With cyber risk for state and local governments remaining top of mind, digital leaders within these entities are looking to assess and protect their systems for the dark days ahead — cue the beginning of a government digital transformation.
Unlike the federal government, not all state governments have mandates outlining the steps they need to take to assess and secure their information. A range of private sector approaches exist, but state governments especially would do well to consider adopting the federal standards outlined in the National Institute of Standards and Technology (NIST) Risk Management Framework.
The Risk Management Framework (RMF) provides “a process that integrates security, privacy, and cyber risk for supply chain management activities into the system development life cycle.” According to NIST, the RMF approach can be applied to “new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector.”
Assessing organizational risk to all systems is vital to establishing the safest and most effective information security and privacy programs. And in DMI's experience, implementing NIST's Risk Management Framework at the state level is the recommended practice.
Those state governments that do implement the NIST RMF benefit in several ways:
Government employees – specifically knowledgeable digital leaders – can enjoy peace of mind. Their governments are using a framework that the federal government has adopted, so they can be reasonably sure that – if followed – the RMF will put them in the best position to secure their systems from bad actors.
Government employees working in information security have a road map. Navigating the new standard of relentless cyberattacks is terrifying for many state employees. Following the NIST RMF eliminates guesswork and provides a clear path forward for government entities. It can also help to guide governments in selecting systems and platforms during future government digital transformation initiatives.
State governments that adopt the RMF have a better chance of securing federal funding for cyber security efforts. The Department of Homeland Security is familiar with the NIST RMF implementation. Knowing a state or local government applicant is implementing – or has implemented – the NIST RMF can help build confidence that an investment of federal dollars by DHS will be well-spent.
State governments can ensure a swift ATO process by encapsulating a cyber risk assessment process as a pre-requisite for the ATO approval process.
By implementing a NIST RMF, state governments can gain an agile security foundation that can scale quickly with frequently changing security needs.
State government data collides with federal government data. Since the cyber framework for the federal government is the NIST RMF, the standard framework allows for a lower cyber risk posture as data transfers between state and federal governments.
Taking the right steps to eliminate risk and secure state government systems can be challenging. After all, so much is at stake.
DMI has experience building a NIST RMF structure from the ground up at the state level. We absolutely love talking with state and local digital leaders who are exploring how RMF would benefit their systems, sharing our lessons learned and best practices.
We help our state and local partners to understand their risk tolerance and to prioritize cybersecurity activities so that they can make informed decisions about cybersecurity expenditures. We also build effective cyber risk management strategies that seamlessly integrate security into existing organizational processes. NIST RMF is designed to be highly tailorable in its application. DMI can assist you in tailoring this framework to make sense for your environment.