Perhaps somewhere in an alternate universe public sector IT teams don’t have to spend valuable time and resources on cybersecurity regulatory compliance. Your full focus could go into implementing new citizen services, supporting more efficient workflows, and taking advantage of advanced technologies. But in our universe, ongoing cyber threats to infrastructure, communities, and individuals have led to a growing list of compliance regulations that fall under the purview of cybersecurity and IT teams.
In that alternate universe there may also be IT teams that are flush with funds and people who can tackle every project and still make it home by dinner time. Meanwhile in the real world, you need to figure out a way to manage an increasingly sophisticated IT environment, detect and protect against cyberattacks, and demonstrate compliance for multiple agencies.
Short of major modifications to the time-space continuum, you’re going to have to figure out how to do it all with the time and resources on hand. That means a little multi-tasking is in order. With a little planning you’ll find that it is possible to combine cybersecurity and compliance initiatives, securing your infrastructure and a passing grade from regulatory agencies at the same time.
Blumira SIEM (security information and event management) is a SaaS cybersecurity detection and response solution that includes robust support for compliance frameworks. So you can build out cybersecurity plans that meet regulatory requirements without a lot of additional resources. This guide will get you started with your planning.
First, know what you’re dealing with.
Gather the most current versions of each compliance guide that applies to your situation. Local and state governments need to be aware of what’s required in the following frameworks:
Compliance parameters for protecting criminal justice information, as well as added protection for criminal history record information (CHRI).
Any government entity that handles healthcare data, like a jail or prison, must demonstrate that it’s properly protecting health information while making sure data is readily available to patients and providers.
This requires that federal, state, and local agencies protect federal tax information (FTI) and any personally identifiable information (PII) related to the IRS, so that it can only be disclosed to authorized people.
While the National Institute of Standards and Technology (NIST) Cybersecurity Framework is a voluntary guide for most private sector companies, the Federal Information Security Modernization Act (FISMA) requires state or local agencies with federal programs to implement its security controls. NIST also provides 1800-series publications that can be used as a how-to guide to implement these standards.
If you’ve ever worked on compliance mandates, you may already be pouring yourself another dose of caffeine so you can stay conscious while reading through the documents listed here. But before you get started, we’d like to propose a methodology.
Find the commonalities, and map your compliance requirements.
Rather than addressing each regulation separately, you’ll find that many compliance requirements overlap across frameworks. That means the work you do for one regulation can apply to others. The next step, then, is to get organized, and that can be done by breaking individual requirements down into a spreadsheet.
Digging into the different compliance requirements for state and local governments, you’ll start to identify commonalities. These can be put into categories:
Use these major categories to organize your spreadsheet. Then, lay out a column for each framework that applies and sort specific requirements within the categories. To get started, you can take a look at this example of how the U.S. Department of Justice maps the CJIS Security Policy to NIST SP 800-53. Commonalities will be sorted across the rows. Add more categories if needed for your specific situation. Note that the categories above are a modification of those in the CJIS example.
Chances are you’re not starting cybersecurity compliance at zero. You’ve already got activities and protocols in place. Once you’ve laid out all the requirements on your spreadsheet, you can identify what you’re doing well and what needs attention. Now you’re building the foundation of your cybersecurity compliance plan.
Just add these columns to your spreadsheet:
Cybercriminals have local and regional government entities in their sights. They believe, often rightly, that smaller organizations lack the funding and sophistication to detect and repel threats. They also understand the importance of the data and infrastructure you’re charged with protecting. Compliance isn’t just a matter of satisfying auditors. It can mean avoiding a damaging ransom event or a highly publicized data breach.
Now that you’ve identified the gaps, let’s look at ways to close them.
Next to-do: Apply for a cybersecurity grant
If you finished your spreadsheet exercise asking, “How exactly are we going to pay for all this?”, you can now add one more thing to the list: apply for a grant. The Infrastructure Investment and Jobs Act (IIJA) of 2021 established the State and Local Cybersecurity Improvement Act. This federal law includes a grant program that’s awarding $1 billion over four years. The program includes the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP).
Grant funds are being made available to state, local, territorial, and tribal governments in order to address cybersecurity risks and threats to information systems. You can learn more about applying for a grant on the CISA website. In addition to grants targeted at closing the cybersecurity gap, the Government Accountability Office (GAO) identified 27 grants available from eight agencies that could also be used to support cybersecurity. These are the departments and the number of grants available as of November 2023:
None of these grant programs exclusively support cybersecurity activities, so you should look carefully at application guidelines to make sure you’re targeting your request to what the program is trying to accomplish. Now that you’re organized, it’s time to get things done.
While the hub of cybersecurity compliance will likely reside within IT, its effectiveness will require the involvement of people across the organization. By building a culture of security, everyone understands how they play a role in protecting vital resources – whether that means data, infrastructure, or public trust. Make a plan for educating and involving these stakeholders:
Engaging your cybersecurity compliance team – In the spreadsheet you developed above, you identified the individuals who will be responsible for each component of your cybersecurity compliance plan (and hopefully it’s not just the usual suspects). Gather your team and identify the specific activities they’ll be responsible for in order to meet the organization’s goals.
Training employees and vendors – The more you build awareness of potential cybersecurity vulnerabilities, the more individual team members can act as your frontline eyes and ears to potential threats. Ongoing training, coupled with easy ways to report suspicious activity, makes cybersecurity part of everyone’s job.
Educating constituents – The citizens, organizations, and companies you serve can play a vital role in protecting their own data and shared resources when provided with helpful tips and education. This can be done through everything from workshops to social media and messages on billing statements.
At the end of the day, with all your cybersecurity compliance plans in place, you’re still living in this real world of finite resources. Your team still has a lot on their plate, and it’s unlikely that you’re going to be able to bring on experts to just stare at a threat detection tool all day. That’s where automation comes in. Blumira SIEM + XDR, for example, will automatically contain endpoint threats and block malicious traffic at any time of day or night. That means a threat is stopped before it’s able to move laterally through your systems.
Other Blumira automation tools include pre-written workflows for faster threat responses and SIEM for logging and monitoring. Mike Morrow, Technical Infrastructure Manager for Ottawa County, Michigan, told us how using Blumira for compliance saves on time and personnel:
“We’re required by CJIS and IRS Pub 1075 compliance to review our logs daily. There’s no way we can watch all of our infrastructure. Blumira has saved us time because we can’t monitor all of our logs—we would need a team of 100 to go through all of these logs manually.”
Blumira SIEM + XDR users have access to expertise from Blumira support teams who help them tune the platform for focused results, interpret findings, and design automated reports for compliance or other purposes.
As you develop your business case for a comprehensive cybersecurity compliance solution, here are some factors you’ll want to consider:
While Blumira is easy to set up and use, it includes robust features that help you and your team save time and efficiently meet regulatory compliance frameworks. As you build out your cybersecurity compliance plan, be sure to let us know how we can help. Blumira SIEM + XDR is already protecting many local and state governments while also helping them streamline compliance.
Check out our guide on How State and Local Governments Can Choose the Right Cloud SIEM for NIST to read more about compliance strategies for the public sector.