Many state CIOs and their teams have spent countless hours trying to create their own cybersecurity frameworks from scratch. These bespoke frameworks demand enormous amounts of research, planning and implementation work, all of which distracts from the state's core mission of providing citizen services.
Yet according to the Public Technology Institute, only 42 percent of local governments have adopted a cybersecurity framework based on national standards and guidelines. That is a missed opportunity. State agencies could save themselves a great deal of time, money and effort by looking toward their federal counterparts, who are in a position to help. For decades, the federal government has painstakingly developed cybersecurity frameworks and control catalogues to counter ransomware, software vulnerabilities and other attacks by criminal hackers and hostile states seeking access to U.S. assets.
States, on the other hand, frequently had other priorities to attend to, and cybersecurity was often not at the top of their lists. However, that attitude has sharply changed. Over the past few years, election hacks and data breaches have become a new normal, and state CIOs have begun to realize just how big of a priority security has to be.
But are they ready? Do they have the appropriate resources and plans in place to face a cybersecurity storm they may not truly understand?
Since states are often easier targets for hackers than federal agencies with bigger security budgets, ascertaining the answers to these questions is becoming increasingly important as states find themselves in hackers’ crosshairs.
State CIOs Face Waves of Cybersecurity Pressure
State CIOs can be overwhelmed with the sheer volume and magnitude of cybersecurity information coming their way. Indeed, they may feel as if a tidal wave has hit them, for a few reasons.
First, states are attractive targets to attackers who believe they can infiltrate a state's infrastructure and cause massive disruption. These attackers grow more sophisticated every day; even a failed attempt teaches them something about the target, such as an unpatched system or a previously unnoticed entry point, that they can use the next time. It is hard for states to keep up, let alone plan effectively.
Second, they are under close scrutiny. Many state CIOs worry about receiving a failing grade from SecurityScorecard, a security-ratings company that assigns organizations, state governments included, letter grades based on externally observable signals such as exposed services, patch status and leaked credentials. Of course, the public and media are also paying close attention, with news of security breaches making frequent appearances in the headlines.
Third, constituents are engaging electronically with state and local governments at an increasing rate. They expect the same type of service from their state agencies as they would from Amazon, Apple, or a similar private sector company. It can be difficult for state IT teams to keep up with these expectations and still take the time to maintain good security postures.
Unfortunately, many state CIOs are appointed officials who may not have previously had to focus on cybersecurity. As such, they may be unfamiliar with the history of cyber events that they are now being asked to use to inform their approaches to security. They may not even be aware of the cybersecurity work done by the federal government, let alone the ever-evolving threat landscape.
States Can Follow Federal Cybersecurity Templates
Fortunately, federal agencies have already developed several reliable cybersecurity templates that states can adopt for their own needs, saving them time, money and bolstering their security profiles.
The National Institute of Standards and Technology Cybersecurity Framework and the Federal Risk and Authorization Management Program, or FedRAMP, are two prime examples of federal programs that have guided cybersecurity efforts at a national level.
Congress also passed the Federal Information Security Management Act of 2002, or FISMA, later updated by the Federal Information Security Modernization Act of 2014, which codifies the federal government's information security practices and requires agencies to follow NIST standards and guidelines.
Each of these examples includes aspects that states should embrace and include in their own plans. FedRAMP, for example, offers a blueprint for the security of cloud services and products, and its security baselines are drawn from the NIST SP 800-53 control catalogue rather than anything unique to federal agencies; a state that adopts the same controls can reuse a cloud provider's existing FedRAMP authorization package instead of assessing the service from scratch. FISMA, through the NIST Risk Management Framework (SP 800-37) and the SP 800-53 controls it relies on, offers a single model, process and set of security controls that can ease the burden of security management regardless of whether an agency is at the federal, state, or local level.
Understand Open Source Involvement
Many of these initiatives started in the open-source software community, which came together to build standardized cybersecurity programs that could work at all levels. The community is currently working with National Guard units and the Army Cyber School to create a cybersecurity training curriculum. It also worked with the FBI to author cybersecurity standards that states could use to inform cyber policies in their local court systems and police departments, and with agencies such as NIST, NSA Information Assurance, and the General Services Administration's 18F organization on the OpenSCAP, ComplianceAsCode and OpenControl projects, which express security controls and the checks for them in standardized, machine-readable form so that the same content can be scanned against, audited and reused by any organization.
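The practical payoff of that standardized, machine-readable content is that a state team does not have to write its own checks or its own reporting. The following is an added illustration, not code from the page or from the OpenSCAP and ComplianceAsCode projects: it reads the XCCDF 1.2 result document that `oscap xccdf eval --results` writes, tallies rule outcomes, and flags failing rules at or above a chosen severity so the scan can gate a build or a change ticket. The sample result document is constructed inline for the example; the rule identifiers follow the ComplianceAsCode naming pattern but are used here purely as illustration.

```python
"""Summarise an OpenSCAP XCCDF result file by outcome and severity.

Added example (not OpenSCAP or ComplianceAsCode project code). Assumes the
XCCDF 1.2 result layout written by `oscap xccdf eval --results out.xml`:
a <TestResult> containing one <rule-result idref=... severity=...> per rule.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# XCCDF severity levels, lowest to highest.
SEVERITY_RANK = {"unknown": 0, "info": 1, "low": 2, "medium": 3, "high": 4}

# Outcomes that mean the control is not satisfied (notapplicable, notchecked,
# notselected and informational are neither passes nor failures).
FAILING_OUTCOMES = {"fail", "error", "unknown"}

# Constructed sample: a trimmed result document with four rule outcomes.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
  <TestResult id="xccdf_org.open-scap_testresult_example"
              end-time="2024-01-01T00:00:00">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"
                 severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen"
                 severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_telnet_disabled"
                 severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_not_applicable"
                 severity="low"><result>notapplicable</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
  </TestResult>
</Benchmark>
"""


def parse_rule_results(xml_text):
    """Return a list of (rule_id, severity, outcome) for every rule-result."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        result = rr.find("x:result", XCCDF_NS)
        outcome = (result.text or "").strip() if result is not None else "unknown"
        rows.append((rr.get("idref"), rr.get("severity", "unknown"), outcome or "unknown"))
    return rows


def summarize(rows):
    """Count outcomes and list failing rules, sorted by rule id for stable output."""
    counts = Counter(outcome for _, _, outcome in rows)
    failing = sorted((rid, sev) for rid, sev, outcome in rows if outcome in FAILING_OUTCOMES)
    return {"counts": dict(counts), "failing": failing}


def blocking_failures(rows, min_severity="high"):
    """Failing rules at or above min_severity; non-empty means the scan should block."""
    threshold = SEVERITY_RANK.get(min_severity, 0)
    return [rid for rid, sev, outcome in rows
            if outcome in FAILING_OUTCOMES and SEVERITY_RANK.get(sev, 0) >= threshold]


if __name__ == "__main__":
    rows = parse_rule_results(SAMPLE_RESULTS)
    report = summarize(rows)
    print("outcomes:", report["counts"])
    for rid, sev in report["failing"]:
        print(f"FAIL [{sev}] {rid}")
    blockers = blocking_failures(rows, "high")
    raise SystemExit(1 if blockers else 0)
```

In a pipeline the script would be run against the real `--results` file rather than the embedded sample; the non-zero exit when a high-severity rule fails is what lets the same ComplianceAsCode profile that a federal agency scans with serve as a merge or deployment gate for a state team, with no bespoke check content written.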
Long ago, the federal government realized the need for a uniform, standardized approach to tackle state cybersecurity concerns. It turned to the open-source community to turn that need into a viable reality. Now, states can take that reality and make it their own.
State CIOs Should Not Reinvent the Wheel
For far too long, people have thought of big business and federal agencies solely when they think of the need to protect cyber assets. State governments are just as vulnerable. It’s time they apply best practices and lessons learned to their own cybersecurity challenges.
But it makes no sense to reinvent the wheel. Already existing federal standards can be just as effective on a state level as they are on a national level. It’s time for states to take a close look at incorporating these standards into their own cybersecurity plans.