There is no national standard for cybersecurity practices. Rather, various industries, states and agencies have taken steps to define reasonable cybersecurity practices and what should be done to notify potentially-impacted persons and agencies if there is a data security incident.

This patchwork cybersecurity landscape may be changing. Following President Trump’s Executive Order providing for increased cohesiveness between federal agencies with respect to cybersecurity, at least 39 governors from different U.S. states and territories have also decided that uniformity in cybersecurity practices at the state government level is a preferred approach.

In July 2017, at the National Governors Association (“NGA”) meeting, it was announced that 39 governors had signed “A Compact to Improve State Cybersecurity” (“Compact”). The signing U.S. states and territories include:

  • Alabama
  • Alaska
  • Arizona
  • Arkansas
  • California
  • Colorado
  • Connecticut
  • Delaware
  • Guam
  • Hawaii
  • Idaho
  • Indiana
  • Iowa
  • Kentucky
  • Louisiana
  • Maryland
  • Massachusetts
  • Michigan
  • Minnesota
  • Missouri
  • Montana
  • Nevada
  • New Hampshire
  • New Jersey
  • North Carolina
  • North Dakota
  • Oklahoma
  • Oregon
  • Pennsylvania
  • Puerto Rico
  • Rhode Island
  • U.S. Virgin Islands
  • Utah
  • Vermont
  • Virginia
  • Washington
  • West Virginia
  • Wisconsin
  • Wyoming

In announcing the Compact, Virginia Governor Terry McAuliffe said his goal was to highlight that cybersecurity is more than just an information technology issue. The goal is to “elevate the importance of cybersecurity on every governor’s agenda.”

The Compact is based on three core principles:

1. Cybersecurity Governance

The Compact addresses the importance of states performing cyber risk assessments in order to identify cyberthreats and recommends the development of a statewide cybersecurity strategy for protecting critical infrastructure and mitigating cyberthreats. It also recommends creating a cybersecurity governance structure and selecting members of the governance body for these 39 U.S. states and territories based on their ability to implement change.

2. State Protection from Cybersecurity Events

The Compact highlights the importance of states having a cybersecurity incident response plan and a public communications plan. It also calls for better integration between state information technology, homeland security, key critical infrastructure operators and emergency management officials, including incorporating procedures for using the National Guard’s cyber capabilities when required. 

3. Cybersecurity Workforce Education

The Compact promotes cybersecurity education through various initiatives such as partnering with colleges to increase the availability of transferable two-year cybersecurity degrees, creating a cybersecurity internship program in state agencies, and placing veterans into cybersecurity certification programs.