Cybersecurity Resources for Local Governments

Overview

Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks that are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes. Types of cybersecurity threats include:

• Phishing — sending of fraudulent emails that resemble emails from reputable sources.
• Ransomware — malicious software designed to extort money by blocking access to files or the computer system until the ransom is paid.
• Malware — malicious software designed to gain unauthorized access or to cause damage to a computer.
• Social Engineering — a tactic hackers use to trick the recipient into revealing sensitive information.

Cybersecurity is an ongoing challenge because new threats evolve frequently and rapidly. This page offers some resources to help local governments stay informed and vigilant. In addition, MRSC staff members and contributors occasionally write about cybersecurity.

Audits and Assessments

Regular audits of hardware and software, as well as internal controls, can assess agency readiness and identify unaddressed risks related to cyber attacks. Resources are listed below to assist with this task.

• Cybersecurity and Infrastructure Security Agency (CISA): Cyber Resilience Review — Conducts interview-based assessments to evaluate an organization’s operational resilience and cybersecurity practices. Free to local governments.
• Government Accountability Office (GAO): Cybersecurity Program Audit Guide (2023) — Gives analysts and auditors the methodologies, techniques, and audit procedures they need to evaluate the components of agencies' cybersecurity programs and systems.
• MRSC: Information Security Assessment Tool (2015) — Developed in partnership with the SAO’s Center for Government Innovation and MK Hamilton and Associates (now CI Security), this tool allows local government staff and officials to self-assess their current information security abilities. Read the User Guide before completing the assessment.
• Washington State Auditor's Office (SAO) —  Offers free assessments and audits to public agencies, available upon request.
  • BeCyberSmart —  A fast assessment of an agency’s vulnerability to common cyberthreats, along with actionable steps to improve organizational cyber health.
  • Cybersecurity Audits — A thorough audit to identify areas of risk or vulnerability, recommend best practices tailored to the local government environment, and provide guidance for resolving the risks identified. Results of the audit are kept confidential under RCW 42.56.420 (4) and in accordance with Generally Accepted Government Auditing Standards, Section 9.61-67.

Plans and Procedures

Cybersecurity plans and procedures are kept confidential by government agencies to further protect their systems. These plans may address how the agency will protect sensitive data, ensure system integrity, minimize cyber risks, comply with industry regulations, cultivate cyber awareness, and respond to a cyber incident. 

Created by Pierce County, the downloadable Response and Incident Management Plan and Procedures, a generic plan for IT operations that local governments can customize to their needs and resources. It includes policies, procedures, information sharing and reporting, roles and responsibilities, an incident management flowchart, a major incident flowchart, and four appendices. Additionally, resources listed below may also help local governments devise their own procedures.

General Sample Plans

• Center for Internet Security: Critical Security Controls — Offers prescriptive, prioritized, and simplified set of best practices to strengthen organizational cybersecurity.  
• CISA: Incident Response Plan Basics — Offers a quick overview of steps to take before, during, and after a cybersecurity incident.
• Federal Emergency Management Agency (FEMA): Planning Considerations for Cyber Incidents, Guidance for Emergency Managers (2023) — Intended to help emergency management personnel collaboratively prepare for a cyber incident and support the development of a cyber incident response plan.
• Washington State Comprehensive Emergency Management Plan; Significant Cyber Incident Annex (2015) — Offers an overarching policy and approach to cyber incidents occurring or directly impacting Washington State.

Sample Plans from Local Governments

In the samples below, cybersecurity may be addressed as part of a larger comprehensive emergency management (CEMP) or an integrated information technology (IT) plan, or as a stand-alone policy. 

• Bothell CEMP Annex: Major Cyber Incident (2019) — Assigns responsibility and critical actions to prepare for and respond to an incident. The Concept of Operations section lists the services and departments served.
• Enumclaw: Acceptable Use of City Information Technology Resources Policy 800-006 (2018) — Covers many topics related to IT security, including the staffperson in charge of developing security protocols, city staff responsibilities regarding IT security and device use, and procedures to follow if a cyber incident takes place.
• Kirkland: Information Technology Strategic Plan (2018) — Integrates regulatory, security, and privacy issues into all aspects of the plan. Includes enacting resolution.
• Pierce County CEMP Cyber Incident Annex (2020) — References policies, planning assumptions, concept of operations, and the responsibilities of the primary agency, support agency, South Sound 911, and county departments and agencies.
• Shoreline CEMP Annex: Cyber Attack (2015) — Defines minor, major, and moderate attacks as an element to determine the city’s response level.
• Snohomish County Integrated Preparedness Plan 2023-2026 (2023) — Identifies cybersecurity as among the agency's five highest priorities.
• Tumwater: Policy Manual, Operating Policies - Information Technology Use (2018) — Offers security protocols for the use of the city technology, including telephone, cell phone, voice mail, computers, software, and computer-related networks.

Insurance

Some insurers have resources that can help local governments prevent, prepare for, and recover from a cyber incident, and some Washington cities and counties have chosen to add cyber insurance to their portfolio.

• Washington Counties Risk Pool Cyber Policy Sample (2016) — Offers a detailed cyber and technology liability policy.
• Kirkland Memo: Insurance Coverage Overview (2016) — Items D and E cover cyber insurance and crime insurance provided by the Washington Counties Insurance Authority (WCIA) through the global insurance company AIG.

Cyber Incident Reporting

State law (RCW 43.09.185) requires local governments to immediately notify the SAO in the event of a known or suspected loss of public resources or other illegal activity. Agencies hit by cyberfraud should be prepared to report loss of funds, financial data affected, ransomware payments, and any unauthorized access to information systems.

Additionally, Washington has two data breach notification laws, RCW 19.255.010 (for individuals and businesses) and RCW 42.56.590 (for state agencies and local governments). These laws require individuals, businesses, and public agencies to notify Washington residents who are at risk of harm because of a security breach that includes personal information. In general, notification must be made "in the most expedient time possible" and not more than 45 days after the breach was discovered. If a breach affects more than 500 residents, notification must also be provided to the Attorney General's Office (AGO) — see the Identity Theft and Privacy Guide webpage. 

Voluntary sharing of cyber incident information between state, local, and tribal law enforcement and the federal government is one way to ensure a safe and secure cyberspace. Additional agencies to consider reporting a cyber incident to include:

• Internet Crime Complaint Center (IC3) — As a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C), IC3 provides both information security and a place to file complaints, the latter of which can be stored and used for prosecution.
• Washington State Fusion Center (WSFC) — Concurrently supports federal, state, and tribal agencies, regional and local law enforcement, public safety, and homeland security by providing timely, relevant and high-quality information and intelligence services.

Individuals who are victims of identity theft should visit the Federal Trade Commission's IdentifyTheft.gov website for resources and guidance.

Resources for Monitoring and Updating

Many software companies, such as Microsoft, regularly release software patches for their products. Frequently, these patches update malware databases to protect a computer more effectively from well-known viruses.

• Microsoft: Update Catalog — Offers updates (patches) for Microsoft servers, drivers (for printers and scanners), and critical updates for multiple versions of Office. It is searchable, and the updates can be distributed over your network. 
• Multi-State Information Sharing and Analysis Center (MS-ISAC) — Acts as a resource for state, local, and tribal government information sharing, early warnings and alerts, mitigation strategies, training, and exercises. Offers members a free ransomware blocker, the Malicious Domain Blocking & Reporting (MDBR), to limit incidents related to known malware, ransomware, and phishing. 
• Public Infrastructure Security Cyber Education System (PISCES) — Allows small local governments in Washington (150 employees or less) to connect with universities for free cybersecurity monitoring and investigation. 

Examples of Cybersecurity RFPs

Below are some examples of requests for proposals to improve local government cybersecurity capabilities.

Washington State

• Kirkland 
  • Network Security Assessment RFP (2017) — Scope includes assessing the city’s data and voice network infrastructure.
  • Security Incident and Event Management (SIEM) Solution and Professional Services for Implementation RFP (2021) — Scope includes installation of SIEM solutions, cloud service (SaaS) SIEM solutions and managed detection and response SIEM solutions.
• Maple Valley IT Consulting Services RFP (2021) — Scope includes assisting city’s IT department with workload and improving cybersecurity through direct action and security incident preparedness. 
• Port of Tacoma Cybersecurity Assessment RFP (2015) — Scope includes assessing vulnerabilities in IT infrastructure, systems, policies, and practices and develop a prioritized set of actions to mitigate the risks.
• Snoqualmie Managed Detection & Response & Security Assessments RFP (2019) — Scope includes platform and security assessments. Vendor will provide real-time monitoring/analysis of suspicious activity; test and assess existing security and internal/external vulnerabilities; review and/or develop security policies and procedures; assess risk of data breach; and develop an incident response plan.

Out-of-State

• Phoenix, AZ: Information Security Assessment RFP (2016) – Scope includes assessing IT infrastructure and developing a plan to improve cybersecurity capabilities and address any deficiencies or weaknesses.
• Springfield, MO: Cybersecurity Awareness Training RFP (2016) – Scope include developing a cloud-based training program with a variety of courses for employees to take to increase cybersecurity awareness.

Resources

The resources below can help local governments stay up-to-date on cybersecurity guidelines, best practices, threats, and additional tools.

• Association of County and City Information Systems (ACCIS) — Composed of the Chief Information Systems Officers of counties and cities statewide. Also welcomes state agencies, special purpose districts, commissions, and ports as affiliate members.
• Center for Internet Security (CIS) — Offers free cybersecurity tools and services.
• Cyber Readiness Institute — Offers free cybersecurity resources focused on small and medium-sized businesses, including local governments.
• Cybersecurity and Infrastructure Security Agency (CISA) — Leads the federal effort to understand, manage, and reduce risk to the national cyber and physical infrastructure.
  • StopRansomware.gov — Centralized federal government resources to help public and private organizations understand the ransomware threat, mitigate risk, and know what steps to take in the event of an attack
  • National Cyber Awareness System Tips — Offers up-to-date information on threats, hoaxes, and safety in plain language for non-technical computer users. 
  • Telework Essentials Toolkit (2020) — Offers best practices and links to resources to help an organization transition to a secure, permanent telework environment by targeting administrators, IT professionals, and everyday telecommuting employees. 
  • Free Cybersecurity Services and Tools
• National Institute of Standards and Technology (NIST) Computer Security Resource Center — Provides information security tools and practices, acts as a resource for information security standards and guidelines, and identifies key security web resources to support users in industry, government, and academia.
• National 911 Program: Cybersecurity — Collaborates with the 911 community and other federal agencies to provide support for the development of cybersecurity resources aimed at keeping emergency communications technology safe.
• Washington Technology Solutions (WaTech) — Offers a variety of resources for local governments, including training (live and recorded), a guide to minimizing data collection, breach notification requirements, and methods for designing more secure systems.