Nearly four months after a ransomware attack forced the closure of municipal buildings and prompted a local jail to lock down inmates, officials in Bernalillo County, New Mexico, this week approved their first governmentwide cybersecurity policy.
The county, which contains Albuquerque and is New Mexico’s most populous, disclosed the incident Jan. 5, becoming the first U.S. public-sector ransomware victim to do so in 2022. The ransomware, which has not been publicly attributed to any known malicious actor, knocked out county websites, shut down internal systems and resulted in numerous public services being unavailable for days.
The impacts were even more pronounced at Bernalillo County’s Metropolitan Detention Center, where officials, unable to use automated doors or access surveillance cameras, responded by keeping some 1,200 inmates confined to their cells all day. Those conditions were eventually lifted after complaints in federal court.
Bernalillo County’s new cybersecurity policy is based on the framework developed by the National Institute of Standards and Technology. Chief Information Officer Robert Benavidez told county commissioners, who approved the policy unanimously, that the two most immediate changes from the 11-page plan are a countywide implementation of multi-factor authentication for nearly all employee accounts and monitoring of county networks by a 24-hour security operations center.
The policy also imposes new requirements for virus-scanning software and endpoint detection and response capabilities on all computers connected to the county’s systems.
Bernalillo County officials have said they did not pay their hackers’ ransom demand. The Albuquerque Journal reported that the county had a $2 million cyber insurance policy to cover the costs of mitigation and recovery.