State and local governments have purchased commercial off-the-shelf technologies with known vulnerabilities that federal agencies have banned. Five years after Congress passed bipartisan legislation to strengthen information sharing between the federal government and its partners, federal agencies could do more to support state and local governments’ cybersecurity practices.
State and local governments are on the front lines of the national effort to protect American citizens from cybersecurity attacks. They are responsible for providing public safety and managing elections. State and local agencies hold some of our most sensitive information, including financial and health records. State and local education agencies manage personal information of more than 50 million school children and their parents. All of these vital national services face serious threats from potential cyberattacks.
But state and local governments have limited cybersecurity expertise and capacity. State governments themselves have scarce resources for addressing cybersecurity vulnerabilities alongside their other responsibilities, including information technology management and federal regulatory compliance.
In a new Lincoln Network report, “Improving State and Local Governments’ Acquisition Security Management,” Dan Lips examines how federal agencies are banning the acquisition and use of certain information technology with links to nation states that present a cybersecurity threat to the United States. But state governments and local governments continue to purchase and use certain technologies that federal government agencies have deemed unsafe. Specifically, recent reviews warn that state and local agencies continue to use Lexmark, Lenovo, and DJI technology that federal agencies have prohibited.
In 2021 and beyond, Congress and federal agencies should prioritize sharing information about security vulnerabilities in commercial off-the-shelf technologies with state and local government agencies and other partners. Moreover, Congress should restrict the use of federal grant funding to prohibit state, local, tribal, and territorial government agencies from purchasing technology or other equipment that would put sensitive data at risk.