The objective of this NSF-funded project (NSF Award #1623653) is to develop and provide focused and context specific cybersecurity leadership education and training for city and county governments.
The project will develop local government cybersecurity modules to augment existing cybersecurity degree curriculums as well as develop standalone local government cybersecurity education modules. As part of these efforts, the project will develop a cybersecurity toolkit, readiness assessment and roadmap for local governments to better undertake cross jurisdiction collaboration amongst cities, counties and states in cybersecurity leadership, capabilities, technologies, resources and vendor contracts. The project will scale by partnering with cities, counties and universities in a national local government cybersecurity learning community for regional workshops and ongoing training and cybersecurity cross jurisdiction sharing development. Expand to read more about project summary.
The project’s rationale is that local governments often have limited funding and cybersecurity expertise but have major roles in providing citizen services and operating critical infrastructure. Approximately 60% of the U.S. counties have less than 50,000 residents but “nearly all counties play a role in the nation’s critical infrastructure” (Council of State Governments, 2015). Counties own 45% of the U.S. road miles, 40% of the bridges and are involved in the operation of 30% of public airports, 1,550 health departments, 3,105 police and sheriff’s departments, and utilities such as water and electricity (National Association of Counties, 2015). Cities and counties are critical to the nation’s resilience and emergency response.
Building upon experiences in public health, public safety and IT, cross jurisdictional sharing of services is a growing strategy used at local levels to address challenges such as tight budgets and limited expertise. The scalable nature of technology operations makes cybersecurity a good candidate for municipal collaborations. Our initiative develops the curricula and provides the expertise, toolkit, roadmap and training for local governments to strengthen their cybersecurity programs overall and share each other’s cybersecurity capabilities and resources to achieve stronger cybersecurity status.
This project builds upon our research projects, cybersecurity education programs and industry engagement including interviews of local government CISOs and CIOs for the NSF project “Bridging the Cybersecurity Leadership Gap: Assessment, Competencies and Capacity Building” with the objective of developing CISO core competencies and corresponding learning objectives. The project also builds upon Mason’s designation as a DHS Center of Academic Excellence in Information Assurance Education and in Information Assurance Research, and founding partner of the U.S. Government’s CIO University.
This effort will be the first in the nation to explore local government focused cybersecurity education, and the first to highlight cross jurisdictional capacity sharing in cybersecurity for local governments. Specifically, the following questions will be explored and evaluated and products developed:
- How can cybersecurity for local governments especially those with limited budgets and cybersecurity expertise most effectively be addressed?What are the most effective strategies, models and approaches for cybersecurity cross jurisdictional sharing for local governments?
- Local government cybersecurity curriculum and learning modules
- Cybersecurity toolkits for local governments and local government cross-jurisdictional cybersecurity capacity sharing roadmap and readiness assessment.
We will make all research findings, including toolkits, roadmaps and curriculums available to local governments and universities and promote the results and adoption through regional workshops and annual conferences. The materials will be utilized in online courses and webinars and George Mason will host a national clearinghouse of resources for local cybersecurity and cross-jurisdictional cybersecurity capacity sharing. In addition, the project will raise awareness of cybersecurity and promote cybersecurity training to rural cities and counties that comprise the U.S.’ largest proportion of local governments.
1. Cybersecurity Policy Sharing – VA Portal:
One area of cybersecurity partnership that could potentially benefit a large number of local governments, and is relatively quick to implement is sharing cybersecurity policies and regulations, that are transferrable from government to government. Adequate and mature policies and regulations are an important component of cybersecurity governance. Many local governments acknowledge the need for more mature and up-to-date cybersecurity policies and regulations, but cite the lack the resources and experience hinders progress.
Mason-NSF City/County Cybersecurity Partnership Project team collected policy and regulatory recommendations from local cybersecurity experts in Virginia (special credits and thanks are given to Arlington County CISO, David Jordan, for his contribution and guidance) and compiled the following set of policy templates, which is available for reference to all VA governments. Local governments interested to share their specific cybersecurity policies and regulations on this platform can contact Prof. J.P. Auffret at email@example.com.
(Disclaimer: Efforts were made to keep these policy templates generic, or non-specific, in order to benefit a broader range of authorities. When using these policy templates as references, local governments are advised to apply changes that reflect the unique situations of their own localities and appropriate legal reviews.)
Mason – NSF City and County Policy Template 1 – Electronic Communication and Internet Use Policies
Mason – NSF City and County Policy Template 2 – Information Governance Certification Requirements for procurement
Mason – NSF City and County Policy Template 3 – Remote Access Policy and Acceptable Use Agreement
Mason – NSF City and County Policy Template 4 – Mobile Device Use and Management Policy
Mason – NSF City and County Policy Template 5 – Nondisclosure and Data Security Agreement
Mason – NSF City and County Policy Template 6 – Data Security and Protection for Contractors
Mason – NSF City and County Policy Template 7 – VPN Policy
2. Cybersecurity Advice from a Local CISO
Also a contribution from Dave Jordan, the following pamphlet exemplifies the dynamic messages written and collated by Dave, with which a CISO could communicate with and inspire government employees and constituents.
View and Download Personal Cybersecurity Advice from a Local CISO
3. Local Cybersecurity Partnership Workshops
To disseminate research findings and engage local government IT officials, a series of local cybersecurity partnership workshops have been held successfully at the following locations:
- Richmond, VA (Oct. 3, 2017)
- Northern Neck and Middle Peninsula, VA (May 3, 2018)
- Purcellville, VA (May 30, 2018)
- Leesburg, VA (Oct. 17, 2018)
- Roanoke, VA (Oct. 25, 2018)
- Caroline County, VA (Nov. 14, 2018)
- Charleston, WV (Apr. 16, 2019)
- Huntington, WV (Oct. 29, 2019) – WV, OH, KY joint
- Mathews, VA (Nov. 13, 2019)
4. Local Cybersecurity Partnership Workshop Report
Oct. 3 2017 Richmond Workshop Report
5. Local Government Cybersecurity Advisory Board
In spring 2020, the project team and key advisors established the Local Government Cybersecurity Advisory Board with objectives to:
- Recommend and guide the development of the research agenda (current and relevant) and initiatives and priorities (workshop content with local and state governments, associated portal materials/resources content)
- Provide recommendations on tailoring the research agenda to different state and local contexts
- Foster/suggest partnerships to further the initiative
- Recommend paths to scale the initiative (additional local governments and states, nationally, financial sustainability)
- Recommend and engage in outreach, workshops, and conferences.
Local Government Cybersecurity Advisory Board Members:
David Tackett, CIO, West Virginia Secretary of State
Danielle Cox, CISO, West Virginia
Bill Hunter, CGCIO, County of Roanoke, Virginia
Charles Huntley, Director, IT, Mathews, Virginia
David Jordan, CIO Emeritus, Arlington, County, Virginia
Ben Gilbert, Cybersecurity Advisor, Region III (VA, DC, WV), U.S.
Cybersecurity and Infrastructure Security Agency, DHS
Greg Herbold, Director, U.S. State / Local Government and Education, Palo Alto Networks
Rick Tracy, Chief Security Officer, Telos
Auzzie Brown, Senior Principal Architect AT&T, fmr. Deputy Secretary of Technology and Chief Operations Officer, State of Alabama
West Virginia-Ohio-Kentucky Local and State Government Cybersecurity Partnership Workshop
When: 9:30am- 4:00pm, Tuesday, October 29th, 2019 (Lunch is included)
Where: BRAD D. SMITH FOUNDATION HALL – 519 John Marshall Drive – Huntington, WV 25703
Who should attend: State and local government administrators, IT and cybersecurity managers and personnel, public school IT and cybersecurity managers and personnel, police and emergency IT managers and personnel, SCADA systems experts (water, sewer, electricity, etc.)
Hosts and Organizers: West Virginia Office of Technology, WVNET, George Mason University, Marshall University Brad D. Smith School of Business and the National Science Foundation.
Registration is free, but required at https://wvcyberworkshop.wvnet.edu/ . Event agenda is available at https://care.gmu.edu/west-virginia-ohio-and-kentucky-local-and-state-government-cybersecurity-partnering-workshop-agenda/
About the Workshop: The objective of the West Virginia-Ohio-Kentucky workshop is to develop specific recommendations to strengthen local and state government cybersecurity governance and to facilitate cybersecurity partnering between local and state governments. The workshop is part of the George Mason-National Science Foundation Cybersecurity City and County Cross Jurisdictional Collaboration project, having the goal of furthering U.S. city and county cybersecurity efforts by developing foundations and policies that enable and foster city and county cybersecurity partnerships.
The workshop will also include talks by Josh Spence, West Virginia Chief Technology Officer; Ben Gilbert, Cybersecurity Advisor – Region III (VA, DC, WV), U.S. Cybersecurity and Infrastructure Security Agency; Greg Herbold, Director, State/Local Government & Education, Palo Alto Networks; Ron Hamilton, CISO and Eric Burgy, Manager from WVNet.
The Mason-NSF project has co-hosted seven successful local government cybersecurity partnership workshops in Virginia and West Virginia between 2017 and 2019.
(BRAD D. SMITH FOUNDATION HALL Picture Source: http://www.marshall.edu/foundationhall/index.html)