The National Association of Counties announced this week that it’s offering a cybersecurity risk evaluation tool for its members to test on their public networks, cloud vendors and other third-party providers.
The organization is partnering with SecurityScorecard, a platform that assigns letter grades, ranging from A to F, based on how many vulnerabilities are detected on a network or other system. SecurityScorecard will now be offered over NACo’s County Tech Xchange, a portal used by nearly 900 IT and security officials from the organization’s member counties.
Rita Reynolds, NACo‘s chief information officer, said SecurityScorecard was selected earlier this year for a pilot project aimed at helping county governments get a better grasp on their cybersecurity risks as governments navigate an increasingly complex — and expensive — insurance market. The questionnaires that insurers send out to potential clients can be long and complex, which Reynolds said was causing “lots of angst” among her members.
The pilot period for the cyber risk monitoring tool began in late March, with 38 counties participating, Reynolds said. In addition to reviewing county governments’ core networks, SecurityScorecard also provided the participants with insights about other networks they’re connected to, like fire and emergency-management departments.
Scores were based on a questionnaire that ran more than 30 items, Reynolds said.
“The public domain assessment is just a piece of the security puzzle,” she said. “There’s a lot of other best practices counties should have in place, such as multi-factor authentication.”
The counties that participated in the SecurityScorecard saw their individual scores go up, Reynolds said, though the aggregate grade — which she declined to reveal — “has room for improvement.”
NACo’s addition of SecurityScorecard to its software portal comes as the organization’s members prepare to meet this week in Colorado, and as counties wait for the latest details on the U.S. Department of Homeland Security’s new $1 billion cybersecurity grant program, 80% of which is meant to be distributed to local governments.
“Everyone’s anxious,” Reynolds said. “It’s a huge opportunity.”
As states, counties and cities continue to wait for DHS to publish its guidance on the program, Reynolds said she’s advising NACo’s member CIOs to keep making their own preparations, including having a “3-by-5 card” ready with the top priorities they’d use a grant on. The SecurityScorecard grades, she said, could help.
“For the pilot counties, they can use some of the results to put in their requests to the state,” she said.