Governors need to establish a statewide governance structure...

developing and carrying out information technology security policies, and they have limited responsibility over statewide cyber networks, said NGA. The sharing of cyberthreat information with the private sector and local governments is handled by the state homeland security agencies, which is “further complicating the overall cybersecurity governance structure,” said NGA. Governors can grant their chief information officers or CISOs the authority to “develop and steer a coordinated governance structure ... that can greatly improve coordination and awareness across agencies that operate statewide cybernetworks,” said the paper. States need to do risk assessments to identify information assets, “model different threats to those assets” and allow for planning to conduct those threats, said NGA. Hands-on activities and exercises are needed as part of the assessments to establish “sound business practices and use existing resources,” said the paper. States must monitor threats to mission-critical systems with technologies and business practices that will “identify potential threats, track all stages of cyber attacks in real time, and offer mitigation techniques and options for any resulting loss or damage,” said NGA. The NGA Resource Center for State Cybersecurity will issue a series of reports on actions governors can take on critical areas in the mid and long term over the next year, said the paper. NGA will lead efforts through the Council of Governors to collaborate with the Departments of Defense and Homeland Security on how the National Guard can be used to protect both state and federal efforts.