2022 NCSR: SLTTs Excel in Recovery Planning and Mitigation
Between the first eight months of 2022 and the same period in 2023, the Multi-State Information Sharing and Analysis Center (MS-ISAC) witnessed an increase in several types of cyber attacks affecting U.S. State, Local, Tribal, and Territorial (SLTT) government organizations. These categories included the following:
- Malware – Cyber attacks involving remote access trojans (RATs) increased 148% during the reporting period. By comparison, attacks involving cryptominers grew just 27%, while infostealers were 35% more prevalent in 2023 than they were the previous year.
- Non-Malware – Command shell activity rose 37% between 2022 and 2023, according to the MS-ISAC. Suspicious SSL certificates weren't too far behind at 30% growth, while cyber attacks leveraging pentesting software were 9% more frequent.
- ESS Incidents – Over the first eight months of 2023, the MS-ISAC documented a 313% increase in security incidents detected by CIS Endpoint Security Services (ESS).
- Ransomware Incidents – Ransomware incidents were 51% more prominent during the first eight months of 2023 than they were during the same period a year earlier.
The MS-ISAC’s findings highlight SLTTs’ need to evaluate their cybersecurity maturity and make improvements on an ongoing basis. Fortunately, they can do both using the Nationwide Cybersecurity Review (NCSR).
In this blog post, we’ll share some findings from the 2022 NCSR and provide some recommendations that SLTTs can use to strengthen their cyber defenses going forward.
Notable Data Points of the 2022 NCSR
The NCSR is an annual, no-cost, and anonymous self-assessment that you can use to measure gaps and capabilities in your SLTT government’s cybersecurity program. You can also use the NCSR to gauge your cybersecurity posture relative to your peers.
A total of 3,681 SLTT government organizations participated in the 2022 NCSR. That's up from 3,267 participants in the previous year's report. Of those that participated, 3,122 were local organizations, 466 were state agencies, and 15 were tribal organizations.
Return Participants Strengthen Their Cybersecurity
NCSR participants who returned in 2022 saw a 6% average increase in maturity scoring. According to the MS-ISAC team, this benefit traces back to improved visibility and the availability of supporting resources.
“The NCSR program provides automated data reporting and visuals to each end-user which show cybersecurity activities that are currently formalized as well as activities that are not being performed,” the team explained. “The NCSR program also provides an automated report to each end-user. It displays no-cost resources that can assist with the deficient areas identified within their organization’s NCSR assessment. Finally, best practice resources are provided alongside the NCSR reporting to assist an organization with reviewing, communicating, and utilizing the applicable metrics. This enables a participant to create a roadmap for prioritizing and implementing cybersecurity actions on an annual basis.”
Four Categories Where SLTTs Excelled in Cybersecurity
In the 2022 NCSR, participants performed well in two "Protect" security categories: Protect – Identity Management and Access Control (PR.AC) and Protect – Awareness and Training (PR.AT). Additionally, they demonstrated a high level of maturity in both Respond – Mitigation (RS.MI) and Recover – Recovery Planning (RC.RP).
These categories might be tangible for most SLTT government organizations, the MS-ISAC team noted. But there might be another reason for these findings.
“The higher-scoring categories may also be a current focus area for many organizations,” they clarified. “For example, the ‘Respond – Mitigation’ category focuses on processes to lessen the severity of an incident. It is possible that more organizations nationwide are focusing time and resources on these types of processes and activities, as knowledge of cyber incidents and their impacts has become more common in recent years.”
The same may apply for ‘Recover – Recovery Planning,’ as more NCSR participants could be working to have a disaster recovery plan in place that they can use after an incident.
One Category Where SLTTs Struggled with Their Cybersecurity
Among some of the other NCSR categories, Protect – Information Protection Processes and Procedures (PR.IP) stood out as an area where SLTTs struggled. This finding reveals that many SLTT government organizations are still in the process of formalizing their cybersecurity programs.
“Several of the activities within the ‘Protect – Information Protection Processes & Procedures’ category require testing and formalization of certain processes,” the MS-ISAC team observed. “This includes formal development and implementation of a vulnerability management plan as well as testing of response and recovery plans. Based on MS-ISAC member feedback, an organization may have a process in place to address vulnerabilities, and there may be response/recovery plans in place, but these various activities may not have been formalized or tested consistently. This could be due to factors such as time, staffing, and resources.”
That's a strong possibility, as lack of sufficient funding and inadequate availability of cybersecurity professionals remain key challenges for SLTT government organizations.
Top 5 Cybersecurity Concerns (Source: 2022 NCSR)
The 2022 NCSR Overview
High Performance Cybersecurity Activities for the SLTT Community
- Issuing, Managing, and Verifying Identities/Credentials for Authorized Devices, Users, and Processes
- Maintaining Inventories of Physical Devices and Systems
- Managing and Protecting Physical Access to Assets
- Managing Remote Access
- Protecting Network Integrity
Cybersecurity Areas of Deficiency for the SLTT Community
- Testing Response and Recovery Plans
- Usage of Integrity-Checking Mechanisms to Verify Hardware Integrity
- Separating Development and Testing Environments from the Production Environment
- Implementing a System Development Life Cycle to Manage Systems
- Developing and Implementing a Vulnerability Management Plan
The MS-ISAC team has some thoughts on how to turn the last finding around:
"One of the deficient activities is specific to having a vulnerability management plan developed and implemented. This has been a topic of discussion and interest from the SLTT community. CIS and the MS-ISAC compiled no-cost resources for continuous vulnerability management within the following guide: Establishing Essential Cyber Hygiene. A vulnerability management policy template is also publicly available. Having capabilities in place and then a policy/plan documented can improve this activity for the SLTT community."
Recommendations for SLTTs Going Forward
Regardless of whether they participated in the 2022 NCSR, SLTT organizations can look to strengthen their cybersecurity posture by implementing the following steps:
- Utilize federally-funded services from organizations such as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the MS-ISAC along with open-source tools to establish performance of cybersecurity activities.
- Create security policies and communicate the policy information to executives, employees, and third-party stakeholders.
- Report organizational cybersecurity metrics to management or executive teams as a means of justifying and prioritizing future cyber investments.
- Identify necessary improvements and capabilities to measure changes in maturity over time.
- Evaluate practices within a formal cybersecurity framework, such as the CIS Critical Security Controls (CIS Controls) or NIST's Cybersecurity Framework (CSF), and plan for implementation.
Look to the Future of Your Cybersecurity
“I was responsible for creating a security program, mostly from the ground up. The NCSR has been extremely valuable as a roadmap and gap assessment over the past 3-4 years.”
– A 2022 NCSR participant
The 2023 NCSR will be available from October 1, 2023, through February 29, 2024.