It is not hyperbolic to go all out and assert that cybersecurity continues to be a growing concern for governments and businesses alike. These entities continue to suffer massive threats from the ever-sophisticated threat actors. Add the vulnerabilities introduced with the adoption of remote work and increased reliance on e-commerce, and these growing concerns are undoubtedly warranted. Here is a guide to state and local government cybersecurity regulations.
Federal Cybersecurity Regulations
There’s been a more significant focus on federal regulations around security and privacy in the past. A federal regulation that immediately comes to mind is Executive Order 14028 and CMMC. The latter, Executive Order 14028, dubbed Improving the Nation’s Cybersecurity, was signed into law in May of 2021. It mandates the different agencies to enhance cybersecurity. This is, indeed, done through the different initiatives on the security and integrity of software and data. Further, this executive order came in the backdrop of some high-profile information security and ransomware attacks in 2020/21, including the attack targeted at SolarWinds.
An additional federal regulation that has taken prominence is the Cybersecurity Maturity Model Certification (CMMC). This program sets cybersecurity standards for companies in the defense industrial base (DIB). These standards then assure the Department that contractors and subcontractors they work with meet the DoD’s cybersecurity requirements.
In retrospect, Executive Order 14028 and CMMC provide a security framework for federal agencies and the public sector working in unison with the private sector. These establish standard operating procedures at the federal level. Thus, creating a gap that state and local government cybersecurity regulations need to fill. These codify a sustainable relationship enabling local businesses and governments to navigate the murky cybersecurity landscape.
In 2021, there were over 60 state-level laws passed which creates a challenge for SLG agencies when it comes to their navigation. Further, it is incredibly difficult for contractors who transverse the different states as they now have to ensure their compliance across state lines. Here’s a breakdown of the most exciting state cybersecurity laws passed in 2021.
Keeping Up With New State Cybersecurity Regulations
Arkansas Cybersecurity Regulations
This list starts with the Arkansas cybersecurity law. It is dubbed AR S.B. 149 and is an amendment to the Fair Mortgage Lending Act. This bill stipulates that a mortgage broker, banker, or service has the right to establish, implement, update and enforce written physical security and cybersecurity policies and procedures. It, indeed, establishes the cybersecurity policy and procedures that regulate the mortgage industry.
The cybersecurity bill to watch out for in California is CA A.B. 128. In fact, it established a $2,000,000 budgetary allocation to create and operate the Office of Elections Cybersecurity. This newly established office is expected to help minimize overlaps and coordinate statewide cybersecurity efforts performed by the California Cybersecurity Integration Center. In addition to this two million budgetary allocation, the bill also appropriates 10 million dollars to address and maintain projects that represent critical infrastructure deficiencies.
Additional state law to be on the lookout for in Colorado is CO H.B. 1236, which makes provisions for coordinating and setting strategic statewide cybersecurity goals, best practices, and roadmaps. It also enacts the Colorado cybersecurity council, which reviews the need to conduct a risk assessment of any local government systems. Additionally, this council provides any additional cybersecurity services to the local governments.
In Florida, three cybersecurity bills passed in 2021. FL H.B. 1137 was the first, although it is yet to be appended. This bill mandates the Department of Management Services to develop project management and oversight standards for state agency compliance. The DMS also mandates project oversight and approval of vendor bidding. Finally, it is expected to prequalify the contractors and subcontractors that provide services to the state.
FL H.B. 1297 is the second bill that directly relates to cybersecurity. This bill mandates that audit plans from the Inspector General include certain information. Additionally, it establishes the State Cybersecurity Advisory Council within the Department of Management Services that governs DMS.
The final bill from Florida that you should be aware of is FL S.B. 7074, which relates to social media activities and public records. This bill provides information exemptions that come into play when dealing with information on social media platforms.
Hawaii Cybersecurity Regulations
Hawaii has the HI S.B. 1100 that’s awaiting the Governor’s signature. This bill strengthens the existing data security laws and license obligations. In the event that a cybersecurity event occurs, this bill should sufficiently cater to such eventuality.
Iowa had two major cybersecurity bills passed in 2021. The first is IA H.B. 719, which pertains to data security standards. This bill, indeed, handles the investigations and notifications of cybersecurity events. The second Iowa cybersecurity bill is IA H.B. 861, which handles the justice system’s appropriations. This bill handles the gambling regulatory fees and establishes a bureau of cybercrimes expected to handle cybercrime events.
In Illinois, all previous legislation within the state did not define or make provisions for cyber threats. That’s where IL H.B. 3523 comes in. While it is yet to be mandated, it does mandate the expansion of the definition of disaster to include cyberattacks. You also have the IL S.B. 825, which amends the Election Code regarding cybersecurity. The bill mandates that each election authority maintaining a website begin utilizing a .gov website address and electronic mail address.
Indiana’s cybersecurity bill is dubbed IN H.B. 1169, which requires a repository of cybersecurity incidents to be maintained by the office of technology. Additionally, it mandates that all cybersecurity incidences need reporting without unreasonable delays.
In Missouri, the cybersecurity bill is still pending the Governor’s signature. Still, once appended, the bill makes provisions for establishing the Missouri Cybersecurity Commission that will operate under the Department of Public Safety. This commission will analyze all the data from the various state agencies, schools, and higher education institutions to quickly identify risks and vulnerabilities.
Maine mirrored the National Association of Insurance cybersecurity law model. This then saw the establishment of investigation procedures and standards related to data security. Further, the bill aims at protecting the security and confidentiality of all state and non-public information.
Louisiana Cybersecurity Regulations
In Louisiana, you have the LA H.B. 374, which establishes the exception to public records requirements regarding some information from the Secretary of State. An additional bill is the LA H.B. 128, which deals with the state’s financial security and cybersecurity plans and procedures. This bill then provides a cybersecurity playbook for all financial institutions within the state.
Finally, following the 2019 ransomware attack suffered by the Baltimore City government in Maryland, Governor Lee sponsored the primary Maryland cybersecurity law. This bill prohibits the use of ransomware with the intention of disrupting any state infrastructure.
The Main Types of Legislation That Impact IT Teams
Privacy laws govern the collection, storage, safeguarding, use, and disposal of data collected by any entity, including local governments. Indeed, the most comprehensive state data privacy legislation that you ought to be aware of is the California Consumer Privacy Act (CCPA). Signed into law in 2018 and effected in January of 2020, the CCPA is cross-sector privacy legislation that safeguards the individual consumer rights of all California residents.
Upcoming privacy legislation you should be on the lookout for is the Massachusetts Information Privacy and Security Act. Massachusetts will then be the sixth state to enact a comprehensive data privacy law that will see Massachusetts residents’ personal information inviolable. An opt-in consent must occur for any entity to sell the personal information of any of the state’s residents. Overall, the Act puts stringent rules on collecting and selling personal data.
Security legislations encompass legal provisions that apply to IT teams. These also include policies, methods, means, and standards meant to protect data and other IT infrastructure from unauthorized access, use, disclosure, modifications, or destruction. Further, this type of legislation aims to ensure confidentiality, availability, and integrity of all data and IT assets. Concisely, security legislation helps govern information acquisition, transmission, and storage.
Reporting acts aim to remove a piece of advantage by requiring businesses and governments to employ greater cybersecurity transparency, especially following a cyber event. An example of reporting legislation is the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in March of 2022. The latter mandates businesses and local governments to report any cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) as soon as they occur.
In retrospect, reporting legislation help with fine-tuning cyber crisis management programs across the different programs by increasing regulatory requirements. Essentially, these provide a cybersecurity incident and response playbook that helps prevent the compromise of essential services.
Appropriations and Funding
Being aware of when the different states have budget carve-outs for cybersecurity is vital. This information comes in handy when the business is looking to compete for contracts or applying for grants to complete its cybersecurity initiatives. An example of an appropriation and funding legislation is the CA A.B. 128.
Learn More About State and Local Government Cybersecurity Regulations
Agile IT has experts in implementing State and Local Government Cybersecurity Regulations. In fact, they help organizations and contractors create unified security plans to reduce the amount of duplicated work across compliance initiatives. Contact us today, and let’s walk your organization through state and local government cybersecurity regulations.