Cybersecurity Resources for Local Governments

Overview

Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks that are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes. Types of cybersecurity threats include:

• Phishing—sending of fraudulent emails that resemble emails from reputable sources.
• Ransomware—malicious software designed to extort money by blocking access to files or the computer system until the ransom is paid.
• Malware—malicious software designed to gain unauthorized access or to cause damage to a computer.
• Social Engineering—a tactic to trick the recipient into revealing sensitive information.

Cybersecurity is an ongoing challenge because new threats evolve frequently and rapidly. This page offers some resources to help local governments stay informed and vigilant. In addition, MRSC staff members and contributors occasionally write about cybersecurity.

Audits and Assessments

Regular audits of hardware and software, as well as internal controls, can assess agency readiness and identify unaddressed risks related to cyber attacks. Resources are listed below to assist with this task.

• Cybersecurity and Infrastructure Security Agency (CISA) Cyber Resilience Review – Conducts interview-based assessments to evaluate an organization’s operational resilience and cybersecurity practices. Free to local governments.
• Government Accountability Office Cybersecurity Program Audit Guide (2023) – Gives analysts and auditors the methodologies, techniques, and audit procedures they need to evaluate the components of agencies' cybersecurity programs and systems.
• Washington State Auditor's Office (SAO) – Offers free assessments and audits to public agencies, available upon request.
  • BeCyberSmart – A fast assessment of an agency’s vulnerability to common cyberthreats, along with actionable steps to improve organizational cyber health.
  • Cybersecurity Audits – A thorough audit to identify areas of risk or vulnerability, recommend best practices tailored to the local government environment, and provide guidance for resolving the risks identified. Results of the audit are kept confidential under RCW 42.56.420 (4) and in accordance with Generally Accepted Government Auditing Standards, Section 9.61-67.
  • Cybersecurity Resource Library – Offers guides to improve awareness of cyber schemes and protective measures to adopt based on current best practices in cybersecurity.

Plans and Procedures

Cybersecurity plans and procedures are kept confidential by government agencies to further protect their systems. SAO recommends that local governments address eight areas to create a solid foundation for a cybersecurity program, including:

• Acceptable IT use policies
• Policies and practices that support strong password-protection
• Policies detailing the specific accounts that are required to use multifactor authentication
• A cyberattack incident response policy
• Strong policies and practices for use of agency issued email accounts
• Policies covering how/when/under what circumstances a staff can use their personal devices on the agency’s IT network
• Policies covering use of agency social media accounts, as well as restrictions on disclosure of agency-related information on personal social media accounts
• Policies covering AI use

Examples of Federal, State, and Other Cybersecurity Plans

• CISA Critical Security Controls – Offers prescriptive, prioritized, and simplified set of best practices to strengthen organizational cybersecurity
• Cybersecurity and Infrastructure Security Agency Incident Response Plan Basics – Offers a quick overview of steps to take before, during, and after a cybersecurity incident
• Federal Emergency Management Agency Planning Considerations for Cyber Incidents, Guidance for Emergency Managers (2023) – Intended to help emergency management personnel collaboratively prepare for a cyber incident and support the development of a cyber incident response plan
• Washington State
  • Significant Cyber Incident Response Plan (2024) – Offers an overarching policy and approach to cyber incidents occurring or directly impacting Washington State
  • Cybersecurity Program Policy – Requires all state agencies adhere to WaTech policies and standards

Examples of Local Government Plans and Policies

In the samples below, cybersecurity may be addressed as part of a larger comprehensive emergency management (CEMP) or an integrated information technology (IT) plan, or as a stand-alone policy.

• Bothell Hazard Mitigation Plan Annex (2025) Includes cyberattacks among major risk factors and evaluates risk level of attack for various facilities, programs, and services; authorizes Employee and IT Services Dept and includes a cybersecurity plan overview.
• King County
  • Acceptable Use Policy (2021) Describes the acceptable use of King County’s technology, assets (e.g., hardware, software, data, and authentication information)
  • 2025-2030 Hazard Mitigation Plan: Chapter 7, Cyber Incidents (2025)
• Snohomish County Integrated Preparedness Plan 2023-2026 (2023) – Identifies cybersecurity as among the agency's five highest priorities

Insurance

Most Washington local governments address cyber insurance in the following ways:

• By requiring it in contracts with vendors that handle specific sensitive information,
• Adding cyber insurance to their insurance portfolio if they are enrolled in an insurance pool, or 
• Seeking general insurance procurement rather than explicit IT policy requirements

The examples below call out contracted work that involves specific sensitive information, such as protected health information (PHI), personal identifiable information (PII), and data connected to online payments, as work needing cyber liability coverage.

• Everett Cyberliability Insurance Requirements (2023) requires vendors/contractors handling data containing PHI and PII to maintain cyber security liability insurance; coverage must include computer forensics, notification services, credit monitoring, breach resolution, and regulatory penalties.
• King County Insurance Requirements – Requires cyber liability coverage for contractors when the Statement of Work involves access to, handling, and/or storage of sensitive data (including payment card information, PII, and PHI) of 1,000 or more records

Data Sharing Agreements

If one public agency requests confidential information from another public agency through an interlocal or intergovernmental agreement under chapter 39.34 RCW, the agencies must have a data sharing agreement (DSA) in place that conforms to state cybersecurity policies (RCW 39.34.240). This applies to Category 3 and Category 4 data.

Category 4 covers confidential information requiring special handling, such as data that falls under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or information that could result in legal sanctions or threats to health and safety.

Category 3 covers confidential information such as Social Security numbers, driver’s license numbers, account numbers, credit card numbers, security codes, passwords, certain personal information held in personnel files, or information about infrastructure and security of computer or telecommunication networks.

There is a similar requirement for state agency vendor contracts under RCW 39.26.340, which does not apply to local governments since local governments are not included within the definition of "agency" in RCW 39.26.010. However, if local governments are piggybacking on state procurement contracts or otherwise passing through or participating in state contracts, they will likely need to comply with this statute.

Even if it is not required by statute, it is a good idea for local governments to enter into data sharing agreements with contractors if the agency will be sharing confidential data, especially since local governments have an obligation to disclose personal information data breaches as discussed later.

For more information, see the following resources from WaTech:

• Categorizing Data for a State Agency – Checklist to help categorize data sensitivity
• Data Sharing Agreement Implementation Guidance (2022) – Provides privacy and cybersecurity best practices to implement data sharing agreements
• Sample Data Sharing Agreement for Defined Extract or System Access – DSA example when sharing involves system access or a pre-defined extract that can be described in detail
• Sample Data Sharing Agreement for Multiparty Relationship with Broad Sharing – DSA example when there are several parties involved and the nature of the sharing makes it infeasible to document each data transmission with specificity

Cyber Incident & Data Breach Reporting

State law (RCW 43.09.185) requires local governments to immediately notify the SAO in the event of a known or suspected loss of public resources or other illegal activity. Agencies hit by cyberfraud should be prepared to report loss of funds, financial data affected, ransomware payments, and any unauthorized access to information systems.

Additionally, Washington has two data breach notification laws, RCW 19.255.010 (for individuals and businesses) and RCW 42.56.590 (for state agencies and local governments). These laws require individuals, businesses, and public agencies to notify Washington residents who are at risk of harm because of a security breach that includes personal information. In general, notification must be made "in the most expedient time possible" and not more than 45 days after the breach was discovered. If a breach affects more than 500 residents, notification must also be provided to the Washington State Attorney General's Office—see the Identity Theft and Privacy Guide webpage.

Voluntary sharing of cyber incident information between state, local, and tribal law enforcement and the federal government is one way to ensure a safe and secure cyberspace. Additional agencies to consider reporting a cyber incident to include:

• Internet Crime Complaint Center (IC3) – As a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C), IC3 provides both information security and a place to file complaints, the latter of which can be stored and used for prosecution
• Washington State Fusion Center – Concurrently supports federal, state, and tribal agencies, regional and local law enforcement, public safety, and homeland security by providing timely, relevant, and high-quality information and intelligence services

Individuals who are victims of identity theft should visit the Federal Trade Commission's IdentifyTheft.gov website for resources and guidance.

Cybersecurity Monitoring and Updating

Many software companies, such as Microsoft, regularly release software patches for their products. Frequently, these patches update malware databases to protect a computer more effectively from well-known viruses.

• Microsoft Update Catalog – Offers updates (patches) for Microsoft servers, drivers (for printers and scanners), and critical updates for multiple versions of Office
• Multi-State Information Sharing and Analysis Center (MS-ISAC) – Acts as a resource for state, local, and tribal government information sharing, early warnings and alerts, mitigation strategies, training, and exercises; the state currently covers membership costs for all county auditors and election offices. 
  • Malicious Domain Blocking & Reporting – Free ransomware blocker available to MS-ISAC members
• Public Infrastructure Security Cyber Education System – Allows small local governments in Washington (150 employees or less) to connect with universities for free cybersecurity monitoring and investigation

Examples of Cybersecurity RFPs

Below are some examples of requests for proposals to improve local government cybersecurity capabilities.

Washington State

• Kirkland
  • Managed Detection and Response (MDR) Solution and Professional Services for Implementation and Security Services RFP (2026) – Scope includes installation of MDR solution and assistance with implementation
  • Security Incident and Event Management (SIEM) Solution and Professional Services for Implementation RFP (2021) – Scope includes installation of SIEM solutions, cloud service (SaaS) SIEM solutions and managed detection and response SIEM solutions.
• Stevenson Managed IT Services RFP (2026) – Includes cybersecurity among IT services requested; includes questions contractors must answer regarding plans for implementation and support/maintenance.

Recommended Resources

The resources below can help local governments stay up to date on cybersecurity guidelines, best practices, threats, and additional tools.

• Association of County and City Information Systems – Composed of the Chief Information Systems Officers of counties and cities statewide; also welcomes state agencies, special purpose districts, commissions, and ports as affiliate members.
• Center for Internet Security – Offers free cybersecurity tools and services
• Cyber Readiness Institute – Offers free cybersecurity resources focused on small and medium-sized businesses, including local governments
• CISA – Leads the federal effort to understand, manage, and reduce risk to the national cyber and physical infrastructure
  • StopRansomware.gov – Centralized federal government resources to help public and private organizations understand the ransomware threat, mitigate risk, and know what steps to take in the event of an attack
  • National Cyber Awareness System Tips – Offers up-to-date information on threats, hoaxes, and safety in plain language for non-technical computer users
  • Free Cybersecurity Services and Tools
• National Institute of Standards and Technology Computer Security Resource Center – Provides information security tools and practices, acts as a resource for information security standards and guidelines, and identifies key security web resources to support users in industry, government, and academia
• National 911 Program Cybersecurity – Collaborates with the 911 community and other federal agencies to provide support for the development of cybersecurity resources aimed at keeping emergency communications technology safe