The objective of this NSF-funded project (NSF Award #1623653) is to develop and provide focused and context specific cybersecurity leadership education and training for city and county governments.
Project Summary
The project will develop local government cybersecurity modules to augment existing cybersecurity degree curriculums as well as develop standalone local government cybersecurity education modules. As part of these efforts, the project will develop a cybersecurity toolkit, readiness assessment and roadmap for local governments to better undertake cross jurisdiction collaboration amongst cities, counties and states in cybersecurity leadership, capabilities, technologies, resources and vendor contracts. The project will scale by partnering with cities, counties and universities in a national local government cybersecurity learning community for regional workshops and ongoing training and cybersecurity cross jurisdiction sharing development. Expand to read more about project summary.
The project’s rationale is that local governments often have limited funding and cybersecurity expertise but have major roles in providing citizen services and operating critical infrastructure. Approximately 60% of the U.S. counties have less than 50,000 residents but “nearly all counties play a role in the nation’s critical infrastructure” (Council of State Governments, 2015). Counties own 45% of the U.S. road miles, 40% of the bridges and are involved in the operation of 30% of public airports, 1,550 health departments, 3,105 police and sheriff’s departments, and utilities such as water and electricity (National Association of Counties, 2015). Cities and counties are critical to the nation’s resilience and emergency response.
Building upon experiences in public health, public safety and IT, cross jurisdictional sharing of services is a growing strategy used at local levels to address challenges such as tight budgets and limited expertise. The scalable nature of technology operations makes cybersecurity a good candidate for municipal collaborations. Our initiative develops the curricula and provides the expertise, toolkit, roadmap and training for local governments to strengthen their cybersecurity programs overall and share each other’s cybersecurity capabilities and resources to achieve stronger cybersecurity status.
This project builds upon our research projects, cybersecurity education programs and industry engagement including interviews of local government CISOs and CIOs for the NSF project “Bridging the Cybersecurity Leadership Gap: Assessment, Competencies and Capacity Building” with the objective of developing CISO core competencies and corresponding learning objectives. The project also builds upon Mason’s designation as a DHS Center of Academic Excellence in Information Assurance Education and in Information Assurance Research, and founding partner of the U.S. Government’s CIO University.
Intellectual Merit
This effort will be the first in the nation to explore local government focused cybersecurity education, and the first to highlight cross jurisdictional capacity sharing in cybersecurity for local governments. Specifically, the following questions will be explored and evaluated and products developed:
- How can cybersecurity for local governments especially those with limited budgets and cybersecurity expertise most effectively be addressed?What are the most effective strategies, models and approaches for cybersecurity cross jurisdictional sharing for local governments?
- Local government cybersecurity curriculum and learning modules
- Cybersecurity toolkits for local governments and local government cross-jurisdictional cybersecurity capacity sharing roadmap and readiness assessment.
Broader Impacts
We will make all research findings, including toolkits, roadmaps and curriculums available to local governments and universities and promote the results and adoption through regional workshops and annual conferences. The materials will be utilized in online courses and webinars and George Mason will host a national clearinghouse of resources for local cybersecurity and cross-jurisdictional cybersecurity capacity sharing. In addition, the project will raise awareness of cybersecurity and promote cybersecurity training to rural cities and counties that comprise the U.S.’ largest proportion of local governments.
Cybersecurity Policy Sharing – VA Portal:
One area of cybersecurity partnership that could potentially benefit a large number of local governments, and is relatively quick to implement is sharing cybersecurity policies and regulations, that are transferrable from government to government. Adequate and mature policies and regulations are an important component of cybersecurity governance. Many local governments acknowledge the need for more mature and up-to-date cybersecurity policies and regulations, but cite the lack the resources and experience hinders progress.
Mason-NSF City/County Cybersecurity Partnership Project team collected policy and regulatory recommendations from local cybersecurity experts in Virginia (special credits and thanks are given to Arlington County CISO, David Jordan, for his contribution and guidance) and compiled the following set of policy templates, which is available for reference to all VA governments. Local governments interested to share their specific cybersecurity policies and regulations on this platform can contact Prof. J.P. Auffret at jauffret@gmu.edu.
(Disclaimer: Efforts were made to keep these policy templates generic, or non-specific, in order to benefit a broader range of authorities. When using these policy templates as references, local governments are advised to apply changes that reflect the unique situations of their own localities and appropriate legal reviews.)
Mason – NSF City and County Policy Template 1 – Electronic Communication and Internet Use Policies
Mason – NSF City and County Policy Template 3 – Remote Access Policy and Acceptable Use Agreement
Mason – NSF City and County Policy Template 4 – Mobile Device Use and Management Policy
Mason – NSF City and County Policy Template 5 – Nondisclosure and Data Security Agreement
Mason – NSF City and County Policy Template 6 – Data Security and Protection for Contractors
Mason – NSF City and County Policy Template 7 – VPN Policy
Cybersecurity Advice from a Local CISO
Also a contribution from Dave Jordan, the following pamphlet exemplifies the dynamic messages written and collated by Dave, with which a CISO could communicate with and inspire government employees and constituents.
View and Download Personal Cybersecurity Advice from a Local CISO
Local Cybersecurity Partnership Workshops
To disseminate research findings and engage local government IT officials, a series of local cybersecurity partnership workshops have been held successfully at the following locations:
- Richmond, VA (Oct. 3, 2017) STATE
- Northern Neck and Middle Peninsula, VA (May 3, 2018) REGIONAL
- Purcellville, VA (May 30, 2018) REGIONAL
- Leesburg, VA (Oct. 17, 2018) REGIONAL
- Roanoke, VA (Oct. 25, 2018) REGIONAL
- Caroline County, VA (Nov. 14, 2018) REGIONAL
- Charleston, WV (April 16, 2019) STATE
- Huntington, WV (Oct. 29, 2019) – WV, OH, KY STATE
- Mathews, VA (Nov. 13, 2019) REGIONAL
- West Virginia VIRTUAL (Nov. 18, 2021) STATE
- West Virginia (April 26, 2022) STATE
- Richmond, VA (July 26, 2022) STATE
- Northern Neck and Middle Peninsula, VA (Nov. 17, 2022) REGIONAL
- West Virginia (July 20, 2023) STATE
- Richmond, VA (Aug. 2, 2023) STATE
Local Government Cybersecurity Advisory Board
The project team and key advisors have established the Local Government Cybersecurity Advisory Board with objectives to:
- Recommend and guide the development of the research agenda (current and relevant) and initiatives and priorities (workshop content with local and state governments, associated portal materials/resources content)
- Provide recommendations on tailoring the research agenda to different state and local contexts
- Foster/suggest partnerships to further the initiative
- Recommend paths to scale the initiative (additional local governments and states, nationally, financial sustainability)
- Recommend and engage in outreach, workshops, and conferences.
Local Govt Cybersecurity Advisory Board Members
- Auzzie Brown, Senior Principal Architect AT&T, fmr. Deputy Secretary of Technology and Chief Operations Officer, State of Alabama
- Danielle Cox, CISO, West Virginia
- Ben Gilbert, Supervisory Cybersecurity Advisor, Region III (VA, DC, WV), U.S. Cybersecurity and Infrastructure Security Agency
- John Harrison, Director Information Technology, Franklin County, Virginia
- Greg Herbold, Director, U.S. State / Local Government and Education, Palo Alto Networks
- Bill Hunter, CGCIO, County of Roanoke, Virginia
- Charles Huntley, Director, IT, Essex County, Virginia
- David Jordan, CIO Emeritus, Arlington, County, Virginia
- Jody Ogle, Cybersecurity Advisor, West Virginia, U.S. Cybersecurity and Infrastructure Security Agency
- Marilyn Smith, CIO Advisor, fmr CIO, George Mason University and CIO, MIT
- David Tackett, CIO, West Virginia Secretary of State
- Rick Tracy, Chief Security Officer, Telos
- Maria Ward, IT Applications Manager, County of Roanoke, Virginia
Latest Event:
Virginia State & Local Govt Cybersecurity Partnering Workshop
When: 9:30am- 4:00pm, Wednesday, August 2nd, 2023 (Lunch is included)
Where: Virginia War Memorial 621 S. Belvidere Street, Richmond
Who should attend: State and Local Government Administrators, IT and Cybersecurity Administrators, K-12 IT and Cybersecurity Administrators and Police and Emergency IT Managers
Hosts and Organizers: George Mason University and the National Science Foundation.