2018 Cybersecurity in State Legislatures Survey

7/23/2018

Overview

Addressing cybersecurity threats is a growing concern for legislative technology managers, according to the results of a July 2018 NALIT survey of key information technology CIOs and managers in state legislatures (key contacts).

The 2018 survey follows surveys in 2017 and 2016 that asked about legislative information technology (IT) priorities. Those surveys identified “combating security threats and taking increased security measures” as either the “most important” or an “important” priority for a majority of respondents in the next one to three years. In addition, more than half of respondents (55 percent) indicated that keeping up with security threats was “very challenging,” up from about 45 percent in 2016.

Given the importance of cybersecurity issues, in July 2018, the National Association of Legislative Information Technology surveyed key contacts to gather more details about the current state of cybersecurity staffing, policies and training in legislatures. 

Summary Results

The 29 survey respondents represent 28 states. Twenty respondents work in offices serving both chambers and all offices in the legislature. Eight others serve only the upper or lower chamber, and one respondent serves only a legislative agency. Three respondents preferred to remain anonymous (i.e., did not indicate a state).

Staffing

Seven respondents indicated that their office employs a chief information security officer (CISO) or equivalent (a full-time staff person dedicated to and authorized to oversee IT security for the legislature). Five of the seven states indicated the CISO (or equivalent) had been employed in the legislature for five or more years; two for less than one year.

Slightly more than half of the respondents indicated that the executive branch provides some cybersecurity services, such as firewalls or security monitoring. Fifteen indicated that the legislature provides its own security, although two of those indicated that the legislature is part of a state cybersecurity council that coordinates or collaborates on cybersecurity issues.

Cybersecurity Standards and Policies

The survey asked several questions about security awareness or incident response programs and systems or standards used.

Fifteen of the responding contacts indicated they have a formal, written IT security awareness program in the legislature. Nine respondents have an incident response plan in place.

Six respondents indicated they follow a cybersecurity framework standard, such as the NIST Cybersecurity Framework. (The NIST standard provides guidance for how organizations can assess and improve their ability to prevent, detect, and respond to cyber attacks.)

Budgeting for Cybersecurity

About half of the respondents did not know or preferred not to answer how much of the total IT budget is dedicated to cybersecurity.

Ten respondents indicated that 1 to 3 percent of their total IT budget is dedicated to cybersecurity. Seven respondents indicated that less than 1 percent of the total IT budget was dedicated to cybersecurity.

Only one state legislature indicated that they have a separate budget line item for security training for IT staff.

Cybersecurity Training for Legislators and Legislative Staff

Nine of the survey respondents provide security awareness training to legislators, but only one makes it mandatory (and indicated participation in training is not enforced).

Fourteen provide security awareness training to legislative staff, but only five make it mandatory. Management or supervisors enforce the training for staff.

Detailed Results
Questions and responses (N=29)

1. Which entities does your office support? Check as many as apply.

20 support all entities
8 support one chamber only
1 supports a single agency only

2. Does your legislature/chamber have a Chief Information Security Officer (CISO) or equivalent (i.e., a full time staff person dedicated to and authorized to oversee information technology (IT) security for the legislature)?

Yes: 7

No: 22

2.a. If yes, how long has he/she been employed by the legislature?

Five or more years: 5

Less than one year: 2

3. Does the legislature have any full time IT security analysts/IT security staff (in addition to or other than a CISO)?

Have additional or other security analysts: 6

Do not have additional or other security analysts: 23

3.a. If yes, how many full time IT security analysts/IT security staff?

Five or more: 2

Two to three: 3

One: 1

4. Does the executive branch provide any cybersecurity services for the legislature/your chamber?

Yes: 15 (see comments)

No: 14

5. Do you have a formal/written IT security awareness program in the legislature?

Yes: 15

No: 14

5.a. If yes, how many full time staff work on developing or implementing the security awareness program?

Five or more: 1

Two to three: 8

One: 6

6. Does your legislature/chamber have an IT/cybersecurity incident response plan?

Yes: 9

No: 6

Did not answer: 14

7. Have you implemented a Security Information and Event Management System (SIEM)?

Yes: 5

No: 10

Did not answer: 14

8. Does your legislature use a cybersecurity framework standard (e.g., NIST, CIS, ISO)?

Yes: 6 (five of those indicated they use NIST)

No: 9

Did not answer: 14

9. How much of your total IT budget is dedicated to cybersecurity?

1-3 percent: 10

Less than 1 percent: 7

Do not know/preferred not to answer: 12

9.a. Do you have a separate budget line item for cybersecurity training for your IT staff?

Only 1 state has a separate budgetary line item for training.

10. Does your office provide IT/cybersecurity training for legislators?

Yes: 9

No: 20

10.a. If yes, is the IT security training for legislators mandatory?

Training is mandatory in only one of the nine that offer training.

10.b. If IT security training for legislators is mandatory, how is it enforced?

Training is not enforced.

11. Does your office provide IT/cybersecurity training for legislative staff?

Yes: 14

No: 15

11.a. If yes, is the IT security training for legislative staff mandatory?

Mandatory: 5

Not mandatory: 9

Did not answer: 1

11.b. If IT security training for legislative staff is mandatory, how is it enforced?

It is enforced by management/supervisors in the five states that have mandatory training.

12. Additional comments or questions?

  • Our cybersecurity program is in its infancy. We recently reclassified a position to be dedicated to cybersecurity, however, we've been unsuccessful in filling the position due to budget constraints. While we don't have staff dedicated to cybersecurity, we do have staff that are certified security analysts who have security as part of their other duties. We have a long way to go, but are making strides.
  • We are headed to mandatory awareness training for staff but aren't there yet.
  • We reward legislators and staff for reporting security incidents and phishing emails. The rewards are different each year.
  • Cybersecurity is managed by several people on our staff but no one is dedicated solely for cybersecurity.

Additional comments regarding whether the executive branch provides any cybersecurity services for the legislature/chamber.

  • Information and intelligence sharing. Security training, security monitoring and analysis and security assessments.
  • The executive branch does provide some cybersecurity measures concerning the legislative branch but we are a complete enterprise with our own domain, exchange, firewalls, network, storage, staffing, etc.
  • Perimeter monitoring.
  • There is an office of information security that we can draw expertise from, receive alerts from and occasionally draw training funds from.
  • Firewall and monitoring.
  • Network security, assistance as needed with security incidents, general training. We also have a security council that is an interagency group that meets to share information, draft statewide security policies, arrange training for state IT staff.
  • Our agency connects to the state's wide area network for Internet and connectivity to other state government technology resources. We connect at a point in their extranet that is serviced by a number of firewall and intrusion prevention systems and monitored by their security operations team.
  • The executive branch functions as our internet service provider. They provide some forms of DDOS protection and threat detection.
  • Advanced malware detection.
  • Network firewalls and internet filtering.
  • Executive branch filters email for spam, phishing attacks and monitors for network intrusion.
  • We have the option to use the endpoint protection client that is provided by the executive branch for a nominal fee. The logs from this client are monitored by the security staff at the executive branch. If an incident is detected the executive branch alerts us and provides incident response support to remediate the issue. The executive branch also offers cybersecurity training that we can use to train our users on security threats.
  • Firewalls, some security monitoring, connection to the commodity internet. The legislature rides on the executive branch's architecture.
  • CrowdStrike

Additional Resources