Non-federal agencies still ride low on the maturity benchmark, but the increased political attention around cybersecurity could improve results in the coming survey period.
Results from a 2016 survey show that, on average, states have yet to break the minimum standards for cybersecurity maturity. (Center for Internet Security)
State and local governments, still playing catch-up in many aspects of cybersecurity, will soon have a chance to re-evaluate their practices and policies as part of the Center for Internet Security's annual review.
This year's Nationwide Cyber Security Review (NCSR) is being advertised by CIS's Multi-State Information Sharing & Analysis Center (MS-ISAC) as a free opportunity for states, local governments, tribes and territories to see how they rank against a national average, while supplying a central authority with a valuable benchmarking tool.
Though results from the 2016 review show improvement over previous years, the average results are still below the minimum maturity level recommended by the review's workgroup.
The 2017 review will open Oct. 2 through Dec. 15, with results expected by the end of the first quarter of 2018, MS-ISAC Member Programs Manager Molly Gifford told StateScoop.
The survey's questions are based on those outlined by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) Core, a collection of functions labeled "identify, protect, detect, respond, and recover." State governments were revealed to be weakest at identifying threats and strongest at responding, while local governments were found to be weakest at detecting and strongest at protecting.
"It really serves as a communication tool and allows entities to measure their progress against the NIST CSF from year to year," Gifford said.
While last year's survey results showed that state governments improved by 3 percent in their overall cybersecurity maturity and localities improved by 11 percent, the average still sits below the minimum recommended standard of a score of 5 or higher using the survey's 1-7 scale.
A shortage of financial and staff resources was identified as the key factor hindering government's progress to develop cybersecurity maturity. 2017, however, has brought to states and localities many new laws, offices and partnerships designed to spur economic activity around cybersecurity and bolster government resources — from new cyber units in Los Angeles and New York City to new unifying governance structures in Oregon, Nevada and Idaho. Whether these new initiatives can drive improved survey results remains to be seen next year.
Born from direction by the U.S. Department of Homeland Security in 2009, the first NCSR was conducted in 2011, with MS-ISAC, the National Association of Chief Information Officers (NASCIO), and the National Association of Counties (NACo) joining as partners in 2013.
The federal call for improved cybersecurity was continued in May when the Trump administration issued an executive order calling for the hardening of federal networks and critical infrastructure — MS-ISAC says its state and local efforts align with the president's rallying call.