Governors recognize that the foundation of today’s economy, national security and the daily operations of government are increasingly dependent upon the security and reliability of communications technology and other digital infrastructure. With rapidly evolving and increasingly complex cyber incidents on the rise, governors support a comprehensive approach to protect critical infrastructure assets and sensitive information systems at the national, state and local level. All levels of government and the private sector must work together and share responsibility to ensure appropriate policies and processes are in place to detect and avoid disruptions as well as provide a coordinated response and recovery in the event of a cyber attack.

2.1.1 Principles

  • The federal government should view states as full-fledged partners in the intelligence process. States should be considered primary sources of cybersecurity threat intelligence to the federal government and recipients of federal threat assessments and intelligence. Federal policies should clarify roles and responsibilities for cyber incident response that recognize governors’ authorities.
  • Processes should be established and tested to ensure coordination and communications between federal and state authorities during cyber incidents are effective and consistent. Alignment of state cybersecurity plans with the National Cyber Incident Response Plan will facilitate an efficient and coordinated government response to serious cyber incidents.
  • The federal government should provide states with maximum flexibility to develop and implement innovative cybersecurity practices at the state level, including use of state National Guard resources in State Active and/or Title 32 duty status to defend critical infrastructure.
  • The federal government should work with states to identify resources states can bring to bear, including private and nongovernmental organizations within states, to improve cybersecurity preparedness.
  • The federal government should anticipate that cybersecurity incidents may result in consequences triggering state emergency response processes, plans and investigations that could lead to requests for assistance.

Time limited (effective Winter Meeting 2017 – Winter Meeting 2019).
Adopted Winter Meeting 2017.