends the State and Local Cybersecurity Grant Program through FY2035, expands the scope of the program, and imposes certain limits on the use of grant funds. (The program provides grants to states and Indian tribes to address cybersecurity risks to government information systems.)

The bill expands the scope of systems that may be secured using grant funds to include operational technology systems and specifies that systems using artificial intelligence are included. Such systems must be maintained, owned, or operated by or on behalf of state, local, or tribal governments.

The bill also specifies that grant funds may not be used to purchase software, hardware, or related products or services that do not align with relevant guidance provided by the Cybersecurity and Infrastructure Security Agency (CISA).

Further, the bill increases the federal share of costs available to entities that implement or enable multifactor authentication and identity and access management tools for critical infrastructure by a specified date.

The bill requires annual reports by grant recipients to include a description of recipients’ progress in assuming the cost of continuing cybersecurity programs after grant funds are fully expended.

The Government Accountability Office must periodically review the program. This effort must include a review of artificial intelligence adoption across a sample of grants.

Finally, CISA must implement an outreach plan to inform local governments, including governments in rural areas or areas with small populations, about CISA’s no-cost cybersecurity offerings.