
Dec 15 2025
Security

7 Tips for How State and Local Governments Can Shop MDR Wisely

Managed detection and response can fill security gaps with the right tools for the job.

If you work in state or local government, you already know the problem: Attackers work around the clock, but your team may not be able to because of budget or staffing limitations. Managed detection and response (MDR) can close that gap — but only if you buy the right service for your environment. Here’s a guide to shopping MDR wisely, with steps you can act on during this budget cycle.

1. Start With a Quick Controls Check

Before comparing vendors, do a lightweight controls review against a common framework. Consider the 18 CIS Critical Security Controls, a prioritized set of best-practice cybersecurity safeguards published by the Center for Internet Security. These assessments can be done internally, externally or in a workshop format to set a baseline.


You’ll learn what’s solid, what’s missing and which gaps MDR might cover. That keeps you from buying a service to solve the wrong problem and gives you a to-do list for day one with the provider.

A clear baseline prevents scope creep, reduces onboarding friction and helps measure whether MDR is covering the environment comprehensively.

2. Decide What 24/7 Really Means for You

Not all around-the-clock offers are equal. Ask vendors to define after-hours coverage in writing: who watches your environment, where they sit, how they escalate and what authority they have to act without waiting for your approval.

Ask for:

  • Average time to human engagement on critical incidents
  • Preapproved actions (host isolation, account disablement, blocking indicators)
  • Holiday and weekend surge plans and on-call playbooks

3. Demand Fit for the Environment — Not Just a Logo Salad

Government networks aren’t all the same. A county with public Wi-Fi and a community college campus look very different from a water or power utility. Look for MDR providers that can handle your mix of endpoints, identity systems, email, cloud workloads and any operational technology you run.

Red flags: One-size-fits-all pricing, thin identity response, or no real answer for operational technology and industrial control system use cases.


4. Baseline Normal With a Compromise Assessment

MDR works best when “normal” is well understood. Just as you would commission a penetration test, ask for a brief compromise assessment upfront — focused on Active Directory and a few critical servers — to find any bad actors already present before the MDR service is deployed. A compromise assessment gives reasonable assurance that the environment is free of existing compromise before the new service goes live. Without it, an attacker who is already inside gets baselined as “normal” traffic by the MDR vendor and may go undetected.

Deliverables to expect: a report stating that key servers and resources show no indicators of compromise, which establishes the network, servers and applications as a clean baseline free of threat actors.

5. Match Reporting to Your Obligations

You’ll need incident summaries that satisfy executives, auditors and — sometimes — cyber insurance. Preview the actual report format during the sales process. Make sure it includes timeline, root cause, actions taken, evidence and recommended follow-ups mapped to your controls framework.

Ask for a redacted example from a real engagement, not a marketing slide.

6. Pressure-Test Authority and Handoffs

Speed dies in the gap between detection and action. Nail down who can isolate a device, kill a process or revoke a session after hours and how that authority is documented. Ensure that the organization has a detailed incident response plan that defines roles, actions and reporting. If you co-manage, clarify which alerts your team handles versus those to which the MDR provider responds.

Run a scenario test and a full incident response tabletop: “It’s Saturday at 3:12 a.m. An admin token is abused. What happens next — minute by minute?”


7. Price the Outcomes

MDR pricing and packaging vary wildly. Compare providers on a common grid: coverage scope (endpoint, identity, email, cloud), time-to-human metrics, included response actions, onboarding timeline and exit terms. Bundles from endpoint vendors can be great, but verify they meet your use cases, not just your procurement deadline.

Beware of a low base price with expensive add-ons for the actions you actually need.

A simple RFP sniff test:

  • 24/7 human engagement service-level agreement (in minutes)
  • Preapproved action list and legal sign-offs
  • Compromise assessment included (or discounted)
  • Identity response that goes beyond resetting passwords
  • Reporting that satisfies auditors and cyber insurance
  • Clear co-managed roles and emergency takeover steps

The bottom line is that the right MDR deal gives you outcomes you can measure: faster detection, decisive off-hours action, cleaner handoffs and reports that stand up to scrutiny. Do a quick controls check, baseline “normal” and buy the service that fits your environment, not the one with the shiniest logo.

This article is part of StateTech’s CITizen blog series.


Jacob Wackerhausen/Getty Images