HR5078-119

Passed House

PILLAR Act

119th Congress Introduced Sep 2, 2025

Summary

What This Bill Does

The PILLAR Act updates section 2220A of the Homeland Security Act, the CISA State and Local Cybersecurity Grant Program. It adds definitions for artificial intelligence, artificial intelligence systems, foreign entities of concern, and multi-factor authentication. It expands the program from information systems alone to information systems and operational technology systems, including systems using artificial intelligence, that are maintained, owned, or operated by eligible entities or by local governments within a state.

The bill rewrites cybersecurity-plan uses to include managing applications, user accounts, legacy systems, unsupported technology, operational technology, and AI-enabled systems; monitoring network traffic; improving incident response; continuous vulnerability assessment; identity and access management such as multi-factor authentication; NIST or CISA cybersecurity frameworks; supply-chain risk management; adversary tactics knowledge bases; AI-related technologies; and automated cybersecurity practices. It allows academic entities, cybersecurity clinics, and nonprofit technical assistance programs to support grant work. It requires direct outreach to rural areas and local governments with small populations.

The bill changes program administration. It replaces a reference to the Multi-State Information Sharing and Analysis Center with Information Sharing and Analysis Organizations. It extends certain grant periods from two years to three years and keeps the program running through fiscal year 2033 subject to appropriations. The federal share may be up to 60 percent for eligible entities and 70 percent for multi-entity groups through 2033, with higher shares of 65 percent and 75 percent beginning in fiscal year 2028 if the entity implements multi-factor authentication and identity-and-access-management tools for critical infrastructure by October 1, 2027. It bars grant funds from purchasing software, hardware, products, or services that do not align with CISA guidance such as Secure by Design guidance, or that are designed, developed, operated, maintained, manufactured, or sold by a foreign entity of concern and do not align with CISA guidance. Local governments may petition the Secretary for direct funding if a required distribution is not made within 60 days of the anticipated disbursement date. GAO must review the program within three years and every three years until termination, including grant selection, a sample of grants, and AI adoption.

Who Benefits and How

State governments, local governments, rural local governments, small-population local governments, critical infrastructure operators under local jurisdiction, CISA, cybersecurity clinics, nonprofit technical assistance programs, domestic cybersecurity vendors, secure-by-design software vendors, identity-and-access-management vendors, multi-factor authentication vendors, Information Sharing and Analysis Organizations, and GAO cybersecurity reviewers benefit because the bill extends funding, broadens eligible system types, raises cost shares for MFA adoption, creates direct-funding leverage for local governments, and steers grants toward secure domestic technology and no-cost CISA services.

Who Bears the Burden and How

State cybersecurity offices, local government IT departments, rural local governments, small-population jurisdictions, CISA grant administrators, the DHS Secretary, the CISA Director, cybersecurity planning committees, foreign-entity-of-concern technology vendors, software vendors that do not align with CISA guidance, hardware vendors that do not align with CISA guidance, critical infrastructure owners, and GAO must comply with expanded plan content, operational-technology and AI reviews, Secure by Design purchasing restrictions, local funding-distribution rules, direct-petition procedures, outreach plans, federal-share conditions, state budget-sustainability requirements, and recurring GAO audits.

Key Provisions

  • Extends the State and Local Cybersecurity Grant Program through fiscal year 2033 subject to appropriations.
  • Defines artificial intelligence, artificial intelligence systems, foreign entities of concern, and multi-factor authentication.
  • Expands grant planning from information systems to operational technology and AI-enabled systems.
  • Requires cybersecurity plans to cover asset tracking, network monitoring, incident response, vulnerability assessment, MFA, supply-chain risk management, and automated cybersecurity practices.
  • Bars grant purchases of nonsecure software or hardware that does not align with CISA guidance.
  • Bars grant purchases from foreign entities of concern when products do not align with CISA guidance.
  • Raises federal cost-share ceilings and provides higher shares for entities that implement MFA and identity-access tools for critical infrastructure by October 1, 2027.
  • Requires local-government distributions, allows direct-funding petitions after a 60-day delay, and mandates rural no-cost-services outreach.
  • Requires GAO reviews every three years, including AI adoption in sampled grants.

Evidence Chain:

This summary is generated from the full bill text using AI analysis. Expand "Detailed Analysis" below for identified beneficiaries/burden bearers with clause-level evidence links.

At a Glance

What This Bill Does

Reauthorizes and rewrites the CISA State and Local Cybersecurity Grant Program through 2033 by adding artificial-intelligence and operational-technology coverage, barring nonsecure or foreign-entity-of-concern technology purchases, extending grant periods, changing federal cost shares, requiring local-government distributions and direct-funding petitions, mandating rural outreach, and adding recurring GAO reviews.

Key Policy Areas

Cybersecurity, Homeland Security, State & Local Government, Artificial Intelligence

Primary Purpose

Reauthorizes and rewrites the CISA State and Local Cybersecurity Grant Program through 2033 by adding artificial-intelligence and operational-technology coverage, barring nonsecure or foreign-entity-of-concern technology purchases, extending grant periods, changing federal cost shares, requiring local-government distributions and direct-funding petitions, mandating rural outreach, and adding recurring GAO reviews.

Policy Domains

Cybersecurity Homeland Security State & Local Government Artificial Intelligence

Substantive provisions

Identified Gains
  • State governments
  • Local governments
  • Rural local governments
  • Small-population local governments
  • Critical infrastructure operators under local jurisdiction
  • Cybersecurity and Infrastructure Security Agency
  • Cybersecurity clinics
  • Nonprofit technical assistance programs
  • Domestic cybersecurity vendors
  • Secure-by-design software vendors
  • Identity-and-access-management vendors
  • Multi-factor authentication vendors
  • Information Sharing and Analysis Organizations
  • GAO cybersecurity reviewers
Model: codex-gpt-5 | Version: bill_summary_v2 | Source: rfs
Local governments: ,
State governments: ,
Cybersecurity clinics: ,
Rural local governments: ,
GAO cybersecurity reviewers: ,
Domestic cybersecurity vendors: ,
Secure-by-design software vendors: ,
Small-population local governments: ,
Multi-factor authentication vendors: ,
Identity-and-access-management vendors: ,
Nonprofit technical assistance programs: ,
Information Sharing and Analysis Organizations: ,
Cybersecurity and Infrastructure Security Agency: ,
Critical infrastructure operators under local jurisdiction: ,
Identified Costs
  • State cybersecurity offices
  • Local government IT departments
  • Rural local governments
  • Small-population jurisdictions
  • CISA grant administrators
  • DHS Secretary
  • CISA Director
  • Cybersecurity planning committees
  • Foreign-entity-of-concern technology vendors
  • Software vendors that do not align with CISA guidance
  • Hardware vendors that do not align with CISA guidance
  • Critical infrastructure owners
  • Government Accountability Office
Model: codex-gpt-5 | Version: bill_summary_v2 | Source: rfs
CISA Director: ,
DHS Secretary: ,
Rural local governments: ,
CISA grant administrators: ,
State cybersecurity offices: ,
Critical infrastructure owners: ,
Small-population jurisdictions: ,
Local government IT departments: ,
Government Accountability Office: ,
Cybersecurity planning committees: ,
Foreign-entity-of-concern technology vendors: ,
Hardware vendors that do not align with CISA guidance: ,
Software vendors that do not align with CISA guidance: ,

Legislative Progress

Passed House
Introduced Committee Passed
Nov 18, 2025

Received; read twice and referred to the Committee on Homeland …

Nov 18, 2025

Received in the Senate and Read twice and referred to …

Nov 18, 2025 (inferred)

Passed House (inferred from eh version)

Nov 17, 2025

Mr. Garbarino moved to suspend the rules and pass the …

Nov 17, 2025

Motion to reconsider laid on the table Agreed to without …

Nov 17, 2025

On motion to suspend the rules and pass the bill, …

Nov 17, 2025

Passed/agreed to in House: On motion to suspend the rules …

Nov 17, 2025

DEBATE - The House proceeded with forty minutes of debate …

Nov 17, 2025

Considered under suspension of the rules. (consideration: CR H4685-4688)

Nov 12, 2025

Committed to the Committee of the Whole House on the …

Stakeholder Effects

cui bono?

How this legislation distributes effects. Mention counts reflect frequency, not effect magnitude.

Technology
40 mentions across 5 clauses
+25 positive -15 negative

Cybersecurity clinics, Domestic cybersecurity vendors, Foreign-entity-of-concern technology vendors

Positive-direction: Cybersecurity clinics, Domestic cybersecurity vendors, Identity-and-access-management vendors, Multi-factor authentication vendors, Secure-by-design software vendors

Negative-direction: Foreign-entity-of-concern technology vendors, Hardware vendors that do not align with CISA guidance, Software vendors that do not align with CISA guidance

State & Local Government
30 mentions across 5 clauses
+20 positive -10 negative

Local government IT departments, Local governments, Rural local governments

Positive-direction: Local governments, Rural local governments, Small-population local governments, State governments

Negative-direction: Local government IT departments, State cybersecurity offices

Government
10 mentions across 5 clauses
-10 negative

Cybersecurity and Infrastructure Security Agency, Government Accountability Office

Nonprofits
5 mentions across 5 clauses
+5 positive

Nonprofit technical assistance programs

2/2
sections analyzed
Full impact breakdown

Bill Structure & Actor Mappings

Who is "The Secretary" in each section?

Domains
Cybersecurity Homeland Security State & Local Government Artificial Intelligence
Actor Mappings
"agency"
→ Cybersecurity and Infrastructure Security Agency
"director"
→ Director of the Cybersecurity and Infrastructure Security Agency
"secretary"
→ Secretary of Homeland Security

We use a combination of our own taxonomy and classification in addition to large language models to assess meaning and potential beneficiaries. High confidence means strong textual evidence. Always verify with the original bill text.

Learn more about our methodology