skip navigation

Cybersecurity Resources for Local Governments

This page provides a compilation of information security resources available to local governments in Washington State.


Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks that are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes. Types of cybersecurity threats include:

  • Phishing — sending of fraudulent emails that resemble emails from reputable sources.
  • Ransomware — malicious software designed to extort money by blocking access to files or the computer system until the ransom is paid.
  • Malware — malicious software designed to gain unauthorized access or to cause damage to a computer.
  • Social Engineering — a tactic hackers use to trick the recipient into revealing sensitive information.

Cybersecurity is an ongoing challenge because new threats evolve frequently and rapidly. This page offers some resources to help local governments stay informed and vigilant. In addition, MRSC staff members and contributors occasionally write about cybersecurity.

Audits and Assessments

Regular audits of hardware and software, as well as internal controls, can assess agency readiness and identify unaddressed risks related to cyber attacks. Resources are listed below to assist with this task.

  • Cybersecurity and Infrastructure Security Agency (CISA): Cyber Resilience Review — Conducts interview-based assessments to evaluate an organization’s operational resilience and cybersecurity practices. Free to local governments.
  • Government Accountability Office (GAO): Cybersecurity Program Audit Guide (2023) — Gives analysts and auditors the methodologies, techniques, and audit procedures they need to evaluate the components of agencies' cybersecurity programs and systems.
  • MRSC: Information Security Assessment Tool (2015) — Developed in partnership with the SAO’s Center for Government Innovation and MK Hamilton and Associates (now CI Security), this tool allows local government staff and officials to self-assess their current information security abilities. Read the User Guide before completing the assessment.
  • Washington State Auditor's Office (SAO) —  Offers free assessments and audits to public agencies, available upon request.
    • BeCyberSmart —  A fast assessment of an agency’s vulnerability to common cyberthreats, along with actionable steps to improve organizational cyber health.
    • Cybersecurity Audits — A thorough audit to identify areas of risk or vulnerability, recommend best practices tailored to the local government environment, and provide guidance for resolving the risks identified. Results of the audit are kept confidential under RCW 42.56.420 (4) and in accordance with Generally Accepted Government Auditing Standards, Section 9.61-67.

Plans and Procedures

Cybersecurity plans and procedures are kept confidential by government agencies to further protect their systems. These plans may address how the agency will protect sensitive data, ensure system integrity, minimize cyber risks, comply with industry regulations, cultivate cyber awareness, and respond to a cyber incident. 

Created by Pierce County, the downloadable Response and Incident Management Plan and Procedures, a generic plan for IT operations that local governments can customize to their needs and resources. It includes policies, procedures, information sharing and reporting, roles and responsibilities, an incident management flowchart, a major incident flowchart, and four appendices. Additionally, resources listed below may also help local governments devise their own procedures.

General Sample Plans

Sample Plans from Local Governments

In the samples below, cybersecurity may be addressed as part of a larger comprehensive emergency management (CEMP) or an integrated information technology (IT) plan, or as a stand-alone policy. 


Some insurers have resources that can help local governments prevent, prepare for, and recover from a cyber incident, and some Washington cities and counties have chosen to add cyber insurance to their portfolio.

Cyber Incident Reporting

State law (RCW 43.09.185) requires local governments to immediately notify the SAO in the event of a known or suspected loss of public resources or other illegal activity. Agencies hit by cyberfraud should be prepared to report loss of funds, financial data affected, ransomware payments, and any unauthorized access to information systems.

Additionally, Washington has two data breach notification laws, RCW 19.255.010 (for individuals and businesses) and RCW 42.56.590 (for state agencies and local governments). These laws require individuals, businesses, and public agencies to notify Washington residents who are at risk of harm because of a security breach that includes personal information. In general, notification must be made "in the most expedient time possible" and not more than 45 days after the breach was discovered. If a breach affects more than 500 residents, notification must also be provided to the Attorney General's Office (AGO) — see the Identity Theft and Privacy Guide webpage. 

Voluntary sharing of cyber incident information between state, local, and tribal law enforcement and the federal government is one way to ensure a safe and secure cyberspace. Additional agencies to consider reporting a cyber incident to include:

  • Internet Crime Complaint Center (IC3) — As a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C), IC3 provides both information security and a place to file complaints, the latter of which can be stored and used for prosecution.
  • Washington State Fusion Center (WSFC) — Concurrently supports federal, state, and tribal agencies, regional and local law enforcement, public safety, and homeland security by providing timely, relevant and high-quality information and intelligence services.

Individuals who are victims of identity theft should visit the Federal Trade Commission's website for resources and guidance.

Resources for Monitoring and Updating

Many software companies, such as Microsoft, regularly release software patches for their products. Frequently, these patches update malware databases to protect a computer more effectively from well-known viruses.

  • Microsoft: Update Catalog — Offers updates (patches) for Microsoft servers, drivers (for printers and scanners), and critical updates for multiple versions of Office. It is searchable, and the updates can be distributed over your network. 
  • Multi-State Information Sharing and Analysis Center (MS-ISAC) — Acts as a resource for state, local, and tribal government information sharing, early warnings and alerts, mitigation strategies, training, and exercises. Offers members a free ransomware blocker, the Malicious Domain Blocking & Reporting (MDBR), to limit incidents related to known malware, ransomware, and phishing. 
  • Public Infrastructure Security Cyber Education System (PISCES) — Allows small local governments in Washington (150 employees or less) to connect with universities for free cybersecurity monitoring and investigation. 

Examples of Cybersecurity RFPs

Below are some examples of requests for proposals to improve local government cybersecurity capabilities.

Washington State



The resources below can help local governments stay up-to-date on cybersecurity guidelines, best practices, threats, and additional tools.

Last Modified: April 08, 2024