The US Department of Homeland Security (DHS) and the National Association of State Chief Information Officers (NASCIO) have released a joint report and supporting case studies identifying how five states - Georgia, Michigan, New Jersey, Virginia, and Washington - use laws, policies, structures, and processes to govern cybersecurity as an enterprise-wide, strategic issue across state government and other public and private sector stakeholders.
Every day, states and territories rely on networks and systems to ensure continuity of commerce and delivery of mission-critical services. These systems are at risk of disruption from cyberattacks by adversaries and from natural events. Addressing these risks requires a mix of capabilities across people, processes, and technology, including governance: the ability to prioritize, plan, and make decisions about cybersecurity across multiple organizations.
The report and case studies explore cross-enterprise governance mechanisms (i.e., laws, policies, structures, and processes) used by states to help prioritize, plan, and make cross-enterprise decisions about cybersecurity across:
- Strategy and planning;
- Budget and acquisition;
- Risk identification and mitigation;
- Incident response;
- Information sharing; and
- Workforce and education.
The report identifies common trends in how cybersecurity governance is addressed across the five states, with supporting examples from the case studies that highlight the specific mechanisms each state used to implement that governance. The report offers concepts and approaches to states and organizations that face similar challenges.
The states that participated in this project recognized the importance of governance in addressing cyber risks and have taken important steps to strengthen how they govern cybersecurity. DHS and NASCIO appreciate their willingness to share their stories. Other state, local, tribal, and territorial governments are encouraged to draw on these studies when considering governance mechanisms for their own organizations.