As I travel the country (in a virtual way of late), I often get asked questions like this from public- and private-sector leaders:
- Where can state and local governments go to learn what’s being done in other parts of the country that is new, innovative and effective?
- What cybersecurity and technology case studies, stories and examples stand out, with metrics to show meaningful business results?
- What methodologies can be used to ensure that people, process and technology aspects are taken into consideration when implementing “disruptive” enterprise-wide cyber projects?
- Where is return on investment (ROI) data shown with clear numbers regarding these “expensive” technology initiatives?
- Where can I get new ideas that work in my government?
While there are many answers to these questions, one of the most enduring sets of solutions have come from the National Association of State Chief Information Officers (NASCIO).
WHO IS NASCIO AND HOW CAN THEY HELP?
Two years ago, I wrote this blog before NASCIO’s 50-year anniversary celebration at the annual conference in Wisconsin. Here’s an excerpt:
“As we head into the 2020s, NASCIO continues to offer a collective voice in congressional testimonies, state procurement initiatives, cybersecurity and so much more. The NASCIO Award website is a treasure trove of great projects that are ‘shovel ready’ (to borrow an older term) for other states and local governments to implement to enhance their services. Note: I have written about NASCIO awards numerous times, in ‘how to’ blogs for the NASCIO Community as well as in after conference summary blogs for govtech.com. To say that governments and private-sector CxOs can gain huge value from the NASCIO best practice white papers and awards website is an understatement.”
The blog goes on to describe the value proposition that NASCIO has provided for over 50 years, as well as additional information on benefits offered.
2021 CYBER BEST PRACTICES LIBRARY
But the focus of this blog is the current year’s NASCIO cybersecurity awards. The list of 2021 cybersecurity award applications can be found here.
While I recommend reading all of these award website submissions from many different states, a recent NASCIO press release announced the three 2021 cybersecurity finalists:
I highly recommend reading these three award-winning submissions. Here are a few excerpts from the executive summary from each state project. Go to the full writeups for the project details and results obtained.
“While state government is not typically perceived as a merchant, ongoing system modernization efforts mean more digital government financial transactions are made with debit and credit cards. That raises our vulnerability risks. Merchants are the main target for financial fraud, enabling criminals to easily steal and use personal consumer financial information from payment card transactions and processing systems. When a merchant is affected by security breaches, it also affects consumers; more than 11,733,087,704 records with sensitive information have been breached since 2005, according to PrivacyRights.org.
“Minnesota IT Services commitment to securing our state is a key tactical priority to 1) better protect applications and citizen data and 2) to mature risk management and communication.
“As the state of Minnesota is a key participant in payment card transactions, the state of Minnesota must use standard security procedures and technologies to thwart theft of cardholder data.
“To achieve the MNIT 2020 Tactical Plan Secure the State goal, this project established a new payment card industry (PCI) program to monitor state compliance and secure cardholder data environments (CDE). The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL entities that accept, process, store or transmit credit card information maintain a secure environment. Compliance with the PCI DSS helps to alleviate these vulnerabilities and protect cardholder data. It also helps to minimize the potential impacts of a breach of cardholder information.
“The project included the development and implementation of a new MNIT PCI Program, including new processes, people, and technologies to assess, manage, and report PCI compliance. The program includes a team with PCI expertise to assist agencies.
“Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem including point-of sale devices; mobile devices, personal computers or servers; wireless hotspots; web shopping applications; paper-based storage systems; the transmission of cardholder data to service providers, and in remote access connections. Vulnerabilities may also extend to systems operated by service providers and acquirers, which are the financial institutions that initiate and maintain the relationships with merchants that accept payment cards.”
“Cyber incidents continue to be an increasing concern for state, local, and academic institutions in North Carolina. Every year, there has been a noted increase of attacks in the form of ransomware, data exfiltration and extortion and others, which have a devastating impact to our state’s critical infrastructure. This trend is forecasted to continue and remain a pervasive occurrence in the upcoming years.
“From 2016 to 2019, local governments, community colleges and public school systems in North Carolina reported 17 ransomware attacks of varying degrees to the N.C. Department of Information Technology. In 2020, alone, NCDIT received the same number of reports. Of the 34 attacks since 2016, city or county government entities reported 31 of them.
“While we know there is no way to avoid all attacks, North Carolina has adopted a Whole-of-State approach to cybersecurity that is working to prevent and prepare for incidents, and support entities when they occur. This approach has three main components:1. Data sharing through the NC Information Sharing Analysis Center (NC-ISAC)2. The creation of the N.C. Joint Cybersecurity Task Force, and 3. Implementing mandatory incident reporting.
“Information sharing and collaboration are crucial in fighting cybercrime. All levels of government must communicate with each other to prevent and mitigate the effects of cybersecurity incidents. Cyberattacks are evolving and becoming more sophisticated. It is an all hands on deck approach to fighting it. We cannot be siloed in our collection of information. Information sharing is key to preventing cyberattacks from happening and mitigating their impact when they do.
“Through North Carolina’s comprehensive and collaborative approach, we have been able to provide support to all 100 counties whether it be preventing an event by providing monitoring tools, to providing training and tabletop exercises to actually providing boots on the ground when an incident occurs. The cybersecurity community in NC government has become a big team that supports one another and shares knowledge and experiences.”
“The Ohio Digital eXperience (ODX) was the first iteration of the State of Ohio’s continuous efforts to be a leader in the areas of digital identity, security and privacy, and an intuitive user experience. That goal was built upon and rebranded as Ohio’s Identity system (OH|ID).
“Beginning in January of 2020, as the world became aware of a global pandemic, efforts began on the third iteration of enhancements — OH|ID NEXT — which brought with it many new self-service tools and user account services. Notable among them:
- Audience Manager, a self-service tool for agencies to manage role-based access controls for their web-based applications.
- A secure Application Programming Interface (API) that allows agency applications to interact with Audience Manager and maintains a focus on automation, giving agencies the ability for Just-In-Time provisioning of both course-grained and fine-grained permissions within their applications.
- Within the citizen portal, users can opt to complete three levels of identity assurance, including ‘Basic’ (account creation and email verification), ‘Intermediate’ (verified via third-party identity proofing), and ‘Advanced’ (linked to the valid, State-issued ID card on-file with the Bureau of Motor Vehicles, Ohio Department of Public Safety).
- A ‘Recent Activity’ tab displays the geographic location of logins within the past 12 months and whether it was successful. Users can also report suspicious activity.
- A ‘Devices’ tab shows the device used for each login attempt (desktop, mobile, etc.) and device activity for recent logins. The user can name or hide a listed device.
“Of all the tools and account services in OH|ID NEXT, Audience Manager has proven to be the most revolutionary. Audience Manager provides agencies the ability to manage roles and access for their applications at the appropriate level within their organization. Anyone granted access to the application can create one of two different audience types for either course-grained or fine-grained access and manage ownership, membership, and (optionally) approvals for access to each of their federated applications.
“Those audiences can then be queried through a user token or API interface by an application to ensure that once a user is properly authenticated, they are also only getting the content for which they are authorized. Every action is logged back to a central repository, which provides full audit and compliance functionality that meets or exceeds National Institute of Standards and Technology, other federal, state, and accessibility regulations and standards.
“Citizens and the State workforce are also empowered to control the security surrounding their accounts. Any change to their account is communicated through their verified email address. Every login attempt and device is listed, and any suspicious activity can be immediately reported, without the user having to navigate to another screen. Agency applications for citizens or state employees can also choose to require Multifactor Authentication (MFA) to further protect against malicious activity from bad actors and protect the sensitive functions of integrated applications through the appropriate use of security controls.”
As the former state of Michigan CSO, CTO and CISO, I can tell you that these awards are a big deal to the individual states, and winning offers bragging rights. Our Michigan teams were always proud of our award-winning projects that received national (and even international) recognition as best practices.
The top 2021 award-winning projects will be announced at the awards dinner in Seattle in October during the NASCIO Annual Conference.
But putting the “pat on the back” and kudos aside, the NASCIO awards library offers an amazing treasure trove of projects in so many technology and business categories, including cybersecurity, for others to learn from.
I implore federal, state and local governments to read these submissions before starting major new strategic efforts on the same or similar topics. I encourage making a few phone calls to save money and time, and ultimately deliver better projects (on time and on budget) by learning from others who have gone before you.