Key Takeaways
- Florida legislators passed House Bill 1085, which would formalize a permanent state‑run cybersecurity support program for municipalities.
- If signed by Governor Ron DeSantis, the bill would create the Local Government Cybersecurity Protection Program (LGCPP) within the Florida Digital Service, effective July 1, 2026, and run through July 1, 2031.
- The LGCPP would provide cybersecurity software and services—such as asset discovery, endpoint detection and response, and security‑operation platforms—rather than cash grants, in exchange for local governments sharing telemetry data with the state’s cybersecurity operations center.
- The bill enjoyed near‑unanimous support, receiving only a single “no” vote in the House, reflecting broad bipartisan recognition of the growing cyber threat to local governments.
- Although the legislation does not appropriate new funding, it codifies a grant model that has been piloted since FY 2022‑23, during which 199 localities received $65.1 million in state‑provided cybersecurity capabilities.
- The LGCPP differs from the federal State and Local Cybersecurity Grant Program (SLCGP) administered by Florida’s Division of Emergency Management, which is tied to cyclical federal appropriations and national priorities such as critical‑infrastructure protection.
- By requiring data sharing, the state aims to improve situational awareness and enable faster, coordinated responses to cyber incidents across municipal networks.
- Supporters view the program as a success story that brings enterprise‑grade defenses to communities that previously lacked the resources to acquire them.
- Critics may raise concerns about privacy, data sovereignty, and the long‑term sustainability of a program that relies on state‑provided tools without a dedicated funding stream.
Background and Legislative Action
During the 2026 legislative session, Florida lawmakers introduced House Bill 1085, a measure designed to move the state’s ad‑hoc cybersecurity assistance for municipalities onto a permanent statutory footing. The bill garnered overwhelming support, passing with only a single dissenting vote in the House of Representatives. After the session’s close, the legislation was transmitted to Governor Ron DeSantis for his consideration; if signed, it will become law on July 1, 2026. The near‑unanimous approval underscores a shared recognition among legislators that local governments are increasingly vulnerable to ransomware, data breaches, and other cyber threats that can disrupt essential services such as water treatment, emergency response, and public safety.
Core Provisions of HB 1085
At the heart of the bill is the establishment of the Local Government Cybersecurity Protection Program (LGCPP), which will be housed within the Florida Digital Service—the state agency responsible for delivering technology solutions across executive branch entities. The LGCPP is authorized to award grants that consist of cybersecurity tools and services rather than direct monetary allocations. Recipient municipalities will be required to share telemetry data—such as logs, alerts, and threat indicators—with the state’s cybersecurity operations center (CSOC) in exchange for receiving these capabilities. The program is slated to operate for five years, with an automatic sunset date of July 1, 2031, unless extended by future legislation.
Scope of Provided Capabilities
The grant package unveiled in earlier pilot phases includes a suite of defensive technologies commonly employed by larger enterprises. These encompass asset discovery and inventory tools that help localities map their hardware and software footprint, endpoint detection and response (EDR) platforms to monitor and mitigate malicious activity on workstations and servers, security‑operation platforms (SOPs) that centralize alert management, and various security systems such as firewalls, intrusion detection/prevention devices, and secure email gateways. By bundling these services, the state aims to eliminate the procurement complexity and cost barriers that have historically prevented small and medium‑sized municipalities from achieving a baseline cybersecurity posture.
Funding Model and Fiscal Context
Notably, HB 1085 does not itself appropriate new money; instead, it formalizes a grant mechanism that has been funded through annual legislative allocations since fiscal year 2022‑23. In the most recent funded year (FY 2025‑26), the state distributed $65.1 million in cybersecurity support to 199 local governments, covering the aforementioned capabilities. Robert Beach, Director of IT for Palm Bay, highlighted that the earlier pilot was not a cash grant but a provision of tools and services, which he described as a “huge success story” because it delivered defenses that were previously out of reach for many communities. The lack of a dedicated funding stream in the bill means that future appropriations will continue to be decided each budget cycle, potentially creating uncertainty for long‑term planning.
Data‑Sharing Requirement and State‑Level Benefits
A distinctive feature of the LGCPP is the mandated telemetry exchange. Participating municipalities must feed real‑time or near‑real‑time data from their deployed tools into the state CSOC. This bidirectional flow enables the state to gain a panoramic view of cyber activity across its municipal landscape, facilitating early detection of widespread threats, coordinated incident response, and the generation of actionable threat intelligence that can be redistributed to participants. Proponents argue that this collective sensing approach amplifies the defensive power of each individual locality, turning a patchwork of isolated defenses into a more cohesive, state‑wide security fabric.
Comparison with Federal SLCGP
Florida already participates in the federal State and Local Cybersecurity Grant Program (SLCGP), administered through the Division of Emergency Management. Unlike HB 1085, the SLCGP relies on discrete, year‑to‑year federal appropriations that are subject to shifting national priorities—recent emphases have included critical‑infrastructure protection and law‑enforcement cyber capabilities. Consequently, SLCGP funding can fluctuate, and grantees must reapply each cycle, often aligning their projects with federal guidelines rather than local needs. By contrast, the LGCPP is intended to be a stable, state‑controlled program that persists regardless of federal budget cycles, thereby offering municipalities a more predictable source of support.
Impacts on Municipal Cyber Resilience
If enacted, the LGCPP could substantially raise the baseline cyber resilience of Florida’s municipalities. Smaller towns and cities that lack dedicated security staff or the budget to purchase advanced tools would gain access to enterprise‑grade defenses, reducing the likelihood of successful ransomware attacks that can cripple utility billing systems, emergency dispatch networks, or public‑records repositories. Moreover, the centralized telemetry hub could enable faster identification of emerging threats—such as a new malware variant targeting municipal SCADA systems—allowing the state to issue timely advisories and mitigation guidance to all participants.
Potential Challenges and Considerations
Despite its promise, the program raises several considerations. First, the compulsory sharing of telemetry data may provoke privacy concerns among municipalities wary of exposing sensitive operational information to a state agency. Clear governance policies, data‑use limitations, and robust safeguards will be essential to maintain trust. Second, the absence of a guaranteed funding line means that future legislatures must continually allocate resources; a budget shortfall could jeopardize the program’s continuity. Third, there is a risk of over‑reliance on state‑provided tools, potentially discouraging municipalities from developing internal expertise or diversifying their security stacks. Finally, the five‑year sunset clause necessitates a legislative review before 2031 to assess effectiveness, costs, and any needed adjustments.
Conclusion and Outlook
House Bill 1085 represents a significant step toward institutionalizing cybersecurity assistance for Florida’s local governments. By converting a successful pilot into a permanent program, the state seeks to close the capability gap that has left many municipalities exposed to increasingly sophisticated cyber threats. Should Governor DeSantis sign the bill, the LGCPP will begin delivering tools, services, and a centralized intelligence network on July 1, 2026, with the goal of fostering a more secure, resilient municipal sector across the Sunshine State. Continued vigilance regarding funding, data governance, and local capacity‑building will be critical to ensuring that the program’s benefits are sustained well beyond its initial five‑year horizon.