2023 Nationwide Cybersecurity Review
2023 Summary Report

Acknowledgments

The Multi-State Information Sharing and Analysis Center (MS-ISAC) and Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) would like to thank everyone who has previously participated and continues to participate in the Nationwide Cybersecurity Review (NCSR). Your continued support helps us work toward our mission of improving the overall cybersecurity posture of the nation's state, local, tribal, and territorial (SLTT) governments.

The MS-ISAC and EI-ISAC would like to thank all our partners. With partner support and increased participation, we can continue to improve cybersecurity maturity across the nation.

The MS-ISAC and EI-ISAC would like to acknowledge the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) for their continued partnership. CISA provides funding for MS-ISAC and EI-ISAC services through a Cooperative Agreement, making progress toward the mission a reality.

We would also like to acknowledge and thank the members of the MS-ISAC Metrics Working Group for their continued support. Their knowledge, expertise, and dedication assist in the continued success of the NCSR. The following MS-ISAC Metrics Working Group members contributed to this report:

  Gary Coverdale
  Jim Cusson
  Greg Bown
  Donna Gomez
  Kim LaCroix
  Dustin Stark
  Catherine Wild

Finally, we would like to recognize the following individuals for their support in creating this report:

MS-ISAC Authors
  Tyler Scarlotta
  Niyah Pack
  Matt Pipkin

Center for Internet Security (CIS) Contributors
  Tom Michelli
  Kelly Hall
  Kelly Morris

This material is based upon work supported by the U.S. Department of Homeland Security under Grant Award Number 23CISMSI00003-01-00. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security.

Contents

  Acronyms                                                ii
  Terms                                                  iii
  Preface                                                 iv
  Executive Summary                                        1
  Summary Report                                           9
    Higher Scoring Areas                                  10
    Lower Scoring Areas and Key Deficiencies              11
    Recommendations for Federal Stakeholders              13
    Recommendations for SLTT Organizations                15
    Current Capabilities and Future Planning              17
  Current SLTT Cybersecurity Maturity at a Glance         19
  Performance Levels of Cybersecurity Program Activities  23
  Returning Participant Analysis                          28
  NCSR Participation                                      31
  State & Local Distribution Summary                      34
  Demographic Summaries                                   36
  Analysis by Function                                    41
    Identify Function                                     42
    Protect Function                                      46
    Detect Function                                       50
    Respond Function                                      54
    Recover Function                                      58
  Peer Group Subsectors                                   62
  Noteworthy Subsector Findings                           66
  Partners                                                68

Acronyms

  CISA      Cybersecurity and Infrastructure Security Agency
  DHS       U.S. Department of Homeland Security
  EI-ISAC   Elections Infrastructure Information Sharing and Analysis Center
  HSGP      Homeland Security Grant Program
  MS-ISAC   Multi-State Information Sharing and Analysis Center
  NACo      National Association of Counties
  NASCIO    National Association of State Chief Information Officers
  NCSR      Nationwide Cybersecurity Review
  NIST      National Institute of Standards and Technology
  NIST CSF  National Institute of Standards and Technology Cybersecurity Framework
  SLCGP     State and Local Cybersecurity Grant Program
  SLTT      State, Local, Tribal, and Territorial
  UASI      Urban Area Security Initiative

Terms

Cybersecurity Frameworks:
  - National Institute of Standards & Technology (NIST) Cybersecurity Framework (CSF)
  - Center for Internet Security (CIS) Controls
  - International Organization for Standardization (ISO) 27001
  - Information Technology Infrastructure Library (ITIL)
  - Baseline Cybersecurity Performance Goals for Critical Infrastructure / Cybersecurity Performance Goals (CPGs)

Combinations of the above terms will be referred to as "security controls" within this NCSR Summary Report.

References to the "MS-ISAC" in this report will also include the election organizations that are part of the EI-ISAC, as an EI-ISAC member is also considered an MS-ISAC member.

Preface

In June of 2009, the United States Congress directed DHS to develop a cyber-network security assessment that would measure gaps and capabilities of SLTT governments' cybersecurity programs. DHS conducted the first Nationwide Cybersecurity Review (NCSR) in 2011. In 2013, DHS partnered with the MS-ISAC, NASCIO, and NACo to develop and conduct the second NCSR. Since 2013, the NCSR has been conducted on an annual basis, with 2023 marking the twelfth year of the self-assessment. In 2019, the U.S. Federal Emergency Management Agency (FEMA) made the NCSR a requirement for recipients and sub-recipients of the two major programs under the Homeland Security Grant Program (HSGP): the State Homeland Security Program (SHSP) and the Urban Area Security Initiative (UASI).

The NCSR measures maturity according to the NIST CSF function areas and categories to provide insight on the level of maturity and risk awareness of SLTT governments' information security programs. This allows decision-makers to understand how their risk tolerance and maturity compare with similar organizations and facilitates self-comparison from year to year. The NCSR is scored on a seven-point scale, with "7" being the highest possible and "1" being the lowest.
The recommended maturity level for SLTT governments to aspire to is a score of "5" on the NCSR scale. Individual organization data is kept anonymous within the NCSR program, allowing respondents to input data points that reflect accurate levels of maturity. Data across all NCSR respondent organizations is aggregated and provided within this report.

Figure 1. The NCSR maturity level response scale with descriptions and associated numeric values. Individual respondents will select a maturity level text option within the NCSR assessment for the NIST CSF subcategory activities.

  Score  Maturity Level
         Description

  7      Optimized
         Your organization is executing the activity or process and has formally documented policies, standards, and procedures. Implementation is tested, verified, and reviewed regularly to ensure continued effectiveness.

  6      Tested and Verified
         Your organization is executing the activity or process and has formally documented policies, standards, and procedures. Implementation is tested and verified.

  5      Implementation in Process
         Your organization has an activity or process defined within documented policies, standards, and/or procedures. Your organization is in the process of implementing and aligning the documentation to a formal security framework and/or methodology.

  4      Partially Documented Standards and/or Procedures
         Your organization has a formal policy in place and has begun the process of developing documented standards and/or procedures to support the policy.

  3      Documented Policy
         Your organization has a formal policy in place that has been approved by senior management.

  2      Informally Done
         Activities and processes may be substantially performed, and technologies may be available to achieve this objective, but they are undocumented and/or not formally approved by senior management.

  1      Not Performed
         Activities, processes, and technologies are not in place to achieve the referenced objective.

The MS-ISAC Metrics Working Group of cybersecurity subject matter experts identifies a level of "5," "Implementation in Process," as the recommended minimum maturity level to achieve. Historical data has shown that the process to reach an average score of "5" is a long-term project for the majority of organizations. This maturity level denotes that the organization has a technology or process in place for a given activity as well as documented policies and procedures. The organization also has a formal security framework either established or in progress. This is a significantly higher level of maturity overall that indicates an organization is working toward consistent policy practice and performance of a cybersecurity activity. This maturity level is recommended as an organizational target, as the level denotes a formalized security program that has the capabilities and processes to mitigate arising threats.

Executive Summary

The NCSR had a record-high participation rate from
the SLTT community during the 2023 assessment submission cycle, which occurred between October 2023 and February 2024. NCSR results represent 4,210 organizations from across the entire SLTT community. This is a 14% increase from the 2022 assessment submission cycle. The majority of 2023 NCSR participants were local level organizations, as 3,609 of the 4,210 participant organizations were local entities (86%). Figure 2 depicts the overall year-to-year maturity averages across all NIST CSF functions for the Local peer group when viewing the full data set for each year.

Figure 2. Year-to-year average across all NIST CSF functions for the Local peer group (average maturity level).

  Peer Group   2020   2021   2022   2023
  Local        3.80   3.95   4.03   4.06

Figure 3 depicts the overall year-to-year maturity averages across all NIST CSF functions when viewing repeat NCSR participants within the State, Local, and Tribal peer groups.

Figure 3. Year-to-year average across all NIST CSF functions for the State, Local, and Tribal peer groups when viewing only organizations that participated in each of the 2021, 2022, and 2023 NCSR cycles (average maturity level).

  Peer Group   2021   2022   2023
  State        4.91   5.07   5.03
  Local        4.04   4.29   4.43
  Tribal       3.82   4.12   4.01

The State and Tribal peer groups are similar to their prior year maturity level but showed slight average scoring decreases. Organizations do have the option to adjust answers downward, which can be attributed to a range of factors. These include changing environments, new internal technologies or processes, new threats, and an increased awareness of applicable activities.

The 2023 State peer group included 22 of 48 states (46%) that scored at or above the recommended minimum maturity level of "Implementation in Process," which is denoted by a numerical score of "5." This indicates that at least half of the states are performing cybersecurity activities within the NIST CSF, have implemented formalized documentation, and have implemented or have begun implementing a formalized security framework to direct their state-level activities. Furthermore, five states scored at or below the level of "Documented Policy," denoted by a "3" on the maturity scale. Three of those seven states scored at the maturity level of "Informally Performed," or a "2" on the maturity scale. Figure 4 depicts the distribution of scores for the full State peer group.

Figure 4. 2023 NCSR State Peer Group: Average Scoring Distribution. The figure below represents the scoring distribution of the 48 states.

  Maturity Level   Quantity of States
  7                 0
  6                 9
  5                13
  4                21
  3                 2
  2                 3
  1                 0

On average, 1,248 of the 3,122 Local participants (35%) in the 2023 NCSR scored at or above the recommended minimum maturity level of "Implementation in Process," which is denoted by a numerical score of "5." This is a slight improvement over the prior year's NCSR cycle, which saw 34% of local organizations at this level. A total of 1,102 Locals (31%) were below the level of "3," or "Documented Policy," which is the same percentage as the prior year's NCSR cycle. This indicates that a large number of organizations are either not performing cybersecurity activities or are utilizing informal, ad-hoc processes. As a first step, these organizations would benefit from utilizing publicly available and federally funded resources to establish or improve their cybersecurity program. Examples include the MS-ISAC's Malicious Domain Blocking and Reporting program and CISA's Cyber Hygiene scanning assessment service. Figure 5 on page 4 depicts the distribution of scores for the full Local peer group.

Figure 5. 2023 NCSR Local Peer Group: Average Scoring Distribution. The figure below represents the scoring distribution of participating Locals.

  Maturity Level   Quantity of Local Organizations
  7                  16
  6                 402
  5                 830
  4                 680
  3                 579
  2                 627
  1                 475

SLTT organizations reported not performing several cybersecurity activities or doing so only in an informal or partial manner. See page 23. This displays a need for additional resources and capabilities within the SLTT community, which can be addressed through future federal and regional programs. Based on identified areas of low or non-performance of cybersecurity activities, MS-ISAC recommends future federal resources be directed in the below program and service areas:

  - Expanded engagement program activities for underperforming groups within the SLTT community, with a focus on high priority security controls.
  - Software platform or portal application that automates risk management and asset management processes.
  - Access to more advanced detection capabilities.

An expanded description of federal recommendations can be found on page 13.

SLTTs reported key security concerns that they face. The top five reported concerns remained the same for the ninth consecutive year, though the year-to-year ranking changed. See Figure 24 on page 40. Ranking of the 2023 top security concerns:

  1. Lack of sufficient funding
  2. Increasing sophistication of threats
  3. Emerging technologies
  4. Lack of documented processes
  5. Inadequate availability of cybersecurity professionals

70% of NCSR respondents selected "Lack of sufficient funding" as a top security concern, and 64% of NCSR respondents selected "Increasing sophistication of threats" as a top security concern. Over 3,300 of the NCSR respondents (80%) also stated they have less than five dedicated security employees. MS-ISAC, recognizing the security concerns of SLTT organizations, prioritizes delivering cost-effective, high-impact cybersecurity services and resources to SLTT organizations, including services and resources SLTT organizations can obtain at no cost by leveraging federal funding. Federally funded services, such as the MS-ISAC's Malicious Domain Blocking and Reporting (MDBR), a protective DNS service, offer tremendous value and capability to organizations at all maturity levels with minimal impact to organizational resources.

Organizations with a defined data breach reporting process displayed higher cybersecurity maturity. See Figure 23 on page 39. Organizations that have a defined process to report a breach of Personally Identifiable Information (PII) or Protected Health Information (PHI) scored 43% higher, on average, than organizations that do not have a defined process. Formalizing this activity is vital to have a timely response to a data breach and reduce the risk of harm to potentially affected stakeholders.

Organizations that assessed their cybersecurity programs reported higher cybersecurity maturity. See page 32. Organizations that have taken the NCSR for multiple years are at a higher level of cybersecurity maturity than those who have not. Completing cybersecurity assessments to identify areas needing resourcing and capability improvement, as well as acting on those findings, is a practice that guides an organization to higher maturity. Assessment should be a recommended practice to guide organizations' spending of budgets (and/or external funding such as grants) as well as their overall cybersecurity resource prioritization. Organizations with two or more years of NCSR participation displayed 23% higher maturity scoring on average compared to first-year participants. This average scoring difference is slightly greater than the 2022 variance of 22%. When viewing historical data further, entities that have participated for nine years consecutively since 2015 scored 41% higher than entities that participated for the
54、first time.Adoption and implementation of a security framework has a significant correlation with higher organizational cyber maturity.See Figure 21 on page 37.Entities that employed a security framework,such as the CIS Critical Security Controls,NIST CSF,and ISO 27000 series,scored 60%higher than o
55、rganizations that did not.This is significant,as adopting a framework enables organizations to assess themselves regularly against an accepted standard(like many do with the NCSR),plan a strategy to address their weaknesses,and continually improve their maturity.A framework can include prioritizatio
56、n methods,such as the CIS Controls Implementation Groups,which guide organizations toward the essential activities to build a security program.The MS-ISAC recommends that organizations adopt a framework to gain these benefits.2023 Nationwide Cybersecurity Review Executive Summary 7Recommendations fo
57、r SLTT OrganizationsThere are multiple resources and key capabilities that SLTT organizations can adopt within the first year of their cybersecurity program and then work to continuously refine program activities within a longer-term plan.The MS-ISAC recommends that SLTT organizations begin the foll
58、owing summary of actions to improve their cybersecurity maturity:Utilize federally funded services from organizations such as CISA and the MS-ISAC along with open-source tools to establish performance of cybersecurity activities.Services include a malicious domain blocking program,incident response
59、planning resources,cyber hygiene scanning assessments,and disaster recovery practice resources.Create security policies and communicate the policy information to executives,employees,and third-party stakeholders.Report organizational cybersecurity metrics to management or executive teams to justify
60、and prioritize future cyber investments.Evaluate practices within a formal cybersecurity framework,such as the CIS Controls or a NIST Framework,and plan for implementation.Leverage the NCSR program and associated reporting annually to benchmark current security activities and establish a comparison
61、against national peer data.2023 Nationwide Cybersecurity Review 8 Executive SummaryThe below table displays the main deficiencies or concerns from the SLTT community,as well as recommended current resources and capabilities.The concerns are listed in prioritized order based on NCSR results and not b
62、ased on the NIST order of functions/categories.Deficient Function/ConcernRecommended Current Resources and CapabilitiesIdentity Risk Management Strategy CISA Cyber Hygiene Assessment Scanning Services CIS Risk Assessment Method(RAM)MS-ISAC Risk Assessment Guide CISA Risk Management ResourcesRespond
63、Improvements Incident Response Tabletop ExercisesRecover Improvements Disaster Recovery Tabletop ExercisesDetect Anomalies and Events CISA Security Monitoring CIS Albert Network MonitoringProtect Information Protection Processes and Procedures MS-ISAC Malicious Domain Blocking&Reporting(MDBR)CISA Ma
64、lware Next-Generation Analysis CIS SecureSuite MembershipLack of Sufficient Funding Grant Program Information Cybersecurity Advisory Services Program(CASP)Increasing Sophistication of Threats MS-ISAC and CISA AdvisoriesEmerging Technologies MS-ISAC and CISA Advisories CISA Artificial Intelligence Re
65、sourcesLack of Documented Processes MS-ISAC Policy Template GuideLack of Security Staffing&Inadequate Availability of Cybersecurity Professionals CISA Programs&Services MS-ISAC Membership 2023 Nationwide Cybersecurity ReviewSummary Report 2023 Nationwide Cybersecurity Review 10 Summary Report:Higher
66、 Scoring AreasHigher Scoring Areas*Repeated Participation in the NCSR Correlates with Higher ScoresA total of 3,681 organizations completed the NCSR during the 2022 cycle.Out of that group,2,643 of them returned to participate in the 2023 NCSR and saw an average improvement in maturity of 4%across a
67、ll functions.In general,organizations that have participated at least one time prior scored higher than those that have only participated once.Detect Security Continuous Monitoring(DE.CM)The State,Local,Tribal,and Territorial peer groups displayed relatively high scores within the“Detect Security Co
68、ntinuous Monitoring”category.This indicates that these groups have capabilities and processes in place to monitor networks,detect malicious code,and safeguard physical environments.While these specific activities are high performing areas,the activity of detecting unauthorized mobile code is relativ
69、ely low performing among the peer groups.Protect Identity Management&Access Control(PR.AC)“Identity Management and Access Control”was the highest-scoring category within the Protect function for the State,Local,Tribal,and Territorial peer groups.This indicates that organizations have implemented cap
70、abilities and processes to limit the access of assets and associated facilities to authorized users or devices.Respond Mitigation(RS.MI)“Mitigation”was the highest-scoring category within the Respond function for the State,Local,Tribal,and Territorial peer groups.This indicates that organizations fe
71、el they have put measures or capabilities in place to contain an incident and lessen its severity.*The references on this page are aligned with the categories outlined in the NIST Cybersecurity Framework.For further information,please visit https:/www.nist.gov/cyberframework 2023 Nationwide Cybersec
72、urity Review Summary Report:Lower Scoring Areas and Key Deficiencies 11Lower Scoring Areas and Key Deficiencies*Identify Risk Management Strategy(ID.RM)“Risk Management Strategy”was the lowest-scoring category within the Identify function for each of the State,Local,Tribal,and Territorial peer group
73、s.This indicates that organizational risk tolerance and management processes have not been widely formalized within the SLTT community.Organizations such as CISA and the Center for Internet Security offer no-cost best practice resources that can assist with organizational risk processes.This include
74、s the following resources:CISA Risk Management Resources and CIS Risk Assessment Method(RAM).Respond Improvements(RS.IM)“Improvements”was the lowest-scoring category within the Respond function for the State,Local,Tribal,and Territorial peer groups.This indicates there is a common weakness within th
75、ese peer groups,where policies and procedures have not been implemented consistently.This important category covers how an organization assesses lessons learned and after-action reporting following an incident as well as how they update strategies,policies,or procedures accordingly.Recover Improveme
76、nts(RC.IM)The“Improvements”category scored the lowest within the Recover function for the State,Local,and Tribal peer groups.This indicates that disaster recovery plans have not been formally reviewed and updated widely within the SLTT community.The following resources can assist with both incident
77、response and disaster recovery processes:Incident Response&Disaster Recovery Tabletop Exercises.Detect Anomalies and Events(DE.AE)The“Anomalies and Events”category scored the lowest within the Detect function for the Local,Tribal,and Territorial peer groups.This category includes managing a baseline
78、 of network operations and expected data flows,establishing incident alert thresholds,and aggregating event data from multiple sources.The following CISA service can assist with various detection related processes:CISA Security Monitoring.*The references on this page are aligned with the categories
outlined in the NIST Cybersecurity Framework. For further information, please visit https://www.nist.gov/cyberframework

Lack of Security Staffing

More than 80% of participants reported their organization had less than five employees dedicated to cybersecurity. With a lack of security staffing, it is difficult to begin assessing and implementing an appropriate cybersecurity program. The current lack of staffing and capability demonstrates a need for managed services and low-resource, low-maintenance resources, tools, and services that can be used without creating more effort for the SLTT partner. It is recommended that SLTT organizations register for MS-ISAC or EI-ISAC membership and utilize no-cost resources and services to augment a lack of staffing.

Figure 6. Breakout of the 3,350 organizations that stated they have less than 5 security employees. This figure displays the ranges for the full organizational staffing total within this group of organizations, as well as the volume of 2023 NCSR participants within each level.

  Total Employees      Share of Organizations
  1 to 99              34%
  100 to 999           50%
  1,000 to 4,999       14%
  5,000 to 9,999        1%
  10,000 to 24,999      1%
  25,000 to 49,999      0%
  50,000 or More        0%

Recommendations for Federal Stakeholders

Increase Community Engagement Activities to Foster Service Adoption and Continue to Expand Grant Funding Opportunities

CISA, the MS-ISAC, and the EI-ISAC currently work directly with U.S. State, Local, Tribal, and Territorial (SLTT) organizations to utilize federally funded security service offerings. These activities, including both virtual and in-person engagement, should continue in order to benefit the SLTT community. Increased community engagement will lead to growth in adoption of federal and MS-ISAC, EI-ISAC, and CISA services, which will enhance cyber maturity nationwide. A continued expansion of cybersecurity focused grant funding opportunities will also be important for the SLTT community, as "lack of sufficient funding" continues to be their top reported concern. This expanded engagement is crucial to reach the cyber underserved and allow for resource adoption within this group. It is recommended that federal stakeholders also engage with national partner organizations to promote wider usage of ISAC services and resources.

Promote Usage of Current Disaster Recovery Best Practices and Related Resources

SLTT organizations have shown deficiencies within the Recover function of the NIST Cybersecurity Framework. No-cost resources and best practice materials, including disaster recovery tabletop exercises, are currently available from CISA, MS-ISAC, and EI-ISAC. Further promotion and utilization of these resources is recommended.

Implement Risk, Compliance, and Asset Management Program Offering to the SLTT Community

SLTT organizations have displayed deficiencies within risk management processes, including activities specific to third-party stakeholders. Federal funding could be directed towards a software platform or portal application that automates internal and external risk management processes. This platform or application should include capabilities to catalog and assess third-party suppliers/entities and applicable information systems. This resource would address deficiencies related to risk management and third-party activities by providing centralized capabilities to automate specific tasks. It is recommended this program offering also include resources to assist with asset management. The SLTT community has shown weaknesses for asset focused activities such as cataloguing external information systems, managing inventory of software applications, and mapping organizational communication/data flows.

Expand Offerings to Assist with Detection Capabilities

SLTT organizations would benefit from access to resources and capabilities that assist with detection processes. This would include the ability to detect unauthorized mobile code, aggregate event data from multiple sources, and perform external service provider monitoring. Federal stakeholders and partners should evaluate opportunities to provide these types of services, or direct the SLTT community to entities that implement these services.

Recommendations for SLTT Organizations

Establish Cybersecurity Capabilities and Processes with Available Resources

Any SLTT organization can utilize federally-funded services from organizations such as CISA and the MS-ISAC along with open-source tools to establish performance of cybersecurity activities. Organizations should then evaluate additional services and capabilities if resources allow. Review resources and guidance materials that can assist with implementing processes specific to asset management, data & account protections, vulnerability management, incident response testing, and disaster recovery testing. Best practice resources specific to these activities can be found through public outlets as well as the MS-ISAC and CISA. SLTT organizations should also utilize educational opportunities offered through the MS-ISAC's Training & Education webinar events that are available at no cost to MS-ISAC members. Organizations that are MS-ISAC members can also collaborate with similar organizations via community forums and events, as well as gain advisement from Engagement employees to assist with service adoption.

Identify Necessary Improvements and Assess to Measure Changes in Maturity Over Time

A general practice that can assist organizations in increasing maturity scores is to take a cybersecurity assessment like the NCSR and adopt a cybersecurity framework as a guiding set of practices or standards. With these two pieces in place, an organization can plan out which improvements to target for funding and effort, and they can then repeatedly assess themselves to compare maturity over time. Participants who adopted at least one cybersecurity framework scored 60% higher on average than organizations that did not select a security framework. Of all respondents, 19% stated they currently do not utilize a formal security framework. This is an improvement over the previous year, which saw 23% of respondents stating they did not utilize a framework. Framework examples include the NIST CSF, the CIS Controls, and ISO 27000 Series. The NCSR assessment is directly mapped to multiple frameworks, including the CIS Controls and NIST 800-53. By participating and aligning responses to a desired methodology, organizations can successfully implement and follow a
102、formalized cybersecurity framework.Utilize Automated NCSR Platform Metrics and Report Your NCSR Findings to ExecutivesAny NCSR participant can use the no-cost and publicly-available Data Reporting Template to report their NCSR findings.By copying their findings into this report and entering any avai
103、lable low-or no-cost resources that can be solutions,SLTT organizations will be well-prepared to present the importance of cybersecurity maturity to gain executive buy-in.2023 Nationwide Cybersecurity Review 16 Summary Report:Recommendations for SLTT OrganizationsThe NCSR platform includes automated
reporting that can be utilized for this purpose. This includes the “Year-to-Year Results Report” and the “Peer Profile Reports.” This automated reporting displays historical trends for the participant organization as well as an anonymized comparison to nationwide scoring averages. The NCSR platform also includes a report that aligns organizational NCSR results to no-cost services and federally funded resources, such as open-source tools, policy templates, and MS-ISAC services.

Current Capabilities and Future Planning

SLTT Resources Available

The following no-cost resources are available to SLTT organizations and can assist with deficiencies identified within the NCSR assessment. These areas include incident response testing, vulnerability management, configuration management, and risk assessment:

- MS-ISAC Malicious Domain Blocking & Reporting (MDBR)
- MS-ISAC Tabletop Exercises
- CISA Tabletop Exercise Package
- MS-ISAC Cybersecurity Advisory Services Program
- MS-ISAC Vulnerability Disclosure Program (VDP): currently available to election entities
- EI-ISAC Endpoint Detection and Response (EDR): currently available to election entities
- CISA Cyber Hygiene Scanning Services
- CISA Risk Assessments
- CISA Risk Management Resources
- CIS SecureSuite Membership
- CIS Risk Assessment Method (RAM)
- CyberCorps: Scholarship for Service Program

A full listing of MS-ISAC services can be found at https://www.cisecurity.org/ms-isac/services. A
full listing of EI-ISAC services can be found at https://www.cisecurity.org/ei-isac/ei-isac-services. A full listing of CISA services can be found at https://www.cisa.gov/resources-tools/services.

The following low-cost resources are also available to SLTT organizations and can assist with common deficiencies:

- CIS Albert Network Monitoring
- CIS Endpoint Security Services (ESS)
- MS-ISAC Malicious Domain Blocking & Reporting Plus (MDBR+)

Current National Initiatives

The MS-ISAC, EI-ISAC, and CISA have engaged with the SLTT community to become trusted advisors and help improve cyber maturity nationwide. This includes the following initiatives:

- Fostering no-cost service adoption within each state through CISA Cybersecurity Advisors (CSAs) and MS-ISAC and EI-ISAC Regional Engagement Managers
- Holding state- and community-level cybersecurity insight briefings and providing recommendations to address key shortcomings
- Managing information sharing forums and collaboration through events such as tabletop exercises
- Providing resources to assist federal grant programs such as the Homeland Security Grant Program (HSGP) and
the State and Local Cybersecurity Grant Program (SLCGP)
- Collaborating with sectors such as K-12 school districts and election offices to provide tailored program and service offerings to mitigate common threats

Future Planning & Recommendations

The following actions are recommended at a national level in
order to combat current deficiencies and continue an upward cybersecurity maturity trend:

- Increase community engagement activities to foster service adoption, including proactive outreach and engagement with SLTT groups. This should include further virtual and in-person opportunities for SLTT organizations to engage with CISA and MS-ISAC teams. This should also include further consultative or advisory work between groups such as the MS-ISAC and SLTT organizations to implement cybersecurity processes and capabilities.
- Continue to expand grant funding opportunities.
- Implement risk, compliance, and asset
management program offerings or best practice materials.
- Expand access to detection capabilities.
- A no-cost Vulnerability Disclosure Program (VDP) is currently available to election entities. Expansion to other SLTT sectors is recommended.
- Promote usage of disaster recovery best practices and related resources.

Current SLTT Cybersecurity Maturity at a Glance

Figure 7. Average scores of all NIST CSF functions for the State, Local, Tribal, and Territorial peer groups between 2020 and 2023, when viewing the full data set for each year. Note: 2022 data is not available for the Territorial peer group, as the NCSR program did not receive participation from at least five organizations during the 2022 NCSR cycle.

Average maturity level by peer group:

Peer Group     2020  2021  2022  2023
State          4.88  4.92  5.08  4.98
Local          3.80  3.95  4.03  4.06
Tribal         3.94  4.24  4.32  3.76
Territorial    3.05  3.81  NA    3.46

State: Partially Documented Standards and/or Procedures

The State peer group exhibited an overall average maturity level of “4.98” on the NCSR scale. This maturity level is described as “Partially Documented Standards and/or Procedures.” This shows that the State participants in 2023 developed both formal policy to guide cybersecurity activity and standards/procedures that would allow for consistent implementation of practices. This level indicates that states are mostly at the maturity point where they are in the process of, or have finalized, implementation of a formal security framework. Framework implementation and associated activities will need to be tested and reviewed periodically to continue maturity within a cybersecurity program. The State peer group displayed a slight decrease in average scoring compared to prior-year scoring. Organizations do have the option to adjust answers downward, which can be attributed to a range of factors. These include changing environments, new internal technologies or processes, new threats, and an increased awareness of applicable activities.

Local: Partially Documented Standards and/or Procedures (4)

The Local peer group exhibited an overall maturity level slightly above a value of “4”. This indicates that the Local peer group overall tends to perform a range of cyber activities and may have formal cybersecurity policies and standards in place, but has not fully implemented a formal
security framework.

Tribal and Territorial: Documented Policy (3)

The Tribal peer group (3.76) and Territorial peer group (3.46) each exhibited an overall maturity level above the threshold of “3”, which is defined as “Documented Policy”. This indicates that these groups may have capabilities and processes in place to address certain security activities but are lacking documentation to define organizational requirements and may not be implementing a formal security framework. The Tribal peer group and the
Territorial peer group each showed a decrease in average scoring compared to prior-year data. This can be attributed to factors such as a different combination of organizations that participated within the full peer group, alongside technological factors.

Figure 8. Average scores of all NIST CSF functions for the “State Elections” and “Local Elections” peer group subsectors for 2020 through 2023, when viewing the full data set for each year. The “State Elections” subsector includes entities such as State Board of Elections offices and Secretary of State offices. The “Local Elections” subsector includes entities such as local Board of Elections offices and local Registrar offices.

Average maturity level by elections subsector:

Subsector          2020  2021  2022  2023
State Elections    4.04  4.39  4.59  4.52
Local Elections    4.12  4.18  4.40  4.35

State Elections: Partially Documented Standards and/or Procedures (4)

State elections organizations, such as state Boards of Elections and Offices of the Secretary of State, exhibited an average maturity level slightly above a value of “4,” “Partially Documented Standards and/or Procedures,” on the NCSR scale. State elections have remained at a level of “4” since the 2019 NCSR. This score level reflects that, overall, state elections organizations have already developed formal policy to guide cybersecurity activity yet are in the process of developing standards and procedures that would allow for consistent implementation of cybersecurity practices. Membership in the EI-ISAC provides access to federally funded services to improve cybersecurity capabilities. To get a better understanding of how the multiple-year participants in this group performed, see page 28 on returning NCSR participants for both elections and non-elections entities. This additional section shows that the returning state-level participants displayed a year-to-year overall increase in their scoring.

Local Elections: Partially Documented Standards and/or Procedures (4)

Local elections organizations, such as local Boards of Elections and local Registrar offices, exhibited an average maturity level slightly above a value of “4,” “Partially Documented Standards and/or Procedures,” on the NCSR scale. These results indicate an overall trend of entities having already developed formal policy to guide cybersecurity activity yet being in the process of developing standards and procedures that would allow for consistent implementation of cybersecurity practices. Both the State Elections and Local Elections peer group subsectors are displaying a trend of incremental annual improvement toward the recommended maturity level
of “5.”

NIST CSF Function & Category Heat Map Summary

Figure 9. 2023 Highlights: Strengths and Deficiencies. Within each NIST CSF function below, the coloring is based on the seven-point maturity scale shown below. Key: 1 = Not Performed, 2 = Informally Done, 3 = Documented Policy, 4 = Partially Documented Standards and/or Procedures, 5 = Implementation in Process, 6 = Tested and Verified, 7 = Optimized.

Function / Category                          State  Local  Tribal  Territory  State Elections  Local Elections
Organization Total                              48  3,609      22          6               23               74
Identify                                      4.63   3.91    3.23       3.50             4.18             4.16
  Asset Management                            4.51   4.05    3.35       3.08             4.38             4.30
  Business Environment                        4.71   4.03    2.97       4.33             4.43             4.32
  Governance                                  5.05   4.05    3.64       4.13             4.39             4.20
  Risk Assessment                             4.99   4.09    3.78       3.72             4.46             4.29
  Risk Management Strategy                    3.87   3.34    2.39       2.22             3.26             3.71
Protect                                       4.96   4.33    4.15       3.77             4.76             4.70
  Identity Mgmt. and Access Controls          5.30   4.95    4.89       4.50             5.22             5.33
  Awareness and Training                      5.23   4.47    4.30       4.13             4.97             4.82
  Data Security                               4.81   4.23    3.92       3.60             4.83             4.50
  Info. Protection Processes and Procedures   4.96   4.06    3.78       3.24             4.38             4.34
  Maintenance                                 4.75   4.29    3.95       3.50             4.80             4.84
  Protective Technology                       4.71   3.97    4.02       3.63             4.37             4.38
Detect                                        5.19   4.09    4.01       3.75             4.76             4.49
  Anomalies and Events                        5.23   3.97    3.80       3.37             4.56             4.49
  Security Continuous Monitoring              5.10   4.33    4.31       4.21             4.88             4.72
  Detection Processes                         5.23   3.98    3.91       3.67             4.83             4.26
Respond                                       5.25   4.10    4.04       3.35             4.47             4.25
  Response Planning                           5.40   4.02    3.95       3.33             4.09             4.09
  Communications                              5.22   4.00    3.94       3.43             4.19             4.04
  Analysis                                    5.19   4.16    4.11       3.25             4.93             4.36
  Mitigation                                  5.40   4.39    4.33       3.50             5.13             4.67
  Improvements                                5.04   3.92    3.84       3.25             4.02             4.08
Recover                                       4.89   3.89    3.36       2.93             4.44             4.15
  Recovery Planning                           4.98   3.97    3.32       3.17             4.22             4.22
  Improvements                                4.70   3.81    3.32       3.00             4.30             4.06
  Communications                              4.99   3.87    3.45       2.61             4.80             4.17
All Function Average                          4.98   4.06    3.76       3.46             4.52             4.35

Performance Levels of Cybersecurity Program Activities

Cyber Activities the SLTT Community is Not Performing

The answer of “Not Performed” is the lowest-scoring option within the NCSR’s answer scale. It correlates to a score of “1” within the seven-point numeric ranking. This answer denotes that the respondent does not currently have a technology or process in place to achieve the objective referenced within the applicable NCSR question and, consequently, the NIST CSF subcategory in question. The goal of this section is to identify the areas within the NIST CSF where a considerable proportion of the SLTT community is not performing those cybersecurity activities in any form. The ten NIST CSF subcategory activities in Figure 10 (see page 24) had the highest volume of “Not Performed” selections when viewing the data for all 4,210 NCSR participants. This ranking includes items within the Identify, Protect, and Detect functions. The activities include software integrity checking, organizational risk tolerance processes, response and recovery plan testing, vulnerability management plan implementation, and removable media usage. The MS-ISAC recommends that organizations that chose “Not Performed” for any response evaluate the applicable resources that are available. The NCSR platform includes an automated report aligning individual results to cybersecurity resources, including open-source tools that enable an organization to establish that capability. Organizations can also participate in an MS-ISAC Virtual Service Review (VSR) that describes available no-cost cybersecurity services. Once an organization becomes a member of the MS-ISAC, the employees with
that organization will be able to engage with the MS-ISAC team through a Virtual Service Review and gain the benefits included within membership.

Figure 10. All Participant Summary. NIST CSF Activities with the Highest Volume of “Not Performed” Selections in the 2023 NCSR and comparison to 2022 NCSR data.

NIST CSF subcategory, with the “Not Performed” selection rate in the 2023 NCSR and the 2022 NCSR:

- DE.CM-5: Unauthorized mobile code is detected (2023: 28%, 2022: 28%)
- ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis (2023: 23%, 2022: 20%)
- PR.PT-2: Removable media is protected and its use restricted according to policy (2023: 22%, 2022: 21%)
- ID.RM-2: Organizational risk tolerance is determined and clearly expressed (2023: 21%, 2022: 20%)
- PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity (2023: 19%, 2022: 19%)
- PR.IP-10: Response and recovery plans are tested (2023: 19%, 2022: 19%)
- DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors (2023: 18%, 2022: 18%)
- PR.DS-7: The development and testing environment(s) are separate from the production environment (2023: 18%, 2022: 18%)
- ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders (2023: 18%, 2022: 17%)
- ID.BE-1: The organization’s role in the supply chain is identified and communicated (2023: 17%, 2022: 16%)
Figure 11. SLTT Breakout Summary: NIST CSF Activities with the Highest Volume of “Not Performed” Selections. NIST CSF subcategories from Figure 10, with a breakout for the peer groups of State, Local, and Tribal. The selection percentage rate within each peer group is provided.

“Not Performed” selection rate by peer group: State (n=48), Local (n=3,609), Tribal (n=22), Territory (n=6):

- DE.CM-5: Unauthorized mobile code is detected (State 2%, Local 31%, Tribal 23%, Territory 17%)
- ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis (State 10%, Local 25%, Tribal 50%, Territory 33%)
- PR.PT-2: Removable media is protected and its use restricted according to policy (State 6%, Local 25%, Tribal 14%, Territory 17%)
- ID.RM-2: Organizational risk tolerance is determined and clearly expressed (State 4%, Local 23%, Tribal 50%, Territory 33%)
- PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity (State 4%, Local 21%, Tribal 14%, Territory 33%)
- PR.IP-10: Response and recovery plans are tested (State 2%, Local 20%, Tribal 23%, Territory 33%)
- DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors (State 0%, Local 21%, Tribal 14%, Territory 17%)
- PR.DS-7: The development and testing environment(s) are separate from the production environment (State 0%, Local 20%, Tribal 18%, Territory 17%)
- ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders (State 2%, Local 19%, Tribal 41%, Territory 33%)
- ID.BE-1: The organization’s role in the supply chain is identified and communicated (State 4%, Local 19%, Tribal 41%, Territory 0%)

Cyber Activities Being Performed by the SLTT Community

The 10 NIST CSF subcategory activities in Figure 12 had the lowest volume of “Not Performed” selections by NCSR participants, meaning the SLTT community is showing high levels of performance within these areas. This ranking includes items within the Identify, Protect, and Respond functions. The activities include managing physical device inventory, managing physical and remote access, verifying credentials, and establishing roles and responsibilities for privileged users.

Figure 12. All Participant Summary: Most Frequently Performed NIST CSF Activities.

NIST CSF subcategory, with the 2023 NCSR performance selection rate:

- ID.AM-1: Physical devices and systems within the organization are inventoried (99%)
- PR.AC-2: Physical access to assets is managed and protected (98%)
- PR.AC-3: Remote access is managed (98%)
- PR.IP-4: Backups of information are conducted, maintained, and tested periodically (98%)
- PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes (98%)
- PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties (97%)
- PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition (97%)
- PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate (96%)
- DE.CM-4: Malicious code is detected (96%)
- ID.AM-2: Software platforms and applications within the organization are inventoried (96%)

Figure 13. SLTT Breakout: Most Frequently Performed NIST CSF Activities. NIST CSF subcategories from Figure 12, with a breakout for the peer groups of State, Local, and Tribal. The selection percentage rate within each peer group is provided.

Performance selection rate by peer group: State (n=48), Local (n=3,609), Tribal (n=22), Territory (n=6):

- ID.AM-1: Physical devices and systems within the organization are inventoried (State 100%, Local 98%, Tribal 100%, Territory 83%)
- PR.AC-2: Physical access to assets is managed and protected (State 100%, Local 98%, Tribal 100%, Territory 100%)
- PR.AC-3: Remote access is managed (State 100%, Local 98%, Tribal 100%, Territory 83%)
- PR.IP-4: Backups of information are conducted, maintained, and tested periodically (State 100%, Local 97%, Tribal 100%, Territory 83%)
- PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes (State 100%, Local 97%, Tribal 100%, Territory 83%)
- PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties (State 100%, Local 96%, Tribal 100%, Territory 83%)
- PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition (State 100%, Local 96%, Tribal 100%, Territory 83%)
- PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate (State 98%, Local 96%, Tribal 95%, Territory 83%)
- DE.CM-4: Malicious code is detected (State 100%, Local 96%, Tribal 100%, Territory 83%)
- ID.AM-2: Software platforms and applications within the organization are inventoried (State 100%, Local 96%, Tribal 100%, Territory 83%)

Returning Participant Analysis

In total, 1,974 organizations participated in each of the 2021, 2022, and 2023 NCSR cycles. These 1,974 organizations are a subset of the 4,210 total 2023 NCSR participants. To adequately measure the improvements year-over-year for those that
participated in the past, we will explore how these organizations have progressed over time.

Figure 14. Scoring comparison between 2021, 2022, and 2023 for the 1,974 repeat SLTT participants. Note: Data is not available for the Territorial peer group, as the NCSR program did not receive participation from at least five organizations during this three-year window.

Average maturity level for repeat participants:

Peer Group   2021  2022  2023
State        4.91  5.07  5.03
Local        4.04  4.29  4.43
Tribal       3.82  4.12  4.01

Notable Findings

- Returning NCSR participants tend to score higher than first-time NCSR participants.
- When viewing repeat participants only, the Local peer group has trended upward year-to-year, reaching a level of 4.43.
- The State and Tribal peer groups are similar to their prior-year maturity level, showing slight decreases. Organizations do have the option to adjust answers downward, which can be attributed to a range of factors. These include changing environments, new internal technologies or processes, new threats, and an increased awareness of applicable activities.

State Elections Returning Participant Progress 2021–2023

Figure 15. Year-to-year function comparison for the “State Elections” participants that completed the NCSR in each of the 2021, 2022, and 2023 NCSR cycles.

Average maturity level by NIST CSF function:

Function   2021  2022  2023
Identify   4.12  4.62  4.40
Protect    4.71  4.92  4.98
Detect     4.77  4.81  5.01
Respond    4.62  4.88  4.70
Recover    4.42  4.69  4.72

Notable Findings

- Of the 23 “State Elections” 2023 NCSR participants, 17 also participated in the 2021 and 2022 NCSR cycles.
- Returning “State Elections” participants that completed the 2023 NCSR improved their maturity on average within three of the five NIST CSF functions. Organizations do have the option to adjust answers downward, which can be attributed to a range of factors. These include changing environments, new internal technologies or processes, new threats, and an increased awareness of applicable activities.

Local Elections Returning Participant Progress 2021–2023

Figure 16. Year-to-year function comparison for the “Local Elections” participants that completed the NCSR in each of the 2021, 2022, and 2023 NCSR cycles.

Average maturity level by NIST CSF function:

Function   2021  2022  2023
Identify   3.99  4.59  4.68
Protect    4.70  5.03  5.18
Detect     4.12  4.75  4.94
Respond    4.10  4.60  4.71
Recover    3.99  4.39  4.70

Notable Findings

- Of the 74 “Local Elections” 2023 NCSR participants, 20 also participated in the 2021 and 2022 NCSR cycles.
- Returning “Local Elections” participants increased their scores in all NIST CSF functions.

NCSR Participation

NCSR Individual Reports

All NCSR participants have access to custom reports specific to their organization. All individual self-assessments and scores are kept confidential and anonymous. The reports allow participants to develop a benchmark to gauge year-to-year progress
and continuously compare themselves against their peers.

Peer Groups Defined

For the purposes of continuous data analysis and trending, respondents are grouped into one of four main peer groups: State, Local, Tribal, and Territorial. The State peer group involves participation among the 50 state governments. The Local peer group consists of any local government entity. This includes cities, counties, parishes, boroughs, K-12 public school districts, Fire/EMS/911, associations, authorities, and many more entity types at the local level. The Tribal peer group includes participation by tribal governments and tribal government agencies. The Territorial peer group includes participation among the six territorial governments. To maintain anonymity, each peer group must include participation from a minimum of five organizations per group. The MS-ISAC was able to break the State, Local, Tribal, and Territorial peer groups down into subsets represented by over 50 additional peer group subsectors. These subsectors are discussed in further detail on page 38. To maintain anonymity, each subsector peer group must include participation from a minimum of five organizations per group. An organization can be a part of multiple
subsectors, if applicable.

2023 Homeland Security Grant Program

As outlined in the FY 2023 Notice of Funding Opportunity (NOFO), State Homeland Security Program (SHSP) and Urban Area Security Initiative (UASI) recipients and sub-recipients were required to complete the NCSR by the end of calendar year 2023.

First Time Participants & Repeat Participants

In addition, participants completing the NCSR for the first time in 2023 scored significantly lower on average compared to all others. This is a common trend for first-time participants. Participants who had taken the NCSR at least one time previously scored 23% higher, on average, compared to those first-time participants. These lower-scoring first-time participants had a substantial impact on the overall function scores of the NCSR. Figure 17 represents year-to-year SLTT participation in the NCSR.

Figure 17. Participation Quantity by SLTT Peer Groups by Year.

Peer Group     2018   2019   2020   2021   2022   2023
State            43     50     50     49     48     48
State Agency    343    524    522    477    466    490
Local           277  2,523  2,321  2,693  3,122  3,609
Tribal            6     19     17     15     15     22
Territorial       2      6      6      6      4      6

Participation Highlights

Overall Highlights

- Percentage Change in Participation. The 2023 NCSR saw a year-over-year participation increase of 14%. This year had the largest amount of participation in the NCSR’s 12-year history. Organizations with two or more years of NCSR participation displayed 23% higher maturity scoring on average compared to first-year participants.
- Repeat Assessments. Entities that have participated for nine years consecutively since 2015 scored 41% higher than entities that participated for the first time. A total of 215 organizations have participated for nine consecutive years.

State Highlights

- State Aggregate Roll-Up. Of the 48 State participants, six states aggregate their scores. This means all participating state agencies complete the NCSR, at which point their scores are averaged to compile the overall State score. This aggregate process is beneficial when an organization with centralized oversight recruits departments or agencies under its jurisdiction to complete the assessment. A total of 490 state agencies participated in the 2023 NCSR as part of a roll-up or independently.

Local Highlights

- Local Peer Group Participation. The Local peer group saw an overall increase of 487 participant entities compared to 2022.
- County Participation. The county/parish peer group subsector remains the largest subsector that completed the NCSR in 2023, with a total of 871 organizations completing the assessment.
- City Participation. The city peer group subsector increased and was the second
largest subsector that completed the NCSR in 2023, with a total of 720 participants.

Tribal Highlights

- Tribal Peer Group Participation. The 2023 NCSR was completed by 22 tribal organizations. This is the highest ever NCSR participation total for the Tribal peer group. Out of the 22 tribal organizations, 10 of them were first-time NCSR participants.

Figure 18. The five peer group subsectors with the highest volume of organizational participation during the 2023 NCSR cycle.

Subsector                       Participants
Local Public Safety/Law Enf.             263
Local Emergency Services                 345
Local K-12 Schools                       655
Local City                               729
Local County/Parish                      871
State & Local Distribution Summary

Distribution of State Overall Maturity Scores

Figure 19. 2023 NCSR State Peer Group: Average Scoring Distribution. The figure below represents the scoring distribution of the 48 states.

Maturity Level   Quantity of States
7                 0
6                 9
5                13
4                21
3                 2
2                 3
1                 0

Overall, 22 of the 48 states (46%) scored at or above the recommended minimum maturity level of “Implementation in Process,” which is denoted by a numerical score of “5.” The remaining 48% scored below an average maturity of “5,” including three states that scored at a maturity level of “2,” “Informally Done.” The largest groupings of maturity levels were level “4” at 44% and “5” at 27%. Any state can utilize the MS-ISAC’s Policy Template Guide to find sanitized policy templates to customize and implement. While implementing policy may take some time, by at least having an overall Information Security Policy documented and put in place, states without policies can increase their maturity.

Distribution of Local Overall Maturity Scores

Figure 20. 2023 NCSR Local Peer Group: Average Scoring Distribution. The figure below represents the scoring distribution of participating Locals.

Maturity Level   Quantity of Local Organizations
7                 16
6                402
5                830
4                680
3                579
2                627
1                475

Overall, on average, 1,248 of the 3,609 Local participants (35%) scored at or above the recommended minimum maturity level of “Implementation in Process,” which is denoted by a numerical score of “5.” Even with increased participation for 2023, the average of all participants shows trending toward greater maturity. However, a total of 1,102 Locals (31%) were below a level of “3,” or “Documented Policy.” These organizations are informally performing the cybersecurity activities in the NIST CSF, but they do not have any formal policy or procedures to govern how those activities are performed and/or managed. The largest groupings of maturity levels were level “5” at 23% and level “4” at 19%. The MS-ISAC Policy Template Guide could be utilized as a short-term solution for reaching a score of at least a “3,” “Documented Policy.” This policy catalog provides over 50 policy templates an organization can completely customize. Cybersecurity improvements do take time, and organizations participating in the NCSR should not immediately expect
a score of “5,” “6,” or “7”. A realistic expectation is that an organization will reach a higher maturity level of “5” or “6” after years of incremental security improvements. A general recommendation is to increase from a level of “1” to at least a level of “3” to start. Lower-scoring entities can utilize the MS-ISAC and CISA resources available that assist with increasing maturity at these levels. Reaching a level of “2” indicates that a capability or process has been established. Once that capability or process is included within organizational policy, a level of “3” is reached.

Demographic Summaries

Staffing Analysis

Participants were asked to select a staffing total range for full-time equivalent (FTE) employees. This applied to full organization staffing, information technology (IT) staffing, and cybersecurity staffing. Data was self-reported.

Notable Findings

- Over 3,228 of the NCSR respondents (77%) selected either “1 to 99” or “100 to 999” total employees within the entire organization.
- Over 77% of respondents selected the category of “24 and less” IT employees. Organizations that have 25 or more IT employees scored 24% higher, on average, than organizations with fewer than 25 IT employees.
- Over 3,355 of the NCSR respondents (80%) stated they have fewer than five dedicated security employees. Organizations that have five or more dedicated security employees scored 19% higher, on average, than organizations with fewer than five dedicated security employees.

Staffing Findings and Recommendations

Smaller IT and security organizations scored lower than their larger-staffed counterparts. This indicates that smaller organizations typically have fewer resources to deal with increasingly complex IT systems and the attendant cybersecurity threats. While “lack of sufficient funding” continues to be the top security concern reported by NCSR participants, there may be limitations to hiring additional IT and security staff. FedVTE training, available to any State, Local, Tribal, or Territorial government, can assist with turning current employees into
subject matter experts. Organizations without dedicated IT and security staff scored at an average of “3,” “Documented Policy.” NCSR data indicates that leaders of these organizations can likely improve the cybersecurity maturity of their organizations by hiring at least one qualified employee with a security position description. By documenting and adopting standards and procedures to formalize their cybersecurity activities, they can also progress toward the next level of cybersecurity maturity.

Organizations with lower staffing and budget totals should consider taking advantage of opportunities like the Federal Government’s CyberCorps: Scholarship for Service program, which would allow them to augment their security staff with qualified, entry-level interns and full-time personnel. Additionally, they can take advantage of resources from the MS-ISAC, EI-ISAC, and CISA to provide a capability they may not have, or capabilities that have minimal impact on staff time utilized for cybersecurity activity. Organizations with lower staffing and budget totals should also utilize federally funded resources from the MS-ISAC, EI-ISAC, and
212、CISA as well as open-sources to assist with IT and cybersecurity activities.Examples include CISAs Free Cybersecurity Services and Tools webpage and MS-ISAC membership offerings.Future cyber grant programs can assist with budget constraints.The SLTT community would benefit from guidance materials to
213、 assist with obtaining grant funding.Figure 21.Summary of Framework and/or Security Methodology Usage by NCSR Participants.SLTT participant results for the following 2023 NCSR question:“Which control frameworks and/or security methodologies are your organizations information security controls based
214、on?”Average Maturity Level76543210 2.79 4.46No Framework SelectedFramework SelectedNotable Findings Entities that currently employ a security framework,such as the CIS Controls,the NIST CSF,or ISO 27000 series,scored 60%higher than those organizations that do not.This has been a consistent finding s
215、ince 2019.Adopting a framework enables organizations to assess themselves regularly against an accepted standard,plan a strategy to address their weaknesses,and continuously improve their maturity.2023 Nationwide Cybersecurity Review 38 Summary Report:Demographic SummariesFigure 22.Summary of cyber
216、executive reporting by NCSR participating organizations.SLTT participant results for the following 2023 NCSR question:“Do your top-level decision-makers receive periodic(at least annual)reports on the status of information risks,controls,and/or security from the departments,divisions,and/or agencies
217、 within your organization?”Average Maturity Level76543210 4.43 2.93 4.83 3.40 4.63 3.09 4.64 3.11 4.43 2.90 4.59 3.09Identify FunctionProtect FunctionDetect FunctionRespond FunctionRecover FunctionAll Function Average Yes(n=3,055)No(n=1,148)Notable Findings Organizations that provide cybersecurity r
218、eporting to top-level decision makers scored 49%higher on average than organizations that stated they do not perform this activity.Executive cybersecurity reporting educates key stakeholders and executives on an organizations cybersecurity challenges,needs,and priorities to effectively reduce the or
219、ganizations cyber risk.Without this type of communication,organizations likely will struggle to get cybersecurity activity and funding prioritized.No-cost reporting templates are publicly available after participating in the NCSR.Organizations can use these reporting templates by directly mapping re
220、sults to available resources.Based on these findings,a recommended first step is to present your NCSR results,cybersecurity needs,priorities,challenges,and other topics to executives or other key stakeholders.2023 Nationwide Cybersecurity Review Summary Report:Demographic Summaries 39Figure 23.Summa
221、ry of breach reporting processes by NCSR participating organizations.SLTT participant results for the following 2023 NCSR question:“Does your organization have clearly defined processes to report a breach of Personally Identifiable Information(PII)/Protected Health Information(PHI)?”Average Maturity
222、 Level76543210 4.64 3.27 5.02 3.72 4.85 3.42 4.92 3.37 4.71 3.15 4.71 3.15Identify FunctionProtect FunctionDetect FunctionRespond FunctionRecover FunctionAll Function Average Yes(n=3,055)No(n=1,148)Notable Findings Organizations that have a defined process to report a PII or PHI breach scored 43%hig
223、her on average than organizations that do not have a defined process.Organizations can reduce the risk of harm to potentially affected stakeholders by having an established process to report this type of breach.2023 Nationwide Cybersecurity Review 40 Summary Report:Demographic SummariesTop Security
224、ConcernsParticipants have continually identified the same top five security concerns since 2015.Their concerns below are presented in order from highest to lowest as identified in 2023.The percentage of NCSR respondents that selected the given answer option is displayed for each of the 2023,2022,and
225、 2021 NCSR cycles.Figure 24.Top 5 Security Concerns2023Selection Rate2022Selection Rate2021Selection Rate1Lack of sufficient funding70%72%73%2Increasing sophistication of threats64%63%63%3Emerging technologies46%40%38%4Lack of documented processes44%43%39%5Inadequate availability of cybersecurity pr
226、ofessionals35%38%37%2023 Nationwide Cybersecurity Review Summary Report:Analysis by Function 41Analysis by Function2023 Function AveragesFigure 25.Current 2023 cybersecurity maturity of the State,Local,and Tribal peer groups for organizations that participated each year during the 2021,2022,and 2023
227、 NCSR cycles.Note:Data is not available for the Territorial peer group,as the NCSR program did not receive participation from at least five organizations when using the reporting criteria.Average Maturity Level76543210 4.67 5.01 5.25 5.30 4.93 4.27 4.68 4.52 4.47 4.22 3.48 4.11 3.94 4.45 4.09StateLo
228、calTribal Identify Protect Detect Respond RecoverFigure 25 displays the 2023 average score of each NIST CSF function within the State,Local,and Tribal peer groups when viewing the data set for organizations that participated each year during the 2021,2022,and 2023 NCSR cycles.The following section p
229、rovides additional data specific to categories within each NIST CSF function.Individual organizations can use this data to benchmark their security maturity alongside national trends.2023 Nationwide Cybersecurity Review 42 Summary Report:Analysis by FunctionIdentify FunctionThe activities under this
230、 functional area are key for an organizations understanding of their current internal culture,infrastructure,and risk tolerance.This functional area tends to be one of the lowest-rated functions for many organizations.Immature capabilities in the Identify function may hinder an organizations ability
231、 to effectively apply risk management principles for cybersecurity.By incorporating sound risk management principles into cybersecurity programs,organizations will be able to continuously align their efforts towards protecting their most valuable assets against the most relevant risks.Identify Categ
232、oriesAsset ManagementThe data,personnel,devices,system,and facilities that enable the organization to achieve business purposes are identified and managed in a way that is consistent with their relative importance to business objectives and the organizations risk strategy.Business EnvironmentThe org
233、anizations mission,objectives,stakeholders,and activities are understood and prioritized.This information is used to inform cybersecurity roles,responsibilities,and risk management decisions.GovernanceThe policies,procedures,and processes to manage and monitor the organizations regulatory,legal,risk
234、,environmental,and operational requirements are understood and inform the management of cybersecurity risk.Risk AssessmentThe organization understands the cybersecurity risks to organizational operations(including mission,functions,image,or reputation),organizational assets,and individuals.Risk Mana
235、gement StrategyThe organizations priorities,constraints,risk tolerances,and assumptions are established and used to support operational risk decisions.DetectProtectIdentifyRecoverRespondSECURITYFRAMEWORK 2023 Nationwide Cybersecurity Review Summary Report:Analysis by Function 43Identify Analysis Sum
236、maryIdentify Function HighlightsFigure 26.Year-to-year average for the Identify function across the peer groups for organizations that participated each year during the 2021,2022,and 2023 NCSR cycles.Note:Data is not available for the Territorial peer group,as the NCSR program did not receive partic
237、ipation from at least five organizations when using the reporting criteria.Average Maturity Level76543210 4.46 4.68 4.67 3.80 4.13 4.27 3.01 3.46 3.48StateLocalTribal 2021 2022 2023OverallIdentify is the lowest-scoring function for the State and Tribal peer groups,and it is the second lowest-scoring
238、 function for the Local peer group.Repeat local and tribal participants exhibited a year over year increase in this function,while repeat state participants remained at a similar scoring level compared to the prior year.2023 Nationwide Cybersecurity Review 44 Summary Report:Analysis by FunctionIdent
239、ify Category HighlightsFigure 27.Category Summary:Year-to-year averages for the Identify categories across the peer groups when viewing organizations that participated each year during the 2021,2022,and 2023 NCSR cycles.Note:Average scores typically increase year-to-year.However,there are certain ca
240、ses where scoring has decreased.This can be attributed to a range of factors.These include changing environments,new internal technologies or processes,new threats,and an increased awareness of applicable activities.YearAsset Mgmt.Business EnvironmentGover-nanceRisk AssessmentRisk Mgmt.StrategySuppl
241、y Chain Risk Mgmt.Identify FunctionState Peer Group20214.394.625.114.933.853.854.4620224.574.735.125.003.99N/A4.6820234.564.755.105.043.91N/A4.67Local Peer Group20214.104.084.024.133.363.083.8020224.294.234.264.313.55N/A4.1320234.404.364.404.483.72N/A4.27Tribal Peer Group20213.333.403.634.061.891.73
242、3.0120223.533.333.673.982.78N/A3.4620233.392.773.924.223.11N/A3.48Risk Management StrategyRisk Management Strategy was the lowest-scoring category within any of the NIST CSF functions for the State and Local peer groups.Business Environment was the lowest-scoring category within any of the NIST CSF
243、functions for the Tribal peer group.CISA,Center for Internet Security,and MS-ISAC have no-cost resources that can assist SLTT organizations with implementing formalized risk management policies and practices.2023 Nationwide Cybersecurity Review Summary Report:Analysis by Function 45Identify Subcateg
244、ory HighlightsID.RM2“Organizational risk tolerance is determined and clearly expressed”was one of the lowest-scoring subcategory activities in the NIST CSF for the State(3.77),Local(3.65),and Tribal(2.67)peer groups.ID.RM-3“The organizations determination of risk tolerance is informed by its role in
245、 critical infrastructure and sector specific risk analysis”was one of the lowest-scoring subcategory activities in the NIST CSF for the State(3.70),Local(3.65),and Tribal(3.33)peer groups.ID.RA-2“Cyber threat intelligence and vulnerability information is received from information sharing forums and
246、sources”was the highest-scoring subcategory activity in the Identify function for the State(5.85),Local(5.20),and Tribal(5.67)peer groups.2023 Nationwide Cybersecurity Review 46 Summary Report:Analysis by FunctionProtect FunctionThe activities under the Protect function pertain to different methods
247、and activities that reduce the likelihood of cybersecurity events happening and that ensure appropriate controls are in place to deliver critical services.These controls are focused on preventing cybersecurity events from occurring through common attack vectors,including attacks targeting users and
248、attacks leveraging inherent weakness in applications and network communication.Protect CategoriesIdentity Management and Access ControlAccess to assets and associated facilities is limited to authorized users,processes,or devices and to authorized activities and transactions.Awareness and TrainingTh
249、e organizations personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies,procedures,and agreements.Data SecurityInformation and records(data)are managed
250、consistent with the organizations risk strategy to protect the confidentiality,integrity,and availability of information.Information Protection Processes and ProceduresSecurity policies(that address purpose,scope,roles,responsibilities,management commitment,and coordination among organizational enti
251、ties),processes,and procedures are maintained and used to manage protection of information systems and assets.MaintenanceMaintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.Protective TechnologyTechnical security solut
252、ions are managed to ensure the security and resilience of systems and that assets remain consistent with related policies,procedures,and agreements.DetectProtectIdentifyRecoverRespondSECURITYFRAMEWORK 2023 Nationwide Cybersecurity Review Summary Report:Analysis by Function 47Protect Analysis Summary
253、Protect Function HighlightsFigure 28.Year-to-year average for the Protect function across the peer groups for organizations that participated each year during the 2021,2022,and 2023 NCSR cycles.Note:Data is not available for the Territorial peer group,as the NCSR program did not receive participatio
254、n from at least five organizations when using the reporting criteria.Average Maturity Level76543210 4.97 5.08 5.01 4.37 4.58 4.68 3.96 4.08 4.11StateLocalTribal 2021 2022 2023StateThe repeat participants in the State peer group remained at an average score“5,”“Implementation in Process,”for the Prot
255、ect function for the second consecutive year.This indicates they have fully documented policies and standards around these activities and are now working toward testing and verifying their processes.LocalThe repeat participants in the Local peer group scored highest within the Protect function for t
256、he fifth consecutive year,indicating they have documented policies around this function and are continuing to develop additional procedures to support the policies.TribalThe repeat participants in the Tribal peer group remained at an average score of“4,”“Partially Documented Standards and/or Procedu
257、res”for the second consecutive year.2023 Nationwide Cybersecurity Review 48 Summary Report:Analysis by FunctionProtect Category HighlightsFigure 29.Category Summary.Year-to-year averages for the Protect categories across the peer groups when viewing organizations that participated each year during t
258、he 2021,2022,and 2023 NCSR cycles.YearIdentity Mgmt.and Access ControlAwareness and TrainingData SecurityInfo.Protection Proc.and ProceduresMainte-nanceProtective Tech.Protect FunctionState Peer Group20215.325.354.724.954.784.714.9720225.435.404.935.104.834.785.0820235.355.294.865.004.794.765.01Loca
259、l Peer Group20215.064.524.184.074.234.134.3720225.224.724.484.284.494.254.5820235.304.804.584.424.614.354.68Tribal Peer Group20214.743.773.963.574.173.573.9620224.833.773.983.684.333.884.0820234.873.933.863.694.503.794.11Protect Subcategory HighlightsPR.DS-6“Integrity checking mechanisms are used to
260、 verify software,firmware,and information integrity”was either the lowest-scoring or one of the lowest-scoring Protect subcategory activities for the repeat participants within the State(3.87),Local(3.85),and Tribal(3.50)peer groups.2023 Nationwide Cybersecurity Review Summary Report:Analysis by Fun
261、ction 49PR.IP-2“A system development life cycle to manage systems is implemented”was the lowest-scoring Protect subcategory activity for the repeat participants within the Local(3.84)peer group and the Tribal peer group(2.50).PR.IP-4“Backups of information are conducted,maintained,and tested periodi
262、cally”was one of the highest-scoring Protect subcategory activities for the repeat participants within the State(5.40),Local(5.44)and Tribal(4.17)peer groups.PR.AC-3“Remote access is managed”was one of the highest-scoring Protect subcategory activities for the repeat participants within the State(5.
263、60),Local(5.54),and Tribal(5.00)peer groups.PR.AT-1“All users are informed and trained”was one of the highest-scoring Protect subcategory activities for the repeat participants within the State(6.04),Local(5.17),and Tribal peer groups(5.17).2023 Nationwide Cybersecurity Review 50 Summary Report:Anal
264、ysis by FunctionDetect FunctionThe quicker an organization can detect a cybersecurity incident,the better positioned it is to be able to remediate the problem and reduce the consequences of the event.Activities found within the Detect function pertain to an organizations ability to identify incident
265、s.These controls are becoming more important,as growing numbers of logs and events within an environment can be overwhelming to handle and make it difficult to identify key concerns.Detect CategoriesAnomalies and EventsAnomalous activity is detected in a timely manner and the potential impact of eve
266、nts is understood.Security Continuous MonitoringThe information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.Detection ProcessesDetection processes and procedures are maintained and tested to ensure timely
267、and adequate awareness of anomalous events.DetectProtectIdentifyRecoverRespondSECURITYFRAMEWORK 2023 Nationwide Cybersecurity Review Summary Report:Analysis by Function 51Detect Analysis SummaryDetect Function HighlightsFigure 30.Year-to-year average for the Detect function across the peer groups fo
268、r organizations that participated each year during the 2021,2022,and 2023 NCSR cycles.Note:Data is not available for the Territorial peer group,as the NCSR program did not receive participation from at least five organizations when using the reporting criteria.Average Maturity Level76543210 5.15 5.2
269、8 5.25 4.13 4.38 4.52 3.57 4.13 3.94StateLocalTribal 2021 2022 2023StateThe State peer group scored highest in the“Detection Processes”category within the Detect function.Local and TribalThe Local and Tribal peer groups both scored highest in the“Security Continuous Monitoring”category within the De
270、tect function.2023 Nationwide Cybersecurity Review 52 Summary Report:Analysis by FunctionDetect Category HighlightsFigure 31.Category Summary:Year-to-year averages for the Detect categories across the peer groups when viewing organizations that participated each year during the 2021,2022,and 2023 NC
271、SR cycles.YearAnomalies and EventsSecurity Continuous MonitoringDetection ProcessesDetect FunctionState Peer Group20215.205.085.175.1520225.255.195.405.2820235.295.155.305.25Local Peer Group20214.014.344.034.1320224.234.594.314.3820234.414.744.404.52Tribal Peer Group20213.733.943.033.5720224.404.343
272、.674.1320233.674.323.833.94 2023 Nationwide Cybersecurity Review Summary Report:Analysis by Function 53Detect Subcategory HighlightsDE.CM-8“Vulnerability scans are performed”was one of the highest-scoring Detect subcategory activities for the repeat participants within the State(5.91),Local(5.14),an
273、d Tribal(4.83)peer groups.DE.CM-4“Malicious code is detected”was one of the highest-scoring Detect subcategory activities for the repeat participants State(5.66),Local(5.40),and Tribal(5.33)peer groups.DE.CM-5“Unauthorized mobile code is detected”was one of the lower-scoring Detect subcategory activ
274、ities for the repeat participants within the State(4.43),Local(3.94),and Tribal(3.67)peer groups.DE.AE-1“A baseline of network operations and expected data flows for users and systems is established and managed”was one of the lower-scoring Detect subcategory activities for the repeat participants wi
275、thin the State(4.64),Local(4.14),and Tribal(3.17)peer groups.2023 Nationwide Cybersecurity Review 54 Summary Report:Analysis by FunctionRespond FunctionAn organizations ability to quickly and appropriately respond to an incident plays a significant role in reducing the incidents consequences.As such
276、,the activities within the Respond function examine how an organization plans,analyzes,communicates,mitigates,and improves its response capabilities.For many organizations,integration and cooperation with other entities is key.Many organizations do not have the internal resources to handle all compo
277、nents of incident response.One example is the ability to conduct forensics after an incident,which helps organizations to identify and remediate the original attack vector.Organizations can address this gap through resource sharing within the SLTT community and leveraging organizations such as MS-IS
278、AC and CISA,which have dedicated resources to provide incident response at no cost to the victim.Respond CategoriesResponse PlanningResponse processes and procedures are executed and maintained to ensure timely response to detected cybersecurity events.CommunicationsResponse activities are coordinat
279、ed with internal and external stakeholders,as appropriate,to include external support from law enforcement agencies.AnalysisAnalysis is conducted to ensure adequate response and support recovery activities.MitigationActivities are performed to prevent expansion of an event,mitigate its effects,and r
280、esolve the incident.ImprovementsOrganizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.DetectProtectIdentifyRecoverRespondSECURITYFRAMEWORK 2023 Nationwide Cybersecurity Review Summary Report:Analysis by Function 55Res
281、pond Analysis SummaryRespond Function HighlightsFigure 32.Year-to-year average for the Respond function across the peer groups for organizations that participated each year during the 2021,2022,and 2023 NCSR cycles.Note:Data is not available for the Territorial peer group,as the NCSR program did not
282、 receive participation from at least five organizations when using the reporting criteria.Average Maturity Level76543210 5.23 5.35 5.30 4.07 4.31 4.47 4.69 4.70 4.45StateLocalTribal 2021 2022 2023StateThe State peer group scored highest within the Respond function for the ninth consecutive year,indi
283、cating they have successfully implemented policies.This trend indicates that states have consistently documented their lessons learned after an incident and performed mitigation activities that allow for an increase in maturity.Many in this peer group are moving toward a level of“6,”“Tested and Veri
284、fied.”Local&TribalThe Local and Tribal peer groups are both now at an average maturity level of“4,”“Partially Documented Standards and/or Procedures,”within the Respond function.2023 Nationwide Cybersecurity Review 56 Summary Report:Analysis by FunctionRespond Category HighlightsFigure 33.Category S
285、ummary.Year-to-year averages for the Respond categories across the peer groups when viewing organizations that participated each year during the 2021,2022,and 2023 NCSR cycles.YearResponse PlanningCommuni-cationsAnalysisMitigationImprove-mentsRespond FunctionState Peer Group20215.235.215.195.385.115
286、.2320225.475.395.355.445.135.3520235.455.265.245.455.105.30Local Peer Group20214.003.994.124.393.874.0720224.214.224.404.634.104.3120234.374.354.564.784.314.47Tribal Peer Group20215.175.004.334.784.174.6920225.174.904.754.284.424.7020234.834.474.334.114.504.45 2023 Nationwide Cybersecurity Review Su
287、mmary Report:Analysis by Function 57Respond Subcategory HighlightsRS.AN-1“Notifications from detection systems are investigated”was the highest-scoring Respond subcatesgory activity for the repeat participants within the State(5.68)and Local(5.06)peer groups.RS.MI-1“Incidents are contained”was one o
288、f the highest-scoring Respond subcategory activities for the repeat participants within the State(5.66),Local(4.89),and Tribal(4.33)peer groups.RS.AN-3“Forensics are performed”was one of the relatively lower-scoring Respond subcategory activities for the repeat participants within the State(4.79),Lo
289、cal(4.20),and Tribal(4.17)peer groups.RS.IM-2“Response strategies are updated”was one of the relatively lower-scoring Respond subcategory activities for the repeat participants within the State(5.15),Local(4.28),and Tribal(4.00)peer groups.2023 Nationwide Cybersecurity Review 58 Summary Report:Analy
290、sis by FunctionRecover FunctionActivities within the Recover function pertain to an organizations ability to return to its baseline after an incident has occurred.Such controls are focused not only on activities to recover from the incident,but also on many of the components dedicated to managing re
291、sponse plans throughout their lifecycle.Recover CategoriesRecovery PlanningRecovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.ImprovementsRecovery planning and processes are improved by incorporating lesson
292、s learned into future activities.CommunicationsRestoration activities are coordinated with internal and external parties,such as coordinating centers,Internet Service Providers,owners of attacking systems,victims,other Computer Security Incident Response Teams(CSIRT),and vendors.DetectProtectIdentif
293、yRecoverRespondSECURITYFRAMEWORK 2023 Nationwide Cybersecurity Review Summary Report:Analysis by Function 59Recover Analysis SummaryRecover Function HighlightsFigure 34.Year-to-year average for the Recover function across the peer groups for organizations that participated each year during the 2021,
294、2022,and 2023 NCSR cycles.Note:Data is not available for the Territorial peer group,as the NCSR program did not receive participation from at least five organizations when using the reporting criteria.Average Maturity Level76543210 4.72 4.93 4.93 3.86 4.07 4.22 3.87 4.23 4.09StateLocalTribal 2021 20
295、22 2023 2023 Nationwide Cybersecurity Review 60 Summary Report:Analysis by FunctionRecover Category HighlightsFigure 35.Category Summary:Year-to-year averages for the Recover categories across the peer groups when viewing organizations that participated each year during the 2021,2022,and 2023 NCSR c
296、ycles.YearRecovery PlanningImprove-mentsCommunica-tionsRecover FunctionState Peer Group20214.814.734.624.7220225.134.814.864.9320235.024.735.034.93Local Peer Group20213.963.813.803.8620224.174.014.044.0720234.294.164.214.22Tribal Peer Group20213.833.833.953.8720224.003.754.944.2320233.833.504.944.09
297、State,Local,and TribalThe State,Local,and Tribal peer groups scored lowest in the“Improvements”category within the Recover function,indicating organizations may not be consistently reviewing and updating formalized recovery plans.To assist with increasing maturity within the Recover function,there a
298、re no-cost resources,such as policy templates and FedVTE training,that these entities can take advantage of to build policies and develop professional staff.By consulting the MS-ISACs Cybersecurity Resources Guide,these organizations can easily find links to these templates and training opportunitie
299、s relevant to this NIST CSF function,as this guide is organized in accordance with the framework.Organizations can also consult no-cost federal resources here:CISA Services.2023 Nationwide Cybersecurity Review Summary Report:Analysis by Function 61Recover Subcategory HighlightsRC.CO-3“Recovery activ
300、ities are communicated to internal stakeholders and executive and management teams”was one of the higher-scoring subcategories for the repeat participants within the State(5.40),Local(4.35),and Tribal(5.00)peer groups.RC.CO2“Reputation after an event is repaired”was one of the lower-scoring subcateg
301、ories for the repeat participants within the State(4.60)and Local(3.95)peer groups.RC.IM-2“Recovery strategies are updated”was one of the lowest-scoring subcategory activities for the repeat participants within the State(4.66),Local(4.14),and Tribal(3.50)peer groups.2023 Nationwide Cybersecurity Rev
302、iew 62 Summary Report:Peer Group SubsectorsPeer Group SubsectorsFigure 36.Average 2023 scores across the NIST CSF functions for State-level and Territory-level peer group subsectors,as well as the“Fusion Center”peer group subsector.Within each NIST CSF function below,the color code used is based on
303、the seven-point maturity scale shown in See Figure 38 on page 65.Key:1Not Performed,2Informally Done,3Documented Policy,4Partially Documented Standards and/or Procedures,5Implementation in Process,6Tested and Verified,7OptimizedPeer Group or Subsector NameOrganization QuantityIdentifyProtectDetectRe
304、spondRecoverAll Function AverageState Emergency Services 11 5.61 5.76 5.66 5.49 5.57 5.62State Finance&Revenue 51 5.25 5.54 5.30 5.40 5.30 5.36State Education 26 5.03 5.52 5.15 5.22 5.25 5.23State Public Safety&Law Enf.53 5.01 5.45 5.33 5.34 4.89 5.21State Recreational 15 4.93 5.53 5.28 5.02 4.67 5.
305、09State Business&Admin.68 4.86 5.27 5.08 5.16 5.00 5.07State Information Technology 7 4.79 5.15 5.05 5.23 5.03 5.05State Environmental 45 4.77 5.16 5.04 5.07 4.94 5.00State Agency All 490 4.82 5.18 5.00 5.08 4.90 4.99State Transportation 16 4.73 5.07 5.13 5.16 4.84 4.98State Overall(50 States)48 4.6
306、3 4.96 5.19 5.25 4.89 4.98Fusion Center 7 4.67 5.27 4.94 4.76 4.75 4.88State Health&Human Services 116 4.76 5.05 4.80 4.92 4.83 4.87State Judicial 24 4.56 4.94 4.78 4.99 4.55 4.77State Higher Education 31 4.36 4.47 4.51 4.98 4.68 4.60State Elections 23 4.18 4.76 4.76 4.47 4.44 4.52Territory Agency A
307、ll 21 3.46 3.82 3.41 3.53 3.45 3.54Territory Overall(6 Territories)6 3.50 3.77 3.75 3.35 2.93 3.46Territory Health&Human Svcs.5 3.10 3.85 3.20 3.05 2.40 3.12 2023 Nationwide Cybersecurity Review Summary Report:Peer Group Subsectors 63Figure 37.Average 2023 scores across the NIST CSF functions for Lo
308、cal-level peer group subsectors as well as the Tribal peer group.*Within each NIST CSF function below,the color code used is based on the seven-point maturity scale shown in See Figure 38 on page 65.Key:1Not Performed,2Informally Done,3Documented Policy,4Partially Documented Standards and/or Procedu
res, 5 Implementation in Process, 6 Tested and Verified, 7 Optimized

| Peer Group or Subsector Name | Organization Quantity | Identify | Protect | Detect | Respond | Recover | All Function Average |
|---|---|---|---|---|---|---|---|
| Authority Public Utilities | 6 | 4.64 | 5.15 | 5.50 | 5.37 | 5.02 | 5.14 |
| Local Port/Airport | 19 | 4.78 | 5.13 | 5.17 | 5.20 | 4.93 | 5.04 |
| Local Business & Admin | 18 | 4.71 | 5.42 | 5.12 | 5.05 | 4.81 | 5.02 |
| Association | 11 | 4.78 | 5.11 | 4.83 | 4.97 | 4.68 | 4.87 |
| Authority Fire & Emerg. Svcs. | 5 | 4.89 | 5.17 | 4.86 | 4.60 | 4.51 | 4.80 |
| Local Recreational | 11 | 4.69 | 5.12 | 4.73 | 4.85 | 4.51 | 4.78 |
| Local Police Department | 137 | 4.46 | 4.92 | 4.88 | 4.65 | 4.42 | 4.66 |
| Local Health & Human Services | 68 | 4.47 | 4.78 | 4.77 | 4.63 | 4.48 | 4.63 |
| Local Public Safety & Law Enf. | 263 | 4.42 | 4.86 | 4.73 | 4.58 | 4.41 | 4.60 |
| Local Sheriff's Office | 111 | 4.29 | 4.71 | 4.51 | 4.49 | 4.34 | 4.47 |
| Authority Port/Airport | 5 | 4.45 | 4.58 | 4.74 | 4.30 | 4.24 | 4.46 |
| Local 911 Services | 18 | 4.49 | 4.81 | 4.31 | 4.32 | 4.28 | 4.44 |
| Local Higher Education | 36 | 4.21 | 4.44 | 4.15 | 4.61 | 4.37 | 4.35 |
| Local Elections | 74 | 4.16 | 4.70 | 4.49 | 4.25 | 4.15 | 4.35 |
| Authority All | 39 | 4.16 | 4.42 | 4.46 | 4.45 | 4.24 | 4.35 |
| Local Emergency Mgmt. Svcs. | 191 | 4.07 | 4.60 | 4.41 | 4.31 | 4.13 | 4.31 |
| Local County/Parish | 871 | 4.07 | 4.55 | 4.35 | 4.33 | 4.06 | 4.27 |
| Local Consolidated Govt. | 16 | 3.90 | 4.48 | 4.45 | 4.25 | 4.08 | 4.23 |
| Local All Emerg./Fire/911 Svcs. | 345 | 4.07 | 4.42 | 4.27 | 4.16 | 4.00 | 4.18 |
| Commission | 68 | 4.15 | 4.37 | 4.13 | 4.08 | 4.00 | 4.15 |
| Local City | 729 | 3.97 | 4.39 | 4.19 | 4.14 | 3.90 | 4.12 |
| Local Homeland Security | 20 | 3.93 | 4.29 | 4.24 | 4.09 | 3.82 | 4.07 |
| Local All | 3,609 | 3.91 | 4.33 | 4.09 | 4.10 | 3.89 | 4.06 |
| Local Finance & Revenue | 13 | 3.96 | 4.50 | 4.00 | 4.12 | 3.71 | 4.06 |
| Authority Mass Transit | 7 | 3.77 | 3.74 | 4.19 | 4.41 | 4.18 | 4.06 |
| Local Water Services | 21 | 3.93 | 4.35 | 4.01 | 3.95 | 3.87 | 4.02 |
| Local Information Technology | 12 | 3.72 | 4.32 | 3.93 | 4.01 | 4.05 | 4.00 |
| Local All Special Function | 1,777 | 3.81 | 4.21 | 3.94 | 3.97 | 3.80 | 3.95 |
| Authority Health & Human Svcs. | 7 | 3.63 | 3.98 | 3.95 | 4.17 | 3.97 | 3.94 |
| Local Community College | 112 | 3.77 | 4.11 | 3.82 | 4.01 | 3.86 | 3.92 |
| Local Fire Dept./Services | 119 | 3.89 | 4.07 | 3.98 | 3.85 | 3.75 | 3.91 |
| Local All Public Utilities | 64 | 3.71 | 4.06 | 4.07 | 3.96 | 3.60 | 3.88 |
| Local Environmental | 7 | 3.68 | 4.30 | 3.77 | 3.82 | 3.27 | 3.77 |
| Tribal | 22 | 3.23 | 4.15 | 4.01 | 4.04 | 3.36 | 3.76 |
| Local Town/Township/Village | 98 | 3.53 | 3.96 | 3.64 | 3.63 | 3.42 | 3.64 |
| Local Judicial | 23 | 3.55 | 4.02 | 3.49 | 3.64 | 3.48 | 3.64 |
| Local K-12 Schools | 655 | 3.34 | 3.76 | 3.32 | 3.49 | 3.35 | 3.45 |
| Local Education Office | 28 | 3.21 | 3.44 | 2.89 | 3.18 | 2.78 | 3.10 |
| Local Library | 24 | 2.45 | 2.65 | 2.54 | 2.81 | 2.29 | 2.55 |

*The “Local All Special Function” peer group subsector represents NCSR submissions from any office or department at a local level rather than the overall local governments themselves, such as cities, towns, or counties. Examples include local public health departments, local public safety offices, and local police departments.

The “Local Authority” peer group subsector consists of standalone authorities created by acts of government or funded by government that may not sit as subordinate agencies under their local government entity.

The “Local Association” peer group subsector consists of associations of local-level government entities and includes examples like associations of counties or specific departments. These associations may be national or regional in nature, but they are focused on local government entities or employees as their constituents.

The “Local Commission” peer group subsector consists of multi-person or multi-governmental commissions formed to serve a specific purpose or to provide governmental services or functions. Regional planning commissions are an example of entities in this subsector.

The “Local Consolidated Gov.” peer group subsector consists of participants from organizations made up of a government formed by consolidating one or more individual governments. Common examples include governments formed by the consolidation of a municipal and county government into one entity.

Figure 38. Key: NCSR Maturity Levels

| Score | Maturity Level | Description |
|---|---|---|
| 7 | Optimized | Your organization is executing the activity or process and has formally documented policies, standards, and procedures. Implementation is tested, verified, and reviewed regularly to ensure continued effectiveness. |
| 6 | Tested and Verified | Your organization is executing the activity or process and has formally documented policies, standards, and procedures. Implementation is tested and verified. |
| 5 | Implementation in Process | Your organization has an activity or process defined within documented policies, standards, and/or procedures. Your organization is in the process of implementing and aligning the documentation to a formal security framework and/or methodology. |
| 4 | Partially Documented Standards and/or Procedures | Your organization has a formal policy in place and has begun the process of developing documented standards and/or procedures to support the policy. |
| 3 | Documented Policy | Your organization has a formal policy in place that has been approved by senior management. |
| 2 | Informally Done | Activities and processes may be substantially performed, and technologies may be available to achieve this objective, but they are undocumented and/or not formally approved by senior management. |
| 1 | Not Performed | Activities, processes, and technologies are not in place to achieve the referenced objective. |

Summary Report: Noteworthy Subsector Findings

K-12 School Districts

The “Local K-12 School District” subsector saw the highest participation of K-12 schools in the history of the NCSR. Participation increased from 402 K-12 school districts in 2022 to 655 K-12 school districts in 2023. The 2022 K-12 School District subsector displayed an overall average maturity score of 3.25. The 2023 subsector had an overall maturity score of 3.45. The MS-ISAC and CISA currently implement initiatives with K-12 school districts to improve their cyber maturity. This is accomplished through custom content and recommendations, webinars and trainings, and a collaborative peer working group.

County/Parish

The “County/Parish” subsector scored 2% higher in 2023 compared to 2022. This subsector maintained an average maturity level of “4,” “Partially Documented Standards and/or Procedures.” Counties/Parishes represent a large subset of NCSR participants.

City

The “City” subsector saw a slight decrease in year-over-year average maturity scoring, going from 4.17 in 2022 to 4.12 in 2023, though still above the level of “4” overall.

Public Utilities

The “Local All Public Utilities” subsector scored at a level of 3.88, which improved upon the prior year score of 3.77. However, this subsector currently lags behind subsectors such as “Local Emergency Management Services” and “Local Health & Human Services.” The public utilities subsector includes organizations such as water, wastewater, and sanitation/sewer districts. These types of organizations are deemed “high risk” by federal agencies. Further engagement with public utility organizations is recommended for federal and regional stakeholders.

Health & Human Services

The “State Health & Human Services” subsector scored at a level of 4.87, and the “Local Health & Human Services” subsector scored at a level of 4.63. Each of these subsectors showed improvements in scoring during the 2023 NCSR cycle compared to the 2022 NCSR cycle. Healthcare is considered a “high risk” sector by federal agencies and includes organizations such as a state-level or local-level Department of Health.

Emergency Services & Management

The “State Emergency Services” subsector scored at a level of 5.62, making it the highest scoring s