Memo on State Cybersecurity Governance Bodies

This memo identifies commonalities and differences among the 22 states that established governance bodies tasked with identifying the cyber threats facing their state and the avenues for mitigating those threats. These governance bodies go by various names (councils, task forces, advisory councils, working groups, review boards, committees, and teams), and their classification tends to determine their lifespan, their authorities and their public reporting requirements.

The number of members on each body ranged from as many as 18 to as few as two, with a state information technology representative as the only member common to all the bodies. After state IT, the second-most commonly represented sector was the higher education community, which was present on 12 bodies. Other commonly represented agencies included homeland security departments, emergency management agencies, the National Guard and departments of revenue and commerce. Agencies and departments identified as chairs of, or designated with oversight over, the bodies included states’ IT departments, departments of homeland security, departments of public safety, emergency management agencies and offices of attorneys general.

These bodies were established through various mechanisms: 10 were created through executive orders, six were created ad hoc, five were legislatively enacted and one was created through a combination of an executive order and legislation. The bodies’ authorities vary, but those with legislative support appear to have more authority than the others. In West Virginia, the governor’s Executive Information Security Team is responsible for “reviewing any deficient audit findings and rectifying the conditions to a satisfactory status.” Likewise, Maryland’s Cybersecurity Council is responsible for assisting infrastructure entities in complying with federal cybersecurity guidance and assisting private sector cybersecurity businesses in adopting, adapting and implementing the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The other bodies’ roles and responsibilities ranged from broad mandates to narrowly defined tasks. The most commonly identified responsibility, assigned to 13 bodies, was developing policy guidance, goals or recommendations to improve the state’s cybersecurity posture. In contrast, the Connecticut and Iowa bodies were specifically tasked with creating a strategic document. Overall, the bodies are tasked with developing recommendations on a host of issues, but they are usually not given any authority to implement those recommendations.

Lastly, there were no clear metrics for measuring the effectiveness of the bodies other than the production of a report containing recommendations. Further, there is a lack of standards against which to hold the recommendations, such as assessing whether a recommendation fulfills a NIST Cybersecurity Framework standard.