The House passage of the PILLAR Act is an important step toward improving the cyber resilience of state, local, tribal, and territorial (SLTT) governments. It provides initial funding and support to help smaller jurisdictions understand their risk and strengthen their defenses. It should be welcomed as progress. But it should not be mistaken for the finish line.
SLTT entities remain the most vulnerable part of America’s digital infrastructure. The gap is not only financial. It is operational. Many counties and municipalities still lack basic visibility into their external-facing assets, their vendors, and the supply chain pathways that connect them to larger state systems.
Threat actors understand this better than anyone. They continue to target the smallest organizations because they provide the least resistance and the greatest opportunity.
Counties and smaller local governments in particular are struggling to keep up with the scale and sophistication of modern cyber threats. State agencies may have the funding and personnel to maintain their resilience, but many counties do not. The result is an uneven security landscape that adversaries exploit with precision.
When threat actors find a weakness in a small jurisdiction, they can use that opening to reach larger state systems and critical infrastructure operators. A single compromise at the local level can escalate into a statewide disruption.
This is why the central challenge facing SLTTs is a visibility gap rather than a technology gap. Even when organizations invest in new tools, many still cannot see the full extent of their digital ecosystem. They do not know all of their third parties. They do not know their fourth, fifth, or sixth parties. They cannot see the vulnerabilities that are visible from the outside. They cannot track how weaknesses in one vendor can create exposure across an entire community.
If an organization cannot see its environment, it cannot secure it.
Visibility is the starting point for resilience. It allows leaders to understand where their most significant risks originate. It helps teams identify misconfigurations before adversaries find them. It expands the perimeter of protection by illuminating the external conditions that shape an organization’s attack surface. Without visibility, counties are left to guess which gaps matter most and which adversaries are already probing their networks.
The stakes are national. Local governments are responsible for essential services that citizens cannot afford to lose. Water treatment facilities, public health systems, emergency communications, and transportation networks all depend on SLTT operators.
These systems are also connected to broader state and regional infrastructures. A compromise in one county can disrupt services far beyond its borders. The United States cannot build national resilience on top of local blind spots.
The PILLAR Act helps address this problem by giving SLTTs resources to improve their situational awareness. It gives smaller jurisdictions a path to understand their risk and to build a foundation for stronger security.
It is, however, only one piece of a larger policy landscape that is taking shape. Congress is considering multiple efforts focused on critical infrastructure protection, cyber resilience, and improved coordination between public and private stakeholders. Together these efforts represent a shift toward a more unified national approach.
The next phase should focus on ensuring that every SLTT government can see its vulnerabilities clearly and act on them quickly. Policymakers should continue developing frameworks that promote ongoing visibility, support consistent reporting, and encourage collaboration across agencies and sectors.
Funding mechanisms should be paired with clear expectations for measurable improvements in risk reduction. Cyber resilience is not achieved through compliance alone. It requires continuous awareness and the ability to take informed action.
If I could deliver one message to Congress, it would be this. Local governments are on the front line of national cybersecurity. They are also the easiest targets for nation-state actors and organized criminal groups that are looking for a single weak link. A compromise at the county level can expose an entire state. Strengthening SLTT visibility is not a technical preference or a local matter. It is a national security priority.
The PILLAR Act creates momentum. Now we need to build on it. The faster SLTTs gain the visibility they need, the stronger our collective defense will become.
