Categories
Budgeting & Resources Key Questions for Boards Leadership & Governance Planning & Policy

A Cyber Insurance Briefing for Elected Leaders

In today’s digital landscape, a local government’s data—from citizen records and utility operations to internal communications—is a prime target for cybercriminals. A single ransomware attack or data breach can cripple services, drain resources, and erode public trust.

While strong cybersecurity measures are your first line of defense, Cyber Insurance acts as a crucial safety net, helping your municipality manage the massive financial fallout of a successful attack.

If your village, town, city, county, or public utility is considering or renewing a policy, here is a look at what local governments can expect, the vital differences between what is typically covered versus what isn’t, and the critical questions you must ask your municipality and your broker.


The Six Critical Questions Elected Leaders Must Answer

As an elected leader, your top priority is the continuity of public service and the protection of taxpayer funds. Cyber risk is no longer an “IT problem”—it is a governance and financial crisis waiting to happen. Before you sign a policy, your governing body must confront these fundamental questions about your municipality’s readiness and resilience.

Operational Impact
  Core question for the governing body: If our critical digital systems (email, payroll, utility controls) were locked down by an attack tomorrow, what essential public service would fail immediately?
  Bottom line for taxpayers: We must know which services—from 911 dispatch to water quality monitoring—are immediately jeopardized. If the lights go out, your response must be immediate.

Downtime Tolerance
  Core question for the governing body: How many hours can our municipality sustain a complete disruption of public records and digital services before the damage to the community becomes irreversible?
  Bottom line for taxpayers: Every hour of downtime multiplies the cost, halts services, and directly erodes public trust. This defines your operational breaking point.

Financial Cost
  Core question for the governing body: What is the documented, unbudgeted cost our municipality would face for recovery, separate from any ransom demand?
  Bottom line for taxpayers: The true expense is in forensic investigation, legal fees, and system restoration. You need a transparent figure on the financial exposure, which often runs into the millions.

Budget Resilience
  Core question for the governing body: Do we have an explicitly dedicated and sufficient reserve fund that can absorb an unbudgeted recovery cost of at least $250,000?
  Bottom line for taxpayers: Most local governments do not. This question forces a review of whether a cyber event would force painful cuts to essential public programs.

Risk Strategy
  Core question for the governing body: Are we relying only on our technology defenses, or have we established a financial safety net for when those defenses inevitably fail?
  Bottom line for taxpayers: Technology is a tool, but cyber insurance is the risk transfer mechanism. It is a layer of resilience for a modern public entity.

Governance & Accountability
  Core question for the governing body: Who is the executive-level owner of cyber risk in this municipality, and is a tested incident response plan in place?
  Bottom line for taxpayers: Cyber risk is a leadership issue. Insurance helps ensure that the highest levels of governance have a clear, tested plan to guide the community through the chaos of a breach.

What is Typically INCLUDED in a Policy?

Cyber policies generally cover three distinct areas:

First-Party (Breach Response)
  What is covered: Who pays the costs for us to recover from the attack?
  Examples: Fees for forensic investigators, legal counsel, system restoration, and paying cyber extortion (ransom) demands (subject to limits; payments to sanctioned groups cannot be reimbursed, so the carrier's incident response vendor will screen the recipient first).

Third-Party (Liability to Others)
  What is covered: Who pays if we get sued or fined for exposing citizen data?
  Examples: Defense costs, settlements, damages from citizen lawsuits, regulatory fines where insurable, and costs for notifying all affected individuals.

E-Crime & Financial Loss
  What is covered: Who pays if a criminal tricks an employee into sending public funds to a fraudulent account?
  Examples: Financial loss from Computer Fraud, Funds Transfer Fraud (e.g., fraudulent vendor invoices), and Social Engineering Fraud. These sub-limits are often far lower than the headline policy limit, so check them against the size of your largest routine payments.

What is EXCLUDED?

Exclusions can be policy-specific, but there are several common areas where cyber insurance will not provide coverage:

  • Failure to Maintain Minimum Security: Claims can be denied if the breach is traced to your municipality failing to implement a required security measure, such as an unpatched server or not enforcing Multi-Factor Authentication (MFA).
  • Property Damage or Bodily Injury: Physical damage caused by a cyber event (e.g., a hack on a utility system causing a physical failure) may be covered by a General Liability or Property policy, not the cyber policy, unless specifically added.
  • Acts of War or Terrorism: Losses stemming from hostilities or state-sponsored cyber-attacks are often explicitly excluded. Attribution is rarely clear-cut, and since 2023 the Lloyd's market has required state-backed cyber-attack exclusion wording in standalone cyber policies, so ask the broker exactly how the policy defines a state-backed attack and who bears the burden of proving it.
  • Cost of Hardware/Software Upgrades: The policy will pay to restore systems, but generally not for the cost of upgrading to newer technology.
  • Known Vulnerabilities: If a claim arises from a vulnerability your municipality was aware of before the policy inception date, coverage may be denied.

Where Are the Hidden Traps?

The real risk often lies in the fine print. You need to look beyond the general coverage summary and scrutinize the endorsements and warranties within the policy. These items can act as “trap doors” that allow insurers to legally deny a claim.

1. The “Failure to Maintain Security” Clause

This is the most common and dangerous reason for denial today. Many policies contain a clause that makes coverage conditional upon maintaining specific security controls, most notably Multi-Factor Authentication (MFA).

  • The Warranty Trap: If your municipality warrants (guarantees) in the application that 100% of privileged users or remote access points use MFA, and an attack happens through an account that didn’t have it, the insurer may reject the entire claim based on a breach of warranty.
  • The No-MFA Endorsement: A particularly insidious version of this is the MFA Exclusion Endorsement. This endorsement is added to a policy to state that the insurer will not pay any claim that arises from or is attributed to the lack of MFA on specific systems (e.g., all email, remote access, or privileged accounts).
    • What does the No-MFA Endorsement mean for our paid policy? It means you could pay your full premium for a $1 million policy, but if the claim is traced back to a compromised employee email account that lacked MFA, the insurer can legally reject the entire claim. You have the policy, but no coverage for your greatest risk.

Action: Ensure your policy defines required security controls clearly and realistically. If an MFA endorsement is present, treat it as a policy killer unless you are 100% certain every covered access point complies.
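Before signing an MFA warranty, the one check a practitioner wants is an account-by-account review of who is actually in scope and who lacks a registered MFA method. The script below is an added example and not code from the original page or the Alliance; it works over a constructed CSV export (the column names are an assumption, adapt them to whatever your identity provider exports) and lists the accounts that would make the warranty untrue, separating out service accounts, which usually cannot do MFA and need a documented exception in the policy itself.

```python
"""
MFA warranty audit over an exported account list (added example).

Assumed CSV layout, one row per account:
  account, roles (semicolon-separated), remote_access (yes/no),
  mfa_registered (yes/no), account_type (user/shared/service)
"""
import csv
import io

# Constructed sample export; not real data.
SAMPLE_EXPORT = """\
account,roles,remote_access,mfa_registered,account_type
clerk.jdoe,User,yes,yes,user
it.admin,Global Administrator;User,yes,yes,user
payroll.msmith,User,yes,no,user
dpw.rjones,User,no,no,user
helpdesk.tlee,Helpdesk Administrator,no,no,user
svc-backup,User,no,no,service
mayor.office,User,yes,no,shared
"""

# Roles the warranty treats as privileged (hypothetical list; use your own).
PRIVILEGED_ROLES = {"Global Administrator", "Helpdesk Administrator", "Domain Admins"}


def parse_export(text):
    """Turn the CSV export into dicts with normalized booleans and role sets."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "account": row["account"].strip(),
            "roles": {r.strip() for r in row["roles"].split(";") if r.strip()},
            "remote_access": row["remote_access"].strip().lower() == "yes",
            "mfa_registered": row["mfa_registered"].strip().lower() == "yes",
            "account_type": row["account_type"].strip().lower(),
        })
    return rows


def in_scope(acct):
    """Privileged accounts and anything that can sign in remotely are in scope.
    Service accounts are handled separately: they need a compensating control
    and an explicit carve-out in the policy, not a silent gap."""
    if acct["account_type"] == "service":
        return False
    return bool(acct["roles"] & PRIVILEGED_ROLES) or acct["remote_access"]


def audit(rows):
    """Accounts that would break a '100% MFA' warranty, plus service accounts
    that need a documented exception."""
    gaps = sorted(a["account"] for a in rows if in_scope(a) and not a["mfa_registered"])
    exceptions = sorted(a["account"] for a in rows if a["account_type"] == "service")
    scoped = sum(1 for a in rows if in_scope(a))
    return {"in_scope": scoped, "mfa_gaps": gaps, "service_exceptions": exceptions}


def warranty_holds(rows):
    """True only if every in-scope account has MFA registered."""
    return not audit(rows)["mfa_gaps"]


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    report = audit(rows)
    print("Accounts in warranty scope:", report["in_scope"])
    print("Accounts lacking MFA (warranty at risk):", report["mfa_gaps"])
    print("Service accounts needing a documented exception:", report["service_exceptions"])
    print("Warranty can be signed truthfully:", warranty_holds(rows))
```

Note that the shared mailbox "mayor.office" shows up as a gap: shared and generic mailboxes with remote sign-in are exactly the accounts a warranty review tends to miss, and the ones most often phished.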

2. The Retroactive Date

Cyber policies are written on a claims-made basis and carry a Retroactive Date: an incident that began before that date is not covered, even if it is discovered and reported during the policy period. If an intruder has been inside your network for six months and you buy a policy today, the loss may fall before the retroactive date and be excluded. Ask for the earliest retroactive date the carrier will offer (ideally matching your first continuous cyber policy), and read the related prior-knowledge exclusion, which bars claims for incidents anyone in the municipality knew about at inception. Together these prevent coverage for “silent data breaches” already under way.

3. The Exclusion for Software/Hardware “Betterment”

After an attack, forensic experts often recommend system upgrades (e.g., replacing an old server or moving to cloud services). Insurers will only pay for the cost of restoring the old system, not the cost of making it “better” or new. Your municipality must be prepared to budget for these betterment costs, which can be substantial and unexpected.


The Six Critical Questions to Ask Your Broker

Cyber insurance should be a true safety net, not a piece of paper. Use these questions to determine if your policy provides the coverage, expertise, and support your community needs.

1. What does the policy cover? What specific security controls are mandatory, and what happens if we fail to maintain them?

Demand a clear list of mandatory controls (like MFA for all remote access). Clarify if non-compliance with a warranty will void the entire policy or only exclude payment for claims related to that specific missing control.

2. What is the annual premium and deductible, and how does this fit our budget risk?

Understand the financial spread: Premiums for municipalities often range from $600 to over $100,000 annually, with deductibles from $1,000 to $100,000. Ensure these costs are sustainable and that the deductible is affordable in a crisis.

3. Does the insurer have demonstrated experience specifically with the public sector?

Government entities have unique challenges: tight budgets, complex regulatory compliance (like state breach laws), and critical services. An experienced insurer will offer tailored coverage that respects these public sector obligations.

4. What loss prevention and risk mitigation services are provided in addition to the coverage?

Look for high-value extras included in the policy: access to incident response hotlines, employee training platforms, vulnerability scans, and tabletop exercises. These proactive services reduce risk and can help lower future premiums.

5. If we report a breach, what is the guaranteed response time, and who is our dedicated contact?

Whether it is a routine question or a live incident, you need a human, not an automated line. Ask for a written commitment to respond within hours, not days, and confirm who that will be: a dedicated claims manager, a named cyber specialist, or a 24/7 breach response team with its own hotline number.

6. What is the likely impact of making a claim on our future premiums and coverage availability?

Ask for candor: Will premiums spike after a claim, or will the insurer consider non-renewal? Understanding the long-term relationship ensures you are not penalized for using the safety net you paid for.


Announcing the Local Government Officials Guide to Cybersecurity

We are thrilled to announce the official publication of a critical new resource: the Local Government Officials Guide to Cybersecurity (LGOGC)!

This project was developed by the Local Government Cybersecurity Alliance (LGCA) specifically to empower elected and appointed officials—from supervisors and council members to city managers and agency heads—to effectively navigate the increasingly complex world of cyber risk.

Moving Beyond the Technical Jargon

Cybersecurity is not just an IT department problem; it is an enterprise-wide, whole-of-government issue that impacts finance, legal compliance, emergency services, and public trust.

The LGOGC cuts through technical jargon to focus on what matters most to community leaders: governance, accountability, and resilience. This guide was truly built by and for local government professionals, ensuring every concept is practical and immediately relevant to your fiduciary duty to protect the systems that serve your communities.


What the Guide Will Help You Achieve

The LGOGC provides a clear, actionable framework to help local leaders translate responsibility into practical action. Inside, you’ll find guidance to:

  • Integrate cybersecurity into your strategic and budget planning.
  • Strengthen oversight and reporting mechanisms.
  • Align your efforts with nationally recognized frameworks, such as NIST CSF 2.0.
  • Build a culture of cyber resilience that spans all departments and elected offices.

Download and Share Your Feedback

We believe that making cybersecurity governance as natural and necessary as financial oversight is achievable in every county, city, town, village, and district. This guide is a huge step toward that goal.

Download the Local Government Officials Guide to Cybersecurity (LGOGC) now.

We invite your feedback! Tell us how your jurisdiction is addressing these challenges and what resources would be most valuable to you next in our community forum or white paper.


Relevant Laws & Compliance Checklists: What Local Governments Need to Know

Cybersecurity laws and regulations are evolving rapidly. For local governments, staying compliant isn’t just about checking boxes—it’s about protecting public trust, ensuring operational continuity, and avoiding costly legal exposure. As the threat landscape changes, so do the legal obligations that govern how municipalities handle data, respond to incidents, and manage third-party risks.

Why Legal Review Matters

Boards and senior leaders must be regularly updated on both existing laws and proposed legislation that could impact current practices. This includes federal mandates, state-specific statutes, and sector-based requirements. Engaging your general counsel or external legal advisors is essential to ensure that your organization remains compliant and prepared.

Legal teams can help:

  • Interpret new regulations and assess their applicability.
  • Identify gaps in current policies and procedures.
  • Draft or revise internal compliance checklists.
  • Advise on risk exposure and liability mitigation.

Federal Laws to Watch

Several federal statutes directly affect state and local governments:

  • Federal Information Security Modernization Act (FISMA): Applies to federal agencies and to organizations that operate systems on their behalf. It does not regulate local governments directly, but federal grants, contracts, and data-sharing agreements can flow its NIST-based requirements (SP 800-53 controls, incident reporting) down to a municipality.
  • Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA): Requires covered critical infrastructure entities, which can include municipal water, transit, and emergency services, to report substantial cyber incidents to CISA within 72 hours of reasonably believing one occurred, and ransomware payments within 24 hours. The obligations take effect under CISA's implementing rule; confirm with counsel whether the final rule is in force and whether your entity is covered.
  • State and Local Government Cybersecurity Act of 2021: Directs CISA to expand coordination, information sharing, training, and exercises with state and local governments. The main funding vehicle is the separate State and Local Cybersecurity Grant Program created by the 2021 Infrastructure Investment and Jobs Act.
  • Federal Rotational Cyber Workforce Program Act of 2021: Creates a rotational program for federal cyber employees across federal agencies. It places no obligations on local governments, but it reflects the broader push for workforce development that state programs are beginning to mirror.

These laws are designed to improve coordination, transparency, and resilience across public sector entities.

State-Level Regulations

Cybersecurity legislation continues to evolve rapidly across the United States. In 2025, 48 states and Puerto Rico introduced or considered more than 500 bills or resolutions related to cybersecurity. These laws reflect growing concerns about ransomware, data breaches, and the need for stronger digital infrastructure in government.

Key Trends and Examples
  • New York: Updated procurement laws now require endpoint device purchases to align with the NIST Cybersecurity Framework. As of 2025/2026, there is a .gov web domain mandate, incident reporting requirements, and a training mandate for local governments.
  • Arkansas: Mandated the Division of Information Systems to maintain cybersecurity policies aligned with state standards.
  • Idaho: Requires all state agencies to implement multifactor authentication and maintain cybersecurity best practices.
  • Mississippi: Established limits on cyber liability claims and introduced new requirements for cybersecurity insurance.
  • Montana: Expanded its workforce development program to include cybersecurity roles beyond entry-level analysts.
  • Hawaii: Adopted resolutions to build cybersecurity education pipelines and strengthen its innovation economy.

These laws vary widely in scope and applicability. Some focus on procurement, others on workforce development, insurance, or incident reporting. Local governments must consult legal counsel to determine which laws apply and how to comply.

Compliance Checklists and Internal Oversight

To manage compliance effectively, local governments should maintain internal checklists that cover:

  • Data classification and retention policies.
  • Incident response and reporting protocols.
  • Vendor risk assessments and contract language.
  • Employee training and awareness programs.
  • Access controls and audit trails.
  • Insurance coverage and legal disclosures.

These checklists should be reviewed and updated regularly, especially when new laws are enacted or existing ones are amended. Legal advisors can help tailor these tools to your organization’s structure, risk profile, and regulatory environment.

Cybersecurity compliance is not one-size-fits-all. Each state may have different laws, and local governments must navigate these requirements with care. Legal review should be a standing agenda item for boards and councils, and compliance checklists should be living documents that evolve with the law.

If your organization hasn’t conducted a legal review recently, now is the time. Engage your legal team, update your checklists, and ensure that your cybersecurity practices are aligned with current and emerging regulations.


Cybersecurity on a Budget: How Small Governments Can Implement NIST CSF

For smaller local governments, adopting a cybersecurity framework like the NIST Cybersecurity Framework (CSF) can feel daunting. Limited budgets, lean IT teams, and competing priorities often make comprehensive implementation seem out of reach. Yet the benefits—risk reduction, operational resilience, and insurance alignment—are too significant to ignore.

Why Frameworks Matter

Cybersecurity frameworks provide structure, consistency, and a shared language for managing digital risk. They help local governments:

  • Integrate cybersecurity into enterprise risk management.
  • Improve communication across departments and with external partners.
  • Support regulatory compliance and demonstrate due diligence.
  • Adapt to evolving threats through continuous improvement.

Even partial adoption of a framework can yield meaningful improvements in security posture and incident readiness.

Right-Sizing the Approach

Smaller jurisdictions don’t need to implement every control at once. Instead, they can focus on foundational practices that offer high impact with minimal cost:

  • Enforce strong password policies.
  • Implement multi-factor authentication.
  • Conduct regular backups.
  • Provide basic cybersecurity training for staff.

These steps map onto the NIST CSF’s core functions (Govern, Identify, Protect, Detect, Respond, and Recover in CSF 2.0) and can be scaled over time.

Outsourcing and Shared Services

To overcome staffing and expertise gaps, smaller governments can explore:

  • CISO-as-a-Service: Contracting a virtual Chief Information Security Officer to guide strategy and compliance.
  • Managed Service Providers (MSPs): Outsourcing monitoring, patching, and incident response.
  • Regional Partnerships: Collaborating with neighboring towns, counties, or councils to share cybersecurity functions and reduce costs.

These models allow governments to maintain high standards of protection without the overhead of building full in-house teams.

Ensuring Accountability

When outsourcing, it’s essential to:

  • Align vendor responsibilities with internal policies.
  • Establish clear reporting structures.
  • Require accountability for protecting systems and data.
  • Require MFA and logged, time-limited access for vendor accounts, and write breach notification deadlines into the contract: a compromised MSP is a path into every client it manages.

Framework adoption should be accompanied by governance practices that ensure transparency and control.

Continuous Improvement

Cybersecurity is not a one-time project. Even without a full-time IT or security team, smaller governments can:

  • Schedule periodic reviews of cybersecurity practices.
  • Update policies based on new threats and technologies.
  • Use tabletop exercises to test incident response readiness.

These efforts build resilience and demonstrate a commitment to protecting public assets.


Cyber Framework Comparison: Choosing the Right Path for Your Organization

Selecting and implementing a cybersecurity framework is one of the most strategic decisions a local government or public entity can make. Frameworks provide structure, consistency, and a shared language for managing cyber risks across departments, vendors, and leadership. They also help align cybersecurity efforts with regulatory requirements, funding eligibility, and enterprise risk management.

Why Frameworks Matter

Cybersecurity frameworks:

  • Standardize practices across departments.
  • Support communication between technical teams and leadership.
  • Enable benchmarking and continuous improvement.
  • Align with compliance mandates and funding requirements.

For smaller governments, frameworks can feel overwhelming. But right-sizing your approach—through shared services, outsourcing, or phased adoption—can make implementation realistic and effective.


Key Frameworks to Consider

NIST CSF
  Focus area: Risk-based cybersecurity management
  Best for: Public and private sectors
  Highlights: Flexible and scalable, organized into six core functions in CSF 2.0: Govern, Identify, Protect, Detect, Respond, Recover. Widely adopted and regularly updated.

NIST SP 800-53
  Focus area: Security and privacy controls
  Best for: Federal agencies and contractors
  Highlights: Dense and detailed. Provides hundreds of specific controls (Rev. 5). Ideal for organizations needing granular technical guidance or inheriting federal requirements through grants and contracts.

CIS Critical Security Controls
  Focus area: Prioritized safeguards
  Best for: Small and mid-sized organizations, including local governments
  Highlights: Safeguards are grouped into Implementation Groups; IG1 is a realistic starting point for a small jurisdiction. Maps to the NIST CSF and is often used alongside it.

PCI DSS
  Focus area: Payment card data protection
  Best for: Finance, retail, municipalities handling card payments (utility bills, permits, fines)
  Highlights: Mandates encryption, access control, and regular audits.

HIPAA
  Focus area: Patient data protection
  Best for: Healthcare providers, including municipal EMS and public health departments that bill for care
  Highlights: Requires safeguards for electronic protected health information (ePHI).

CJIS Security Policy
  Focus area: Criminal justice data security
  Best for: Law enforcement, courts, and any department or vendor touching criminal justice information
  Highlights: Strict access control (including MFA), audit, and personnel screening requirements.

CCPA
  Focus area: Consumer privacy rights
  Best for: Businesses meeting statutory thresholds that handle California residents’ data (government agencies are generally exempt; their contractors may not be)
  Highlights: Focuses on data transparency, access, and deletion rights.

FAA / EPA sector guidance
  Focus area: Sector-specific cybersecurity
  Best for: Aviation (FAA); water and wastewater utilities (EPA, the federal sector risk management agency for water)
  Highlights: Includes operational and compliance mandates.

OWASP
  Focus area: Application security
  Best for: Developers, IT teams
  Highlights: Focuses on common vulnerabilities like injection, broken authentication, and misconfigurations.

How to Choose the Right Framework

Ask these guiding questions:

  • Does the framework align with our size, mission, and regulatory environment?
  • Can we integrate it into our enterprise risk management strategy?
  • Are there opportunities to share services or outsource functions?
  • Does it support communication with leadership and external stakeholders?
  • Are there clear guidelines for incident response and recovery?
  • Is the framework regularly updated to reflect evolving threats?

Planning for the Unthinkable: Business Continuity in Local Government

Disasters—whether natural, man-made, or digital—don’t wait for convenience. Fires, floods, active shooter incidents, and cybersecurity breaches can disrupt essential services and threaten public safety. That’s why business continuity planning is not just a best practice—it’s a governance imperative.

Local government agencies have increasingly recognized the need to prepare for a wide range of crisis scenarios. Trustees, as fiduciaries, play a critical role in ensuring that continuity plans prioritize the protection and recovery of high-value assets and systems. A well-structured business continuity plan (BCP) helps agencies respond quickly, maintain operations, and communicate effectively during emergencies.


Key Components of a Business Continuity Plan

  1. Establishing a Command Center
    Designate a physical or virtual location where crisis coordination will occur. This center should be equipped to manage communications, decision-making, and resource deployment.
  2. Law Enforcement Notification
    Ensure protocols are in place for timely engagement with law enforcement and emergency responders, especially in cases involving physical threats or criminal activity.
  3. Asset Custody During Investigations
    Define procedures for securing and preserving critical assets—both digital and physical—during forensic investigations or legal proceedings.
  4. Disaster Recovery Process
    Outline the steps for restoring systems, data, and services. Include recovery time objectives (RTOs) and recovery point objectives (RPOs) to guide expectations and resource allocation.

Cybersecurity Breach Response

In the event of a cybersecurity incident, stakeholders—including constituents, voters, and third-party partners—will demand clarity. They’ll want to know:

  • What happened?
  • Was their data compromised?
  • What is being done to contain and resolve the issue?

Employees, vendors, and suppliers may also experience workflow disruptions, affecting service delivery. An effective communication plan is essential for managing internal and external messaging. Poor communication can lead to confusion, mistrust, and reputational damage.


Tabletop Exercises: A Best Practice for Trustees

Trustees should require an annual business continuity tabletop exercise. These simulations test the effectiveness of the continuity plan against specific threat scenarios. Key elements include:

  • Participation from both IT and functional staff.
  • Clear recovery time objectives.
  • Realistic threat scenarios (e.g., ransomware, natural disaster, insider threat).
  • Post-exercise reporting to senior management and the Board.

The exercise should result in a documented assessment of strengths, weaknesses, and recommendations for improvement.


Business continuity planning is not just about technology—it’s about leadership, coordination, and resilience. By preparing for the worst, local governments can ensure they continue to deliver essential services when their communities need them most.


From Deepfakes to Fake News: Local Strategies for Disinformation Response

Disinformation is one of the most pressing challenges facing local governments today. As trusted sources of public information, municipalities are increasingly targeted by campaigns designed to mislead, confuse, or destabilize communities. Whether it’s false claims about election procedures, fabricated emergency alerts, or impersonation of public officials, disinformation can erode public trust and disrupt essential services.

Responding effectively requires more than just correcting falsehoods—it demands a coordinated, proactive strategy that blends cybersecurity, communications, and community engagement.


What Is Disinformation?

Disinformation is deliberately false or misleading information spread with the intent to deceive, manipulate, or cause harm. Unlike misinformation—which is shared unknowingly—disinformation is strategic and often orchestrated to achieve specific outcomes.

In the context of local government, disinformation can take many forms:

  • Fake social media posts impersonating city officials or agencies.
  • False claims about voting procedures, public health mandates, or emergency responses.
  • Manipulated images or videos (e.g., deepfakes) that misrepresent events or statements.
  • Coordinated bot activity amplifying misleading narratives.
  • Fraudulent websites mimicking official portals to spread false information or collect personal data.

These tactics are designed to exploit public trust, create confusion, and undermine confidence in local institutions.


Why Local Governments Are Vulnerable

Local governments are particularly susceptible to disinformation because:

  • They manage critical services like elections, public safety, and health communications.
  • They often operate with limited resources and staffing to monitor digital threats.
  • They are deeply embedded in the daily lives of residents, making them high-impact targets.

Disinformation campaigns may be politically motivated, financially driven, or simply intended to sow chaos. Regardless of the source, the consequences can be severe—ranging from public panic to reputational damage and operational disruption.


Response Strategies for Local Governments

1. Establish a Cross-Functional Response Team

Bring together cybersecurity, communications, legal, and public affairs staff to monitor, assess, and respond to disinformation incidents. This team should be empowered to act quickly and coordinate messaging.

2. Develop a Disinformation Response Playbook

Create a documented plan that outlines how to identify, verify, and respond to disinformation. Include escalation protocols, communication templates, and roles for internal and external stakeholders.

3. Monitor Digital Channels

Use social listening tools and manual monitoring to track emerging narratives. Watch for impersonation, viral misinformation, and coordinated campaigns targeting your community.
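One monitoring task that can be automated without any paid tooling is checking whether a domain seen in a social post, phishing report, or ad is a lookalike of the municipality's official domain. The script below is an added example and not code from the original page or the Alliance; domain names in it are hypothetical. It generates the common impersonation variants (character omission, transposition, doubling, homoglyph substitution, hyphenated "official"/"alerts"/"pay" prefixes, and TLD swaps, since a .gov name can only be registered by a US government body and impersonators therefore land on .com, .org, or .net) and classifies candidates against that set.

```python
"""
Lookalike-domain triage for an official municipal domain (added example).
"""

# Visually confusable substitutions commonly seen in impersonation domains.
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
TLD_SWAPS = ["com", "org", "net", "us", "info"]
HYPHEN_WORDS = ("official", "alerts", "pay")


def variants(domain):
    """Return a set of plausible lookalikes for a domain such as 'springfield.gov'.
    Only the last label is treated as the TLD; multi-level names like
    cityname.il.us are handled approximately."""
    domain = domain.lower()
    label, _, tld = domain.rpartition(".")
    out = set()

    # Same name on a different TLD: the classic '.gov vs .com' impersonation.
    for t in TLD_SWAPS:
        if t != tld:
            out.add(f"{label}.{t}")

    for i, ch in enumerate(label):
        out.add(f"{label[:i]}{label[i + 1:]}.{tld}")          # omission
        out.add(f"{label[:i]}{ch}{label[i:]}.{tld}")           # doubling
        if i + 1 < len(label):                                  # transposition
            swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
            out.add(f"{swapped}.{tld}")
        if ch in HOMOGLYPHS:                                    # homoglyph
            out.add(f"{label[:i]}{HOMOGLYPHS[ch]}{label[i + 1:]}.{tld}")

    # Hyphenated additions that lend false authority.
    for word in HYPHEN_WORDS:
        out.add(f"{label}-{word}.{tld}")
        out.add(f"{word}-{label}.{tld}")

    out.discard(domain)
    return out


def classify(candidate, official):
    """Return 'official', 'lookalike', or 'unrelated' for one candidate domain."""
    c = candidate.lower().strip().rstrip(".")
    o = official.lower()
    if c == o:
        return "official"
    # The real domain used as a subdomain of something else, e.g. springfield.gov.pay-portal.net
    if c.startswith(o + "."):
        return "lookalike"
    if c in variants(o):
        return "lookalike"
    return "unrelated"


def triage(candidates, official):
    """Classify a batch of domains harvested from posts or reports."""
    return {c: classify(c, official) for c in candidates}


if __name__ == "__main__":
    # Constructed sample: domains a monitoring pass might surface.
    seen = ["springfield.gov", "springfeild.gov", "spr1ngfield.gov",
            "springfield.com", "springfield.gov.pay-portal.net", "weather.example.org"]
    for dom, verdict in triage(seen, "springfield.gov").items():
        print(f"{dom}: {verdict}")
```

A lookalike verdict is a lead, not proof: the next step is a WHOIS/registrar abuse report and, if the site hosts a cloned portal, a takedown request and a public notice from the verified channels described above.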

4. Engage the Public Proactively

When disinformation arises, respond quickly with clear, factual messaging. Use trusted platforms—official websites, verified social media accounts, and community newsletters—to correct falsehoods and reinforce accurate information.

5. Train Staff and Officials

Educate employees and elected officials on how to recognize disinformation tactics and respond appropriately. Include this in cybersecurity and media training programs.

6. Promote Media Literacy

Support community education efforts that teach residents how to critically evaluate information. Partner with schools, libraries, and civic organizations to build long-term resilience.

7. Leverage Trusted Messengers

Work with local influencers, faith leaders, and community advocates to amplify accurate information and counter false narratives. These voices often carry more weight than official channels alone.


Disinformation is not just a communications issue—it’s a governance challenge. Local governments must treat it as a strategic risk, integrating response efforts into broader cybersecurity and public engagement strategies. By building proactive, coordinated defenses, municipalities can protect their communities, uphold public trust, and ensure that truth remains a cornerstone of civic life.


Cybersecurity Laws Every Local Government Should Know

As local governments expand their digital services and manage increasing volumes of sensitive data, understanding cybersecurity laws and regulations becomes essential. These laws are designed to protect public information, ensure transparency, and reduce risk across critical infrastructure and public-facing systems.

While some regulations apply nationwide, many cybersecurity laws are state-specific and subject to frequent updates. Municipal leaders must stay informed and consult legal counsel or state regulatory agencies to ensure compliance with the laws applicable in their jurisdiction. Staying current is key to avoiding penalties and building resilient cybersecurity programs that align with both federal and state requirements.

Below is an overview of key cybersecurity laws and standards that local governments and affiliated organizations should be familiar with:


Health Insurance Portability and Accountability Act (HIPAA)

Jurisdiction: United States
HIPAA sets national standards for protecting health information. It applies to healthcare providers, insurers, and any entity handling patient data.
Key Provisions:

  • Requires security safeguards for health information.
  • Mandates breach notification and penalties for non-compliance.
  • Grants patients rights to access and correct their records.

Federal Information Security Modernization Act (FISMA)

Jurisdiction: United States
FISMA mandates that federal agencies and the contractors and partners that operate systems on their behalf secure those systems using a risk-based approach aligned with NIST standards. It does not regulate local governments directly, but its requirements reach them through federal grants, contracts, and data-sharing agreements.
Key Provisions:

  • Establishes security requirements for federal systems.
  • Requires annual assessments and reporting.
  • Implemented through NIST’s Risk Management Framework and the SP 800-53 control catalog, which federal partners often pass down as grant or contract conditions.

State and Local Government Cybersecurity Act of 2021

Jurisdiction: United States
This law directs CISA to work more closely with state and local governments on cybersecurity and critical infrastructure defense.
Key Provisions:

  • Expands coordination, information sharing, training, and exercises between CISA and state and local governments.
  • Enhances defense against infrastructure threats.
  • Complemented by the State and Local Cybersecurity Grant Program, created by the 2021 Infrastructure Investment and Jobs Act, which funds improvements.

Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)

Jurisdiction: United States
CIRCIA requires timely reporting of cyber incidents and ransomware payments by critical infrastructure entities.
Key Provisions:

  • Cyber incidents must be reported within 72 hours.
  • Ransomware payments must be reported within 24 hours.
  • Supports federal tracking and response efforts.

Gramm-Leach-Bliley Act (GLBA)

Jurisdiction: United States
GLBA governs how financial institutions collect, use, and protect consumer financial data.
Key Provisions:

  • Requires data security and privacy policies.
  • Regulates data sharing and disclosure practices.

Payment Card Industry Data Security Standard (PCI DSS)

Jurisdiction: Global
PCI DSS sets security standards for organizations handling payment card data.
Key Provisions:

  • Requires encryption and secure transmission protocols.
  • Mandates regular security assessments and audits.

Cybersecurity Enhancement Act of 2014

Jurisdiction: United States
This act promotes cybersecurity R&D and public-private collaboration to protect critical infrastructure.
Key Provisions:

  • Encourages joint efforts between government and industry.
  • Supports development of cybersecurity technologies.
  • Establishes national protection standards.

California Consumer Privacy Act (CCPA)

Jurisdiction: California
CCPA gives residents control over their personal data and applies to businesses meeting certain thresholds.
Key Provisions:

  • Right to access, delete, and opt out of data sale.
  • Requires disclosure of data collection practices.
  • Enforces penalties for mishandling personal data.

California Privacy Rights Act (CPRA)

Jurisdiction: California
CPRA expands CCPA protections and establishes a dedicated enforcement agency.
Key Provisions:

  • Adds rights to correct inaccurate data.
  • Limits use of sensitive personal information.
  • Creates the California Privacy Protection Agency.

Cybersecurity compliance is a moving target. Local governments must stay informed, build governance structures that support accountability, and ensure that cybersecurity policies reflect current legal requirements. Understanding these laws is the first step toward building a secure, resilient digital environment for public service.

Defining and Structuring IT and Cybersecurity Roles for Local Governments

As local governments modernize their operations and expand digital services, the need for clear, well-structured roles in IT and cybersecurity has never been more urgent. From online permitting platforms to cloud-based data systems, municipalities are increasingly reliant on technology to deliver public services. But with this reliance comes risk—and the responsibility to manage it effectively.

One of the most important steps in building cyber resilience is clarifying the distinction between IT and cybersecurity functions. While these domains are closely related, they serve fundamentally different purposes and must be structured accordingly.

Why Role Clarity Matters

Strong governance depends on clear role definitions. When IT and cybersecurity responsibilities are blurred, security can be compromised by operational urgency or budget constraints. For example, if a city launches a new online permitting system, the IT team may focus on uptime and user experience, while cybersecurity professionals ensure that sensitive resident data is encrypted, access is controlled, and third-party risks are assessed.

This separation allows cybersecurity teams to assess risk independently and advocate for protections that may not align with short-term operational goals—but are essential for long-term resilience.

Structuring Roles: A Governance-Aligned Approach

The Enterprise Governance of Information and Technology (EGIT) framework provides a model for structuring IT and cybersecurity roles in a way that supports strategic alignment and risk-informed decision-making.

1. Functional Separation

  • IT Departments: Focus on deploying and maintaining technology systems that support operations.
  • Cybersecurity Teams: Focus on protecting data, systems, and infrastructure from threats.

This separation ensures that cybersecurity professionals can operate without being subordinated to project timelines or budget pressures.

2. Leadership Accountability

Cybersecurity is not just a technical issue—it’s a leadership responsibility. Elected officials, department heads, and senior executives must recognize that cyber risk affects their ability to deliver services and maintain public trust.

3. Defined Responsibilities Across Roles

Every employee in local government has a role in cybersecurity—from locking devices and reporting suspicious activity to completing training and following data protection protocols.


Examples of Role Definitions

IT Director
  Primary Focus: Operational technology
  Key Responsibilities: System uptime, software deployment, vendor management

Cybersecurity Officer
  Primary Focus: Risk management
  Key Responsibilities: Threat detection, incident response, policy enforcement

Department Heads
  Primary Focus: Strategic oversight
  Key Responsibilities: Aligning tech use with service goals, ensuring compliance

Frontline Staff
  Primary Focus: Daily operations
  Key Responsibilities: Following security protocols, reporting incidents

Local governments must build governance structures that support both innovation and protection. By clearly defining and separating IT and cybersecurity roles, municipalities can:

  • Make unbiased, risk-informed decisions.
  • Respond more effectively to threats.
  • Build a culture of cybersecurity across all departments.