Tag: technology

Categories
Budgeting & Resources

Justifying Cyber Investments: A Guide for Municipal Leaders

Cybersecurity expenditures—whether for infrastructure, software, or third-party services—must be justified, transparent, and aligned with public accountability. For local governments, this isn’t merely an IT budget line item; it’s a strategic investment in public trust, operational continuity, and the resilience of essential services.

Cybersecurity as a Public Trust Investment

Local governments face increasing pressure to defend against cyber threats while maintaining transparency and fiscal responsibility. Cybersecurity is not just a technical expense—it’s a strategic pillar of modern governance. Embedding cybersecurity into public service delivery ensures reliability, equity, and trust in digital government systems.

Building the Business Case

To ensure responsible governance, local leaders must establish robust processes for approving cyber investments. This begins with requiring formal business cases for major IT projects. These cases should clearly tie spending to specific service outcomes and demonstrate how the investment supports continuity, compliance, and risk reduction.

Departments should ask key questions when considering technology procurements—such as how the technology will be used, where data will be stored, and what laws govern its protection. These considerations help frame cybersecurity as an enterprise risk, not just an IT concern.

Governance and Oversight

Typically, the Chief Information Security Officer (CISO) or Chief Information Officer (CIO) presents the business case for recommended solutions. The Board’s role is to evaluate whether the proposed spending is justified and defensible, particularly under public scrutiny. This includes assessing proposed projects within an annual budget and ideally incorporating a 3–5 year roadmap of IT initiatives, each linked to a specific business objective and budget.

Enterprise Governance of Information and Technology (EGIT) ensures that technology delivers value while managing digital risks.

Procurement Integrity and Transparency

Before granting approval, it’s crucial to address potential conflicts of interest and ensure a formal Request for Proposal (RFP) process has been followed. Policies should also outline how cost overruns or emergency funding requests will be handled, maintaining transparency and control.

Municipalities renewing cyber insurance must submit formal applications and may access complimentary services like phishing simulations and incident response planning. This reinforces the need for structured, policy-driven procurement and renewal processes.

Funding Opportunities

Encouragingly, federal and state support is growing. The Department of Homeland Security recently launched over $100 million in funding to strengthen community cyber defenses through the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP). These grants support planning, hiring, and service improvements—critical for smaller municipalities with limited budgets.

Tips for Local Leaders

Here are actionable steps to help municipalities secure and manage cyber expenditures:

  1. Develop a Cybersecurity Roadmap
    Include a 3–5 year schedule of IT initiatives with clear objectives and budget estimates.
  2. Use Templates and Guides
    Leverage resources from the Local Government Guide to Cybersecurity to standardize risk assessments, asset inventories, and incident reporting.
  3. Engage Stakeholders Early
    Include elected officials, department heads, and community representatives in cybersecurity planning to build consensus and transparency.
  4. Monitor Regulatory Changes
    Stay informed about mandates (e.g., requirements for annual cybersecurity training for municipal employees).
  5. Apply for Federal Grants
    Visit CISA’s cyber grants portal to explore funding opportunities.
  6. Track Insurance Requirements
    Ensure compliance with cyber insurance applications and renewal protocols.

Cybersecurity is a shared responsibility and a strategic priority. By embedding it into governance, budgeting, and procurement processes, local governments can build resilient digital ecosystems that protect public services and earn community trust. As stewards of public resources, elected officials must champion cybersecurity not just as a technical safeguard, but as a cornerstone of modern governance.

Categories
Budgeting & Resources

Structuring Your Cyber Budget: Capital vs. Operational Spending in Local Government

Cybersecurity is no longer a discretionary expense—it’s a strategic necessity. But for many local governments, structuring a cybersecurity budget can be challenging. Understanding the difference between capital and operational expenditures is key to building a sustainable and effective cyber program.

Cyber budgeting isn’t just about how much you spend—it’s about how you allocate resources to protect systems, respond to threats, and build long-term resilience.

Capital vs. Operational Cyber Spending

Capital Expenditures (CapEx) refer to long-term investments in infrastructure and assets. In cybersecurity, this might include:

  • Network hardware and firewalls
  • Security software licenses with multi-year terms
  • Data center upgrades
  • Endpoint protection platforms
  • Cloud migration projects

These are typically one-time or infrequent purchases that support strategic goals and are depreciated over time.

Operational Expenditures (OpEx) cover the day-to-day costs of running cybersecurity operations. These include:

  • Staff salaries and benefits
  • Managed security services
  • Threat monitoring and incident response
  • Training and awareness programs
  • Subscription-based security tools
  • Insurance premiums

OpEx is recurring and reflects the ongoing effort to maintain and improve security posture.

Cost Comparison and Budget Planning

When comparing CapEx and OpEx, consider the following:

CategoryCapital (CapEx)Operational (OpEx)
TimeframeLong-term investmentRecurring expense
ExamplesFirewalls, servers, multi-year licensesStaff, training, monitoring services
Budget ImpactOne-time cost, depreciated over timeAnnual or monthly cost
FlexibilityLess flexible, tied to procurement cyclesMore adaptable to changing needs
GovernanceOften requires board or council approvalManaged through departmental budgets

A balanced cyber budget should include both types of spending. Capital investments build the foundation, while operational spending keeps defenses active and responsive.

Strategic Considerations

  • Lifecycle Planning: Capital investments should be paired with operational support. For example, purchasing a new firewall (CapEx) requires ongoing monitoring and maintenance (OpEx).
  • Risk-Based Prioritization: Budget decisions should be guided by risk assessments. Focus spending on the most critical assets and threats.
  • Scalability: Cloud-based tools and managed services offer scalable OpEx models that can grow with your organization.
  • Transparency: Clearly distinguish CapEx and OpEx in budget documents to support oversight and accountability.

Best Practices for Cyber Budget Structuring

  • Conduct annual reviews of cyber spending and outcomes.
  • Align budget categories with cybersecurity frameworks (e.g., NIST CSF).
  • Include cybersecurity in capital improvement plans.
  • Use cost-benefit analysis to justify major investments.
  • Ensure funding supports both prevention and response capabilities.

Structuring your cybersecurity budget is about more than numbers—it’s about strategy, sustainability, and resilience. By understanding the roles of capital and operational spending, local governments can build smarter budgets that protect their communities and adapt to evolving threats.

Categories
Budgeting & Resources

Cybersecurity as Risk Avoidance: Investing in Protection, Preserving Public Trust

Cybersecurity is often viewed as a cost center—an expense that competes with visible service improvements or infrastructure upgrades. But this perception overlooks the true value of cybersecurity: its ability to prevent catastrophic losses. For local governments, where public trust and service continuity are paramount, cybersecurity investments should be understood through the lens of risk avoidance.

The Cost of Inaction

A single cyberattack can trigger a cascade of financial and operational consequences, including:

  • Service disruptions that halt public operations.
  • Emergency response costs for containment and recovery.
  • Increased insurance premiums following a breach.
  • Lower credit ratings due to perceived instability.
  • Regulatory fines for non-compliance.
  • Reputational damage that erodes public confidence.

These impacts often far exceed the cost of proactive cybersecurity measures. Preventing even one incident can save millions and preserve the integrity of public services.

Measuring ROI Through Risk Avoidance

Traditional return on investment (ROI) metrics don’t always apply to cybersecurity. Instead, value is measured by what doesn’t happen—breaches avoided, downtime prevented, and trust maintained. This shift in perspective helps leaders prioritize cybersecurity as a strategic investment rather than a discretionary expense.

Spending Wisely vs. Spending More

Importantly, a larger cybersecurity budget does not automatically translate into better protection. In some cases, higher spending may reflect:

  • A larger digital footprint.
  • Redundant or misaligned tools.
  • Inefficient resource allocation.

The true measure of cybersecurity effectiveness lies in how resources are used, not just how much is spent. Smart investments focus on outcomes—such as improved resilience, faster recovery, and reduced exposure—not just line items.

Key Factors for Cybersecurity Success

To maximize the value of cybersecurity investments, local governments should focus on:

  • Strong governance and executive oversight to align strategy with risk.
  • Clear staff roles and accountability across departments.
  • Ongoing training and awareness to reduce human error.
  • Risk-informed decision-making that prioritizes critical assets.
  • Operational resilience and recovery capabilities to minimize downtime.

These elements ensure that cybersecurity is embedded into daily operations and long-term planning.

Sector-Specific Risks

The severity and impact of a cyberattack vary depending on the environment. In sectors where operational technology (OT) is critical—such as public utilities, transportation, or emergency services—cyber incidents can trigger:

  • Physical service outages.
  • Safety risks for residents.
  • ESG (Environmental, Social, and Governance) concerns.
  • Credit downgrades and financial instability.

These risks are often more complex and far-reaching than those associated with traditional IT systems, making risk avoidance even more critical.

Cybersecurity is not just a technical safeguard—it’s a strategic shield. By investing in risk avoidance, local governments can protect their most valuable assets, maintain public trust, and ensure continuity of service. The question isn’t whether cybersecurity is worth the cost—it’s whether your community can afford the cost of not investing.

Categories
Budgeting & Resources

Cybersecurity Financing: Risk-Based Budgeting for Local Governments

Why risCybersecurity is no longer just a technical line item—it’s a strategic investment in the continuity, safety, and trustworthiness of public services. Yet for many local governments, financing cybersecurity remains a challenge. Limited budgets, competing priorities, and rising threat levels create a complex environment for decision-makers.

To navigate this landscape, municipalities must adopt a risk-based approach to cybersecurity budgeting—one that aligns spending with the potential impact and likelihood of threats.

Why Risk-Based Budgeting Matters

Local governments operate under tight financial constraints, but the risks posed by cyber threats continue to escalate. A reactive or ad hoc approach to cybersecurity spending can leave critical systems exposed while wasting resources on low-impact threats.

Risk-based budgeting helps leaders:

  • Focus resources on the most critical vulnerabilities.
  • Avoid overspending on non-essential tools or services.
  • Align cybersecurity investments with broader public service goals.

Understanding the full financial exposure to cyber risk—including direct costs (e.g., legal fees), indirect costs (e.g., reputational damage), and insurance implications—is essential for informed decision-making.

Key Components of Cybersecurity Financing

1. Centralized and Intentional Budgeting

Cybersecurity should be treated as an enterprise-wide priority. Budgeting must be centralized to ensure consistency, accountability, and strategic alignment across departments.

2. Formal Business Cases

Major cybersecurity expenditures—such as infrastructure upgrades or third-party services—should be justified through formal business cases. These cases should tie spending to specific service outcomes and risk reduction goals.

3. Procurement and Policy Alignment

All cybersecurity purchases must follow established procurement policies and be aligned with public accountability standards. Transparency in vendor selection and contract terms is essential.

4. Cost Exposure Analysis

Local governments should assess the full financial impact of potential cyber incidents. This includes:

  • Direct Costs: Remediation, legal fees, fines.
  • Indirect Costs: Reputational damage, service disruption.
  • Insurance Costs: Premiums and post-incident rate increases.
  • Infrastructure Investments: Ongoing upgrades to secure systems.
  • Incident Response: Emergency teams, forensic investigations.
  • Credit Rating Impact: Potential increases in borrowing costs 2.

Best Practices for Trustees and Budget Officers

  • Require annual reviews of cybersecurity spending and outcomes.
  • Include cybersecurity in capital planning and long-term financial forecasts.
  • Conduct tabletop exercises to test financial readiness for cyber incidents.
  • Ensure that cybersecurity insurance coverage is adequate and up to date.

Cybersecurity financing is not just about protecting data—it’s about protecting the public. By adopting a risk-based budgeting strategy, local governments can make smarter investments, reduce exposure, and build more resilient communities.

Categories
Planning & Policy

Planning for the Unthinkable: Business Continuity in Local Government

Disasters—whether natural, man-made, or digital—don’t wait for convenience. Fires, floods, active shooter incidents, and cybersecurity breaches can disrupt essential services and threaten public safety. That’s why business continuity planning is not just a best practice—it’s a governance imperative.

Local government agencies have increasingly recognized the need to prepare for a wide range of crisis scenarios. Trustees, as fiduciaries, play a critical role in ensuring that continuity plans prioritize the protection and recovery of high-value assets and systems. A well-structured business continuity plan (BCP) helps agencies respond quickly, maintain operations, and communicate effectively during emergencies.

Key Components of a Business Continuity Plan

  1. Establishing a Command Center
    Designate a physical or virtual location where crisis coordination will occur. This center should be equipped to manage communications, decision-making, and resource deployment.
  2. Law Enforcement Notification
    Ensure protocols are in place for timely engagement with law enforcement and emergency responders, especially in cases involving physical threats or criminal activity.
  3. Asset Custody During Investigations
    Define procedures for securing and preserving critical assets—both digital and physical—during forensic investigations or legal proceedings.
  4. Disaster Recovery Process
    Outline the steps for restoring systems, data, and services. Include recovery time objectives (RTOs) and recovery point objectives (RPOs) to guide expectations and resource allocation.

Cybersecurity Breach Response

In the event of a cybersecurity incident, stakeholders—including constituents, voters, and third-party partners—will demand clarity. They’ll want to know:

  • What happened?
  • Was their data compromised?
  • What is being done to contain and resolve the issue?

Employees, vendors, and suppliers may also experience workflow disruptions, affecting service delivery. An effective communication plan is essential for managing internal and external messaging. Poor communication can lead to confusion, mistrust, and reputational damage.

Tabletop Exercises: A Best Practice for Trustees

Trustees should require an annual business continuity tabletop exercise. These simulations test the effectiveness of the continuity plan against specific threat scenarios. Key elements include:

  • Participation from both IT and functional staff.
  • Clear recovery time objectives.
  • Realistic threat scenarios (e.g., ransomware, natural disaster, insider threat).
  • Post-exercise reporting to senior management and the Board.

The exercise should result in a documented assessment of strengths, weaknesses, and recommendations for improvement.

Business continuity planning is not just about technology—it’s about leadership, coordination, and resilience. By preparing for the worst, local governments can ensure they continue to deliver essential services when their communities need them most.

Categories
Leadership & Governance

Governing AI: Ethical Use and Oversight in Local Government

Artificial intelligence (AI) is rapidly transforming how local governments operate—from automating administrative tasks to enhancing public safety and improving service delivery. But as these technologies become more embedded in public systems, so too does the need for thoughtful governance.

AI offers tremendous promise, but it also raises important questions about fairness, accountability, transparency, and privacy. Without clear ethical guidelines and oversight, even well-intentioned AI applications can lead to unintended consequences, such as biased decision-making or erosion of public trust.

Why AI Governance Matters

AI systems often make decisions that affect people’s lives—whether approving permits, prioritizing maintenance, or analyzing public data. Local governments must ensure these systems are used responsibly and align with community values.

Good governance helps:

  • Prevent misuse or overreach.
  • Ensure transparency in how decisions are made.
  • Protect civil liberties and privacy.
  • Build public confidence in digital services.

Key Elements of an AI Governance Framework

1. Ethical Principles

Start with a clear set of guiding values—such as fairness, accountability, transparency, and respect for individual rights. These principles should inform every stage of AI development and deployment.

2. Oversight and Accountability

Establish internal oversight bodies or designate responsible officials to review AI projects. Oversight should include legal, technical, and community perspectives to ensure balanced decision-making.

3. Risk Assessment

Before deploying AI, assess potential risks—such as bias, data privacy concerns, or unintended consequences. Consider how the system might impact different populations and whether safeguards are in place.

4. Transparency and Explainability

Residents should understand how AI systems work and how decisions are made. Use plain language to explain what data is collected, how it’s used, and what rights individuals have.

5. Public Engagement

Involve the community in discussions about AI use. Public input can help shape policies, identify concerns, and ensure that technology serves the public interest.

6. Training and Capacity Building

Ensure staff and leadership understand AI capabilities and limitations. Provide training on ethical considerations, data stewardship, and responsible procurement.

Tools and Frameworks to Guide Implementation

Local governments can draw from established frameworks to guide their AI governance efforts, including:

  • NIST AI Risk Management Framework: Offers a structured approach to identifying and managing AI risks.
  • OECD AI Principles: Promote inclusive growth, human-centered values, and transparency.
  • State and local AI task forces: Some jurisdictions have developed their own guidelines tailored to municipal needs.

These resources can help governments build policies that are both practical and principled.

AI is not just a technical tool—it’s a governance issue. As local governments adopt AI to improve services and efficiency, they must also ensure that these technologies are used ethically and transparently. By establishing clear frameworks, engaging the public, and investing in oversight, municipalities can harness the benefits of AI while safeguarding public trust.

Categories
Planning & Policy

From Deepfakes to Fake News: Local Strategies for Disinformation Response

Disinformation is one of the most pressing challenges facing local governments today. As trusted sources of public information, municipalities are increasingly targeted by campaigns designed to mislead, confuse, or destabilize communities. Whether it’s false claims about election procedures, fabricated emergency alerts, or impersonation of public officials, disinformation can erode public trust and disrupt essential services.

Responding effectively requires more than just correcting falsehoods—it demands a coordinated, proactive strategy that blends cybersecurity, communications, and community engagement.

What Is Disinformation?

Disinformation is deliberately false or misleading information spread with the intent to deceive, manipulate, or cause harm. Unlike misinformation—which is shared unknowingly—disinformation is strategic and often orchestrated to achieve specific outcomes.

In the context of local government, disinformation can take many forms:

  • Fake social media posts impersonating city officials or agencies.
  • False claims about voting procedures, public health mandates, or emergency responses.
  • Manipulated images or videos (e.g., deepfakes) that misrepresent events or statements.
  • Coordinated bot activity amplifying misleading narratives.
  • Fraudulent websites mimicking official portals to spread false information or collect personal data.

These tactics are designed to exploit public trust, create confusion, and undermine confidence in local institutions.

Why Local Governments Are Vulnerable

Local governments are particularly susceptible to disinformation because:

  • They manage critical services like elections, public safety, and health communications.
  • They often operate with limited resources and staffing to monitor digital threats.
  • They are deeply embedded in the daily lives of residents, making them high-impact targets.

Disinformation campaigns may be politically motivated, financially driven, or simply intended to sow chaos. Regardless of the source, the consequences can be severe—ranging from public panic to reputational damage and operational disruption.

Response Strategies for Local Governments

1. Establish a Cross-Functional Response Team

Bring together cybersecurity, communications, legal, and public affairs staff to monitor, assess, and respond to disinformation incidents. This team should be empowered to act quickly and coordinate messaging.

2. Develop a Disinformation Response Playbook

Create a documented plan that outlines how to identify, verify, and respond to disinformation. Include escalation protocols, communication templates, and roles for internal and external stakeholders.

3. Monitor Digital Channels

Use social listening tools and manual monitoring to track emerging narratives. Watch for impersonation, viral misinformation, and coordinated campaigns targeting your community.

4. Engage the Public Proactively

When disinformation arises, respond quickly with clear, factual messaging. Use trusted platforms—official websites, verified social media accounts, and community newsletters—to correct falsehoods and reinforce accurate information.

5. Train Staff and Officials

Educate employees and elected officials on how to recognize disinformation tactics and respond appropriately. Include this in cybersecurity and media training programs.

6. Promote Media Literacy

Support community education efforts that teach residents how to critically evaluate information. Partner with schools, libraries, and civic organizations to build long-term resilience.

7. Leverage Trusted Messengers

Work with local influencers, faith leaders, and community advocates to amplify accurate information and counter false narratives. These voices often carry more weight than official channels alone.

Disinformation is not just a communications issue—it’s a governance challenge. Local governments must treat it as a strategic risk, integrating response efforts into broader cybersecurity and public engagement strategies. By building proactive, coordinated defenses, municipalities can protect their communities, uphold public trust, and ensure that truth remains a cornerstone of civic life.

Categories
Actionable Steps

Protecting the Crown Jewels: How to Secure Mission-Critical Assets

In cybersecurity, not all assets are created equal. Some systems and data are so vital to a government’s mission that their compromise could result in severe disruption, financial loss, or public harm. These are known as high-value assets (HVAs)—the crown jewels of your organization’s digital infrastructure.

According to the Cybersecurity and Infrastructure Security Agency (CISA), HVAs are “information or an information system that is so critical to an organization that the loss or corruption of this information, or loss of access to the system, would have serious impact on the organization’s ability to perform its mission or conduct business.” For state and local governments, protecting HVAs is not optional—it’s foundational.

Step 1: Identifying and Assessing High-Value Assets

Before you can protect HVAs, you must know what they are. This begins with a thorough organizational assessment to identify systems and data that are mission-critical. Once identified, conduct a comprehensive risk assessment to evaluate vulnerabilities, dependencies, and potential impact.

Step 2: Patch Management

Unpatched systems are one of the most common entry points for attackers. While scheduling maintenance windows can be challenging, timely patching is essential to reduce exposure to known vulnerabilities. Prioritize HVAs in your patching schedule and automate where possible.

Step 3: Malware Defense and Anti-Phishing

Deploy automated tools to detect and neutralize malware. Phishing remains a top threat vector—especially for systems that store sensitive data. Implement email filtering, sandboxing, and user training to reduce the risk of infection.

Step 4: Access Control

Limit access to HVAs based on job roles. Avoid shared administrative accounts and enforce logging and monitoring of all key security events. Regular audits help ensure that access privileges remain appropriate and that remote access is tightly controlled.

Step 5: Authentication

Multi-factor authentication (MFA) is a must for all users accessing HVAs. It adds a critical layer of protection against unauthorized access and credential theft. Ensure MFA is enforced across all access points, including remote and mobile connections.

Step 6: Network Segmentation

Segment networks to isolate HVAs from less secure systems. This limits lateral movement in the event of a breach. Define zones with specific rules and restrictions, and monitor traffic between zones to detect anomalies.

Step 7: Employee Education

Human error is a leading cause of cybersecurity incidents. Train staff to recognize phishing attempts, avoid risky behaviors, and follow security protocols. Use awareness campaigns, simulations, and role-specific training to reinforce best practices.

CISA’s Recommended Actions for HVA Protection

CISA outlines five key actions to help organizations secure HVAs:

  1. Establish an Organization-Wide HVA Governance Program
    Make HVA protection a strategic priority across departments.
  2. Identify and Prioritize HVAs
    Focus resources on the most critical systems.
  3. Consider Interconnectivity and Dependencies
    Understand how systems interact and rely on one another.
  4. Develop a Methodology for Prioritizing HVAs
    Use mission impact to guide protection efforts.
  5. Develop an Assessment Approach for HVAs
    Determine how often to assess and whether to use internal or external evaluators.

Protecting mission-critical assets requires more than technical controls—it demands strategic oversight, cross-functional collaboration, and continuous improvement. By identifying HVAs, implementing layered defenses, and following CISA’s guidance, state and local governments can reduce risk and ensure continuity of operations.

Categories
Leadership & Governance

Oversight in Action: Strengthening Cybersecurity Governance for Local Governments

The oversight of a cybersecurity program in a state or local government is a complex, multifaceted responsibility. With limited budgets, minimal staffing, and increasing regulatory demands, ensuring that cybersecurity programs are effective, efficient, and compliant can feel overwhelming. Yet, strong oversight is essential to protecting public assets, maintaining trust, and ensuring operational continuity.

Oversight doesn’t mean elected officials must manage every technical detail. Instead, staff should regularly report on key cybersecurity metrics and activities, enabling leadership to make informed decisions and allocate resources strategically.

Key Oversight Responsibilities

Effective oversight should focus on the following areas:

  • Program Assessment: Regularly evaluate the cybersecurity program’s effectiveness and alignment with organizational goals.
  • Risk Management: Identify and prioritize risks, and ensure mitigation strategies are in place.
  • Compliance Monitoring: Track adherence to applicable laws, regulations, and internal policies.
  • Incident Response Readiness: Review and test the incident response plan to ensure rapid containment and recovery.
  • Stakeholder Communication: Ensure a plan exists to communicate with internal and external stakeholders during and after an incident.
  • Training and Awareness: Confirm that employees receive ongoing cybersecurity education tailored to their roles.

Staffing and Expertise

A key success factor is hiring the right talent—cybersecurity professionals who can implement controls, monitor threats, and communicate risks clearly to leadership. Given the national cybersecurity talent shortage, many governments turn to third-party providers to fill technical gaps, offer independent oversight, and support interim needs.

Whether in-house or outsourced, cybersecurity oversight requires a blend of technical expertise and strategic insight.

Establishing a Cybersecurity Framework

A strong cybersecurity program begins with a well-defined framework. This sets the foundation for governance, risk management, and operational practices. Common frameworks include:

  • NIST Cybersecurity Framework (CSF): Focuses on five core functions—Identify, Protect, Detect, Respond, Recover.
  • CIS Controls: Offers 20 prioritized controls proven to reduce cyber risk.
  • ISO 27001: Provides a global standard for managing sensitive information.
  • COBIT: Focuses on IT governance and service delivery.
  • Cyber Resilience Review (CRR): A DHS-developed tool for assessing organizational resilience.

The choice of framework should reflect the agency’s size, complexity, and regulatory environment.

Conducting a Risk Assessment

Risk assessments help identify vulnerabilities and threats across systems, applications, and networks. Key steps include:

  1. Define scope and assets.
  2. Identify internal and external threats.
  3. Assess vulnerabilities.
  4. Analyze and prioritize risks.
  5. Develop and test mitigation plans.
  6. Review and update assessments regularly.

Cyber insurance should also be reviewed to ensure coverage for significant breaches.

Implementing Security Controls

Security controls are the technical backbone of any cybersecurity program. Implementation should follow a structured process:

  • Define and select controls.
  • Assess current environment.
  • Develop and execute an implementation plan.
  • Train staff on control usage.
  • Monitor, test, and update controls regularly.

Controls may include firewalls, intrusion detection systems, encryption, and access management tools.

Monitoring and Testing

Continuous monitoring and testing are essential to maintaining a strong security posture. Activities include:

  • Vulnerability scanning and penetration testing.
  • Phishing simulations and awareness training.
  • Incident response exercises.
  • Compliance audits and log reviews.

These efforts help detect threats early and validate the effectiveness of existing defenses.

Responding to Incidents

Even with strong defenses, incidents can occur. A well-defined incident response plan should include:

  • Preparation and role assignment.
  • Identification and containment.
  • Mitigation and recovery.
  • Reporting and stakeholder communication.
  • Post-incident analysis and improvement.

Regular testing ensures readiness and minimizes disruption during real events.

Training and Awareness

Cybersecurity is everyone’s responsibility. Training should be role-specific and ongoing. Examples include:

  • Phishing awareness and password hygiene.
  • Internet and remote access policies.
  • Incident reporting procedures.
  • Security awareness campaigns.

Regular updates and refreshers help maintain vigilance across the organization.

Oversight of a cybersecurity program requires more than technical know-how—it demands strategic planning, cross-functional coordination, and continuous improvement. By establishing a framework, conducting risk assessments, implementing controls, and fostering a culture of awareness, state and local governments can build resilient cybersecurity programs that protect public assets and serve their communities.

Categories
Planning & Policy

Cybersecurity Laws Every Local Government Should Know

As local governments expand their digital services and manage increasing volumes of sensitive data, understanding cybersecurity laws and regulations becomes essential. These laws are designed to protect public information, ensure transparency, and reduce risk across critical infrastructure and public-facing systems.

While some regulations apply nationwide, many cybersecurity laws are state-specific and subject to frequent updates. Municipal leaders must stay informed and consult legal counsel or state regulatory agencies to ensure compliance with the laws applicable in their jurisdiction. Staying current is key to avoiding penalties and building resilient cybersecurity programs that align with both federal and state requirements.

Below is an overview of key cybersecurity laws and standards that local governments and affiliated organizations should be familiar with:

Health Insurance Portability and Accountability Act (HIPAA)

Jurisdiction: United States
HIPAA sets national standards for protecting health information. It applies to healthcare providers, insurers, and any entity handling patient data.
Key Provisions:

  • Requires security safeguards for health information.
  • Mandates breach notification and penalties for non-compliance.
  • Grants patients rights to access and correct their records.

Federal Information Security Modernization Act (FISMA)

Jurisdiction: United States
FISMA mandates that federal agencies and contractors secure their information systems using a risk-based approach aligned with NIST standards.
Key Provisions:

  • Establishes security requirements for federal systems.
  • Requires annual assessments and reporting.
  • Aligns with the NIST Cybersecurity Framework.

State and Local Government Cybersecurity Act of 2021

Jurisdiction: United States
This law supports state and local governments with resources to strengthen cybersecurity and defend critical infrastructure.
Key Provisions:

  • Provides grants for cybersecurity improvements.
  • Enhances defense against infrastructure threats.
  • Encourages collaboration across government levels.

Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)

Jurisdiction: United States
CIRCIA requires timely reporting of cyber incidents and ransomware payments by critical infrastructure entities.
Key Provisions:

  • Cyber incidents must be reported within 72 hours.
  • Ransomware payments must be reported within 24 hours.
  • Supports federal tracking and response efforts.

Gramm-Leach-Bliley Act (GLBA)

Jurisdiction: United States
GLBA governs how financial institutions collect, use, and protect consumer financial data.
Key Provisions:

  • Requires data security and privacy policies.
  • Regulates data sharing and disclosure practices.

Payment Card Industry Data Security Standard (PCI DSS)

Jurisdiction: Global
PCI DSS sets security standards for organizations handling payment card data.
Key Provisions:

  • Requires encryption and secure transmission protocols.
  • Mandates regular security assessments and audits.

Cybersecurity Enhancement Act of 2014

Jurisdiction: United States
This act promotes cybersecurity R&D and public-private collaboration to protect critical infrastructure.
Key Provisions:

  • Encourages joint efforts between government and industry.
  • Supports development of cybersecurity technologies.
  • Establishes national protection standards.

California Consumer Privacy Act (CCPA)

Jurisdiction: California
CCPA gives residents control over their personal data and applies to businesses meeting certain thresholds.
Key Provisions:

  • Right to access, delete, and opt out of data sale.
  • Requires disclosure of data collection practices.
  • Enforces penalties for mishandling personal data.

California Privacy Rights Act (CPRA)

Jurisdiction: California
CPRA expands CCPA protections and establishes a dedicated enforcement agency.
Key Provisions:

  • Adds rights to correct inaccurate data.
  • Limits use of sensitive personal information.
  • Creates the California Privacy Protection Agency.

Cybersecurity compliance is a moving target. Local governments must stay informed, build governance structures that support accountability, and ensure that cybersecurity policies reflect current legal requirements. Understanding these laws is the first step toward building a secure, resilient digital environment for public service.