Skip to content
Subscribe

Local Cybersecurity: Rural Utility Act and Cybersecurity Grant Program

Bola Ogbara
Bola Ogbara Connect on LinkedIn
4 min. read

 The Rural and Municipal Utility Cybersecurity Act & the State and Local Cybersecurity Grant Program may fund cybersecurity for resource-poor critical infrastructure. 

Rural Utility Act and the SLGCP

On June 29th 2026, the House of Representatives passed the Rural and Municipal Utility Cybersecurity Act, a law by Iowa representative Congresswoman Mariannette Miller-Meeks. According to the press release, the act “reauthorizes the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program, providing critical resources to help smaller utilities deploy advanced cybersecurity technologies, strengthen information sharing, and protect the infrastructure millions of Americans rely on every day.”

 

Rural areas have been known to have poor cybersecurity posture, with disastrous consequences. According to the Aspen Institute, “rural communities often fall below what’s called the Cyber Poverty Line, not able to afford basic cybersecurity protections.” Put simply, this means that these areas often lack the resources to achieve adequate cybersecurity. Critical infrastructure organizations that are “target rich, resource poor”, (a phrase coined by the Cybersecurity Infrastructure Security Agency (CISA) in their FY2024-2026 Cybersecurity Strategy) are often attacked by hackers. Rural hospitals, for example, have been famously vulnerable to cyberattacks. Another sector subject to malicious cyber activity is energy, particularly the electricity grid.

 

As early as March 2021, cybersecurity for the electrical grid was identified as an area that required investment. A 2021 study by the Government Accountability Office (GAO) discovered that “U.S. grid’s distribution systems—which carry electricity from transmission systems to consumers and are regulated primarily by states—are increasingly at risk from cyberattacks.” Though the study called the potential impact of these cyberattacks “unclear”, it did conclude that even a localized attack could become a much bigger issue: “While a cyberattack on distribution systems may be less significant than one on the bulk power system, the impacts of such an attack could still result in outages of national significance.”

 

The Rural and Municipal Utility Cybersecurity Act is the natural continuation of the Rural and Municipal Utility Advanced Cybersecurity (RMUC) Grant and Technical Assistance Program. The Program was established by the Infrastructure Investment and Jobs Act, which became law in November 2021. Over five years, the law gave the RMUC Program $250 million to improve the cybersecurity preparedness of rural, municipal, and small-investor-owned electric utility owners.

 

Organizations that received the grant money, have supported the push for the Rural and Municipal Utility Act. For example, the American Public Power Association (APPA) received $4 million to launch the Cyber Pathways Program, a program that “is designed to support public power utilities with cybersecurity assessments, training, and a new cybersecurity designation program to recognize utilities implementing cybersecurity best practices.” The Senior Vice President of Grid Security, Technical, and Operations Services at APPA, Adrienne Lotto, called the 2021 act “a once in a generation opportunity to improve cybersecurity” for rural and small utility organizations.

 

Leaders like Lotto will likely be glad to learn that the act continues to offer this priority to under-resourced groups. The act states that “In providing technical assistance and awarding funding, including grants, cooperative agreements, and prizes, under the Program, the Secretary shall give priority to an eligible entity that, as determined by the Secretary— (A) has limited cybersecurity resources; (B) owns assets critical to the reliability of the bulk-power system; or (C) owns or operates defense critical electric infrastructure.”

 

Chairman of the House Committee on Energy and Commerce, Rep. Brett Gruthie, praised the act as one step to outcompete US opponents: “By strengthening our security planning, ensuring the Department of Energy has the leadership necessary to confront threats, providing utilities with the tools necessary to protect the grid, and supporting increased collaboration between grid operators and the federal government, we can stay ahead of adversaries and ensure reliable, secure energy for American families and businesses.”

 

The Rural and Municipal Utility Cybersecurity Act is just one part of the movement for cybersecurity funding on a smaller level than the federal government. On June 23, 2026, leaders from the National Association of State Chief Information Officers, National Conference of State legislatures, the US Conference of Mayors, the National League of Cities, the International City/County Management Association, and the National Association of Counties, signed a letter urging congress to “provide $300 million in Fiscal Year 2027 funding for the State and Local Cybersecurity Grant Program (SLCGP).”

 

Like the RMUC Grant and Technical Assistance Program, the SLCGP was established by the 2021 Infrastructure Investment and Jobs Act. In the allotted four years for the initiative, the SLGCP gave state and local governments $1 billion to support cybersecurity planning and implementation efforts. In the letter, the impact of the program was emphasized: “SLCGP investments have strengthened coordination between state and local governments, improved cyber readiness, and helped protect essential services such as emergency communications, public health systems, elections, transportation, and education. As state and local governments continue to face persistent threats from nation-state actors, ransomware groups, and other cybercriminals, sustained federal investment remains essential to ensuring every community has access to baseline cybersecurity capabilities.”

 

Despite funding 839 state and local cybersecurity projects across the US in 2024, the SLCGP expiration date wasn’t adjusted until the end of the program in September 2025. After expiring, the future of the SLCGP hung in the balance during the October 2025 government shutdown, until it was reauthorized in November. Still, the amount of funding the project was set to receive was unclear, especially with the significant budget and staff cuts - some of which may be reneged on soon - endured by CISA since the start of President Trump’s second term. According to the letter, the requested $300 million stems from a bipartisan piece of legislation to reauthorize the program. On top of the funding, the authors of the letter also ask for a long-term reauthorization to account for the extended time required to build and implement cybersecurity strategies.

 

While the letter has not yet received a response from any of the addressees on the Senate Committee on Appropriations, the timing of the release, coinciding with Rural and Municipal Utility Cybersecurity Act, suggests that the need for cybersecurity funding on a local level may be gaining more awareness nationwide. The popularity of the SLCGP, along with the bipartisan support for Miller-Meek’s act, may be enough to strengthen the cybersecurity of previously overlooked organizations in critical infrastructure.