As chair of the National Governors Association, I am excited to announce that I have selected cybersecurity as the focus of my chair’s initiative. Meet the Threat: States Confront the Cyber Challenge places states at the center of finding solutions to the growing cyber threats facing our country.

A primary goal of the initiative is for states to develop strategies for strengthening cybersecurity practices as they relate to state IT networks, health care, education, safety, energy, transportation, critical infrastructure, economic development and workforce. We will be hosting several regional summits and bringing together policy leaders from every state, as well as private sector experts and federal partners, to highlight innovative practices and identify ways in which state-driven solutions can be replicated nationwide. This website will serve as a library of resources for states. As the year progresses, we will add to the library and encourage state policymakers to use it.

In addition, participating state teams will develop strategies for improving cybersecurity that they will present to their governors for consideration. The initiative will conclude in Virginia with the National Summit on State Cybersecurity, which will bring together representatives from each state, commonwealth and territory to share best practices and lessons learned.

These are ambitious goals. With your engagement, however, I know we can succeed. The initiative has the potential to shape the nation’s response to the growing cyber threats we face by underscoring the critical role state leaders play in securing the cyber environment.

Governor's Guide to Cybersecurity

 

A Compact to Improve State Cybersecurity

At the NGA Summer Meeting in July 2017, 39 governors signed on to this compact, which recognizes the cybersecurity threat facing state government and details a series of recommended promising practices to enhance state cybersecurity.

 

Has your state suffered a significant cyber incident in the last 12 months?

The memo, Cyber Liability Insurance for States, provides a broad overview of cybersecurity insurance products and offers important questions that states should consider before pursuing coverage.

The memo, State Cybersecurity Response Plans, identifies commonalities and differences among the 22 states that established governance bodies tasked with identifying the cyber threats facing their state and the avenues for mitigating those threats.

This memo on the Michigan Civilian Cyber Corps (MiC3) offers a model for states that want to incorporate volunteer cyber experts into cyber disruption response activities.

Does your state have a cyber disruption or incident response plan?

The memo, State Cybersecurity Response Plans, identifies commonalities and differences among the 22 states that established governance bodies tasked with identifying the cyber threats facing their state and the avenues for mitigating those threats.

Have you received a briefing on the cyber threat to your state’s critical infrastructure?

As the first event of his chair’s initiative, Virginia Gov. Terry McAuliffe and the National Governors Association convened more than 30 health care experts, including CEOs, chief information officers and cybersecurity consultants to discuss sector challenges and explore how states and governors can promote stronger cybersecurity throughout the health care sector. This memo provides highlights from that conversation.

This memo, Cybersecurity and Critical Infrastructure, highlights best practices for states interested in improving coordination and information sharing with critical infrastructure owners and operators to enhance cybersecurity practices.

The following memo, Cybersecurity of Election Infrastructure, provides an overview of the cybersecurity threats facing America's voting infrastructure and highlights promising practices governors can adopt to secure voting systems.

This report, State Roles in Enhancing the Cybersecurity of Energy Systems and Infrastructure, identifies the challenges states face in protecting their energy systems and infrastructure from cyber incidents and recommendations on overcoming those challenges.

Does your state have an established cybersecurity governance or planning body?

This memo on Cybersecurity Centers discusses the growing trend of governors establishing integration centers focused on improving the cybersecurity in their state.

The memo, State Cybersecurity Budgets, provides a brief review of how states budget financial resources for cybersecurity and the current levels of funding in many states.

For states interested in developing a cybersecurity governance or planning body, please see our Memo on State Cybersecurity Governance Bodies, which analyzes existing cybersecurity task forces.

For states interested in developing a comprehensive state cybersecurity strategy, please see our Memo on State Cybersecurity Strategies, which analyzes current strategies and details the process for preparing a strategy.

Do you have a cybersecurity advisor with the necessary authority and resources?

 

Does your state criminal investigative agency have a computer crimes unit?

The following memo, A Review of State Computer Crime Law, provides an overview of state cyber crime laws and discusses what steps states can take to improve cyber crime investigation and prosecution.

The following memo, Cybersecurity and Public Safety, discusses the role of the public safety community in improving state cybersecurity preparedness and response capabilities as well as the threats facing the public safety sector.

This paper, Enhancing the Role of Fusion Centers in Cybersecurity, details the roles of fusion centers in cybersecurity and issues recommendations to enhance those roles.

This paper, Cybercrime: What Can A Governor Do?, explores how governors can help build capacity for cybercrime enforcement.

Does your state require cybersecurity awareness training for all state employees?

These three one-pagers on Ransomware, the Internet-of-Things, and Phishing provide brief summaries of these key topics and identify preliminary actions governors can take to enhance their state’s cybersecurity preparedness.

Throughout the tenure of the Chair’s Initiative, the NGA Resource Center will publish one-pagers for state employees and policymakers on common cybersecurity threats.

Have you received a briefing regarding the higher education community’s cyber workforce programs and whether those programs meet your state’s cyber talent demand?

This memo, Building a Cybersecurity Workforce Pipeline, provides an overview of the challenges of an inadequate cyber workforce pool and how to create a workforce pipeline.

Has your state approached local government and the private sector to assess their security posture and needs?

This memo, Cybersecurity in the Education Sector, identifies challenges and solutions to addressing threats posed to the education community. 

This memo, Small Business and Cybersecurity, identifies challenges and solutions for helping small and medium-sized businesses address their cybersecurity needs.

How does your state find and fix cybersecurity vulnerabilities? 

This short one-pager, Crowdsourcing Cybersecurity 101, summarizes the benefits and challenges of vulnerability disclosure policies in state government.

Gov. McAuliffe Issues Cyber Challenge

As part of October’s Cybersecurity Awareness Month, Gov. McAuliffe challenged all of his fellow governors to issue a state proclamation, as he has done in Virginia.

Dear Governors,

As chair of the National Governors Association (NGA), I am writing to you about a topic important to my initiative, Meet the Threat: States Confront the Cyber Challenge. Each year, the President designates October as National Cybersecurity Awareness Month, and I would like to encourage you to issue your own proclamations declaring October to be Cybersecurity Awareness Month in your state.

Taking this small step sends an important message to our constituents, namely that in the face of near constant cybersecurity intrusions, we see the importance of making cybersecurity a top priority in our states. My initiative aims to provide states with the resources you need to prepare your state to meet the threat and take advantage of the economic opportunities that cybersecurity presents. By making this designation, we can show the nation that our states are on the road to strengthening our nation’s cybersecurity.

Through my NGA initiative website, we’ll track each state’s progress throughout the month as you all issue your proclamations. I signed the Commonwealth of Virginia’s proclamation on October 4, 2016 and I look forward to seeing each of you doing the same.

Sincerely,

Terence R. McAuliffe
Governor
Commonwealth of Virginia
NGA Chair

Governors Issue Cybersecurity Awareness Proclamations

This map will track governors issuing proclamations declaring October to be cybersecurity awareness month in each state.

US map indicating which states have issued proclamations


Gov. McAuliffe: Cybersecurity Is Key State Issue
March 15, 2017
At the second regional summit for his NGA chair's initiative, Virginia Gov. Terry McAuliffe delivered a keynote address on states' role in strengthening the nation's cybersecurity to protect critical infrastructure and personal data.

Gov. McAuliffe Holds Small Business Cyber Roundtable
December 08, 2016
For the fourth roundtable related to his chair’s initiative, Virginia Gov. Terry McAuliffe met with small business owners for a discussion on how to improve their cybersecurity posture.

Meet the Threat First Regional Summit: Complete Coverage
October 12, 2016
Cybersecurity summit garners press attention from media outlets such as Politico, WBUR Radio Boston and Bloomberg BNA.

Gov. McAuliffe: States Central to Thwarting Cyber Attacks
October 05, 2016
In a keynote address at the first regional summit for his chair’s initiative, Meet The Threat: States Confront the Cyber Challenge, NGA Chair Virginia Gov. Terry McAuliffe said governors and states play a critical role in confronting cyber attacks.

Gov. McAuliffe Holds Second Cyber Roundtable
September 07, 2016
Virginia Gov. Terry McAuliffe hosted an education and workforce cyber event last week as part of a series of roundtables highlighting his chair’s initiative, Meet the Threat: States Confront the Cyber Challenge.

NGA Chair Gov. McAuliffe Sits Down With C-SPAN’s Newsmakers
July 29, 2016
C-SPAN interviewed Virginia Gov. Terry McAuliffe from the Democratic National Convention in Philadelphia for the weekly program Newsmakers. Gov. McAuliffe spoke about his role as chair of the National Governors Association, including his chair’s initiative, Meet the Threat.

Gov. McAuliffe Holds First Cyber Roundtable
July 19, 2016
Virginia Gov. Terry McAuliffe held the first official meeting for his 2016-17 National Governors Association (NGA) chair’s initiative, Meet the Threat: States Confront the Cyber Challenge, where he addressed the intersection of cybersecurity and health care.

Gov. McAuliffe Named NGA Chair, Unveils Cyber Initiative
July 16, 2016
Today at the Closing Session of the 2016 NGA Summer Meeting, Virginia Gov. Terry McAuliffe was named NGA chair and Nevada Gov. Brian Sandoval vice chair. Gov. McAuliffe also announced his chair’s initiative, Meet the Threat: States Confront the Cyber Challenge.

 

Boston Regional State Cybersecurity Summit

As part of his initiative, Meet the Threat: States Confront the Cyber Challenge, Virginia Gov. Terry McAuliffe convened senior state policymakers from across the country for a three-day discussion of promising practices, emerging issues, and continuing challenges in state cybersecurity.

This document summarizes the discussions, conclusions, and action items that resulted from the first Meet the Threat Regional State Cybersecurity Summit in October 2016.

This is the meeting agenda for the Meet the Threat Boston Regional State Cybersecurity Summit.

This document details the media coverage of the Meet the Threat Regional State Cybersecurity Summit.

This site documents the ongoing efforts in the Commonwealth of Virginia to promote strong cybersecurity.

The NIST Framework provides organizational guidelines and benchmarks for critical infrastructure operators seeking to create, implement, and review risk-based cybersecurity programs.

The ISO security framework is a certifiable standard for securing not only information technology systems, but also any kind of information.

This living guide published by the SANS Institute lists 20 high priority, technical measures to stop known cyber attacks. It is constantly updated to reflect new techniques.

Published by the Health Information Trust Alliance (HITRUST), this guide suggests how a particular health care organization can tailor the NIST Cybersecurity Framework to its specific needs.

The ES-C2M2 is a cybersecurity framework created by the Department of Energy specifically for the electricity subsector of the nation's critical infrastructure.

NERC's CIP Standards require operators of the nation's bulk electric system to implement minimal cybersecurity protections.

This memo identifies commonalities and differences among the 22 states that established governance bodies tasked with identifying the cyber threats facing their state and the avenues for mitigating those threats.

This November 2015 report reviews the progress of cybersecurity initiatives in California, Maryland, Michigan, New Jersey, New York, Texas, Virginia, and Washington.

This memo provides an overview of the cybersecurity threats facing America's voting infrastructure and highlights promising practices governors can adopt to secure voting systems.

This letter from Senator Carper (DE) to Gov. McAuliffe highlights some of the issues surrounding election cybersecurity.

This letter responds to Senator Carper and highlights the work being done in states around this issue.

This best practices document was released on September 15 on the NCCIC/US-CERT website and should be useful to state and local election officials in securing their online voter registration databases and any of their other internet-connected systems.

This memo identifies commonalities and differences among 32 cybersecurity incident and disruption response plans within 26 states.

Michigan's cyber response plan delineates roles and responsibilities for state emergency and technology personnel in the event of a major disruption of government services or critical infrastructure.

This guide provides recommendations for any organization seeking to establish or improve a cybersecurity incident response plan.

NASCIO has designed this guide to improve state cyber resiliency: the ability of organizations to sustain government operations in the face of a cyber attack and quickly recover disabled systems.

As the first event of his chair’s initiative, Virginia Gov. Terry McAuliffe and the National Governors Association convened more than 30 health care experts, including CEOs, chief information officers and cybersecurity consultants to discuss sector challenges and explore how states and governors can promote stronger cybersecurity throughout the health care sector.

This document lists major cybersecurity incidents affecting the health care sector.

This draft guidance outlines a potential approach for regulating cybersecurity in hardware and Internet of Things devices used in the health care industry.

The NH-ISAC advances national health care and health critical infrastructure resilience by distributing all-hazards intelligence and analysis.

This document aims to establish a common taxonomy and lexicon to describe the cybersecurity workforce.

The SFS program provides scholarships that may fully fund the typical costs incurred by full-time students while attending a participating institution that provides such students with cybersecurity training.

This memo provides an overview of the cybersecurity threats facing America's voting infrastructure and highlights promising practices governors can adopt to secure voting systems.

This memo discusses the challenges related to growing and sustaining a cybersecurity trained workforce to meet the economic demands of today’s economy.

This toolkit contains information and resources on planning, building, and advancing policies to recruit and retain cybersecurity personnel.

This memo provides an overview of state cyber crime laws and discusses what steps states can take to improve cyber crime investigation and prosecution.

This memo discusses the role of the public safety community in improving state cybersecurity preparedness and response capabilities as well as the threats facing the public safety sector.

This paper details the roles of fusion centers in cybersecurity and issues recommendations to enhance those roles.

A center that assists safety officials who are investigating and preventing crimes that involve technology.

This report recommends actions and guidance for states and fusion centers to integrate information technology, cybersecurity, and cyber crime prevention intelligence and analytic capabilities.

The NCC continuously monitors national and international incidents and events that may disrupt emergency communications.

This report identifies challenges faced by law enforcement agencies in confronting cyber crimes and best practices for overcoming these challenges.

This memo highlights best practices for states interested in improving coordination and information sharing with critical infrastructure owners and operators to enhance cybersecurity practices.

The Department of Homeland Security has issued recommendations to help designers, manufacturers, users, and regulators of Internet-connected devices frame how to promote cybersecurity. The guidance is built on six principles and four interagency, cross-sector lines of effort.

This report identifies the challenges states face in protecting their energy systems and infrastructure from cyber incidents and recommendations on overcoming those challenges.

This report outlines recommendations on improving electric grid reliability and resiliency based on best practices from Superstorm Sandy and other extreme events.

This report provides a voluntary mechanism for the Federal Communications Commission to manage cybersecurity risks and provides implementation guidance to help communication providers use and adapt the NIST Cybersecurity Framework.

This document lists recommendations for managing the cybersecurity risk to process control systems in the water distribution and management sector.

This report outlines Connecticut's proposed plan to assess the readiness of utility companies to defend against and respond to cyber attacks.

The PT-ISAC distributes intelligence and analysis on all threats against the transportation sector.

The E-ISAC offers security services to owner and operator organizations of the North American bulk power grid system.

SANS provides immersion training designed to help staff master the practical steps needed to defend systems and networks against cybersecurity threats.

Stay tuned for Meet the Threat: A Podcast Series