Skip to content
Get A Demo
Sign Up Free
    April 19, 2024

    A Guide to Cybersecurity Compliance for State and Local Governments

    Perhaps somewhere in an alternate universe public sector IT teams don’t have to spend valuable time and resources on cybersecurity regulatory compliance. Your full focus could go into implementing new citizen services, supporting more efficient workflows, and taking advantage of advanced technologies. But in our universe, ongoing cyber threats to infrastructure, communities, and individuals have led to a growing list of compliance regulations that fall under the purview of cybersecurity and IT teams.  

    In that alternate universe there may also be IT teams that are flush with funds and people who can tackle every project and still make it home by dinner time. Meanwhile in the real world, you need to figure out a way to manage an increasingly sophisticated IT environment, detect and protect against cyberattacks, and demonstrate compliance for multiple agencies.

    The Importance of Combining Cybersecurity and Compliance Initiatives

    Short of major modifications to the time-space continuum, you’re going to have to figure out how to do it all with the time and resources on hand. That means a little multi-tasking is in order. With a little planning you’ll find that it is possible to combine cybersecurity and compliance initiatives, securing your infrastructure and a passing grade from regulatory agencies at the same time.

    Blumira SIEM (security information and event management) is a SaaS cybersecurity detection and response solution that includes robust support for compliance frameworks. So you can build out cybersecurity plans that meet regulatory requirements without a lot of additional resources. This guide will get you started with your planning. 

    First, know what you’re dealing with.

    Understanding Compliance Frameworks

    Gather the most current versions of each compliance guide that applies to your situation. Local and state governments need to be aware of what’s required in the following frameworks:

    Criminal Justice Information Services (CJIS)

    Compliance parameters for protecting criminal justice information, as well as added protection for criminal history record information (CHRI). 

    Health Insurance Portability and Accountability Act (HIPAA)

    Any government entity that handles healthcare data, like a jail or prison, must demonstrate that it’s properly protecting health information while making sure data is readily available to patients and providers.

    IRS Publication 1075

    This requires that federal, state, and local agencies protect federal tax information (FTI) and any personally identifiable information (PII) related to the IRS, so that it can only be disclosed to authorized people.

    NIST SP 800-53

    While the National Institute of Standards and Technology (NIST) Cybersecurity Framework is a voluntary guide for most private sector companies, the Federal Information Security Modernization Act (FISMA) requires state or local agencies with federal programs to implement its security controls. NIST also provides 1800-series publications that can be used as a how-to guide to implement these standards.

    If you’ve ever worked on compliance mandates, you may already be pouring yourself another dose of caffeine so you can stay conscious while reading through the documents listed here. But before you get started, we’d like to propose a methodology. 

    Mapping Your Compliance Requirements

    Find the commonalities, and map your compliance requirements.

    Rather than addressing each regulation separately, you’ll find that many compliance requirements overlap across frameworks. That means the work you do for one regulation can apply to others. So the next step is to get organized. And that can be done by breaking individual requirements down into a spreadsheet.

    Creating a Compliance Spreadsheet

    Digging into the different compliance requirements for state and local governments, you’ll start to identify commonalities. These can be put into categories:

    • Implementing strong access controls
    • Rolling out awareness training
    • Auditing system activities
    • Encrypting sensitive data 
    • Securing systems and communication, such as applications and endpoints
    • Keeping up with updates and patching
    • Establishing an incident response plan
    • Undergoing periodic formal audits
    • Ensuring that third-party business associates and contractors adhere to the same standards as internal staff

    Use these major categories to organize your spreadsheet. Then, lay out a column for each framework that applies and sort specific requirements within the categories. To get started, you can take a look at this example of how the U.S. Department of Justice maps CJIS Security Policy to NIST SP800-53. Commonalities will be sorted across the rows. Add more categories if needed for your specific situation. Note, the categories above are a modification of what is in the CJIS example.

    Conducting a Gap Analysis Leads to Planning for the Future

    Chances are you’re not starting cybersecurity compliance at zero. You’ve already got activities and protocols in place. Once you’ve laid out all the requirements on your spreadsheet, you can identify what you’re doing well and what needs attention. Now you’re building the foundation of your cybersecurity compliance plan.

    Just add these columns to your spreadsheet:

    • Doing well – This is where you get to congratulate yourself (and your team) for the measures that are already in place.
    • Assigned to – Document the individual or position that’s responsible for maintaining each compliance standard. This list will make up your cybersecurity compliance team. (Sanity tip: Don’t assign everything to yourself).
    • Audit timing – While regulatory agencies will always reserve the right to surprise you, you should at least make sure your team is aware of any scheduled audits or data requirements. This will help you prioritize tasks.
    • Near-term priority – This is where your gap analysis comes in. Any mandatory regulation that didn’t make it onto the ‘Doing well’ list needs to become a near-term goal. These gaps will become your to-do list for allocating time and resources. 
    • Long-term goal – While you may be able to implement stop-gap measures so that you’re technically in compliance, there are potentially more effective or efficient ways to protect your systems and data. This column helps you outline those opportunities.
    • Future planning – Cybersecurity threats are constantly evolving, which means you need to stay ahead of potential threats. This column can help you outline resource requests and potential grant funding. 

    Cybercriminals have local and regional government entities in their sights. They believe, often rightly, that smaller organizations lack the funding and sophistication to detect and repel threats. They also understand the importance of the data and infrastructure you’re charged with protecting. Compliance isn’t just a matter of satisfying auditors. It can mean avoiding a damaging ransom event or a highly publicized data breach. 

    Now that you’ve identified the gaps, let’s look at ways to close them. 

    Securing Funding for Cybersecurity Initiatives

    Next to-do: Apply for a cybersecurity grant

    If you finished your spreadsheet exercise asking, How exactly are we going to pay for all this?, you can now add one more thing to the list: Apply for a grant. The Infrastructure Investment and Jobs Act (IIJA) of 2021 established the State and Local Cybersecurity Improvement Act. This federal law includes a grant program that’s awarding $1 billion over four years. The program includes the State and Local Cybersecurity Grant Program (SLCGP), and the Tribal Cybersecurity Grant Program (TCGP).

    Grant funds are being made available to state, local, territorial, and tribal governments in order to address cybersecurity risks and threats to information systems. You can learn more about applying for a grant on the CISA website. In addition to grants targeted at closing the cybersecurity gap, the Government Accountability Office (GAO) identified 27 grants available from eight agencies that could also be used to support cybersecurity. These are the departments and the number of grants available as of November, 2023:

    • Department of Interior (1)
    • Department of Justice (4)
    • Department of Labor (2)
    • Department of Transportation (9)
    • Election Assistance Commission (2)
    • Environmental Protection Agency (5)
    • Institute of Museum and Library Services (2)

    None of these grant programs exclusively support cybersecurity activities, so you should look carefully at application guidelines to make sure you’re targeting your request to what the program is trying to accomplish. Now that you’re organized, it’s time to get things done.

    Everyone gets involved in state and local cybersecurity

    Building a Culture of Security

    While the hub of cybersecurity compliance will likely reside within IT, its effectiveness will require the involvement of people across the organization. By building a culture of security, everyone understands how they play a role in protecting vital resources – whether that means data, infrastructure, or public trust. Make a plan for educating and involving these stakeholders: 

    Engaging your cybersecurity compliance team – In the spreadsheet you developed above, you identified the individuals who will be responsible for each component of your cybersecurity compliance plan (and hopefully it’s not just the usual suspects). Gather your team and identify the specific activities they’ll be responsible for in order to meet the organization’s goals.

    Training employees and vendors – The more you build awareness of potential cybersecurity vulnerabilities, the more individual team members can act as your frontline eyes and ears to potential threats. Ongoing training, coupled with easy ways to report suspicious activity, makes cybersecurity part of everyone’s job.

    Educating Constituents – The citizens, organizations, and companies you serve can play a vital role in protecting their own data and shared resources when provided with helpful tips and education. This can be done through everything from workshops to social media and messages on billing statements.

    Multiply Your Team and Your Compliance with Smart Automation

    At the end of the day, with all your cybersecurity compliance plans in place, you’re still living in this real world of finite resources. Your team still has a lot on their plate, and it’s unlikely that you’re going to be able to bring on experts to just stare at a threat detection tool all day. That’s where automation comes in. Blumira SIEM + XDR, for example, will automatically contain endpoint threats and block malicious traffic, any time of day or night. That means a threat is stopped before it’s able to move around your systems. 

    Customer Success Story: Ottawa County, Michigan

    Other Blumira automation tools include pre-written workflows for faster threat responses and SIEM for logging and monitoring. Mike Morrow, Technical Infrastructure Manager for Ottawa County, Michigan, told us how using Blumira for compliance saves on time and personnel:

    “We’re required by CJIS and IRS Pub 1075 compliance to review our logs daily. There’s no way we can watch all of our infrastructure. Blumira has saved us time because we can’t monitor all of our logs—we would need a team of 100 to go through all of these logs manually.”

    Blumira SIEM + XDR users have access to expertise from Blumira support teams who help them tune the platform for focused results, interpret findings, and design automated reports for compliance or other purposes. 

    checklistChecklist for Evaluating a Cybersecurity Compliance Solution

    As you develop your business case for a comprehensive cybersecurity compliance solution, here are some factors you’ll want to consider:

    • Easy setup – Getting started should happen in a day, not weeks. And you shouldn’t have to hire an expensive consulting team to install the solution.
    • Easy to use – Multiple members of your team should be able to navigate the platform, understand the alerts, and follow response templates.
    • Advanced detection and response – Some platforms only detect endpoint threats. Look for a solution that provides comprehensive coverage and includes multiple integrations.
    • Expert support – Be sure the people behind the product are cybersecurity experts, and available when you need them.
    • Time-saving automations – A solution isn’t a solution if you’re still doing all the work. Make sure you understand how automations will make your life easier.
    • Logging and reporting – Cybersecurity compliance frameworks require that logs are retained for specified periods of time. And when auditors are on the way, you’ll want to be able to produce reports without setting aside other work.

    How Blumira Can Help State and Local Governments Meet Regulatory Requirements

    While Blumira is easy to set up and use, it includes robust features that help you and your team save time and efficiently meet regulatory compliance frameworks. As you build out your cybersecurity compliance plan, be sure to let us know how we can help. Blumira SIEM + XDR is already protecting many local and state governments while also helping them streamline compliance.  

    Check out our guide on How State and Local Governments Can Choose the Right Cloud SIEM for NIST to read more about compliance strategies for the public sector.

    More from the blog

    View All Posts