Maryland selected for NGA partnership on enhanced cybersecurity strategies

The National Governors Association (NGA) has expressed new interest in state information technology issues particularly around the subject of cybersecurity. This year NGA instituted a process whereby states are competitively selected for partnerships with the organization to work together on cybersecurity challenges.

Just last month NGA announced that it would partner with seven states to help enhance their cybersecurity strategies. NGA staff from the Homeland Security and Public Safety division of NGA Solutions: The Center for Best Practices will partner with Arkansas, Guam, Louisiana, Maryland, Massachusetts, Ohio and Washington to “develop action plans to advance and refine key priorities in cybersecurity,” according to the NGA press release.

It is intended that participants from “governors’ offices, state information technology departments, homeland security agencies, National Guard units and others will work collaboratively to improve interagency coordination and collaboration.” For its part NGA staff will offer technical assistance for overall cybersecurity governance, targeting strategies to support critical infrastructure and localities across the states.

Maryland goes for NGA program

We spoke with representatives from one of the selected states, Maryland Secretary of Information Technology and state Chief Information Officer Michael Leahy, and state Chief Information Security Officer John Evans, about how they became involved in this program.

According to Leahy, Maryland, like so many other jurisdictions, has taken renewed interest in overall security issues. Gov. Larry Hogan very recently issued an executive order elevating John Evans from merely being the CISO for the Department of Information Technology to be CISO statewide. In addition, there have been numerous discussions with state agencies and other parts of the government about coordinating efforts and improving the state’s approach to cyber and to defending the assets of the state in terms of data and the physical assets.

“So we have had ongoing conversations with folks from the NGA and when this particular program rose, it was very consistent with our overview,” Evans said. “We made a specific proposal and luckily for us, they determined that our proposal was in line with their broader desire to make this topic available.”

Evans also offered his insight as to why the NGA program was worth exploring especially since Maryland operates in a federated model which can make things like transparency and consistency challenging at times. There was a need for some overall guidance and Hogan was supportive.

“Thankfully the governor understands the need for cybersecurity and consistency in its operations and application,” Evans added.

However, the issue that had to be tackled was what should this guidance look like. They put out a Maryland information security manual at the enterprise level, with standards and policies that have to be followed within the state, along with practical implementation information as well. Evans explained, “I also really wanted assistance from NGA to provide input on how effective they think these standards were. Did we even go with the right standards?”

The NGA’s independent validation and verification would provide added value and Maryland greatly appreciated the opportunity for the external collaboration and constructive criticism the NGA program offered.

Getting local government involved

In addition to the state government approach developed under this NGA program by Maryland, key priorities in cybersecurity will involve a statewide, intergovernmental approach with local government entities. Typically the local jurisdictions — the counties and the municipalities — don’t have the resources to address these issues themselves. “Maryland is looking at not only providing a road map for these folks and setting up best practices, but we’re potentially looking at ways to incorporate their participation into our system so that ultimately there would be the opportunity to have the state provide a blanket cybersecurity baseline for everyone,” according to Leahy.

“Maybe we even offer that as a managed service for them with configuration of some of their security incident, event management tools,” Evans added. “We’d be able to see event correlation, not just among things within the executive branch, but things that are happening out in the local jurisdictions across the state. We see a lot of upside both for them and for the state with those integrations.”

This NGA program comes right on the heels of the National Association of State Chief Information Officers-endorsed Senate Bill 1846 — the State and Local Governments Cybersecurity Act of 2019. This legislation provides for engagements with states, with additional federal grant opportunities for states to safeguard against cyber threats. Maryland had taken notice.

“The principle difficulty is that all states and the federal government also are dealing with limited resources, but unlimited potential threats,” Leahy said. “And so by coordinating those efforts and looking at best practices, we can fundamentally shift some of the burden with assistance from the federal government.”

Maryland believes this NGA program dovetails perfectly with the direction and strategy for their cybersecurity office, and their decision to participate was easy.

“When this opportunity came along it was kind of a no brainer. So we are very grateful that we were picked and really looking forward to continue to move the ball forward and make progress on those key areas we discussed,” Evans said.

Hogan was elected chair of NGA for this coming year, and Leahy said his boss is focused on the improvement and protection of infrastructure, including roads and water systems as well as digital infrastructure. Now this NGA opportunity is just one of many that Leahy said he thinks we will see under Hogan’s leadership.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.