Nationwide Cybersecurity Review Sees Record Participation, Highlights Key Challenges

2023 NCSR shows funding continues to be the biggest concern for state and local government organizations

EAST GREENBUSH, N.Y., December 10, 2024 — The Center for Internet Security, Inc. (CIS®) and the Multi-State Information Sharing and Analysis Center (MS-ISAC®) have released the findings of the 2023 Nationwide Cybersecurity Review (NCSR), a no-cost, voluntary assessment program available to all U.S. State, Local, Tribal and Territorial (SLTT) organizations to help measure and improve their cybersecurity.

Key Findings:

  • 4,210 organizations took part, an increase of 14% from the previous year
  • Cyber maturity improved 4% year over year for returning NCSR participants
  • Most state-level organizations scored a 4 or higher on a scale of 1-7
  • State-level organizations performed better than local-level organizations
  • K-12 school districts had the highest participation in the history of the NCSR

Top 5 Concerns of SLTT organizations remained unchanged for the 9th consecutive year:

  • 70% reported a lack of sufficient funding
  • 64% cited increasing sophistication of threats
  • The remaining concerns included:
    • Emerging technologies
    • Lack of documented processes in the event of an incident
    • Lack of available cybersecurity professionals — 80% reported fewer than five dedicated security employees

What SLTTs are doing well:

  • Detection — monitoring and safeguarding their environment
  • Response — they have a plan to respond to an incident, should there be one
  • Policies are in place to limit access to only authorized users

Where there is room for improvement:

  • Risk management
  • Updating and improving strategies, policies, and procedures
  • Establishing a disaster recovery plan
  • Lack of security professionals

Some recommendations include taking advantage of federally funded programs offered by the Cybersecurity and Infrastructure Security Agency (CISA) and the MS-ISAC, including 24x7x365 threat monitoring; Malicious Domain Blocking and Reporting (MDBR), a highly effective protective domain name system (DNS) service; and annual assessments such as the NCSR.

“We are encouraged by the record high participation in this year’s NCSR,” said Tyler Scarlotta, member programs manager at CIS. “Organizations that participate annually see marked improvement in cyber maturity year over year. Organizations with two or more years of participation saw a 23% higher score compared to first year participants, while those who have participated for nine consecutive years scored 41% higher.”

For more details on the 2023 Nationwide Cybersecurity Review, visit cisecurity.org. To speak with Tyler Scarlotta about the findings, please contact [email protected] or call/text 518-256-6968.

###

About CIS

The Center for Internet Security, Inc. (CIS) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. We are a community-driven nonprofit, responsible for the CIS Critical Security Controls® and CIS Benchmarks™ guidelines, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously evolve these standards and provide products and services to proactively safeguard against emerging threats. Our CIS Hardened Images® provide secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) organization, the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®) organization, which supports the rapidly changing cybersecurity needs of U.S. election offices. To learn more, visit cisecurity.org or follow us on X: @CISecurity.