SLCGP program objectives survey

The goal of SLCGP is to assist SLT governments with managing and reducing systemic cyber risk. This goal can be achieved over the course of the four years of SLCGP funding as applicants focus their Cybersecurity Plans, priorities, projects, and implementation toward addressing the SLCGP objectives. Once CISA confirms that a recipient has met their objective requirements for each fiscal year, the recipient moves to the next set of program objective(s).

During FY 2022, applicants focused on:
• Program Objective 1: Develop and establish appropriate governance structures, including by developing, implementing, or revising Cybersecurity Plans, to improve capabilities to respond to cybersecurity incidents, and ensure continuity of operations.

In FY 2023, applicants are required to focus on addressing the following program objectives in their applications:
• Objective 2: Understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments.
• Objective 3: Implement security protections commensurate with risk.
• Objective 4: Ensure organization personnel are appropriately trained in cybersecurity, commensurate with responsibility.

Classification legend:
  0 Non-Existent: Nothing in place
  1 Initial: Undocumented practices are followed
  2 Repeatable: Procedures are documented
  3 Defined: Documented procedures have been incorporated in corporate processes
  4 Managed: Processes are monitored and measured

* 1. Governance and Cybersecurity Plans

  0 Non-Existent 1 Initial 2 Repeatable 3 Defined 4 Managed
1.1.1 A uniform cybersecurity governance structure is established.
1.1.2 Identified senior officials enable whole-of-organization cybersecurity coordination.
1.2.1 Cyber incident response plans are implemented, exercised, and revised.
1.2.1.1 DISASTER RECOVERY plans are implemented, exercised, and revised.
1.2.1.2 BUSINESS CONTINUITY plans are implemented, exercised, and revised.
1.2.1.3 CRISIS COMMUNICATIONS plans are implemented, exercised, and revised.
1.3.1 Systems and network functions are prioritized according to their impact to essential functions.

* 2. Security Posture and Testing

  0 Non-Existent 1 Initial 2 Repeatable 3 Defined 4 Managed
2.1.1 Asset inventory is regularly updated.
2.2.1 Cyber risk assessments are performed annually.
2.3.1 Active participation in CISA’s Vulnerability Scanning service.
2.3.2 Vulnerability mitigation is prioritized according to high impact and most likely to be exploited.
2.4.1 Network traffic to or from information systems, applications, and user accounts is analyzed.
2.5.1 Incidents and events are responded to, root cause is documented, and information is shared with partners.

* 3. Security Protections

  0 Non-Existent 1 Initial 2 Repeatable 3 Defined 4 Managed
3.1.1 MFA is implemented, with privileged users, Internet-facing systems, and cloud accounts prioritized.
3.2.1 Individual items identified are addressed through assessments and planning process.
3.2.2 The cybersecurity ecosystem is improved by collaborating to address items identified through assessments and planning process (e.g., regional and intra-state efforts).

* 4. Personnel Training

  0 Non-Existent 1 Initial 2 Repeatable 3 Defined 4 Managed
4.1.1 Ongoing, role-based phishing training and awareness campaigns are conducted.
4.1.2 Dedicated resources and funding are available for cybersecurity professionals to attend technical trainings and conferences.
4.2.1 NICE-based cyber workforce development and training plans are established.

Surveys can be modified to include a documentation upload section for verification and feedback.

* 5. Contact Information

T