How States Can Work with Local Entities on Cybersecurity
In “The Responsive State CIO: Connecting to the Customer,” NASCIO’s 2019 survey of state CIOs, 65 percent of states reported providing security infrastructure and services to local governments. However, the scope of such services varies widely from state to state. States are providing Security as a Service programs to local governments, such as managed security services, election security, anti-phishing training, cyber response teams and ransomware response.
For example, the report notes, Colorado has created the Colorado Threat Information Sharing network, which enables the rapid sharing of “threat information, indicators and other pertinent information among state agencies and local governments, industry and other nongovernment entities.” In October 2019, the Colorado Governor’s Office of Information Technology released a cybersecurity guide for local government to assist with cyber preparedness across the state.
Meanwhile, Illinois established its Cyber Navigator Program in 2018 as a partnership between the Department of Innovation and Technology and the Illinois State Board of Elections. Using funding from the Help America Vote Act of 2002, Illinois hired dedicated personnel to help local election officials in “improving their cybersecurity posture, mitigating risks to elections infrastructure and building their resilience.” The navigators “conduct risk assessments, connect local election officials to resources, and seek to demystify cybersecurity by converting jargon into business-friendly terms.”
In neighboring Indiana, the Indiana Executive Council on Cybersecurity created a toolkit for local emergency managers in line with its statewide cybersecurity strategic plan. The toolkit includes an Emergency Manager Cyber Situational Awareness Survey, aimed at facilitating conversations between local emergency management offices and critical infrastructure on cybersecurity; a cybersecurity incident response template for local government entities; and a cybersecurity training and exercise guide to enhance emergency preparedness for IT security incidents.
At the very minimum, the report notes, states should be building relationships with local governments, and IT security leaders should be working via state-municipal leagues and county associations, with emphasis on local IT associations.
States should also aim to raise awareness of existing services offered to local governments. According to the 2019 state CIO survey, just 31 percent of states have a formal awareness and marketing campaign to promote state offerings to local governments. To raise awareness, state governments can hold cyber summits and educate stakeholders.
Additionally, the report says, state governments should be exploring cost savings that can be achieved through including local governments in service contracts.
IT leaders can consult local governments during the contract planning and solicitation process and offer “a conduit for discussions about pooling resources among shared risk pools at the local level.”