As Governor Terry McAuliffe (D-VA) completed his term as Chair of the National Governors Association, he announced on July 14, 2017, that 38 governors had signed a compact to improve state cybersecurity. The compact was the culmination of Governor McAuliffe’s focus on cybersecurity as his main initiative during his year as Chair. He noted that his goal was to “elevate the importance of cybersecurity on every governor’s agenda” and demonstrate that cybersecurity was not only a technology issue, but also “a health issue, an education issue, a public safety issue, an economic issue and a democracy issue.” The compact itself states that “protecting citizens from cybersecurity threats” is now a central part of every governor’s basic duty to safeguard public safety. To meet this duty, the parties to the compact each agreed to move toward implementation of certain recommendations surrounding three major topics.
First, the governors agreed to build up their states’ cybersecurity governance. Recommendations to meet this goal include creating a cybersecurity governance structure, either through legislation or executive order, as well as the development of a statewide cybersecurity strategy focused on protecting a state’s critical infrastructure and IT networks. The compact recommends conducting a risk assessment to determine vulnerabilities and threats, potential consequences of attack, and avenues of mitigation.
Second, the governors agreed to prepare and defend their states from cybersecurity events by creating and exercising statewide cybersecurity disruption response plans. The compact recommends that each state create an information sharing framework between state homeland security, emergency management, and IT officials, as well as any managers of critical state infrastructure. Other recommendations to meet this goal include the creation of public communications plans for cyber events and the inclusion of National Guard response in cyber response plans.
Last, the governors agreed to grow the nation’s cybersecurity workforce. To do so, the compact recommends that states reclassify job descriptions for state cybersecurity positions to be in line with private sector practices. The compact recommends that governors work with colleges and universities to increase the availability of transferable, two-year cybersecurity degrees and to create programs to assign college students as cybersecurity interns to state agencies.
The full text of the compact, as well as the list of signatories, is available here.