Nationwide Cyber Security Review (NCSR) Summary Report

August 17, 2017

East Greenbush, NY

Annual Survey Measures Cybersecurity Maturity and Risk Awareness Within State, Local, Tribal, and Territorial Governments

CIS’ Multi-State Information Sharing & Analysis Center (MS-ISAC®) offers a valuable free cybersecurity assessment resource for state, local, tribal, and territorial (SLTT) governments.

The NCSR question set was built upon the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) Core, with some minor alterations. The Core consists of a collection of cybersecurity-related activities organized into five main functions: Identify, Protect, Detect, Respond, and Recover. Using the NIST Framework, entities are provided scores within the NIST CSF functions and categories.

The 2016 NCSR survey reported:

  • The SLTT community continues to show improvement in their overall cybersecurity maturity. There was modest improvement identified amongst state governments (3 percent) in comparison with local governments, which reported substantial improvement (11 percent).
  • The local government community, although improving at a faster rate, continues to lag behind states in overall security maturity level.
  • Lack of financial and staff resources continues to be a key factor hindering the ability of the SLTT community to improve security programs to an acceptable minimum recommended maturity level.
  • State governments continue to be weakest in the Identify Function and strongest in the Respond Function.
  • Local governments continue to be weakest in the Detect Function and strongest in the Protect Function.
  • Tribal governments are similar to local governments in that they are strongest in the Protect Function.
  • The Detect Function continues to represent the largest maturity gap between state and local governments.

Tom Duffy, Chair of the MS-ISAC, noted: “It is great to see progress in the cyber maturity level of the state, local, tribal, and territorial governments. However, there is still a long road to go before a majority of the SLTTs meet the recommended minimum level of cybersecurity maturity.”

View the most recent Summary Report, for the 2016 Nationwide Cyber Security Review, here.

The 2017 Nationwide Cyber Security Review is open between Oct. 2 and Dec. 15, 2017. Please visit MS-ISAC Services page to register and learn more!


The NCSR utilizes a maturity scale that assesses how an organization is addressing the different activities within the NIST CSF. The maturity scale allows participants to indicate how formalized these cybersecurity activities are within their organization. In order to provide a target for the SLTT community, a team of SLTT cybersecurity professionals developed a recommended minimum maturity level as a common baseline for the NCSR.

The 2016 Summary Report provides a point-in-time comparison, based upon respondents’ input, which allows SLTT entities to compare their responses to others within their peer groups.

For more information on the NIST CSF, please visit: NIST Cybersecurity Framework.

Benefits for an SLTT to Participate in the NCSR

  • Acquires metrics to assist in cybersecurity investment justifications
  • Anonymously measures results against peers
  • Receives recommendations to improve cybersecurity posture via NIST, COBIT, ISO, and CIS Controls
  • For HIPAA-compliant agencies, translates NCSR scores to the HIPAA Security Rule scores for an automatic self-assessment tool
  • Measures progress against the NIST Framework
  • Develops a benchmark to gauge year-to-year progress
  • Metrics serve as a communication tool for users to express their needs to key stakeholders
  • Contributes to the nation’s cyber risk assessment process
  • Aligns with the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (NIST CSF):

About CIS

CIS is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats. Our CIS Controls and CIS Benchmarks are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continuously refined and verified by a volunteer, global community of experienced IT professionals. CIS is home to the Multi-State Information Sharing & Analysis Center (MS-ISAC), the go-to resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities.