Public sector organizations face higher than ever risks of cybersecurity breaches, and it is important to conduct regular self-assessments to identify vulnerabilities and mature cybersecurity programs over time. The Nationwide Cybersecurity Review (NCSR) is a no-cost assessment, sponsored by the U.S. Department of Homeland Security (DHS) and conducted by the Multi-State Information Sharing and Analysis Center (MS-ISAC®). It is open to all U.S. public sector organizations at the state, local, tribal, and territorial (SLTT) level. Using the results of the assessment, DHS delivers a bi-yearly, anonymous summary report to Congress, providing a broad picture of the cybersecurity maturity across the SLTT communities.
The assessment and resulting report provide IT directors and cybersecurity employees at public sector organizations with actionable recommendations to drive improvements in cybersecurity practices. Repeat participants of the NCSR saw an average six percent increase in maturity scoring year over year.
The current NCSR summary report features aggregate data findings from assessments conducted anonymously, between October 2022 and February 2023. This year had record participation of more than 3,600 organizations.
Nationwide Cybersecurity Review (NCSR) Findings:
State, local, tribal, and territorial (SLTT) organizations are showing year-to-year improvements in their cybersecurity maturity, as shown in data findings within the Nationwide Cybersecurity Review (NCSR) program.
Higher-scoring areas from the NCSR assessment included identity management and access control, awareness and training, and recovery planning. The report suggests this may indicate areas of primary focus. The MS-ISAC team noted, “It is possible that more organizations nationwide are focusing time and resources on these types of processes and activities, as knowledge of cyber incidents and their impacts have become more common in recent years.”
Lower-scoring areas included risk management activities, testing of response and recovery plans, and implementation of vulnerability management plans. While the organizations may have response and recovery plans in place, the report suggests that “these various activities may not have been formalized or tested consistently. This could be due to factors such as time, staffing, and resources.”
79% percent of NCSR respondents stated they have fewer than five dedicated security employees, and 72% identified “lack of sufficient funding” as their top security concern.
Recommendations:
SLTT organizations can look to strengthen their cybersecurity posture by implementing the following steps:
- Utilize federally funded services from organizations such as the MS-ISAC and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to establish the performance of cybersecurity activities.
- Create security policies and communicate the policy information to executives, employees, and third-party stakeholders.
- Report organizational cybersecurity metrics to management or executive teams as a means of justifying and prioritizing future cyber investments.
- Identify necessary improvements and capabilities to measure changes in maturity over time.
- Evaluate practices within a formal cybersecurity framework, such as the CIS Critical Security Controls (CIS Controls) or NIST’s Cybersecurity Framework (CSF), and plan for implementation.
The NCSR serves as a valuable tool, empowering SLTT organizations to navigate the complex cybersecurity landscape. With customized findings and actionable steps, the NCSR guides entities toward a more secure environment. At the Center for Internet Security, we encourage all SLTT entities to take part in the assessment and to take advantage of the valuable insights it offers.
