Why State and Local Government Cybersecurity Can No Longer Be an Afterthought
Ransomware attacks against municipalities. Data breaches at county health departments. Unauthorized access to voter registration systems. State and local government entities have become prime targets for threat actors precisely because they hold vast amounts of sensitive citizen data and often operate with limited IT security budgets and aging infrastructure.
As President and CISO of Cleared Systems, I work with organizations across the federal and SLED spectrum every day. What I see consistently at the state and local level is a gap between the urgency of the threat environment and the maturity of the security programs in place to address it. That gap is shrinking in some jurisdictions — but not fast enough.
This checklist is designed for compliance managers, IT directors, and senior executives at state and local government agencies who want an honest, practical accounting of where their cybersecurity program stands against baseline standards. It is not theoretical. Every item on this list reflects a real control area where agencies either meet the bar — or don't.
The Regulatory and Framework Landscape for SLED Cybersecurity
Unlike federal agencies, which operate under mandates like FISMA and NIST SP 800-53, state and local governments face a more fragmented regulatory environment. That said, several frameworks and requirements now define what baseline looks like for the SLED sector:
- NIST Cybersecurity Framework (CSF): The most widely adopted voluntary framework for state and local agencies, organized around the five functions of Identify, Protect, Detect, Respond, and Recover.
- CISA guidelines and advisories: The Cybersecurity and Infrastructure Security Agency actively publishes binding operational directives and advisories that increasingly apply to or influence state and local government practices, particularly for critical infrastructure sectors.
- State-specific mandates: Many states have now enacted their own cybersecurity laws requiring agencies to maintain documented security programs, report incidents within defined windows, and conduct regular risk assessments.
- Grant conditions: Federal funding through programs like the State and Local Cybersecurity Grant Program (SLCGP) comes with explicit cybersecurity planning requirements that agencies must meet to remain eligible.
Understanding which frameworks and mandates apply to your agency is the starting point. From there, the checklist below tells you whether your program actually measures up. You can also review our dedicated Federal and SLED Risk Assessment services for a structured approach to evaluating your current posture against applicable standards.
State and Local Government Cybersecurity Checklist
1. Governance and Risk Management
- Documented cybersecurity policy: Your agency has a current, board- or executive-approved information security policy that establishes roles, responsibilities, and accountability.
- Designated security leadership: A specific individual — whether an in-house CISO, IT security director, or regulatory vCISO — owns the cybersecurity program and has authority to act on findings.
- Annual risk assessment: You conduct a formal cybersecurity risk assessment at least annually, documenting identified threats, vulnerabilities, and risk treatment decisions.
- Risk register: Identified risks are tracked in a living document with assigned owners, treatment plans, and target remediation dates.
- Board or executive-level cybersecurity reporting: Leadership receives regular briefings on cybersecurity posture, not just when an incident occurs.
2. Asset Management and Inventory
- Hardware inventory: You maintain an accurate, up-to-date inventory of all devices connected to your network, including endpoints, servers, IoT devices, and mobile devices.
- Software inventory: All authorized software is documented. Unauthorized software installation is restricted and monitored.
- Data classification: Sensitive data — including personally identifiable information (PII), protected health information (PHI), and law enforcement records — is classified and handled according to documented policies.
- Cloud asset visibility: Cloud-hosted systems and data are included in your asset inventory, not treated as outside the scope of your security program.
3. Access Control
- Least privilege enforcement: User accounts are provisioned with the minimum permissions necessary to perform job functions. Administrative privileges are tightly restricted and reviewed regularly.
- Multi-factor authentication (MFA): MFA is enforced for all remote access, privileged accounts, and access to systems containing sensitive data. CISA has made MFA a Baseline Cyber Hygiene requirement, and gaps here are among the most commonly exploited entry points.
- Account lifecycle management: Accounts are disabled or removed promptly when employees leave or change roles. Dormant accounts are reviewed and deprovisioned on a defined schedule.
- Third-party access controls: Vendors and contractors with access to your systems are subject to the same access control standards as internal staff.
4. Vulnerability Management and Patch Management
- Regular vulnerability scanning: Automated vulnerability scans are conducted on a defined schedule — at minimum monthly for internet-facing systems.
- Patch management program: Critical patches are applied within defined timeframes. CISA's Known Exploited Vulnerabilities (KEV) catalog is used to prioritize remediation.
- Penetration testing: Your agency conducts periodic penetration testing to validate that controls are effective, not just present.
- Remediation tracking: Vulnerabilities and findings are tracked to closure, with documented accountability for remediation.
5. Incident Response and Recovery
- Documented incident response plan: You have a written, tested incident response plan that defines roles, escalation procedures, notification requirements, and recovery steps.
- Tabletop exercises: Incident response plans are exercised at least annually through tabletop or simulation exercises. Lessons learned are incorporated into plan updates.
- Backup and recovery capabilities: Critical data is backed up regularly, backups are stored offline or in isolated environments, and restoration procedures are tested.
- State reporting compliance: Your agency understands and meets applicable state-mandated incident reporting deadlines, which in many states now require notification within 72 hours.
6. Security Awareness Training
- Annual security awareness training: All employees complete security awareness training at least annually, covering phishing, social engineering, password hygiene, and acceptable use.
- Phishing simulation: Simulated phishing campaigns are conducted regularly to measure susceptibility and reinforce training outcomes.
- Role-based training: Employees with elevated access or specialized responsibilities — IT staff, finance, HR — receive training tailored to their specific risk exposure.
- New hire onboarding: Security training is included in onboarding before new employees are granted system access.
7. Network Security and Perimeter Controls
- Firewall and perimeter protection: Network firewalls are deployed, configured according to documented standards, and reviewed regularly.
- Network segmentation: Critical systems — especially those containing sensitive citizen data — are logically segmented from general-purpose networks.
- DNS filtering and email security: DNS-layer filtering and email security controls are in place to block malicious content before it reaches endpoints.
- Remote access security: VPN or zero-trust remote access solutions are used for remote work, with MFA enforced at the gateway.
8. Third-Party and Supply Chain Risk
- Vendor security assessments: Technology vendors and managed service providers are evaluated for cybersecurity posture before contract award and periodically during the relationship.
- Contractual security requirements: Vendor contracts include cybersecurity requirements, incident notification obligations, and the right to audit.
- Software supply chain awareness: Your agency has visibility into the software components used in critical systems and monitors for known vulnerabilities in those components.
Common Gaps We See in SLED Cybersecurity Programs
Based on our experience conducting SLED risk assessments, the gaps we encounter most frequently at state and local agencies fall into predictable patterns. Understanding them can help you prioritize where to focus first.
MFA is partially deployed but not universal. Many agencies have enabled MFA for some applications or some users — but critical systems are still accessible with a username and password alone. Partial deployment creates a false sense of security while leaving significant exposure.
Incident response plans exist but have never been tested. A document in a drawer is not an incident response capability. Agencies that have never exercised their plan will discover its gaps during an actual incident — at the worst possible time.
Third-party risk is underestimated. Managed service providers, cloud vendors, and software suppliers represent a significant attack surface for state and local agencies. Many breaches trace back to a compromised vendor rather than a direct attack on the agency.
Patch management is inconsistent across legacy systems. Aging infrastructure creates real constraints, but unsupported and unpatched systems are among the most reliable entry points for threat actors. Agencies need a documented compensating control strategy where patching is not immediately feasible.
Security leadership is underfunded or fragmented. Many smaller jurisdictions lack a dedicated security leader entirely. A regulatory vCISO engagement is often the most cost-effective way to close this gap without the overhead of a full-time executive hire.
Where to Start: Prioritizing Your Remediation Roadmap
Not every agency can address every gap simultaneously. If you are working from a position of limited budget and staffing, prioritize in this order:
- MFA for privileged and remote access — highest immediate impact on reducing breach risk
- Tested incident response and backup capabilities — essential for recovery from ransomware and other destructive attacks
- Vulnerability scanning and critical patch cadence — reduces exploitable attack surface systematically
- Security awareness training with phishing simulation — addresses the human element, which remains the most common initial attack vector
- Formal risk assessment with documented findings — provides the baseline for all subsequent planning and resource allocation
A structured approach to compliance program development can help your agency build these capabilities in a logical sequence, with clear milestones and accountability at each stage. Our Compliance Program Development service is specifically designed for organizations building or maturing a program under resource constraints.
The Role of Federal Funding in SLED Cybersecurity
The State and Local Cybersecurity Grant Program administered by CISA provides meaningful funding for eligible jurisdictions — but accessing that funding requires demonstrating that your agency has a cybersecurity plan, a governance structure, and a prioritized set of investments. Agencies that have completed a formal risk assessment and documented their current posture are positioned to make a compelling case for grant funding.
If your agency has not yet completed a risk assessment aligned to NIST CSF or an equivalent framework, that should be your first step — both for the security benefits and for the eligibility documentation it produces.
How Cleared Systems Supports State and Local Government Cybersecurity
Cleared Systems works with state and local government entities across the full lifecycle of cybersecurity program development — from initial risk assessments and gap analysis through policy development, control implementation, and ongoing program management. Our team brings direct experience with the NIST CSF, NIST SP 800-53, and the specific grant and compliance requirements that shape SLED cybersecurity obligations today.
We understand that state and local agencies operate under real budget and staffing constraints. Our engagement models are structured to deliver meaningful outcomes without requiring a six-figure internal headcount to support them. For organizations that need executive-level security leadership without a full-time hire, our Regulatory vCISO Services provide the strategic oversight, board-level reporting, and program accountability your agency needs.
If your agency is also a federal contractor or interacts with federal systems, you may have additional obligations under frameworks like NIST SP 800-171 or CMMC. Our team can help you understand and address those requirements alongside your SLED baseline obligations. Learn more about how we support federal and defense sector organizations and review our Federal and SLED Risk Assessment offerings to understand what a structured assessment engagement looks like in practice.
Take the Next Step
If your agency cannot confidently check every box on this list, you are not alone — and the gaps are fixable with the right roadmap and support. The agencies that are meaningfully improving their cybersecurity posture are not necessarily the ones with the largest budgets. They are the ones with the clearest picture of where they stand and a structured plan to close the distance. Contact Cleared Systems today to request a quote for a SLED risk assessment or compliance program engagement, or explore our engagement models to find the structure that fits your agency's size, budget, and timeline.
