Level Up Your Defenses—Five Cybersecurity Best Practices for SLTTs
Cyberattacks can cause widespread disruption. Cybersecurity isn’t just best practice—it’s civic duty. State, local, tribal and territorial (SLTT) governments should level up policies by implementing these critical behaviors:
- Use logging on government systems
- Back up government data
- Encrypt government data
- Report cyber incident information to CISA
- Migrate to the .gov domain
Use Logging on Government Systems

Keeping sensitive data secure is a responsibility. Without logging and monitoring in place, attackers may lurk in your systems unnoticed for weeks or months. Logging refers to automatically recording events on your systems. Monitoring means reviewing and analyzing those logs to spot suspicious activity, system misuse or early signs of attack.
- Set up logging. Determine what to log, such as admin actions, network traffic, system events and more. Enable logging on servers, firewalls, endpoint devices, and cloud services. CISA’s free Logging Made Easy tool can help. Centralize your logs to make it easier to detect unusual activity.
- Monitor logs regularly. Set up alerts for high-risk events such as failed login attempts and privilege escalation. Review logs manually or with automated tools where possible.
- Establish logging & monitoring policies and procedures.
  - Follow best practices when setting up logging and monitoring.
  - Protect logs from unauthorized access/deletion (restrict/monitor access, store securely).
  - Retain logs in accordance with your policies and compliance needs.
  - Designate a crisis-response team including responsibilities for technology, communications, legal and business continuity.
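The alerting described under "Monitor logs regularly" can be sketched as follows. This is an added example, not CISA code or part of Logging Made Easy; the log lines are constructed in OpenSSH/sudo syslog style, and the threshold, window and approved-admin list are assumptions to tune locally.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH/sudo syslog style (not real data).
SAMPLE_LOG = """\
2025-03-04T09:14:01 web01 sshd[811]: Failed password for clerk from 203.0.113.7 port 50122 ssh2
2025-03-04T09:14:09 web01 sshd[811]: Failed password for clerk from 203.0.113.7 port 50124 ssh2
2025-03-04T09:14:20 web01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
2025-03-04T09:15:02 web01 sshd[902]: Failed password for jdoe from 198.51.100.23 port 41000 ssh2
2025-03-04T09:15:30 web01 sshd[902]: Accepted password for jdoe from 198.51.100.23 port 41002 ssh2
2025-03-04T09:16:11 web01 sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/bash
2025-03-04T09:20:45 web01 sudo: itadmin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
SUDO = re.compile(r"sudo:\s+(\S+) : .*USER=root ; COMMAND=(.+)$")

def find_alerts(log_text, approved_admins, threshold=3, window=timedelta(minutes=5)):
    """Return alert tuples for failed-login bursts and unapproved sudo-to-root."""
    alerts = []
    recent = defaultdict(deque)  # source IP -> timestamps of recent failures
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, _, rest = line.partition(" ")
        when = datetime.fromisoformat(stamp)
        if m := FAILED.search(rest):
            times = recent[m.group(2)]
            times.append(when)
            while when - times[0] > window:   # drop failures outside the window
                times.popleft()
            if len(times) == threshold:        # alert when the count reaches the threshold
                alerts.append(("failed-login-burst", m.group(2), stamp))
        elif m := SUDO.search(rest):
            if m.group(1) not in approved_admins:  # root command by a non-admin account
                alerts.append(("unapproved-sudo-root", m.group(1), stamp))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG, approved_admins={"itadmin"}):
        print(alert)
```

Counting failures per source address rather than per account also catches attempts that cycle through usernames, as the third sample line shows.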
Back Up Government Data

Regularly backing up data and testing your ability to restore it is a critical part of your cybersecurity strategy. A backup is a secure copy of your critical data, stored separately from your primary systems. Backups are your best hope of recovery from a ransomware attack. Work with your IT team to create a reliable strategy that protects your organization.
- Decide what to back up. Identify what data your organization can’t operate without—like public safety and emergency services data, public records and legal documents, education infrastructure, critical infrastructure system data—and prioritize those for protection.
- Follow the 3-2-1 backup rule. Once you know what needs to be protected, protect your data with 3 copies of important files on 2 different types of storage media (like a hard drive and the cloud) with 1 copy stored off-site, away from your location.
- Secure, test and train. Leverage protections for backups, including physical security, encryption, and offline copies. Test backup procedures to make sure your team can rapidly restore data both fully and partially, and to ensure you can roll back data at least seven days if needed. Know how to access critical files even without an internet connection. Finally, ensure your team is trained. A backup plan is only helpful if everyone knows how to use it. Write down your procedures and make sure your team can recover systems, networks and data from your backups.
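The 3-2-1 rule, the offline and encryption protections, and the seven-day rollback target above can be checked against a backup inventory. This is an added example, not CISA tooling; the inventory is constructed, its names are hypothetical, and it assumes the working copy counts as one of the three copies.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Copy:
    name: str
    media: str                 # storage type, e.g. "disk", "cloud", "tape"
    offsite: bool = False
    offline: bool = False
    encrypted: bool = False
    restore_points: list = field(default_factory=list)  # dates restorable from this copy

def audit_backups(copies, today, rollback_days=7):
    """Return findings against the 3-2-1 rule and the protections named above.
    An empty list means every check passed."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"only {len(media)} media type(s), need 2")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy")
    if not any(c.offline for c in copies):
        findings.append("no offline copy")
    findings += [f"{c.name} is not encrypted" for c in copies if not c.encrypted]
    cutoff = today - timedelta(days=rollback_days)
    # At least one copy must hold a restore point old enough to roll back to.
    if not any(p <= cutoff for c in copies for p in c.restore_points):
        findings.append(f"no restore point {rollback_days}+ days old")
    return findings

# Constructed inventory (hypothetical names); the working copy counts as copy 1.
TODAY = date(2025, 3, 4)
INVENTORY = [
    Copy("file-server", "disk", encrypted=True),
    Copy("nas-nightly", "disk", encrypted=True,
         restore_points=[TODAY - timedelta(days=d) for d in (1, 2, 3)]),
    Copy("cloud-weekly", "cloud", offsite=True,
         restore_points=[TODAY - timedelta(days=5)]),
]

if __name__ == "__main__":
    for finding in audit_backups(INVENTORY, TODAY):
        print("FINDING:", finding)
```

The sample inventory satisfies 3-2-1 on paper yet still produces three findings, which is why the protections and the rollback window are checked separately from the copy count.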
Encrypt Government Data

Encryption is one of the most powerful tools you can use to protect sensitive data. It’s a critical defense against attacks like ransomware and malware. Encryption scrambles sensitive information—like tax records, voter information and critical infrastructure operations—into unreadable code so that only authorized users can access it.
- Know types of encryption. System encryption protects a device’s entire hard drive, including the operating system. Drive encryption protects data stored in on-premises servers or removable media. File encryption prevents threat actors from accessing the contents of a document.
- Identify what to encrypt. Prioritize what types of information to secure, such as personally identifiable information (PII), protected health information (PHI), criminal justice/law enforcement data, financial/tax information, operational/infrastructure data, education records, and internal communications.
- Apply encryption best practices.
  - Encrypt all devices, hard drives, removable media, and relevant documents. Encrypt data both at rest and in transit.
  - Back up data to a vetted cloud service or external hard drive and encrypt your backups. Maintain offline, encrypted backups of data and regularly test them.
  - Develop a culture of cybersecurity that trains staff on data protection and includes encryption in cybersecurity policies.
Share Cyber Incidents with CISA

Reporting cyber incident information to CISA helps protect not just your organization, but others across the country. CISA can then analyze the threat, alert other SLTTs and partners and share actionable guidance to help prevent similar attacks. The sooner you report, the sooner CISA and others can act.
What is cyber incident information sharing?
Cyber incident information sharing means reporting suspected or confirmed cyberattacks, system vulnerabilities or suspicious activity to CISA. In return, CISA shares threat intelligence, mitigation tips and technical assistance.
Why does it matter for SLTTs?
When you share this information, you protect your network and help defend interconnected infrastructure across your state, region and the nation. It helps you respond more quickly to current threats, warn peers, prevent repeat attacks, and get federal expertise/assistance.
How do you report to CISA?
Don’t wait for a major breach to share with CISA. Even suspected activity can be valuable.
- Use CISA’s Cyber Incident Reporting System.
- Report incidents early—don’t wait for a full investigation.
- Include relevant details like indicators of compromise, system impacts and attacker behavior.
- Designate a point of contact on your IT or emergency management team.
Migrate to the .Gov Domain

Having a .gov domain tells the public that your website is an official source of information. Only verified U.S. government organizations can register for a .gov domain. CISA verifies the identity of everyone who applies. When people see .gov, they know it’s a website they can trust—and it’s free!
What is a .gov domain?
.Gov is a “top-level” domain—the last part of an internet address like Acme.com or StateU.edu. Unlike other domains, .gov is reserved exclusively for verified, U.S.-based federal, state, local, tribal or territorial entities.
Why migrate?
Migrating helps the public identify your website as official, trusted information; reduces the risk of impersonation attacks that put your constituents at risk of scams; and improves your email security. And—it’s free.
How do you get started?
Apply at get.gov and follow the instructions. To submit an application, you’ll need to register for a login.gov account (if you don’t already have one) and provide basic verification of your government status. Contact CISA (on get.gov) if you need help.
How will CISA support you?
CISA manages the .gov domain space and provides technical support, guidance, and tools. They can help you choose your domain name, process your domain request, manage your domain(s), and provide information on domain security best practices.
CISA has free resources, tools and guidance to help SLTT governments implement these best practices. Share these tips with your team!