AWS Public Sector Blog

Whole-of-state cybersecurity: How to implement and build a sustainable program

In 2021, US President Joe Biden signed the Infrastructure Investment and Jobs Act (IIJA) that created the State and Local Cybersecurity Grant Program (SLCGP). Now in its second year, the SLCGP provides funding to eligible entities to address cybersecurity risks and threats to information systems owned or operated by, or on behalf of, state, local, or tribal governments. The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) recently released the FY23 Notice of Funding Opportunity (NOFO) in July 2023. This funding opportunity allocates $374.9M to states, local government, and territories to aid them in building and strengthening their cyber posture.

At Amazon Web Services (AWS), in conversations with state security professionals, many have voiced concerns and hesitancy to use these funds because they are non-recurring. Other state chief information security officers (CISOs) have cited legacy friction and lack of authority between state and local government entities as a blocker to developing a more holistic whole-of-state (WOS) cybersecurity program. While SLCGP is a four-year program, the whole-of-state effort needs to be sustained and optimized long after the four years of funding expires.

But now is the time for state and local government agencies to act quickly and think strategically about their approach to building a resilient WOS strategy.

Some trailblazing states such as Arizona and New York have had measures of success in establishing a WOS footprint. These states addressed concerns using best practices and by thinking strategically about short and long-term outcomes to support secure digital transformations and protect constituent data and services.

This blog post outlines some of these best practices that organizations can consider in their WOS cybersecurity approach.

Best practices to building a sustainable whole-of-state cybersecurity program

1. Establish the appropriate governance model

For the most part, when it comes to implementing a WOS approach to cybersecurity, there are two main mechanisms: bottom-up and top-down.

The bottom-up approach assumes that the local government or K12 entity will procure, manage, and report on their implementation and security posture at a pre-defined time—not unlike the system many states use today. The bottom-up approach is the most flexible, though it can lead to security blind spots in the statewide cyber ecosystem, since it does not give broad visibility into risks and does not allow for rapid response to threats. Additionally, without governance, this model can introduce technology sprawl and inconsistent deployment and management of security controls. There are ways to mitigate this risk, such as developing a set of agreed-upon technical specifications that allow for interoperability, data ingestion, and/or reporting up to the statewide governing body. But without a formalized approach, organizations may continue to struggle with incident response, as evidenced by the continued increase in attacks against state and local government agencies.

In a top-down approach, an executive sponsor agency at the state level takes the lead in procuring security control solutions. The sponsoring agency manages and maintains the environment at the enterprise level (if technically feasible), and provides services to local government and/or academic institutions, including K12. The State of Arizona adopted a similar model when it established the Arizona Statewide Cyber Readiness Program. The top-down model supports best practices such as information technology (IT) standardization, cost management, enterprise reporting, and centralized contract and licensing visibility—supporting the consuming agency’s autonomy of operations while still maintaining enterprise governance.

States can also implement hybrid variations of these two models, but may find difficulties in managing interoperability and governance.

2. Use federal and state funds to kickstart and sustain your statewide efforts

The concerns that organizations have around implementing a WOS program without a recurring budget are understandable. When recurring budget is a concern, organizations can consider implementing only those essential security controls that will have a high degree of success.

An example may be a security capability that has been previously deployed, for which there are trained subject matter experts to support broader expansion relatively simply and quickly. These capabilities should support visibility, interoperability, education, and risk reduction. They should also align with business needs and outcomes. Examples of these may include endpoint detection and response (EDR), cyber awareness, identity and access management, incident response, and vulnerability management. These capabilities are basic foundational security needs that are often unavailable throughout local government entities. When building the WOS strategy, organizations should make sure plans fully address people and processes, not just the technology.

To help sustain a WOS cybersecurity program, organizations can use a phased approach starting with the SLCGP funds. The plan should factor in key elements such as time to socialize and promote the program, and enough buffer to realize a return on investment before contracts expire and legislative budget requests are due.

In a parallel effort, begin the necessary steps to obtain long-term funding by engaging key state and local government leadership. Having state leadership and legislative support can lead to future state funding, and a means to sustain the efforts underway with the federal funds. This effort starts with educating those in positions to support the program, and making sure they fully understand the value of their investment and the current risks and threats faced by government entities. Educational sessions can take many forms; however, a comprehensive education plan includes immersive sessions for state and local government leaders and other C-suite executives that cover financial, procurement, business outcome, and risk mitigation strategies. Make your state leaders your cheerleaders and remember an important rule in security planning: never leave money on the table.

3. Create a whole-of-state relationship strategy across the public and private sectors

To be effective in a WOS cybersecurity strategy, it is important to build public-private collaborations. Organizations can work with vendors that are willing to be flexible and creative in ways that facilitate the best outcomes for state investments. Developing a strategy with your vendor and your government stakeholders can help to get buy-in, right-size the procurement, maximize the funds, and reduce time to deployment. Agencies can collaborate with vendors on proof of value (POV) engagements to better understand product capabilities and reduce procurement delays. In doing so, teams can be trained as part of the process, but more importantly, states can establish a footprint that can then be expanded to local government agencies across the state.

An important aspect to a successful deployment strategy is alignment with stakeholders. The supporting agency, whether it is a state consolidated IT or other shared services organization, needs to start by building the relationship based on shared risks. The supporting and supported agency must agree on time and capacity to consume the licenses as part of the overall project plan. In doing so, organizations mitigate the risks of customer friction, deployment delays, and loss of operational time.

Project management and reporting are key to supporting overall success during the planned deployment phase. Taking a crawl, walk, run approach supports a license usage model that is efficient and cost effective, and reduces the risk of waste. Shared service organizations should also identify upfront what the overall deployment goals are, and which key metrics define a successful deployment. Examples include deployment frequency and percent to completion; define these before engaging potential customers.

Another consideration is to discuss whether a solution or service will be offered managed or unmanaged. Very often, organizations do not understand the heavy lifting associated with a new technology. Constraints like personnel and skills shortages can quickly become an issue. For WOS deployments, the shared service IT agency should make sure that managed options are made available for less mature organizations, shifting the heavy lifting to better resourced organizations and freeing agencies to focus on the more mission-critical goals.

4. Build a foundation for visibility and observability across your ecosystem

States can implement a WOS cybersecurity program in various ways. However, those who have been successful have all aligned their practices to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and its principles, i.e., identify, detect, protect, respond, and recover; or to other frameworks like the Center for Internet Security (CIS) Critical Security Controls. When implementing WOS efforts, focus on measures that reduce risks and infrastructure complexity while obtaining threat intelligence. A common trend in WOS cybersecurity initiatives is the prioritization of response efforts. States are implementing measures to understand the threat landscape by aggregating security logs in a central repository for analysis and triage within a security operations center (SOC).

Organizations embarking on this effort may consider using the cloud for its ability to scale, process, secure, and store the high volume of logs necessary to give deep insights and threat-hunting opportunities. Traditional on-premises models typically cannot fully provide the zero trust architecture, compliance, visibility, and scalability that the cloud offers, such as native security services from AWS. In addition, if not planned upfront, organizations with on-premises infrastructure can quickly find themselves overwhelmed by the cost associated with the large amounts of data that require parsing, analysis, triage, and long-term storage. More mature organizations are now looking into leveraging data lakes, such as Amazon Security Lake, to provide a cost-effective environment for retention and for managing storage costs.

5. Implement a modern approach to procurement

As state and local government organizations move toward adopting a WOS cybersecurity program, one of the first things to consider is procurement. Procurement delays have long been a cause of concern for state and local agencies. The Best Practice Guide for Cloud and As-A-Service Procurement report from GovTech highlights ways to adopt efficient procurement strategies.

Once an organization has established a procurement mechanism for WOS efforts, the next step is to track and report on progress. Specific areas such as license utilization, cost management, and organizational gaps and successes are key metrics for reporting to leadership when looking to secure a recurring budget to sustain the program. An effective way to do this is to create a digital marketplace for the selected security products and services. A digital marketplace is a one-stop shop that enables program governance, visibility, cost optimization, and in some cases volume discounts and accelerated deployment. The State of Arizona used AWS Marketplace in their WOS effort to support a more agile and efficient experience. Organizations interested in pursuing this mechanism should begin discussions with their procurement offices sooner rather than later to remove blockers and mitigate friction.

Next steps for building a whole-of-state cybersecurity program

State and local government agencies must provide essential services to their residents. It is incumbent on the entire cyber ecosystem, private and public sector, to protect the confidentiality, integrity, and availability of these services against unauthorized access and compromise. Cybersecurity funding has long been a barrier for state and local governments to implement cybersecurity strategies—but with federal support, there is funding available for use.

Regardless of which approach is used to implement a WOS cybersecurity program, visibility, governance, collaboration, and information-sharing will be the overall key indicators of success. The organizations that will have far-reaching success are those that leverage or create cybersecurity committees or governing risk boards; meet regularly and work across the state divide; gather data to understand the risk landscape; leverage opportunities to consolidate contracts and reduce costs; and continually optimize for effectiveness.

To learn more about how state and local government customers can increase their governance, visibility, and security of their services in the cloud, contact us directly with your questions.

Maria S. Thompson

Maria S. Thompson is the state and local government executive government advisor for cybersecurity at Amazon Web Services (AWS). In this role, she brings over 20 years of experience in information technology, strategic planning, computer network defense and risk management. Prior to her role with AWS, Maria served as North Carolina’s first State Chief Risk and Security Officer. There, she was instrumental in establishing the Whole of State Approach to Cyber. This included the development and implementation of the state’s first Cyber Disruption Plan, and the Joint Cyber Task Force (JCTF). Maria also served 20 years in the United States Marine Corps and retired as the cybersecurity chief/information assurance chief for the Marine Corps. Other security roles held include certification and accreditation (C&A) lead for the Multi-National Forces – Iraq and senior security engineer in a joint military organization and Security Operations Center lead for a federal agency.