Answering the survey—based on the National Institute of Standards and Technology’s cybersecurity framework—is mandatory for certain grant recipients.
A survey the Cybersecurity and Infrastructure Security Agency makes available every year for state, local, tribal and territorial governments to assess their cybersecurity is now open.
The annual survey is a result of legislation Congress passed in 2010 instructing CISA’s predecessor agency to make a “comprehensive effort to assess the security level of cyberspace at all levels of government,’’ according to a notice published in the Federal Register Monday. The notice includes a request for comment in response to the Office of Management and Budget’s routine Paperwork-Reduction-Act review.
The 2010 legislation gave DHS the authority to “develop the necessary tools for all levels of government to complete a cyber network security assessment so that a full measure of gaps and capabilities can be completed in the near future,’’ according to the notice.
Since then, CISA has submitted a summary report to Congress every two years with the results of the survey, which is based on the National Institute of Standards and Technology’s cybersecurity framework and conducted anonymously on a platform called LogicManager.
In 2019, the Federal Emergency Management Agency “made the NCSR a requirement for recipients and subrecipients of the two major programs under the Homeland Security Grant Program—the State Homeland Security Program and the Urban Area Security Initiative,” according to the most recent summary report, from 2020.
The White House recently announced 1 billion in funding for grants FEMA will administer to improve SLTT governments’ cybersecurity. The deadline for applications is Nov. 15.
About 3000 participants have opted to fill out the survey in previous years. While they all consistently demonstrated cybersecurity below the recommended maturity level—by not having cybersecurity policies in place, for example—officials have recently observed improvements, based on their answers.
“Organizations that have mandated cybersecurity reporting to executives score significantly higher than those that do not,” the 2020 report notes.
The review is accessible every year from October through February through the Multistate Information Sharing and Analysis Center and is sometimes extended to increase participation, according to the notice. Respondents will receive links to resources based on their answers.