LGCA Cybersecurity Guide for Local Governments: Key Points and Takeaways

The Local Government Cybersecurity Alliance (LGCA) is an organization dedicated to strengthening the cyber defenses of municipalities and public entities. In October 2025, the LGCA released the “Local Government Officials Guide to Cybersecurity,” designed to help local government leaders navigate today’s complex cyber threat landscape. Developed by cybersecurity professionals, local government officials, and public and private sector partners, the guide offers actionable steps for combating cyber risks and strengthening organizational resilience. Below are some of the key points and recommendations presented in the guide.

Cybersecurity Governance

  • Cybersecurity is a leadership responsibility—not merely an IT concern.
  • Effective cybersecurity requires collaboration across various departments, including IT, legal, risk management, finance, and operational units.
  • Local government leaders must recognize cyber risks as a top priority, assess potential impacts across departments, acknowledge the need to mitigate threats, and ensure decision-makers receive timely, relevant information.
  • Boards and senior leaders must stay informed about new and emerging laws and regulations regarding cybersecurity.

Key Roles and Functions

  • Operational vs. strategic cybersecurity: Operational cybersecurity focuses on day-to-day technical defense and IT system health, while strategic cybersecurity ensures that cybersecurity decisions align with broader organizational priorities.
  • IT and cybersecurity should remain two distinct and independent functions. Guidance on defining IT and cybersecurity roles can be found here.
  • The role of the Chief Information Security Officer (CISO) is to lead efforts to develop, implement, and oversee cybersecurity policies. The CISO must have direct, unfiltered access to executive leadership and boards.
  • Smaller governments that can’t afford to employ a full-time CISO can still maintain strong cybersecurity systems by outsourcing part-time virtual CISO services, forming cybersecurity committees, collaborating with state or regional governments, engaging external experts, and implementing continuous cybersecurity training for personnel.

Challenges and Risk Areas

  • Barriers to effective cybersecurity include insufficient funding, staffing shortages and skills gaps, lack of leadership involvement, expanded attack surfaces, and emerging technologies.
  • High-cyber-risk areas for local governments include third-party risks, insider threats, AI technologies, privacy and data protection, disinformation, critical infrastructure, operational technology (OT) security, convergence of physical security and cybersecurity, and compliance and regulatory requirements.

Budgeting

  • Cybersecurity funding should account for initial capital investments (e.g., secure infrastructure), ongoing operational costs (e.g., security monitoring), and human resources costs (e.g., salaries, benefits, and training for cybersecurity personnel).
  • Several organizations provide benchmarks to guide cybersecurity budgeting decisions. These include NASCIO (0–3% of the IT budget), GFOA (~2% of the IT budget), and ICMA (0–10% of the IT budget).
  • Leaders must adopt a risk-based approach to cybersecurity budgeting and make cybersecurity investments strategically.

Key Strategies

  • Cybersecurity success depends on strong governance and executive oversight, clear staff roles and accountability, ongoing training, risk-informed decision-making, and operational resilience.
  • Continuous monitoring and improvement of cybersecurity systems are necessary. This includes vulnerability scanning, penetration testing, security control evaluations, regular policy updates, ongoing training, and maintaining a risk register.
  • Leaders should ensure that third-party vendor contracts include cybersecurity provisions and accountability clauses.
  • More municipalities are incorporating cyber insurance into their risk management strategies, with risk pooling offering financial benefits and opportunities for collaboration.
  • Internal audits assess system vulnerabilities, the effectiveness of controls, and risk exposure across departments.
  • Cybersecurity incidents must be reported and communicated to the public in a timely manner to maintain public trust and avoid potential consequences of delayed disclosure.
  • Cybersecurity frameworks (such as the NIST Cybersecurity Framework) provide structure for governments in managing cyber risk, ensure compliance with regulatory requirements, and standardize cybersecurity practices across departments.
  • Raising awareness within municipalities involves regular staff trainings, executive and board briefings, simulated exercises and drills, and clear accountability.
  • Cybersecurity reports should present key metrics regarding threat landscape, risk assessment, compliance, incident response, awareness and training, budget, and security.

Final Thoughts

This LGCA guide for local government officials emphasizes the need for cybersecurity to be treated as an organizational priority and a core leadership responsibility. Municipal leaders should assess their governments’ cybersecurity practices for alignment with the best practices presented in the guide. While you focus on improving your municipality’s cybersecurity mechanisms, let RBT CPAs’ government accounting team support your entity’s accounting, tax, audit, and advisory needs. Call us today and find out how we can be Remarkably Better Together.