This memo provides an overview of state cybersecurity strategies, as well as information technology and homeland security strategies with cybersecurity components. Possessing and implementing a cybersecurity strategy is critical for the state and assists in garnering more resources. Through this overview, NGA has identified a number of best practices for states considering developing a statewide cybersecurity strategy. Among the 22 plans identified in 18 states, 14 are IT strategic plans, six are cybersecurity strategic plans, and two are homeland security strategic plans. The IT and homeland security agencies’ strategic plans tend to limit their scope to primarily protecting the state’s IT ecosystem and critical infrastructure, respectively. The statewide cybersecurity strategic plans, however, detail specific objectives to achieve a wide range of goals.
Nonetheless, there were recurring goals throughout all the plans: protecting state’s IT infrastructure and data; developing and exercising a cyber response plan to protect critical infrastructure; training employees on cyber hygiene; improving the cybersecurity workforce talent pool; creating a governance structure and metrics; and creating partnerships. The following section highlights states with innovative goals and objectives within these areas.