# Security for Government (State and Local)
## Definition: What Makes SLTT Security Unique
State, local, tribal, and territorial (SLTT) governments hold the most comprehensive collection of citizen data in existence. Every resident's personal information touches government systems at some point: driver's license and vehicle records at the DMV, property tax records at the assessor's office, court records at the clerk's office, benefits data at social services, utility account information at the municipal utility, and criminal justice records at law enforcement agencies. A state government breach does not affect a subset of customers. It can affect every resident.
The security challenge in SLTT government is structural and systemic. Government agencies operate under procurement rules, budget cycles, and workforce constraints that make rapid security investment difficult or impossible. A private sector organization facing a critical vulnerability can buy and deploy a solution in weeks. A municipal government may need six months to initiate a procurement process, a year to award a contract, and a second year to fund and deploy the solution. By then the exposure has been open for years, and the vulnerability may well have been exploited.
SLTT governments also face a workforce retention problem with no easy solution. Experienced cybersecurity professionals command salaries that government pay scales cannot match. Security staff who develop expertise often leave for the private sector within two to four years, taking institutional knowledge with them. The result is a chronic skills gap that compounds over time.
Despite these constraints, SLTT governments are among the most thoroughly targeted entities in the country. They hold critical data, operate critical services (911 dispatch, courts, elections, utilities), and are frequently easier to breach than their federal counterparts. They cannot afford to fail: when a city's water treatment supervisory control systems go offline, public health is at stake.
---
## The Threat Landscape: Who Attacks SLTT and How
### Ransomware
Ransomware has caused more documented financial and operational damage to SLTT government than any other threat type. The cost figures are stark and well-documented:
The City of Atlanta was hit by SamSam ransomware in March 2018. The attackers demanded approximately $51,000 in bitcoin. Atlanta refused to pay and spent an estimated $17 million on recovery, including replacement of computers across multiple departments and restoration of digital services that were taken offline for weeks. Court records, police dashcam footage, and a decade of electronic documents were lost permanently.
The City of Baltimore was struck by RobbinHood ransomware in May 2019. The attackers demanded approximately $76,000 in bitcoin. Baltimore refused to pay and spent approximately $18 million on recovery. City employees lost access to email for weeks. Real estate transactions could not close because title searches require city records that were inaccessible. Emergency services were disrupted.
These two examples bracket the pattern: a ransom demand in the tens of thousands and a recovery cost in the tens of millions, more than two orders of magnitude apart. Paying does not avoid most of that cost. Forensics, rebuilding compromised systems, and restoring data from whatever backups survived are required whether or not a key is obtained, and the payment buys a decryptor that may not work, from attackers who may not honor the agreement.
Smaller municipalities have faced similar dynamics at smaller scale. A county government hit with ransomware loses access to the same critical functions: property records, tax processing, court management, email, and payroll. The ratio of damage to ransom demand holds.
### State-Sponsored Pre-Positioning
CISA and its partner agencies have documented Volt Typhoon, a People's Republic of China state-sponsored actor, maintaining long-term access to the IT networks of U.S. critical infrastructure operators, including communications, energy, transportation, and water and wastewater systems, many of which are owned or operated by SLTT government. The assessed intent is disruptive: to be in place to degrade communications and services in the event of a conflict. The tradecraft is "living off the land": using built-in system tools (netsh, wmic, ntdsutil, PowerShell) and valid credentials rather than malware, so that signature-based detection has nothing to match on.
State-sponsored pre-positioning is a Threat Intelligence and Defense (TID) challenge: the actor is already inside, operating within the bounds of normal administrative activity, and is detectable only by comparing that activity against a baseline of what each account and host normally does. Most SLTT governments lack both the baseline and the detection capability.
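As an added illustration that is not part of the original article or of any CISA guidance, the script below shows what "behavioral analysis" means at the level of individual events: it scores constructed process-creation records (Sysmon Event ID 1 / Windows 4688 style fields) against a handful of command-line idioms of the kind seen in living-off-the-land intrusions, and against a per-account baseline of which hosts and admin tools that account normally uses. The rules, weights, baseline and events are all constructed for illustration and would need tuning to a real environment.

```python
"""Toy behavioural triage of process-creation events for living-off-the-land activity.

Signature tools key on malware. LOTL activity uses legitimate binaries, so the
signal is *how* and *where* a tool is used: the command-line idiom, whether the
account has ever worked on that host, and whether several admin tools are run
in quick succession. Events, baseline and rules are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line idioms (regex, weight, label). Illustrative, not a production rule set.
CMDLINE_RULES = [
    (re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I), 5, "portproxy pivot"),
    (re.compile(r"ntdsutil.*\bifm\b", re.I), 8, "ntdsutil IFM (AD database dump)"),
    (re.compile(r"reg(?:\.exe)?\s+save\s+hklm\\(sam|security|system)", re.I), 6, "registry hive save"),
    (re.compile(r"vssadmin.*create\s+shadow", re.I), 4, "shadow copy creation"),
    (re.compile(r"wmic\s+.*process\s+call\s+create", re.I), 3, "process creation via WMI"),
    (re.compile(r"ldifde|dnscmd.*/enumrecords", re.I), 3, "directory or DNS enumeration"),
]
# Built-in tools that admins use routinely but ordinary accounts almost never run.
ADMIN_TOOLS = {"netsh.exe", "ntdsutil.exe", "reg.exe", "vssadmin.exe", "wmic.exe",
               "ldifde.exe", "dnscmd.exe", "powershell.exe"}
UNKNOWN_HOST_WEIGHT = 4      # account has no history on this host
UNKNOWN_TOOL_WEIGHT = 2      # account has no history with this admin tool
BURST_WEIGHT = 3             # several distinct admin tools inside BURST_WINDOW
BURST_WINDOW = timedelta(minutes=10)
BURST_DISTINCT_TOOLS = 3

# Constructed per-account baseline: hosts and admin tools seen during a learning period.
BASELINE = {
    "jsmith": {"hosts": {"WS-JSMITH", "SRV-ADMIN01"}, "tools": {"powershell.exe", "mmc.exe"}},
    "svc_backup": {"hosts": {"DC01", "FS01"}, "tools": {"vssadmin.exe", "wbadmin.exe"}},
}

# Constructed process-creation events (fields as a Sysmon EID 1 / 4688 parser would emit them).
EVENTS = [
    {"time": "2024-03-11T09:00:00", "host": "SRV-ADMIN01", "user": "jsmith",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
    {"time": "2024-03-12T01:00:00", "host": "DC01", "user": "svc_backup",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"time": "2024-03-12T02:13:00", "host": "DC01", "user": "jsmith",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 "
                "connectaddress=10.20.30.40 connectport=8443"},
    {"time": "2024-03-12T02:14:00", "host": "DC01", "user": "jsmith",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic process call create "ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\pro\" q q"'},
    {"time": "2024-03-12T02:16:00", "host": "DC01", "user": "jsmith",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save hklm\sam C:\Windows\Temp\sam.hiv"},
]


def _tool_name(image_path):
    """Lowercase basename of the executed image, e.g. 'wmic.exe'."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event, baseline, recent_tools):
    """Return (score, reasons) for one event.

    recent_tools: admin-tool names this account ran inside BURST_WINDOW,
    including the current event if it is an admin tool.
    """
    score, reasons = 0, []
    for pattern, weight, label in CMDLINE_RULES:
        if pattern.search(event["cmdline"]):
            score += weight
            reasons.append(label)
    profile = baseline.get(event["user"], {"hosts": set(), "tools": set()})
    tool = _tool_name(event["image"])
    if event["host"].upper() not in profile["hosts"]:
        score += UNKNOWN_HOST_WEIGHT
        reasons.append(f"account never seen on {event['host']}")
    if tool in ADMIN_TOOLS and tool not in profile["tools"]:
        score += UNKNOWN_TOOL_WEIGHT
        reasons.append(f"first use of {tool} by this account")
    distinct = set(recent_tools)
    if len(distinct) >= BURST_DISTINCT_TOOLS:
        score += BURST_WEIGHT
        reasons.append(f"{len(distinct)} distinct admin tools within "
                       f"{int(BURST_WINDOW.total_seconds() // 60)} min")
    return score, reasons


def triage(events, baseline=BASELINE, threshold=6):
    """Score events in time order; return those at or above the threshold."""
    history = defaultdict(list)   # user -> [(datetime, tool)] inside the burst window
    findings = []
    for event in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(event["time"])
        user, tool = event["user"], _tool_name(event["image"])
        history[user] = [(t, x) for t, x in history[user] if when - t <= BURST_WINDOW]
        if tool in ADMIN_TOOLS:
            history[user].append((when, tool))
        score, reasons = score_event(event, baseline, [x for _, x in history[user]])
        if score >= threshold:
            findings.append({"time": event["time"], "user": user, "host": event["host"],
                             "tool": tool, "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['time']} {f['user']}@{f['host']} {f['tool']} score={f['score']}: "
              + "; ".join(f["reasons"]))
```

The backup service account creating a shadow copy on the domain controller matches a rule but stays below the threshold because that host and tool are in its baseline; the same command line from an account with no history on the host would not. That is the point of the baseline: the commands are legitimate, the context is not.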
### Business Email Compromise
BEC targeting government financial operations is a consistent, high-volume threat. Fraudulent vendor invoice schemes are the most common pattern: an attacker who has researched the target agency's vendors sends a convincing email to accounts payable requesting a change to payment banking details. Finance staff, unaware of the request's illegitimacy, update the vendor record. The next payment goes to the attacker's account.
Payroll diversion attacks follow the same logic, targeting HR or finance staff to redirect employee direct deposit payments. Government agencies with manual approval processes and limited controls around banking detail changes are especially vulnerable. The control that defeats both schemes is procedural rather than technical: no change to vendor or employee banking details takes effect until it has been confirmed by a call back to a contact number already on file (never one supplied in the request) and approved by a second person.
### Hacktivism
Government websites and public-facing services are frequent targets for hacktivist disruption. DDoS attacks against city websites, defacement of agency web pages, and data dumps from poorly secured public portals are common tactics. The goal is visibility and political messaging, not financial gain. The damage is reputational and operational rather than data-centric, but service disruption is still a consequence.
### Insider Threats
Government environments have elevated insider threat risk. Employees with access to law enforcement databases, benefits systems, and DMV records have historically misused that access for personal benefit or at the direction of organized crime. The access control model in many SLTT agencies relies on job title rather than least privilege, meaning an employee with a need-to-know on one function may have broad access across unrelated systems.
---
## Industry-Specific Challenges
Budget constraints governed by political cycles. Cybersecurity investment requires multi-year commitment. City councils and state legislatures operate on annual appropriations cycles, and priorities change with elections. A security initiative approved and funded in one budget year can lose funding the next. There is no reliable mechanism for sustaining a five-year security roadmap in most SLTT environments.
Legacy systems with no clear replacement path. Some state agencies operate mainframe systems from the 1980s and 1990s. DMV systems in multiple states run on COBOL. Benefits administration, court management, and tax systems often predate the modern threat landscape by decades. These systems cannot be patched in the conventional sense: the vendor may no longer exist, the source code may be unavailable, and a replacement program may have been proposed and defunded multiple times. The risk is known and accepted because the alternative is a modernization program costing hundreds of millions of dollars.
Public records requirements creating security tension. State public records laws (commonly still called FOIA requests) and open meeting laws require government to make records publicly available. Security documentation, including network diagrams, vulnerability assessments, and incident response plans, can become subject to disclosure if not properly exempted. Agencies must structure how they document security activities, and invoke whatever security exemption their state law provides, so that they do not create discoverable roadmaps for attackers.
Constituent data sensitivity and scale. A breach of a mid-size state agency can expose the PII of millions of residents. The scope of a government breach is simply larger than the scope of most private sector breaches: there is no opt-out from government record systems. Every resident who has ever registered a vehicle, paid property taxes, accessed government services, or interacted with the court system is in the database.
Critical service continuity requirements. 911 dispatch, traffic management, water treatment process control, court operations, and election systems cannot simply go offline during an incident. The pressure to restore operations quickly is higher than in almost any private sector context, which is precisely why ransomware operators target government. The time pressure creates leverage.
Procurement complexity. Competitive bidding requirements, limited-term appropriations, mandatory vendor registration processes, and sometimes-required legislative approval for large contracts mean that a government agency's decision to engage a security vendor can take six to twelve months to translate into a signed contract. Security threats do not wait for procurement calendars.
Workforce retention. Government cybersecurity salaries are often 30 to 50 percent below private sector equivalents for the same role. Experienced analysts and engineers who build skills in government environments frequently leave for private sector or federal positions within a few years of becoming productive. The result is a constant training-and-departure cycle that prevents institutional security expertise from compounding.
---
## Regulatory Environment
CISA Cybersecurity Performance Goals (CPGs). CISA publishes cross-sector CPGs that represent a minimum baseline of security practices. A free self-assessment tool is available that helps SLTT agencies measure their posture against these goals. The CPGs are not mandatory, but they are the closest thing to a federal standard for SLTT cybersecurity, and adherence is increasingly expected by state auditors and cyber insurers.
State-specific requirements. Most states have enacted mandatory data breach notification laws with specific timelines and content requirements. Many states have gone further, enacting minimum security standards for state agencies, requirements for cyber incident reporting, and in some cases mandatory cyber insurance. The regulatory landscape varies significantly by state and continues to evolve.
FedRAMP for cloud services. FedRAMP authorization is a requirement on federal agencies, not on states as such, but states that administer federal programs (Medicaid, SNAP, unemployment insurance) inherit cloud requirements from the federal program owner, and those requirements commonly call for FedRAMP authorization or equivalent NIST SP 800-53 controls for any cloud service holding the federal data. In practice this is a binding cloud service selection constraint for those programs. FedRAMP authorization also provides useful security assurance for cloud services that state agencies use for non-federal workloads.
CJIS Security Policy. Any government entity that accesses FBI criminal justice information (including criminal history records, the National Crime Information Center, and biometric data) must comply with the Criminal Justice Information Services (CJIS) Security Policy. This is a mandatory, detailed technical and administrative standard. Violations can result in decertification and loss of access to federal criminal justice data. Law enforcement agencies at every level of government are subject to CJIS, and many municipalities that administer jail or court functions handle CJIS-protected data.
NIST Cybersecurity Framework. The NIST CSF is broadly recommended for SLTT government. It is not mandatory, but it is the framework most commonly referenced by state cybersecurity offices, CISA guidance documents, and cyber insurance assessments. It complements the Planetary Defense Model (PDM) used throughout this article: NIST CSF 2.0 organizes by function (Govern, Identify, Protect, Detect, Respond, Recover); the PDM organizes by domain (what is being protected and where in the defense architecture).
---
## All Six PDM Domains Applied to SLTT Government
### DPS (Data Protection and Sovereignty): The Geological Core
Constituent PII is the geological core of SLTT government security. DMV records, tax records, court documents, benefits data, and utility account information all represent data that residents cannot remove from government custody. The Sovereign Data Protocol (SDP) asks: where does this data live, who can access it, and what controls govern its handling?
For SLTT, DPS controls include encryption of databases containing PII, data classification (law enforcement records require stricter protection than publicly accessible property records), formal data sharing agreements with federal agencies and contractors (particularly for CJIS-covered data), and policies governing the retention and destruction of records that are no longer needed. CJIS compliance is a DPS-layer obligation with mandatory technical controls including FIPS-validated encryption of criminal justice information in transit (and at rest outside physically secure locations), access logging, and breach notification procedures.
### VSD (Vulnerability and Surface Defense): The Oceans
Government attack surfaces are large and frequently poorly inventoried. Internet-facing portals for DMV appointments, tax payments, court filings, and permit applications represent external exposure. Remote access infrastructure for the pandemic-era shift to telework created VPN gateways that remain in place long after the original need. Legacy systems, some with known vulnerabilities that cannot be patched due to vendor support limitations, sit within networks that have often not been comprehensively assessed.
The Continuous Surface Reduction (CSR) methodology requires external attack surface discovery as a first step: finding everything the agency exposes to the internet before attempting to reduce it. Government web services are impersonated for phishing and BEC, and government domain spoofing is common. CSR therefore addresses both the technical attack surface (exposed systems) and the brand surface (spoofed domains and lookalike URLs), including whether the agency's own domains publish SPF and DMARC records that let recipients reject mail forged in their name.
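The following is an added example, not code from the original article or from CDA, that evaluates the anti-spoofing posture of a domain's published SPF and DMARC records: the brand-surface check described above, and the same check a finance team would want run on the agency's own domain given the vendor-impersonation BEC pattern described earlier. The domain names and DNS records are constructed; a real run would fetch the TXT records with a resolver (for example dnspython) and pass them to the same functions.

```python
"""Assess a domain's SPF and DMARC records for spoofability.

Records for hypothetical domains are constructed below. In production the TXT
records would be fetched from DNS and passed to the same functions.
Each weakness is reported as (severity, text); "critical" means forged mail
claiming to be from the domain is delivered or SPF is effectively off.
"""

# RFC 7208 terms that cost a DNS lookup; more than 10 of them yields permerror.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into a lowercase-tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Weaknesses in a DMARC record; an empty list means a fully enforcing policy."""
    tags = parse_dmarc(record or "")
    if tags.get("v", "").upper() != "DMARC1":
        return [("critical", "no valid DMARC record: receivers apply no policy to forged mail")]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append(("critical", "missing or invalid p= tag: record is ignored by receivers"))
    elif policy == "none":
        issues.append(("critical", "p=none: forged mail is reported but still delivered"))
    elif policy == "quarantine":
        issues.append(("warn", "p=quarantine: forged mail is spam-foldered, not rejected"))
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        issues.append(("warn", f"pct={pct}: policy applied to only {pct}% of failing mail"))
    if tags.get("sp", "").lower() == "none" and policy != "none":
        issues.append(("warn", "sp=none: subdomains can be forged despite the org policy"))
    if "rua" not in tags:
        issues.append(("warn", "no rua= address: no aggregate reports, abuse stays invisible"))
    return issues


def assess_spf(record):
    """Weaknesses in an SPF record; an empty list means a strict record."""
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("warn", "no valid SPF record: DMARC can only pass on DKIM alignment")]
    issues, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier, body = "+", term
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        # mechanism name without its argument, CIDR suffix, or modifier value
        name = body.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            issues.append(("warn", "ptr mechanism: deprecated, slow and unreliable"))
        if name == "all":
            all_qualifier = qualifier
    if lookups > SPF_LOOKUP_LIMIT:
        issues.append(("critical", f"{lookups} lookup terms exceed the limit of "
                                   f"{SPF_LOOKUP_LIMIT}: permerror, SPF effectively disabled"))
    if all_qualifier is None:
        issues.append(("warn", "no 'all' term: unlisted senders are neutral, not failed"))
    elif all_qualifier == "+":
        issues.append(("critical", "+all: every host on the internet passes SPF"))
    elif all_qualifier == "?":
        issues.append(("warn", "?all: unlisted senders are neutral, not failed"))
    return issues


def grade(dmarc_record, spf_record):
    """Return ('enforcing' | 'partial' | 'unprotected', issues)."""
    issues = assess_dmarc(dmarc_record) + assess_spf(spf_record)
    if any(sev == "critical" for sev, _ in issues):
        return "unprotected", issues
    return ("partial" if issues else "enforcing"), issues


# Constructed records for hypothetical domains (None = record not published).
DOMAINS = {
    "county-a.example": ("v=DMARC1; p=none; rua=mailto:dmarc@county-a.example",
                         "v=spf1 include:mail.provider.example ~all"),
    "city-b.example": ("v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@city-b.example",
                       "v=spf1 mx a include:mail.provider.example -all"),
    "town-c.example": ("v=DMARC1; p=reject; rua=mailto:dmarc@town-c.example",
                       "v=spf1 a mx +all"),
    "agency-d.example": ("v=DMARC1; p=reject; rua=mailto:dmarc@agency-d.example; adkim=s; aspf=s",
                         "v=spf1 ip4:203.0.113.0/24 include:mail.provider.example -all"),
    "parks-e.example": (None, "v=spf1 mx -all"),
}


def report(domains=DOMAINS):
    """Map each domain to its grade; feed real TXT records here in production."""
    return {name: grade(dmarc, spf)[0] for name, (dmarc, spf) in domains.items()}


if __name__ == "__main__":
    for name, (dmarc, spf) in DOMAINS.items():
        verdict, issues = grade(dmarc, spf)
        print(f"{name}: {verdict}")
        for sev, text in issues:
            print(f"  [{sev}] {text}")
```

A domain at "p=none" has done the monitoring work but still lets a forged invoice from accounts-payable@county-a.example reach its vendors; moving to "p=reject" (after the aggregate reports show legitimate senders are aligned) is the change that closes the brand surface.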
### SPH (Security Posture and Hygiene): The Terrain
Flat network architecture, inconsistent patch management across departments, aging Windows environments, and ad hoc asset inventories characterize the terrain of most SLTT government networks. Departments that have managed their own IT for decades often have wildly different security postures from one another, even within the same city or county.
The Autonomous Posture Command (APC) methodology in SLTT government requires three foundational steps: comprehensive asset inventory (what does the agency actually own and operate), network segmentation (separating critical systems from general-purpose office networks), and a managed patch management cadence. APC does not require sophisticated tooling to deliver meaningful improvement. In many SLTT environments, getting to consistent patch management and basic network segmentation is a multi-year project and a major posture advance.
### IAT (Identity Access and Trust): Civilization
Shared administrative accounts across departments, no MFA on government email or remote access, and contractor access that is never formally revoked are endemic IAT failures in SLTT government. The civilization layer in government is governed by IT teams that have historically prioritized availability over security: shared accounts are easier to manage than individual accounts with least-privilege assignments.
Zero Possession Architecture (ZPA) in SLTT government starts with MFA on all remote access and email. Microsoft 365 and Google Workspace deployments include MFA capability at no additional cost, although enforcing it on every account and blocking the legacy authentication protocols that bypass it (IMAP, POP, SMTP basic authentication) both require deliberate configuration. Beyond MFA, contractor access management is an immediate priority: contractors with broad access who are not actively engaged represent persistent credential risk. A formal contractor offboarding process, with an access expiry date recorded on every contractor account at creation, is an IAT control that costs nothing to implement.
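As an added example (not from the original page or from CDA's tooling), the script below runs the IAT checks just described over a constructed directory export: enabled accounts without MFA, contractor accounts still enabled past their end date, shared accounts, and accounts with no logon in 90 days. The field names and the reference date are assumptions about the export format; an Entra ID, Google Workspace or Active Directory export would be mapped onto them.

```python
"""Identity hygiene audit over a constructed directory export.

Implements the IAT checks from the text: no MFA, contractor accounts still
enabled past their end date, shared accounts, and stale accounts. Field names
and the reference date are assumptions about the export format.
"""
from datetime import date

AS_OF = date(2024, 3, 15)          # reference date for the audit (constructed)
STALE_AFTER_DAYS = 90

# Constructed export. type is one of employee / contractor / shared / service.
ACCOUNTS = [
    {"name": "jsmith", "type": "employee", "enabled": True, "mfa": True,
     "privileged": False, "last_logon": "2024-03-14", "contract_end": None},
    {"name": "da-admin", "type": "shared", "enabled": True, "mfa": False,
     "privileged": True, "last_logon": "2024-03-13", "contract_end": None},
    {"name": "vendor-cad01", "type": "contractor", "enabled": True, "mfa": False,
     "privileged": False, "last_logon": "2024-01-20", "contract_end": "2023-12-31"},
    {"name": "mlopez", "type": "employee", "enabled": True, "mfa": False,
     "privileged": False, "last_logon": "2024-03-01", "contract_end": None},
    {"name": "old-intern", "type": "employee", "enabled": True, "mfa": True,
     "privileged": False, "last_logon": "2023-08-01", "contract_end": None},
    {"name": "svc-backup", "type": "service", "enabled": True, "mfa": False,
     "privileged": True, "last_logon": "2024-03-15", "contract_end": None},
    {"name": "vendor-old", "type": "contractor", "enabled": False, "mfa": False,
     "privileged": True, "last_logon": "2022-05-02", "contract_end": "2022-06-30"},
]


def _parse_date(value):
    return date.fromisoformat(value) if value else None


def audit_account(acct, as_of=AS_OF):
    """Findings for one account as (issue, severity) tuples; disabled accounts are skipped."""
    if not acct["enabled"]:
        return []
    findings = []
    high_if_privileged = "high" if acct["privileged"] else "medium"
    # MFA applies to every interactive identity. Service accounts are governed by
    # credential rotation and logon restrictions instead, so they are exempt here.
    if acct["type"] != "service" and not acct["mfa"]:
        findings.append(("no_mfa", high_if_privileged))
    if acct["type"] == "shared":
        # a shared credential gives no individual accountability in the audit log
        findings.append(("shared_account", high_if_privileged))
    end = _parse_date(acct["contract_end"])
    if acct["type"] == "contractor" and end is not None and end < as_of:
        findings.append(("contractor_past_end_date", "high"))
    last = _parse_date(acct["last_logon"])
    if last is not None and (as_of - last).days > STALE_AFTER_DAYS:
        findings.append(("stale_account", "medium" if acct["privileged"] else "low"))
    return findings


def audit(accounts=ACCOUNTS, as_of=AS_OF):
    """Flatten per-account findings into rows ordered for a remediation list."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [{"account": a["name"], "issue": issue, "severity": sev}
            for a in accounts for issue, sev in audit_account(a, as_of)]
    return sorted(rows, key=lambda r: (order[r["severity"]], r["account"], r["issue"]))


if __name__ == "__main__":
    for row in audit():
        print(f"[{row['severity']:<6}] {row['account']:<14} {row['issue']}")
```

The ordering matters more than the count: the shared privileged account with no MFA and the contractor whose contract ended months ago are the rows that get fixed this week; the dormant intern account is a cleanup item. Running the same audit on a schedule turns the offboarding policy into something that is checked rather than assumed.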
### TID (Threat Intelligence and Defense): The Atmosphere
Many smaller municipalities have no SIEM, no managed detection capability, and no threat intelligence subscriptions. They rely entirely on MS-ISAC. This is not nothing: MS-ISAC membership gives SLTT entities a 24/7 SOC, threat intelligence sharing, and incident response assistance, and its Albert network monitoring sensors are available to members as a fee-based service priced well below commercial equivalents. But it is a baseline, not a comprehensive detection posture.
The Predictive Defense Intelligence (PDI) methodology's aspiration is to see the threat before it arrives. In SLTT government, the realistic near-term goal is detection at all: knowing an attack is underway before it completes. State-sponsored pre-positioning (Volt Typhoon-style living-off-the-land techniques) is particularly difficult to detect without behavioral analytics, and an Albert sensor sees network traffic, not the command lines run on the endpoints. MS-ISAC enrollment, with an Albert sensor where the budget allows, provides the minimum viable TID layer for resource-constrained municipalities.
### RGA (Risk Governance and Assurance): Outer Space
RGA in SLTT government is governed by state breach notification laws, CJIS compliance requirements, state auditor oversight, cyber insurance requirements, and (increasingly) state-level minimum security standards. The Perpetual Compliance Assurance (PCA) methodology frames compliance as an ongoing operational state, not a periodic checkbox. CJIS audits, state inspector general reviews, and cyber insurance renewals all require documented evidence of continuous compliance.
Incident response planning is a RGA obligation that most SLTT agencies have not fully met. CISA provides free IR plan templates and tabletop exercise facilitation for SLTT entities. A tested IR plan is not just good security practice: it is increasingly required by cyber insurers and expected by state oversight bodies.
---
## CDA Perspective
CDA's SLTT Government FRM variant targets the four highest-risk areas in local and state government: CJIS compliance gap assessment (mandatory for any entity handling federal criminal justice data), CISA CPG alignment assessment (using the free CISA self-assessment tool as a baseline), external attack surface discovery (government web services are high-value impersonation targets), and email security assessment (government domains are frequently spoofed for BEC and phishing).
The FRM produces a Posture Score and The Shield visualization that maps each of the six PDM domains. The Shield output translates technical findings into a format that city managers, county commissioners, and state agency directors can interpret in a single meeting.
Cyber Defense Army, LLC qualifies as a Service-Disabled Veteran-Owned Small Business (SDVOSB). In the government market, this is a procurement differentiator. Many state and local procurement programs include preferences for veteran-owned businesses, and some federal contract vehicles used by state agencies to procure services include SDVOSB set-aside provisions. CDA can be engaged through these mechanisms, simplifying the often-complex SLTT procurement process.
Engagement positioning by size and function:
The Confidential tier ($5,000/month) serves smaller municipalities, county governments, and local agencies seeking foundational managed coverage across all six PDM domains. The Secret tier ($15,000/month) is appropriate for state agencies handling sensitive constituent data, critical service operators, and agencies with CJIS compliance obligations. The TS/SCI tier (custom engagement) serves state homeland security agencies, law enforcement organizations with active federal data sharing, and fusion centers.
Five first actions for SLTT government:
- Enroll in MS-ISAC. Membership has historically been offered to SLTT entities at no cost. It provides threat intelligence, 24/7 SOC support, incident response assistance, and access to the Albert network monitoring sensor (a fee-based service). No SLTT entity should operate without MS-ISAC membership.
- Complete the CISA CPG self-assessment. Free, publicly available, and produces a documented baseline against federal standards. The output is useful both for prioritizing investments and for demonstrating due diligence to auditors and insurers.
- Enable MFA on all email and remote access. In existing Microsoft 365 or Google Workspace tenants this is a configuration change, not a purchase. It removes the most common initial access vector, stolen or phished passwords, but it does not make accounts immune: prefer phishing-resistant methods (FIDO2 security keys or platform authenticators) over SMS and voice codes, block the legacy authentication protocols that bypass MFA, and apply it to VPN gateways and administrative consoles, not only to the webmail login.
- Conduct a CJIS compliance gap assessment if law enforcement data is handled. CJIS compliance is mandatory and non-negotiable. Decertification means loss of access to FBI criminal justice data, which disables law enforcement operations. Gaps must be found before an FBI CJIS audit finds them.
- Develop and test an incident response plan. CISA provides free templates and tabletop exercise facilitation. A tested IR plan reduces recovery time and cost, demonstrates due diligence for insurance purposes, and ensures staff know what to do when an attack occurs.
---
## Key Takeaways
- SLTT governments hold the most comprehensive collections of constituent PII in existence, across DMV, tax, court, utility, and benefits systems, while operating with constrained budgets, complex procurement processes, and chronic security staffing shortfalls.
- Ransomware has cost SLTT governments tens of millions of dollars per incident in documented cases (Atlanta: $17M, Baltimore: $18M), with recovery costs exceeding the ransom demand by more than two orders of magnitude and incurred largely regardless of whether the ransom is paid.
- State-sponsored actors (Volt Typhoon) have been confirmed pre-positioning access in government-adjacent infrastructure using living-off-the-land techniques that are nearly invisible without behavioral detection capability.
- MS-ISAC provides a meaningful TID baseline for SLTT entities: threat intelligence, 24/7 SOC support, incident response assistance, and fee-based Albert network monitoring. Enrollment is the single highest-impact low-cost action for SLTT security.
- CJIS compliance is mandatory for any entity handling FBI criminal justice data. Non-compliance can result in decertification and operational loss of law enforcement database access.
- CDA's SDVOSB status (through Cyber Defense Army, LLC) creates a procurement pathway advantage in the government market, relevant for agencies using veteran preference programs or federal contract vehicles.
- The NIST CSF and CISA CPGs complement the PDM: NIST CSF organizes by function; CISA CPGs set a minimum baseline; the PDM maps what is being protected and where the defense gaps are.
---
## Related Articles
- Security for Education (K-12) [VS-K12]
- Ransomware [C-RANSOM]
- CJIS Compliance [F-CJIS]
- NIST Cybersecurity Framework 2.0 [F-NISTCSF]
- Incident Response Planning [TID-IRP]
- Business Email Compromise [TID-BEC]
---
## Sources
CISA. Cybersecurity Performance Goals. Cybersecurity and Infrastructure Security Agency, 2023. https://www.cisa.gov/cross-sector-cybersecurity-performance-goals
CISA. Volt Typhoon: People's Republic of China State-Sponsored Cyber Actor Living off the Land. Joint Advisory, May 2023. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
Center for Internet Security. MS-ISAC: Multi-State Information Sharing and Analysis Center. CIS, 2024. https://www.cisecurity.org/ms-isac
FBI Criminal Justice Information Services Division. CJIS Security Policy v5.9.4. Federal Bureau of Investigation, 2023. https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
CDA, LLC. Planetary Defense Model Master Reference v1. CDA Canon, April 2026.
Written by Evan Morgan