Fewer Than Half the States Meet Recommended Cybersecurity Goals

Cyber attacks are a huge concern for state and local governments. Falling victim can mean downed services, compromised sensitive information, stolen money, and costly response and recovery work. Cybersecurity tops state chief information officers’ priority lists for 2025, according to the National Association of State Chief Information Officers.

But governments at all levels face challenges in this area, with funding and cyber professionals often in short supply. Figuring out the next steps for ramping up cybersecurity — and getting executive buy-in to do so — can be easier if the government knows what its strengths and weaknesses are and how it matches up against its peers.

The Nationwide Cybersecurity Review (NCSR) aims to provide that kind of information. The NCSR is a voluntary self-assessment that helps state, local, tribal and territorial governments, as well as state agencies and local departments, understand how well they're prepared to deter and respond to cyber attacks. It’s sponsored by the Department of Homeland Security and the Multi-State Information Sharing and Analysis Center and offered at no cost.

Last year, 48 states participated in the NCSR, which ranks governments on a scale from 1 to 7. Twenty-two achieved a score of 5 or higher. Getting such a score reflects that states have documented policies and procedures and are in the process of of aligning them with a formal security framework. States scoring below 5 might not yet have a formal cybersecurity policy in place, or may still be working on documenting standards and procedures that support the policy.

Local governments averaged just above 4 on the scale. These respondents included counties and cities, as well as K-12 public school districts, local police, public utilities and others. About 1,248 out of 3,122 participating local government entities (or 40 percent) hit the recommended score of 5 or more. A significant portion of other respondents appeared either to not conduct cybersecurity activities or do so with “informal, ad hoc processes.”

In general, state, local, tribal and territorial participants showed strengths in identity management and access control, restricting access to facilities and assets to only authorized users or devices. Many were also prepared to respond to contain a cyber incident and limit its impact. Participants also commonly had some level of continuous security monitoring in place.

But governments overall showed weaknesses when it came to having more advanced threat detection capabilities. Many lacked a formal strategy for assessing risks. They didn’t always analyze cyber incidents after they occurred, which would allow them to learn and then update their strategies, policies or procedures. And many in the government sector didn’t formally review and update their disaster recovery plans.

An Ongoing Problem

Governments are facing off against hackers who keep upping their game, launching more sophisticated ransomware and phishing attacks. Public-sector entities worry about emerging technologies, including malicious parties using artificial intelligence against them. They worry about their own potentially harmful mistakes when using AI to automate operations. They’re also concerned about how security will be affected if existing vendors incorporate emerging technologies, says Tyler Scarlotta, senior member programs analyst at the Multi-State Information Sharing and Analysis Center.

Just this month, a ransomware attack forced Rhode Island to take systems offline that are used to handle enrollment and eligibility verification for health and human services. This forced residents to resort to paper applications and disrupted access during the annual open-enrollment period for health insurance. Hackers also stole Social Security numbers, bank information and other personal data about 500,000 residents, putting those people at risk of monetary theft and identity theft.

On the opposite coast, hackers hitting Marin County, Calif., stole money the county had set aside for rehabilitating public housing. A cyber attack last January caused a New Jersey school district to cancel classes, and a February denial-of-service attack downed various online services for Pennsylvania’s court system.

Governments don’t have all the tools they want to fight back. Seventy percent of NCSR participants said lack of sufficient funding was one of their biggest challenges. They’d like to be able to hire more people and adopt solutions that won’t require much upkeep or maintenance on their part. Respondents listed lack of cyber professionals as another of their top-five challenges.

Many state chief information security officers have said they want the federal government to provide recurring, long-term funding for cyber. It remains to be seen whether that will happen. Observers are uncertain if the new Trump administration will renew the four-year State and Local Cybersecurity Grant Program, which sunsets in 2025. Kristi Noem, President-elect Donald Trump’s pick for secretary of Homeland Security, has called the program “wasteful” spending.

Groups including the Multi-State Information Sharing and Analysis Center and the federal Cybersecurity and Infrastructure Security Agency do offer free cyber tools and services. And governments can find some staffing relief through programs such as the federal Scholarship for Service, which gives students cybersecurity higher education support if they agree to work in government after graduating.

Just participating in the NCSR can be a helpful step for public-sector organizations. Government entities that have participated in prior years tend to score higher than those taking the NCSR for the first time, suggesting it may help them monitor progress and guide their investments and priorities.