Four Recommendations for State and Tribal Governments Formulating Their Cybersecurity Plans

In 2021, the U.S. Congress passed a landmark piece of legislation, the Infrastructure Investment and Jobs Act (IIJA), which took a critical step towards modernizing state, local, tribal, and territorial governments' information technology (IT) systems. For the first time in history, this law aimed to ensure dedicated investments in key areas of state and tribal governments' cybersecurity. As state and tribal governments continue to face increasingly sophisticated cybersecurity threats, prioritization of technological investments must be targeted and resolute. To ensure governments get the most benefit from this funding, ITI offers the following steps for state and tribal governments to consider when developing their cybersecurity plans:

  1. Focus on shared services using available leading-edge industry tools to assess environments and identify vulnerabilities.

Ensuring the success of both state and tribal cybersecurity plans begins with proper resource allocation that will empower local agencies to comprehensively assess their existing cybersecurity environment. State and tribal governments can best support localities by developing whole-of-government shared services in foundational capabilities such as identity and access management and cybersecurity. Prioritizing initiatives like these, where local entities can leverage government-supported tools to autonomously assess their unique risks, will establish a cohesive whole-of-government approach to identifying vulnerabilities throughout the state and tribe, a key first step to developing mitigation strategies.

  2. Measure the existing cybersecurity environment within state and tribal government executive agencies.

Once states and tribes have determined the condition of their local entities’ cybersecurity footing, state and tribal governments must then adopt their own strategic approach to discern what resides within their existing cybersecurity environment, what is actively utilized, and what is deemed critical. To facilitate this process, states and tribes must provide clear and detailed guidance to their respective agencies, including specific instructions and criteria on how to accurately catalog all hardware, software, data sources, and networks in use. States and tribes must also foster open communication within their agencies to help identify and define what constitutes critical systems and data. This collaborative effort ensures a comprehensive understanding of the cybersecurity landscape on both the local and executive levels. By providing clear instructions and fostering interagency collaboration throughout the evaluation of their digital infrastructure, governments can begin to map out the distribution of their efforts and resources.

  3. Conduct tribal and state-wide risk assessments.

Risk assessments serve as a critical tool for states and tribes to use while they develop an understanding of their unique digital vulnerabilities and threats. By identifying what is interconnected within their cybersecurity environment, states and tribes can proactively identify the potential consequences of a cyber threat if critical components were to go offline as well as discern who would be impacted in the event of such disruptions. This insight would not only enable state and tribal governments to fortify their defenses against cyber threats, but also keenly position them to form a strategic roadmap for cybersecurity improvements as well as robust contingency plans to ensure the continuity of essential digital services to citizens.

  4. Establish criteria for agencies to develop and maintain improvements to their cybersecurity environments beyond this initial federal funding.

States and tribes must establish a well-defined set of criteria to guide the enhancement of their cybersecurity networks after thoroughly assessing their existing environments and conducting comprehensive risk assessments. The recommended assessments listed above will provide states and tribes with clear objectives and benchmarks for improving their cybersecurity posture while ensuring the most critical aspects of their digital infrastructure receive proper prioritization and funding. By having explicit criteria in place, state and tribal governments can and should continuously evaluate the effectiveness of their cybersecurity measures, adapt to emerging threats, and measure their success over time. In an era of increasing cyberattacks, defining and adhering to clear criteria is essential for state and tribal governments to build a resilient, adaptable, and robust cybersecurity network that can protect the state and tribe’s interests and the security of their constituents.

In conclusion, as states and tribes develop their cybersecurity plans, adopting a holistic, long-term approach to building resilient cybersecurity infrastructure and efficient resource allocation is crucial. Cybersecurity is an ongoing process that requires constant monitoring and adaptation. As technology evolves and threat actors adjust their techniques, states and tribes must maintain their commitment to good cybersecurity hygiene beyond federal funding timelines. This includes dedicating sufficient funding, adopting cutting-edge commercial technologies, and supporting long-term workforce expertise. State and tribal governments must proactively maintain their systems and collaborate closely with industry partners to ensure their cybersecurity posture remains current and effective. ITI remains committed to working with our state and tribal government partners in this important effort.

Public Policy Tags: Cybersecurity, Public Sector
