State and Local Government Cyber Security

State and Local Government Cyber Security is becoming more and more critical as bad actors are frequently targeting these organizations for exploitation.  A noted cybersecurity research article points out that 44 percent of ransomware attacks worldwide targeted local government bodies like municipalities. Cybersecurity is not a concern that is limited to federal government agencies. The claws of malicious cyber attacks are battering various state and local government bodies.

An expert report by the Center for Internet Security found that many state and local government agencies lack basic security measures, such as multi-factor authentication and encryption. Thus, it is paramount for local and state governments to magnify their focus on their data protection preparedness. Let us take a deep dive into some essential elements related to public sector cybersecurity.

Why are bad actors targeting state and local government agencies frequently?

State and local government agencies are frequent targets of cyber actors due to a combination of diverse factors:

  1. Valuable Data: State and local government agencies often collect and store large amounts of sensitive information, such as social security numbers, tax records, and other personal information. This information is valuable to cyber criminals, who can use it for identity theft or to commit other types of financial fraud.
  2. Limited Resources: State and local government agencies often have limited resources dedicated to cybersecurity. This can make them more vulnerable to cyber attacks, as they may not have the budget to invest in advanced security measures or hire cybersecurity experts.
  3. Critical Infrastructure: State and local government agencies are responsible for managing critical infrastructure, such as transportation systems, water treatment plants, and power grids. These systems are often connected to the internet and can be vulnerable to cyber attacks that could cause widespread disruption and damage.
  4. Political Motivations: Some cyber actors may target state and local government agencies for political reasons. For example, they may want to disrupt elections or steal sensitive government data that could be used for political leverage.
  5. Easy Targets: State and local government agencies may be seen as easier targets by cyber criminals compared to federal agencies or large corporations. This is because they may have less sophisticated security measures in place and may be less likely to detect or respond to cyber attacks.



What are some major State and Local Government Cyber Security compliance mandates?

NIST Cybersecurity Framework: The National Institute of Standards and Technology has developed a cybersecurity framework to help improve state and local government cyber security defenses. This framework provides guidelines for risk management, threat identification, and incident response.

Federal Information Security Modernization Act (FISMA): FISMA mandates that federal agencies, including local and state governments, must have proper security controls in place to protect sensitive information. This includes access controls, network security, and incident response.

Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure: Local and state governments must develop and implement a comprehensive cybersecurity program to protect their networks and critical infrastructure.

FEDRAMP: The Federal Risk and Authorization Management Program (FEDRAMP) is mandatory for cloud service providers to meet security and compliance requirements. Local and state governments can use FEDRAMP-compliant cloud providers to store sensitive information securely.

Cybersecurity Information Sharing Act (CISA): CISA demands local and state governments to share cybersecurity information with the Department of Homeland Security (DHS) and other government agencies to better protect against cyber threats.

State Data Breach Notification Laws: Various US states have laws requiring organizations, including local and state governments, to notify individuals in the event of a data breach. These laws also specify the types of information that must be included in the notification, such as the scope of the breach and steps taken to remediate the issue. Some of the notable state laws include the Calfornia Consumer Privacy Act (CCPA), the Florida Information Protection Act (FIPA), and the Illinois Information Technology Accessibility Act (IITAA). These laws require state government agencies to implement robust cybersecurity measures to protect sensitive information.

Why is Penetration Testing crucial for State and Local Government authorities?

The Center for Internet Security (CIS) found that state and local government cyber security scored significantly lower on assessments compared to private sector organizations. On average, state and local governments scored a 70.7 out of 100 on the CIS Controls, compared to a 83.7 average score for private sector organizations. Therefore, public sector bodies must strengthen their cybersecurity framework using  up-to-date techniques. Penetration testing is an essential component of a comprehensive cybersecurity program for state and local government agencies. Here are some reasons why:

Identifies key vulnerabilities: Penetration testing helps identify vulnerabilities in an organization’s network and systems that cyber criminals could exploit. This information is crucial for prioritizing cybersecurity investments and implementing appropriate safeguards.

Evaluates security Controls: Penetration testing can help evaluate the effectiveness of an organization’s security controls and policies, and identify areas for improvement. This can include reviewing access controls, network segmentation, patch management, and incident response procedures.

Mitigates Risks: By identifying vulnerabilities and evaluating security controls, penetration testing helps organizations mitigate risks and prevent cyber attacks. This can save time, money, and reputational damage that would be incurred if an actual breach occurred.

Ensures regulatory compliance: Penetration testing is often required by regulatory frameworks, such as FISMA or PCI DSS. For state and local government agencies, complying with these regulations is necessary for securing federal grants or maintaining public trust.

Which government funds are available for penetration testing?

There are different government funds available for penetration testing in local and state governments in the United States. The eminent fund programs include:  

Cybersecurity and Infrastructure Security Agency (CISA) funding: CISA provides financial assistance and technical support to improve state and local government cyber security posture. This includes funding for pen-testing and other security assessments.

Department of Homeland Security (DHS) Grant Programs: DHS offers several grant programs to improve state and local government cyber security posture. These grants can be used for a variety of purposes, including pen-testing and other security assessments.

National Science Foundation (NSF) Cybersecurity Grant Programs: NSF offers grants to support cybersecurity research and development, including pen-testing and other security assessments.

Federal Emergency Management Agency (FEMA) Grant Programs: FEMA provides grants to state and local governments to help improve their preparedness and resilience against cyber threats, including funding for pen-testing and other security assessments.

What areas of concern should state and local governments keep in mind while conducting penetration tests?

Regular penetration tests forms a fundamental measure to tackle the atrocities induced by cyber attacks. Public sector agencies must take care of the following aspects before implementing a pentesting program:

  • Obtain appropriate authorization: It is necessary to follow the proper chain of command and take permission for critical procedures like penetration testing. Local and state government agencies must obtain authorization from appropriate officials before conducting a penetration test. This may include obtaining approval from the CIO, legal department, or other appropriate officials.
  • Document and Report Findings: Once the penetration test is complete, the firm should document and report their findings to the appropriate officials. The report should include a detailed description of the vulnerabilities identified, the risks associated with these vulnerabilities, and recommendations for addressing them.
  • Address the Vulnerabilities: Local and state government authorities must take steps to address the vulnerabilities identified in the penetration test. This may include implementing patches or updates, configuring security controls, or implementing other security measures. 
  • Hire a Qualified Penetration Testing provider: A qualified penetration testing firm with experience in conducting tests for government agencies is a must to identify significant weaknesses and risks. Government agencies must collaborate with a firm that possesses the necessary certifications and expertise to conduct the test effectively and provide accurate results.

Find actionable results and upgrade the cybersecurity posture at the local and state government level with NaviSec’s Penetration Testing services!

NaviSec can help improve state and local government cyber security posture by providing customized penetration testing services, expertise in government regulations, actionable recommendations, and ongoing support. By partnering with NaviSec, government agencies can take proactive steps to protect their sensitive data and systems from potential cyber threats. Contact our team now!

Urgent Contact