
Cybersecurity Resources for Local Governments

This page provides a compilation of information security resources available to local governments in Washington State, including MRSC's Information Security Assessment Tool, along with examples of cybersecurity RFPs.


Overview 

Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks that are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes. Types of cybersecurity threats include:

  • Phishing — sending of fraudulent emails that resemble emails from reputable sources.
  • Ransomware — malicious software designed to extort money by blocking access to files or the computer system until the ransom is paid.
  • Malware — malicious software designed to gain unauthorized access or to cause damage to a computer.
  • Social Engineering — a tactic hackers use to trick the recipient into revealing sensitive information.

Cybersecurity is an ongoing challenge because new threats evolve frequently and rapidly. This page offers some resources to help local governments stay informed and vigilant. In addition, MRSC staff members and contributors occasionally write about cybersecurity.


Audits and Assessments

Regular audits of hardware and software, as well as internal controls, can assess agency readiness and identify unaddressed risks related to cyber attacks. Resources are listed below to assist with this task.

At the Federal Level

  • Department of Homeland Security (DHS) Cyber Resilience Review — These assessments are offered free of charge to local governments. One option is a downloadable self-assessment; the other is a facilitated, onsite 6-hour session with trained DHS representatives. The CRR Fact Sheet is a 2-page document with information on the process and outcomes of a review. The Assessments: Cyber Resilience Review webpage has a comprehensive array of information including 10 resource guides on subjects like Vulnerability Management, Incident Management, and Service Continuity Management.

At the State Level

  • Washington State Auditor's Office (SAO) Cybersecurity Audits — These free audits are available to local governments upon request. The audit identifies areas of risk or vulnerability, recommends best practices tailored to the local government environment, and provides guidance for resolving the risks identified. If you are interested in learning more, please contact the Local IS Audit Program Manager at the State Auditor’s Office; 360-902-0370. Results of the audit are kept confidential under RCW 42.56.420 (4) and in accordance with Generally Accepted Government Auditing Standards, Section 7.40-43.
  • MRSC Information Security Assessment Tool — Developed in 2015 in partnership with the State Auditor's Office Center for Government Innovation and MK Hamilton and Associates (now CI Security), this tool allows local government staff and officials to self-assess their current information security abilities. Read the User Guide before completing the assessment tool.

Organizations

The resources below can help local governments stay up-to-date on cybersecurity guidelines, best practices, threats, and additional tools.

  • Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) — CISA has resources for State, Local, Tribal, and Territorial Governments that include a best practices case study from Washington State and others, and a toolkit for recognizing and addressing cybersecurity risks. There are resources to address four aspects of cybersecurity: Identify, Protect, Detect, and Respond. CISA’s National Cyber Awareness System Tips has up-to-date information on threats, hoaxes, and safety in plain language for non-technical computer users. You can subscribe to alerts, tips, and updates via the “Subscribe to Alerts” box at the bottom of their webpage.
  • Center for Internet Security (CIS) — CIS offers free cybersecurity tools, membership, and services. The Multi-State Information Sharing and Analysis Center (MS-ISAC) is a part of the CIS and is a resource for state, local, and tribal government information sharing, early warnings and alerts, mitigation strategies, training, and exercises.
  • National Institute of Standards and Technology (NIST) Cybersecurity Resource Center — The Center provides information security tools and practices, acts as a resource for information security standards and guidelines, and identifies key security web resources to support users in industry, government, and academia. It is also a good portal to find all NIST’s cyber-related standards.
  • National 911 Program — This resource hosts information on policies and implementation guides, training opportunities, fact sheets and newsletters, and reports and studies.
  • Michael Hamilton’s IT Security News Blast — Mike Hamilton, founder and CISO of CI Security, curates the top news stories in cybersecurity, including the latest breaches, security alerts, and industry developments, and sends out a daily report every weekday. Sign up for the newsletter or access email archives at this link.

Plans and Procedures

Cybersecurity plans and procedures are kept confidential by government agencies to further protect their systems. The information below will help local governments devise their own procedures and responses to cyber events and is meant to be a framework for customizing your IS security.

General Sample Plans

  • Center for Internet Security CIS Controls V7.1 — A set of basic, foundational, and organizational controls to protect, detect, and respond to cyber incidents for organizations of varying sizes. CIS Controls 17-20 are focused on people and processes, covering security awareness and training; application software security; incident response and management; and penetration tests and red team exercises.
  • Cyber Risks to Next Generation 9-1-1 (2018) — Produced by the DHS Office of Emergency Communications, this publication explains the risk landscape, describes the Next Generation 9-1-1 (NG9-1-1) cyber infrastructure, and provides a sample risk assessment plan. Mitigation strategies and response and recovery actions outline potential actions to secure and recover capabilities and services affected in a cybersecurity event. Appendix A is a list of resources for NG9-1-1 administrators and staff.
  • Significant Cyber Incident Annex (2015) — A component of Washington State’s Comprehensive Emergency Management Plan, this section explains the strategic and operational framework for coordination among federal, state, local, tribal, and territorial governments and the private sector.

Sample Plans from Local Governments

  • Bothell CEMP Annex: Major Cyber Incident — A 4-page plan from 2019 that assigns responsibility and critical actions to prepare for and respond to an incident. The Concept of Operations section lists the services and departments served.
  • Shoreline CEMP Annex: Cyber Attack — An 11-page document that includes an appendix entitled Cyber Incident Triggers. It defines minor, major, and moderate attacks as an element to determine the city’s response level.
  • Pierce County
    • CEMP Cyber Incident Annex — A 4-page document that references policies, planning assumptions, concept of operations, and the responsibilities of the primary agency, support agency, South Sound 9-1-1, and County departments and agencies.
    • Response and Incident Management Plan and Procedures: IT Operations — An editable 19-page document that you can customize for your jurisdiction, this sample plan includes policies, procedures, information sharing and reporting, roles and responsibilities, an incident management flowchart, a major incident flowchart, and four appendices. This is a ‘generic’ version that will give you a format for your plans but doesn’t include Pierce County specifics as a security measure.

Insurance

Some insurers have resources that can help local governments prevent, prepare for, and recover from a cyber incident, and some Washington cities and counties have chosen to add cyber insurance to their portfolio.

  • Washington Counties Risk Pool Cyber Policy Sample (2016) — the Cyber and Technology Liability Policy begins on page 16 of the pdf.
  • Kirkland 2016 memo detailing insurance coverage — Items D and E cover Cyber Insurance and Crime Insurance provided by the Washington Counties Insurance Authority through the global insurance company AIG.

Cyber Incident Reporting

Voluntary sharing of incident information between state, local, and tribal law enforcement and the federal government is one way to ensure a safe and secure cyberspace. RCW 42.56.590 defines personal information and reporting requirements for data breaches.

Local governments experiencing a cyber incident might be able to waive competitive bidding requirements during the incident, since RCW 39.04.280 (1)(c) allows municipalities to waive competitive bidding requirements in the event of an emergency. However, be sure to check with the State Auditor’s Office to confirm that the facts of your situation align with the definition of “emergency,” and contact your legal counsel as well.

Reporting agencies are listed below.

  • Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C), which provides both information security information and a place to file complaints. These complaints are stored and can be used for prosecution.
  • Washington State Fusion Center (WSFC) is Washington State’s single fusion center and concurrently supports federal, state, and tribal agencies, regional and local law enforcement, public safety and homeland security by providing timely, relevant and high-quality information and intelligence services. Report suspicious activity at this link.

Tools for Monitoring

Many software companies, such as Microsoft, regularly release software patches for their products. Frequently, these patches update malware databases to more effectively protect a computer from well-known viruses.

Microsoft’s Update Catalog is a listing of updates (patches) for Microsoft servers, drivers (for printers and scanners), and critical updates for multiple versions of Office. It is searchable, and the updates can be distributed over your network. The FAQ on this site gives an overview of what’s in the catalog and the frequency of security update releases, and explains the difference between using the catalog and the Windows Update feature on some versions of Windows. (Cyber insurance policies often require that an agency keep its systems updated in order to remain covered.)


Training

At the National Level

  • SANS Institute — Established in 1989 as a cooperative research and education organization, it provides intensive, immersion training designed for people to master the practical steps necessary for defending systems and networks against the most dangerous threats.

At the State and Local Level

  • Washington State Emergency Management Division — The Division holds trainings on cyber security preparation, mitigation, and response for emergency managers across the state. The link goes to the training page; searching for “cyber” in the search box there will list any upcoming cyber trainings.
  • Pierce County Region 5 Cyber Planning Team — This page includes an IT Disaster Recovery Plan Template from WATech, tabletop exercises, and useful links.

Examples of Cybersecurity RFPs

Below are some examples of requests for proposals to improve local government cybersecurity capabilities.

In-State

  • Kirkland Network Security Assessment RFP (2017) — Scope includes assessing the city’s data and voice network infrastructure.
  • Port of Tacoma Cybersecurity Assessment RFP (2015) — Scope includes assessing vulnerabilities in IT infrastructure, systems, policies, and practices and developing a prioritized set of actions to mitigate the risks.
  • Snoqualmie Managed Detection & Response & Security Assessments RFP (2019) — Scope includes an MDR platform and security assessments. Vendor will provide real-time monitoring and analysis of suspicious activity/attempts to breach the system; test and assess existing security and internal/external vulnerabilities; review and/or develop security policies and procedures; assess risk of data breach and develop response plan, and more.

Out-of-State


Last Modified: October 29, 2019