Relevant Laws & Compliance Checklists: What Local Governments Need to Know

Cybersecurity laws and regulations are evolving rapidly. For local governments, staying compliant isn’t just about checking boxes—it’s about protecting public trust, ensuring operational continuity, and avoiding costly legal exposure. As the threat landscape changes, so do the legal obligations that govern how municipalities handle data, respond to incidents, and manage third-party risks.

Why Legal Review Matters

Boards and senior leaders must be regularly updated on both existing laws and proposed legislation that could impact current practices. This includes federal mandates, state-specific statutes, and sector-based requirements. Engaging your general counsel or external legal advisors is essential to ensure that your organization remains compliant and prepared.

Legal teams can help:

  • Interpret new regulations and assess their applicability.
  • Identify gaps in current policies and procedures.
  • Draft or revise internal compliance checklists.
  • Advise on risk exposure and liability mitigation.

Federal Laws to Watch

Several federal statutes directly affect state and local governments:

  • Federal Information Security Modernization Act (FISMA): Now applies more stringently to local governments, requiring robust protections for information systems and timely incident reporting.
  • Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA): Requires organizations in critical infrastructure sectors—including many municipal services—to report cyber incidents within 72 hours and ransomware payments within 24 hours.
  • State and Local Government Cybersecurity Act of 2021: Provides federal support through grants, cooperative agreements, and training programs.
  • Federal Rotational Cyber Workforce Program Act of 2021: Encourages talent development and resource sharing across government agencies.

These laws are designed to improve coordination, transparency, and resilience across public sector entities.

State-Level Regulations

Cybersecurity legislation continues to evolve rapidly across the United States. In 2025, 48 states and Puerto Rico introduced or considered more than 500 bills or resolutions related to cybersecurity. These laws reflect growing concerns about ransomware, data breaches, and the need for stronger digital infrastructure in government.

Key Trends and Examples

  • New York: Updated procurement laws now require endpoint device purchases to align with the NIST Cybersecurity Framework. As of 2025/2026, local governments are also subject to a .gov web domain mandate, incident reporting requirements, and a training mandate.
  • Arkansas: Required the Division of Information Systems to maintain cybersecurity policies aligned with state standards.
  • Idaho: Requires all state agencies to implement multifactor authentication and maintain cybersecurity best practices.
  • Mississippi: Established limits on cyber liability claims and introduced new requirements for cybersecurity insurance.
  • Montana: Expanded its workforce development program to include cybersecurity roles beyond entry-level analysts.
  • Hawaii: Adopted resolutions to build cybersecurity education pipelines and strengthen its innovation economy.

These laws vary widely in scope and applicability. Some focus on procurement, others on workforce development, insurance, or incident reporting. Local governments must consult legal counsel to determine which laws apply and how to comply.

Compliance Checklists and Internal Oversight

To manage compliance effectively, local governments should maintain internal checklists that cover:

  • Data classification and retention policies.
  • Incident response and reporting protocols.
  • Vendor risk assessments and contract language.
  • Employee training and awareness programs.
  • Access controls and audit trails.
  • Insurance coverage and legal disclosures.

These checklists should be reviewed and updated regularly, especially when new laws are enacted or existing ones are amended. Legal advisors can help tailor these tools to your organization’s structure, risk profile, and regulatory environment.

Cybersecurity compliance is not one-size-fits-all. Each state may have different laws, and local governments must navigate these requirements with care. Legal review should be a standing agenda item for boards and councils, and compliance checklists should be living documents that evolve with the law.

If your organization hasn’t conducted a legal review recently, now is the time. Engage your legal team, update your checklists, and ensure that your cybersecurity practices are aligned with current and emerging regulations.
