State and local governments (SLGs) are increasingly targeted by cyber threats, yet they often lack the resources, expertise, and infrastructure to mount an effective defense. From ransomware attacks on city infrastructure to breaches that compromise sensitive citizen data, SLGs face a unique combination of technical, financial, and organizational challenges. Addressing these vulnerabilities is critical not only to protect public services, but also to reinforce national cybersecurity resilience.
In this article, we’ll explore the key obstacles SLGs encounter in strengthening their cybersecurity posture, and examine strategies and frameworks that can help close the gaps.
Table of Contents
- Limited Funding and Resources
- Talent Shortages and Staff Turnover
- Outdated Legacy Systems
- Lack of Standardized Frameworks
- Inadequate Incident Response Capabilities
- Fragmented Governance and Coordination
- Effective Paths Forward
Limited Funding and Resources
One of the most significant challenges facing SLGs is the lack of dedicated cybersecurity budgets. While federal agencies benefit from national funding allocations, smaller jurisdictions often compete for limited funds across all departments.
A 2023 National Association of State Chief Information Officers (NASCIO) survey found that nearly 70% of states cite budget constraints as a barrier to cybersecurity improvements<sup>[1]</sup>. The cost of implementing endpoint protection, zero trust architecture, vulnerability scanning, and continuous monitoring quickly adds up.
Without reliable and consistent funding, cybersecurity becomes reactive rather than proactive. SLGs are often forced to delay critical updates or forgo necessary training, leaving them exposed to well-known vulnerabilities.
Talent Shortages and Staff Turnover
Cybersecurity professionals are in high demand, and public sector salaries rarely compete with the private sector. As a result, SLGs face a chronic shortage of skilled personnel to manage and monitor their IT environments.
According to the Center for Digital Government, over 50% of government IT leaders report difficulty recruiting cybersecurity professionals<sup>[2]</sup>. Even when staff are hired, retaining them becomes a challenge due to lower pay and limited advancement opportunities.
This talent gap leads to overburdened IT teams, reduced visibility into threat activity, and slower incident response times. It also hinders the implementation of modern security tools and frameworks, compounding risk over time.
Outdated Legacy Systems
Many SLGs still rely on legacy IT systems that were never designed with modern security in mind. These platforms often lack support for multi-factor authentication, secure encryption, or even regular patching.
Outdated systems introduce numerous risks:
- Incompatibility with current cybersecurity tools
- Unpatched vulnerabilities exploitable by ransomware
- Data stored in unencrypted formats
- Difficulties in achieving compliance with federal standards
The Cybersecurity and Infrastructure Security Agency (CISA) emphasizes that legacy systems present some of the greatest cyber risks to state and local operations<sup>[3]</sup>. However, the high cost of modernization—and the operational disruptions that come with it—make upgrades a significant hurdle.
Lack of Standardized Frameworks
Unlike federal agencies, which are required to comply with standards like FISMA and FedRAMP, state and local governments operate with a patchwork of policies and practices. This decentralization results in uneven security postures and makes it difficult to assess risk uniformly.
Some municipalities adopt the NIST Cybersecurity Framework (CSF), while others develop their own internal guidelines. Without enforced baseline standards, smaller governments are left vulnerable and isolated, often unaware of best practices or emerging threats.
Organizations like the Multi-State Information Sharing and Analysis Center (MS-ISAC) provide guidance and alerts, but adoption varies widely<sup>[4]</sup>.
Inadequate Incident Response Capabilities
Even when detection occurs, many SLGs lack mature incident response (IR) plans or trained teams to manage a cyber crisis. This leaves them unable to contain attacks or recover quickly—prolonging downtime and increasing damage.
Key issues include:
- No documented IR procedures
- Lack of cyber insurance coverage
- Limited use of tabletop exercises
- Poor coordination with law enforcement or federal agencies
CISA reports that fewer than 20% of local governments have a tested IR plan in place<sup>[5]</sup>. Without preparation, even minor incidents can escalate into major disruptions.
Fragmented Governance and Coordination
Cybersecurity responsibilities in SLGs are often distributed across multiple departments, each with varying levels of technical expertise and authority. This fragmentation leads to miscommunication, duplicated efforts, and security gaps.
Unlike a centralized federal agency, local entities must balance cybersecurity with diverse priorities—public safety, transportation, education—all with their own IT infrastructures and vendors.
Efforts like the State and Local Cybersecurity Grant Program (SLCGP) aim to promote coordination and shared services<sup>[6]</sup>. Still, cultural and logistical barriers remain.
Effective Paths Forward
Despite the challenges, several strategies are proving effective for improving SLG cybersecurity:
🛡 Federal Support and Grants
Programs like SLCGP and the American Rescue Plan provide funding opportunities for SLGs to modernize their defenses. Proposals aligned with NIST or CISA recommendations are more likely to receive funding.
🧠 Shared Services and Regional Collaboration
Pooling resources through regional partnerships or state-run SOCs (Security Operations Centers) can reduce costs and improve response capabilities. Examples include Maryland’s MD THINK and California’s Cal-SOC.
📘 Adoption of Best-Practice Frameworks
Encouraging adoption of the NIST CSF, zero trust principles, and secure SDLC practices helps SLGs align with federal standards. MS-ISAC also offers tailored guides for SLGs.
📈 Workforce Development
Upskilling internal staff through certifications, bootcamps, and public-private partnerships can alleviate the talent gap. Programs like CyberStart America and NICCS offer free training to public sector workers.
🚨 Incident Response Planning
Every SLG should develop, test, and refine its IR plan. Coordinating with state-level CERTs and CISA improves access to rapid support during events.
Government Cybersecurity Depends on Local Resilience
Securing state and local governments isn’t just a local issue—it’s a national imperative. These jurisdictions operate critical infrastructure, process sensitive data, and deliver essential services that millions depend on daily. Yet without proper funding, frameworks, and personnel, they remain soft targets for sophisticated cybercriminals.
By investing in modernization, standardizing frameworks, and fostering collaboration between state, local, and federal partners, we can elevate the nation’s cybersecurity posture from the ground up.
References Cited:
- National Association of State CIOs – 2023 Survey on State Cybersecurity
  https://www.nascio.org/resource-center/
- Center for Digital Government – State and Local Cyber Workforce Report
  https://www.govtech.com/cdg/
- CISA – Legacy System Risks
  https://www.cisa.gov/news-events/news/legacy-technology-puts-critical-infrastructure-risk
- MS-ISAC – Resources for Local Governments
  https://www.cisecurity.org/ms-isac
- CISA – State and Local Cybersecurity Improvement Efforts
  https://www.cisa.gov/state-local-cybersecurity-grant-program
- Cybersecurity Grant Program – Application Overview
  https://www.fema.gov/grants/preparedness/state-local-cybersecurity-grant-program
