As the U.S. government shifts cybersecurity responsibilities to state and local governments, here are ten steps officials can take to quickly improve the cyber readiness of their public and private institutions.
By Sasha Pailet Koff
With the Trump administration’s executive order shifting more cybersecurity responsibilities to state and local governments, the need for strong and proactive approaches to cyber defense at the state and local level has never been greater.
U.S. adversaries have already demonstrated their ability to infiltrate key sectors, including telecom, water, and power. Risks are no longer limited to data breaches and espionage—they now extend to disrupting critical infrastructure that supports daily life. States simply cannot wait for another catastrophic attack to act; they must take decisive action now to fortify their defenses against cyber threats.
Here are ten easy-to-implement steps that state officials can take to improve cybersecurity:
1. Enhance Public-Private Collaboration
Public-private partnerships provide effective ways to leverage expertise and resources without being cost-prohibitive. Create advisory boards with cybersecurity experts from the private sector and academia and hold regular threat-sharing meetings to keep officials informed of emerging cyber threats and improve communication.
2. Invest in Cyber Workforce Development
Create workforce development programs to attract and retain top cybersecurity talent. Offer competitive salaries and benefits for cybersecurity personnel in government roles. Reach out to IT professionals recently cut from the federal workforce, partner with colleges to create cybersecurity training programs, provide scholarships or loan forgiveness for students who commit to working in state cybersecurity roles, and establish apprenticeship programs to help train individuals who possess the aptitude and willingness to learn.
3. Mandate Stronger Cybersecurity Standards for Critical Infrastructure
Ensure that private companies managing critical infrastructure—such as water utilities, ports, and power plants—adhere to strict cybersecurity standards. For example, require regular cybersecurity audits and cyber readiness training for employees of critical infrastructure providers. Mandate that all cyber incidents are reported to state cybersecurity offices. Provide incentives, such as tax breaks, grants, or favored supplier status to companies that meet rigorous cybersecurity benchmarks, and encourage businesses to participate in threat intelligence-sharing initiatives to increase overall situational awareness.
4. Expand Cyber Awareness and Training for Government Employees
Human error remains the largest vulnerability in cybersecurity as employees fall victim to phishing attacks and other social engineering tactics that can lead to data breaches and system compromises. States should require basic cybersecurity training for all government employees, periodically simulate phishing attacks to test and improve employee vigilance, establish clear business continuity plans in the event of cyber incidents, and make cyber security awareness a routine part of workplace discussions.
5. Establish a Centralized State Cyber Command
A centralized state cyber command enhances coordination and response capabilities, improves threat detection and response times, streamlines communication between government agencies and private sector partners, reduces redundancy, and improves efficiency in cybersecurity investments.
6. Bolster National Guard Cyber Units
Expand National Guard cyber units to ensure that they have necessary funding, personnel, and training to operate proactively as a first line of defense against cyber threats instead of in response to a crisis, as they do now. Establish emergency response protocols integrating these units with state IT departments and local law enforcement, and run joint cybersecurity drills to ensure that all relevant agencies coordinate effectively in the event of an attack.
Secure Election Infrastructure
Ensure that voting systems and databases are safeguarded against cyber threats by replacing outdated machines with secure, verifiable paper ballot systems; conduct regular penetration testing; train election officials on best practices; and establish rapid response teams to address suspected incidents.
trengthen Cybersecurity for Public Health Systems and in K-12 Schools
Healthcare systems and K-12 schools are prime targets for ransomware attacks and data breaches that compromise sensitive patient and student information. States should require that schools and public health organizations implement basic cybersecurity best practices such as multi-factor authentication (MFA) and regular data backups; provide funding for cybersecurity upgrades and staff training; and mandate regular cybersecurity audits and penetration testing.
Provide Practical Cybersecurity Guidance for SMBs
Many small and medium-sized businesses (SMBs) lack the resources for advanced cybersecurity tools, but they can still benefit from simple, actionable cybersecurity guidance focused on human behavior. States should provide free cybersecurity training materials to educate employees on phishing and social engineering tactics; encourage strong password policies, MFA adoption, and regular software updates/system patches; and promote cyber incident response planning.
Promote SMB Cybersecurity Certification Programs
Introduce voluntary cybersecurity certification programs such as those offered by the Cyber Readiness Institute to help SMBs educate employees on phishing and social engineering tactics. Certification serves as a badge of quality assurance, boosts customer and partner confidence, and drives broader adoption of cybersecxurity best practices across industries.
The Time to Act Is Now
The shift in cybersecurity responsibilities to state and local governments is a wake-up call. While some well-resourced states and cities are making progress in this war, many remain underprepared for the evolving threat landscape. Cyberattacks on critical infrastructure are no longer hypothetical—they are happening daily.
Robust cybersecurity doesn’t require huge budgets. Rather, smart policies, collaboration, and proactive risk management make a huge difference. The cyber battlefield is expanding, and adversaries are growing smarter and bolder, so states can no longer afford to be reactive. The time for action is now.
