Discover NASCIOs top five federal advocacy priorities and how they impact your state regulatory agency. GL Solutions interviews Alex Whitaker, Director of Government Affairs and Strategic Partnerships at the National Association of State Chief Information Officers. He unpacks the five federal advocacy priorities—from AI to cybersecurity—and shares his top concern for states.
NASCIO’s 2025 Federal Advocacy Priorities list includes:
NASCIO explains that “each year NASCIO releases our federal advocacy priorities, which are a collection of initiatives approved by NASCIO’s Executive Committee. These priorities represent significant areas of focus – largely on cybersecurity and information technology (IT) needs – for NASCIO to highlight and collaborate with federal agencies, Congress, the White House and our strategic partners.”
Listen to the entire interview with Alex Whitaker on our Talkin’ SaaS podcast.
Alex Whitaker: This is a yearly package of federal advocacy priorities that help guide our government affairs, interactions with Congress and federal agencies. The list is not long. We only have five priorities. That does not mean that that’s all that we do, but we pick based on a combination of things. What the federal government is likely to discuss, be that through legislation or regulation. When it comes to the Hill, is it bipartisan? Is it bicameral? Is this something that’s going to be relevant to our CIOs and CISOs and membership? So, this year, the list did not change. We kept the same five from last year.
Alex Whitaker: Most of the states are all there. There may be some agencies that don’t have it for whatever reason. But generally, where we really see a challenge is local governments. And there’s a few reasons that local governments haven’t adopted DotGov. One is an information issue and just sort of not knowing that it’s an option. I think sometimes too, it’s an issue of being a little concerned about, associating a service with the government. We have a lot of states, and folks in local areas, that are a little bit stressful of the government. So, there may be a practical reason to not want to go to DotGov; and in the past, it’s been cost. But NASCIO has advocated and really helped to eliminate the cost of adopting DotGov. There’s now no fee for it. So, there’s a lot of reasons why local governments are not adopting or have not adopted DotGov and we get all those reasons; we respect them.
You know, NASCIO does not come in heavy handed on this stuff, but where we can, we want to explain why it’s important. We’ve really seen it is one of the absolute most effective and easiest ways to prevent fraud and to safeguard user data. So, we are always going to be pushing DotGov as long as we can.
Alex Whitaker: As you said, this was passed with IIJA (Infrastructure Investment and Jobs Act), and it’s a separate sort of little carve out program that was created brand new to focus really explicitly on state and local cybersecurity preparedness and really focus on local. But this is a program that NASCIO has advocated for for years and years, to some way get some dedicated funding to the states so that they can address some of these cybersecurity issues. Because states are doing really well on their own. They’re taking it very seriously on their own to address cybersecurity. But certainly, federal funding is something that is really going to help. And sometimes without a specific appropriation from your state legislature, it’s just not possible to do some of these improvements given the way that the office of the CISO and the CIO are set up. And they usually don’t have the funds to pull out to address cybersecurity.
So, this grant program was included in IIJA, and it’s a billion dollars over four years, with I think about 80% supposed to go to the locals. And this is where we bring in DotGov again. One of the services can be helping local governments do more DotGov adoption. Or it could be assessments or training or what have you. So, it’s a way that Congress has really tried to put some money down to the local level to improve cybersecurity.
Alex Whitaker: It’s kind of both. States are taking a hybrid approach with this money, because, again, the money has to ultimately (80%) go to local governments. But there are three paths you can get there. One, you could just write a check to local governments that apply. But if you just write a check to every local entity, that could be hundreds of local entities. And then at that point, as one of our CIOs jokes, that’s basically a t-shirt that says: Don’t forget to update your password. It’s not really the way to maximize the money. So, there are some states that are writing substantial checks to individual local entities, but they might also be providing services as well. Most states are doing kind of a hybrid approach. They’ll select a few local governments that apply and provide the money for X services. But infrastructure is also something that’s applicable or allowable under the money. So, states and local governments are getting a lot of leeway to decide how to use this funding. And we’ve already seen all kinds of wonderful success programs that we can point to.
Again, going back to DotGov, New Hampshire has this awesome program that they’ve stood up using state and local cybersecurity grant funding. They call it DotGov in a box. So, your local governments apply, and you get all the tools to get your city over to DotGov pretty quickly and efficiently. And they’re using state and local cybersecurity grant money for that.
And we’ve seen a lot of other examples, too, of states being able to improve their cybersecurity posture. They are preventing cybersecurity attacks, and they can trace that directly back to that state and local cybersecurity grant money.
It’s a really effective program, and we hope it continues. We are coming up on the end of the program under IIJA so NASCIO is very clear that we’d like to see this program reauthorized in some way. You know, we were certainly open to changes and ways to make it better, but we really want to make sure that it’s continued. Additionally, though, we’ve had conversations with folks on the Hill about making sure that the last year of funding is also not targeted for any clawbacks. We see this money as very important. We want the program to continue. We’ve got metrics to say X governments have adopted DotGov or prevented X attacks.
But there’s a couple other metrics that we think are really important too, that are a little harder to quantify. One of those is just the relationships that have been improved between state and local governments when it comes to cybersecurity; because the plan requires that these entities talk to each other. So, you have folks in the states and the local governments who have never spoken to each other before, but now they get on the phone and they have meetings together to really talk about why this stuff is important. So that’s one thing. The other thing too is that states are really desperate for stability with this program, because they don’t want to create things that are going to need funding in years five, six and seven. So that’s what’s really important, to give some certainty and stability to cybersecurity grant funding. Because I think there unfortunately are some folks on the Hill who say, Look, you know, we passed that grant program. Didn’t we fix cybersecurity at the local level? So that’s what NASCIO is doing, and we want to be out there to make sure that folks know this is a great program. However, it’s continued, whatever it’s called, we want to make sure that it stays out there, because we’ve seen so much success with it.
Alex Whitaker: At the state level we know that we cannot ever really compete with the big tech companies when it comes to recruiting tech workers, and frankly, sometimes we can’t even compete as much with the federal government. But states are wonderful places to work. I mean, there is so much that can be done, especially if you’re a young person coming right out of college. So, what we like to do is just make sure that our federal partners are aware of things that states are doing to attract folks, and make sure that they know that there are solutions at the state level as they consider the same problem at the federal level. Because even though at that point, the states and the feds are competing for the same workers. It’s all kind of the same goal, right? And that’s to increase and improve the state of the cyber workforce. What we’re requesting from the federal government is just to make sure that incentives that are available to agencies to hire at the federal level are also being afforded to state workers too, be those scholarship programs or what have you.
Alex Whitaker: Last year, we added some language about artificial intelligence and NASCIO really makes two asks of the federal government, be that Congress and the Federal agencies when it comes to AI. The first is to please look to the states and work in consultation with them when you are developing federal AI policy. And the reason for that is because states have not been able to just kind of wait on the Feds when it comes to AI policy. They are so close to their citizens that they have to really start thinking about these things for two reasons, one to make government services better, but two, to protect data. So, states have already developed some really interesting policies when it comes to AI. Those policies range from here’s the cool way we’re using AI to we’re not using AI, because we’re worried about state data. And it’s not really an either or. I just use this as the two extremes.
That first one is saying to the federal government, hey, please look to us and work with us, because we’ve been doing a lot here. The second ask to the feds is, if you are going to create mandates, if you are going to make requirements of states, then those requirements are going to require both people and resources to execute on them. So please be aware of that. Don’t create this federal policy saying states have to do all this, but then not help them with the tools to do that. So that’s kind of where NASCIO is on it.
Alex Whitaker: I’m not going to say that DOGE is good or bad, positive or negative, because I think it’s difficult to tell with any organization, particularly government organizations, what the net impact will be. But there are states that rely on federal funding and federal services for a lot of cybersecurity related initiatives and measures. So, when you see large-scale cuts to government at CISA and other places that are resulting in a reduction of staff we do have to ask: what is that impact going to be? Is it going to make it more difficult for a state cybersecurity analysis to report a breach or to confer with their federal colleague when it comes to a cybersecurity attack? And, you know, I certainly understand the urge to streamline and improve efficiency and cut costs. And we’ve seen governors are setting up their own versions of DOGE to identify cost savings. I just worry a little bit about the pace. I worry a little bit about the slash and burn, just because we don’t always know what the effects are going to be. So, we’ll see. Again, I am loath to say whether something is good or bad, but we certainly have some questions. And yeah, so we’ll see. That’s my two cents on it right now.
Alex Whitaker: It’s so hard to just pick one. As you said, the state and local cybersecurity grant informs a lot, not just with the grant, but it has a lot of tentacles out to other things. I mean, I can connect the grant to so many other issues, even though it’s not the most important funding stream for a CIO office. But it is sort of a bellwether for some other things. But, you know, we’re always wanting to increase and improve the state cybersecurity workforce. AI, we’ll see. Harmonization of federal cybersecurity regulations is really interesting, too, meaning streamlining the amount of audits that go on at state agencies, and the ability to kind of transmit data to the federal government.
The biggest issue is not necessarily something that we’ve outlined in our advocacy priorities, but it’s kind of that broader issue of what we just spoke about when it comes to DOGE and the impact and the posture of Congress and their appetite to fund more state cybersecurity initiatives. So, I think that’s kind of where the biggest things are for us right now too. We have these specific policy points, but all of those are dictated by the appetite of Congress and the administration and what have you to help and to work with states on these issues.
Alex Whitaker: If you are a state employee, and you work for a CIO or one of those offices, you probably have access to NASCIO, if you haven’t checked that out already. But if you are not, check out our website; we have a lot of materials and resources that are there, most of which are available to download for free. If anyone ever has questions, I’m very accessible too. My information is on our website, and I am always happy to chat more about federal priorities and that sort of thing.
Editor’s note: Answers edited for clarity and brevity. To hear the entire interview, listen to our interview on our Talkin’ SaaS podcast.
