Cybersecurity Update – January 2022

Updates from the Resource Center for State Cybersecurity team, January 24, 2022


Resource Center Announcements

NGA Request for Information: 

When Colorado’s Department of Transportation came under ransomware attack in 2018, its response/recovery included a successful Emergency Management Assistance Compact (EMAC) request answered by California’s Office of Emergency Services. This was the first use of EMAC for a cybersecurity mission. Has your state had occasion to consider requesting assistance under EMAC? What considerations counseled in favor or against making such a request? Please contact Steve Fugelsang here to discuss. 

Kansas Cybersecurity Task Force – Final Report Published 

On January 4, Kansas Governor Laura Kelly announced the release of the state Cybersecurity Task Force’s final report. The Task Force’s forty-one recommendations, organized by subject areas such as Cybersecurity Governance and Strategy and Incident Response Exercises and Training, include seventeen identified as critical. Kansas is among the five states that participated in NGA’s 2021 Cybersecurity Policy Academy.

Indiana’s Cybersecurity Initiatives – Recent Publications 

Indiana is among the five states that participated in NGA’s 2021 Cybersecurity Policy Academy.  Recent publications stemming from the work of its Indiana Executive Council on Cybersecurity (IECC) include: 

NGA Publication on Executive Authority During Energy Emergencies  

In December, the NGA Center for Best Practices published a report entitled “Executive Authority During Energy Emergencies.” The report functions as a roadmap to help Governors prepare in advance of an energy emergency (such as one precipitated by a cyberattack) to identify pertinent emergency authorities and coordinate with state, industry, and federal partners. 


Cybersecurity Resources 

CISA Insights on “Implementing Urgent Cybersecurity Measures Now to Protect Against Critical Threats” 

CISA recently released this product, which complements the recent report “Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure.” Several entities in Ukraine have suffered a malicious cyber incident. This Insight is intended to ensure that U.S. senior leaders are equipped with the information to prevent potentially damaging cyberattacks.

Resources: 

Cyber Action Plan: Infrastructure Implementation Recommendations for State and Local Governments 

In November, President Biden signed the Bipartisan Infrastructure Deal into law. This legislation features a series of cyber-related provisions as well as a new State and Local Cybersecurity Grant Program. The Information Technology Industry Council (ITIC) and BSA – The Software Alliance have each released a set of cyber policy recommendations for state and local governments as they prepare to allocate resources under this law.  

Resources: 

BCG Resource for State Government Cybersecurity Improvement 

Click here for a resource from Boston Consulting Group (BCG) on the cybersecurity challenges facing states and strategies for navigating them. An appendix details relevant federal funding streams including the new State and Local Cybersecurity Grant Program. 

Incident Reporting to U.S. CYBERCOM — “Cyber 9-Line” 

U.S. Cyber Command (CYBERCOM) welcomes efforts to integrate its Cyber 9-Line paradigm into states’ emergency cyber incident response plans, citing national security benefits including improved event detection and increased preparedness. This effort seeks to standardize and integrate state response with federal efforts, to improve real-time tracking of emerging threats. For more information, see this slide or email Steve Fugelsang.

January 26 ITI Cyber Planning Event for State and Local Governments  

The Information Technology Industry Council (ITIC) will host a digital event on January 26 at 2PM ET to discuss the new infrastructure law and its effects on state and local governments. There will be a virtual discussion on pending investments in these areas. Please RSVP for the event here.   

January 27 State and Local 2022 Tech Forecast: Opportunities for Growth 

CompTIA Public Technology Institute and NASCIO will host their annual webinar on January 27 at 2PM ET. This event will provide an overview of coming technology issues implicating state and local governments. Please register for the webinar here.   

January 27 Washington State Data Privacy Webinar  

Data Privacy Day is recognized nationally and internationally on January 28 to raise awareness about the importance of privacy and safeguarding data. To celebrate and recognize the day, Washington’s Office of Privacy and Data Protection is hosting a free webinar on privacy legislation and trends at the state and federal levels on January 27 at 10 – 11AM PST. For the meeting link, please email privacy@ocio.wa.gov. The webinar will also be posted at the office’s website for those who cannot make it. 


Cybersecurity News 

CISA to Increase Cybersecurity Support for State Governments  

CISA has added 42 new state coordinators to its team. Utilizing federal and local resources, coordinators will assist states in developing plans and creating best practices. Because state coordinators are essential to strengthening cybersecurity infrastructure, CISA has allocated $5 million for the state cybersecurity coordinators program. Please read the full article here.  

U.S. Senate Passes Bill to Increase Cybersecurity Coordination Between States, DHS 

On January 11, the Senate approved bipartisan legislation to increase cybersecurity coordination between the Department of Homeland Security and state and local governments. The State and Local Government Cybersecurity Act authorizes CISA to provide state and local actors resources to upgrade security tools and procedures. The bill is now under consideration in the House of Representatives. Please read the full article here.

10 Senators Request Information on Nation’s Plans for Critical Infrastructure

On January 3, 10 Senators sent a letter to the secretaries of the Department of Homeland Security and the Department of Transportation requesting an update on plans for responding to a cyberattack on the nation’s critical infrastructure. The senators’ letter seeks details on DHS and DoT plans to meet new requirements under the National Defense Authorization Act. Please read the full article here.  

Senate Passes Bills Aimed at Ransomware, Data Breaches 

On January 19, Pennsylvania’s state senate passed a package of legislation aimed at preventing data security breaches and requiring victims and law enforcement officials to be notified when they do happen. The first bill would require the state to strategize to prevent ransomware attacks. The second bill would require any state agency, school, or local government to notify individuals of any breach of personal information. Please read the full article here.   

Maryland Officials Want Answers as Problems Persist a Month After Cyberattack 

Maryland health workers are still unable to use computers following the cyberattack on Maryland’s Health Department. This roadblock is preventing both the medical response to the pandemic and routine medical responses. Lawmakers have provided the public with incomplete explanations from the administration of Gov. Larry Hogan (R). Legislative leaders have acknowledged that sensitive details may need to be handled in a closed session. Please read the full article here.

New Mexico Experiences Local Government Ransomware Attack 

On January 5, Bernalillo County in New Mexico experienced the first ransomware attack of the year. The attack seemed to be directed at its computer systems, and in response the county government took all systems offline. Last year, at least 76 municipalities reported debilitating ransomware attacks. Please read the full article here.    

5000 School Websites Affected by Ransomware Attack 

Software provider Finalsite suffered a ransomware attack that affected the websites of about 4,500 U.S. schools. In response, the technology firm shut down and rebuilt its systems. Nationwide, remote learning has been disrupted on several occasions due to ransomware attacks, most notably Baltimore County’s public school system in November 2020. The Government Accountability Office recently called on the Department of Education to do more to protect schools. Please read the full article here.