
Cyber Hygiene: An Essential Component of Cybersecurity for State and Local Governments

California’s Cal-Secure provides a multi-year cybersecurity model for state and local governments

By Chris Cruz, Chief Information Officer, SLED, Tanium

Providing cybersecurity for state and local governments recently became a little easier. Signed in November 2021, the $1 trillion Infrastructure Investment and Jobs Act includes a $1 billion grant program for state, local, tribal, and territorial governments over four years. Many government leaders want to leverage this available funding, but where do they start? A recent California program provides one possible model.

In October 2021, the state released Cal-Secure, California’s first multi-year cybersecurity roadmap. This is a big step toward improving the state’s cyber hygiene and vision, as it outlines actionable phases — with measurable success criteria — to foster a world-class cybersecurity workforce, an empowered cybersecurity oversight governance structure, and effective defenses to all technology.

Broken into three pillars — people, process and technology — Cal-Secure fosters a standardization of requirements and efforts, and reduces the overall risk of cyberattacks for state, federal, local, tribal, and private sector stakeholders. This also leads to the development of Security-as-a-Service offerings and implementation of a unified risk management platform, among other initiatives.

In particular, the technology pillar prioritizes defining baseline security capabilities for state entities and fosters cybersecurity through IT modernization and collaborative threat mitigation, all of which are critical for a successful cybersecurity framework.

Security-as-a-Service enterprise solutions that promote standardization across the state and local levels will help California stakeholders meet the goals of Cal-Secure and strengthen the State’s overall cyber hygiene. In addition, an enterprise service will enable organizations that lack the funding, resources and expertise to align with this plan.

A good model of cyber improvement for state and local governments

California has taken a proactive approach to addressing and enhancing cybersecurity. States with a strong focus on cyber hygiene will likely adopt similar strategies. Preferably, there should be one plan that all government agencies follow to maintain consistency. The more partnerships and common processes that an organization has, the more prepared and proactive it will be against cyber incidents and breaches.

Agencies working to comply with Cal-Secure or a similar initiative should consider:

· Performing an IT hygiene assessment to gauge the level of cyber maturity in meeting these goals and objectives

· Determining gaps in the entity’s delivery model and developing performance metrics that align with this plan

· Ensuring that security governance allowing for communication within the agency is in place, and that leadership is aligned with the state managing the strategy

Agency IT teams and administrators working on a cyber roadmap model should develop a security governance structure that provides a mechanism for communicating and making decisions that involve cybersecurity policy direction.

A structure of this nature helps agencies standardize on enterprise solutions and tools that are less complex to operate and that provide automated monitoring and control across the enterprise. Using real-time data, IT teams will gain better insight into the health of their network, helping them make informed decisions quickly and better manage overall IT hygiene.

For state and local governments that hope to use federal grant money, the elements of the Cal-Secure program can provide a useful starting point.