Cybersecurity Resources for Local Governments

Overview

Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks that are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes. Types of cybersecurity threats include:

• Phishing — sending of fraudulent emails that resemble emails from reputable sources.
• Ransomware — malicious software designed to extort money by blocking access to files or the computer system until the ransom is paid.
• Malware — malicious software designed to gain unauthorized access or to cause damage to a computer.
• Social Engineering — a tactic hackers use to trick the recipient into revealing sensitive information.

Cybersecurity is an ongoing challenge because new threats evolve frequently and rapidly. This page offers some resources to help local governments stay informed and vigilant. In addition, MRSC staff members and contributors occasionally write about cybersecurity.

Audits and Assessments

Regular audits of hardware and software, as well as internal controls, can assess agency readiness and identify unaddressed risks related to cyber attacks. Resources are listed below to assist with this task.

At the Federal Level

• U.S. Department of Homeland Security (DHS) Cyber Resilience Review — These assessments are offered free of charge to local governments. One option is a downloadable self-assessment; the other is a facilitated, onsite 6-hour session with trained DHS representatives. The CRR Fact Sheet is a 2-page document with information on the process and outcomes of a review. The Assessments: Cyber Resilience Review webpage has a comprehensive array of information including 10 resource guides on subjects like Vulnerability Management, Incident Management, and Service Continuity Management.

At the State Level

• MRSC: Information Security Assessment Tool (2015) — Developed in partnership with the SAO’s Center for Government Innovation and MK Hamilton and Associates (now CI Security), this tool allows local government staff and officials to self-assess their current information security abilities. Read the User Guide before completing the assessment.
• Washington State Auditor's Office (SAO) Cybersecurity Audits — These free audits are available to local governments upon request. The audit identifies areas of risk or vulnerability, recommends best practices tailored to the local government environment, and provides guidance for resolving the risks identified. If you are interested in learning more or would like to request an audit for your local government, please contact the SAO via email (SAOITAudit@sao.wa.gov). Results of the audit are kept confidential under RCW 42.56.420 (4) and in accordance with Generally Accepted Government Auditing Standards, Section 9.61-67.

Organizations

The resources below can help local governments stay up-to-date on cybersecurity guidelines, best practices, threats, and additional tools.

• DHS Cybersecurity and Infrastructure Security Agency (CISA) — Resources for State, Local, Tribal, and Territorial Governments includes a best practices case study from Washington State and others, a toolkit for recognizing/addressing cybersecurity risks, and an overview of four aspects of cybersecurity: identify, protect, detect, and respond. 
  • StopRansomware.gov — Centralized federal government resources to help public and private organizations understand the ransomware threat, mitigate risk, and know what steps to take in the event of an attack
  • National Cyber Awareness System Tips — Offers up-to-date information on threats, hoaxes, and safety in plain language for non-technical computer users. 
  • Telework Essentials Toolkit (2020) — Offers best practices and links to resources to help an organization transition to a secure, permanent telework environment by targeting administrators, IT professionals, and everyday telecommuting employees. 
• Center for Internet Security (CIS) — Offers free cybersecurity tools, membership, and services. CIS' Multi-State Information Sharing and Analysis Center (MS-ISAC) is a resource for state, local, and tribal government information sharing, early warnings and alerts, mitigation strategies, training, and exercises.
• National Institute of Standards and Technology (NIST) Computer Security Resource Center — Provides information security tools and practices, acts as a resource for information security standards and guidelines, and identifies key security web resources to support users in industry, government, and academia. It is also a good portal to find all NIST’s cyber-related standards.
• National 911 Program — Hosts information on policies and implementation guides, training opportunities, fact sheets and newsletters, and reports and studies.
• Michael Hamilton’s IT Security News Blast — Curates the top news stories in cybersecurity, including the latest breaches, security alerts, and industry developments.

Plans and Procedures

Cyber security plans and procedures are kept confidential by government agencies to further protect their systems. The information below will help local governments devise their own procedures and responses to cyber events and are meant to be a framework for customizing IS security.

Created by Pierce County, the Response and Incident Management Plan and Procedures is a downloadable generic plan for IT operations that local governments can customize to their needs and resources. It includes policies, procedures, information sharing and reporting, roles and responsibilities, an incident management flowchart, a major incident flowchart, and four appendices. 

General Sample Plans

• Center for Internet Security 
  • Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 — Provides basic, foundational, and organizational controls to protect, detect, and respond to cyber incidents for organizations of varying sizes. 
  • Policy Template Guide (2020) — Offers a series of templates (hyperlinked to download) that can be customized and used as an outline for organizational policies. 
• CISA: Cyber Risks to Next Generation 9-1-1 (2019) — Explains the risk landscape, describes the Next Generation 9-1-1 (NG9-1-1) cyber infrastructure, and provides a sample risk assessment plan. Mitigation strategies and response and recovery actions outline potential actions to secure and recover capabilities and services affected in a cybersecurity event. Appendix A lists resources for NG9-1-1 administrators and staff.
• Washington State Comprehensive Emergency Management Plan; Significant Cyber Incident Annex (2015) — Explains the strategic and operational framework for coordination among federal, state, local, tribal, and territorial governments, and the private sector.

Sample Plans from Local Governments

• Bothell CEMP Annex: Major Cyber Incident (2019) — Assigns responsibility and critical actions to prepare for and respond to an incident. The Concept of Operations section lists the services and departments served.
• Pierce County CEMP Cyber Incident Annex (2020) — References policies, planning assumptions, concept of operations, and the responsibilities of the primary agency, support agency, South Sound 9-1-1, and county departments and agencies.
• Shoreline CEMP Annex: Cyber Attack (2015) — Defines minor, major, and moderate attacks as an element to determine the city’s response level.

Insurance

Some insurers have resources that can help local governments prevent, prepare for, and recover from a cyber incident, and some Washington cities and counties have chosen to add cyber insurance to their portfolio.

• Washington Counties Risk Pool Cyber Policy Sample (2016) — Offers a detailed cyber and technology liability policy beginning on page 16.
• Kirkland Memo: Insurance Coverage Overview (2016) — Items D and E cover cyber insurance and crime insurance provided by the Washington Counties Insurance Authority (WCIA) through the global insurance company AIG.

Cyber Incident Reporting

State law (RCW 43.09.185) requires local governments to immediately notify the SAO in the event of a known or suspected loss of public resources or other illegal activity. Agencies hit by cyberfraud should be prepared to report loss of funds; financial data affected; ransomware payments; and any unauthorized access to information systems.

Additionally, Washington has two data breach notification laws, RCW 19.255.010 (for individuals and businesses) and RCW 42.56.590 (for state agencies and local governments). Broadly, these laws require individuals, businesses, and public agencies to notify Washington residents who are at risk of harm because of a security breach that includes personal information. In general, notification must be made "in the most expedient time possible" and not more than 45 days after the breach was discovered. If a security breach affects more than 500 Washington residents, notification must also be provided to the Attorney General's Office (AGO), and can be done via the AGO's Identity Theft and Privacy Guide webpage. 

Voluntary sharing of incident information between state, local, and tribal law enforcement and the federal government is one way to ensure a safe and secure cyberspace. Additional agencies to consider reporting a cyber incident to include:

• Internet Crime Complaint Center (IC3) — As a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C), IC3 provides both information security and a place to file complaints, the latter of which can be stored and used for prosecution.
• Washington State Fusion Center (WSFC) — Concurrently supports federal, state, and tribal agencies, regional and local law enforcement, public safety, and homeland security by providing timely, relevant and high-quality information and intelligence services. Users may report suspicious activity. 

Individuals who are victims of identity theft should visit the Federal Trade Commission's IdentifyTheft.gov website for resources and guidance.

Resources for Monitoring and Updating

Many software companies, such as Microsoft, regularly release software patches for their products. Frequently, these patches update malware databases to protect a computer more effectively from well-known viruses.

Microsoft’s Update Catalog is a listing of updates (patches) for Microsoft servers, drivers (for printers and scanners), and critical updates for multiple versions of Office. It is searchable, and the updates can be distributed over your network. The FAQ has an overview of what’s in the catalog, frequency of security update releases, and explains the difference between using the catalog and the Windows Update feature. Cyber insurance policies may require that an agency keep its systems updated in order to remain covered.

The Public Infrastructure Security Cyber Education System (PISCES) allows small local governments in Washington (150 employees or less) to connect with universities for free cybersecurity monitoring and investigation. The only charge is a one-time computer purchase. For details on the service, see the PISCES Community Partners page.

The Cyber Readiness Institute has free, downloadable resources for small and medium-sized businesses, including local governments.

WashingtonTechnology Solutions (WaTech), in partnership with the Office of Privacy and Data Protection (OPDP), offers privacy resources for local governments. Their website hosts OPDP resources, including recorded training sessions, a guide to minimizing data collection, breach notification requirements, and methods for designing more secure systems.

MS-ISAC offers its federal, state, and local government members a free ransomware blocker, the Malicious Domain Blocking & Reporting (MDBR). MDBR helps to block malicious domain requests before a connection is established, helping to limit infections related to known malware, ransomware, and phishing. It is intended as an additional layer of security. 

Training

At the National Level

• SANS Institute — Provides intensive, immersion cybersecurity training.

At the State and Local Level

• Washington State Emergency Management Division — Offers trainings on, among other things, cyber security preparation, mitigation, and response for emergency managers across the state.
• Pierce County Region 5 Cyber Planning Team — TProvides guidance and recommendations to all disciplines and sectors within Region 5. 

Examples of Cybersecurity RFPs

Below are some examples of requests for proposals to improve local government cybersecurity capabilities.

Washington State

• Kirkland 
  • Network Security Assessment RFP (2017) — Scope includes assessing the city’s data and voice network infrastructure.
  • Security Incident and Event Management (SIEM) Solution and Professional Services for Implementation RFP (2021) — Scope includes installation of SIEM solutions, cloud service (SaaS) SIEM solutions and managed detection and response SIEM solutions.
• Maple Valley IT Consulting Services RFP (2021) — Scope includes assisting city’s IT department with workload and improving cybersecurity through direct action and security incident preparedness. 
• Port of Tacoma Cybersecurity Assessment RFP (2015) — Scope includes assessing vulnerabilities in IT infrastructure, systems, policies, and practices and develop a prioritized set of actions to mitigate the risks.
• Snoqualmie Managed Detection & Response & Security Assessments RFP (2019) — Scope includes an MDR platform and security assessments. Vendor will provide real-time monitoring and analysis of suspicious activity/attempts to breach the system; test and assess existing security and internal/external vulnerabilities; review and/or develop security policies and procedures; assess risk of data breach and develop response plan, and more.

Out-of-State

• Phoenix, AZ: Information Security Assessment RFP (2016) – Scope includes assessing IT infrastructure and developing a plan to improve cybersecurity capabilities and address any deficiencies or weaknesses.
• Springfield, MO: Cybersecurity Awareness Training RFP (2016) – Scope include developing a cloud-based training program with a variety of courses for employees to take to increase cybersecurity awareness.