Compliance for Today, Resilience for Tomorrow: Building Municipal Resilience Through Proactive Compliance Efforts
If you’re feeling cybersecurity compliance requirements creeping into your municipality a little more each year, you’re not alone.
Because cybersecurity threats have grown more sophisticated, frequent, and relentless over the past 10 years, the federal government and regulatory agencies have placed more pressure on various industries to implement baseline cybersecurity best practices—especially industries that handle sensitive and confidential information.
In recent years, ransomware groups began to target municipalities more relentlessly because they held sensitive data, ran critical services, and historically had weak defenses. Sadly, many municipalities in the 2010s were running systems from the 1990s and early 2000s. Regulators and cybersecurity industry experts began to recognize that, without mandates, most municipalities would not modernize their cybersecurity defenses on their own.
Today, municipalities find themselves subject to a growing variety of regulatory requirements aimed at ensuring a consistent set of cybersecurity standards and accessible, secure digital services for residents. Obviously, every municipality wants to serve its residents well. But that responsibility now comes with a growing maze of rules about security, accessibility, privacy, and accountability, often written in legal or technical language that wasn’t designed for municipalities with lean teams.
As we’ll see in this guide, compliance isn’t just about checking boxes. The ultimate goal of compliance is actually long-term resilience—protecting the trust of residents, keeping essential services running, and avoiding disruptive headlines. That’s why it’s important to understand how you can best address these complicated requirements with a lean team and budget.
Let’s start with the compliance ecosystem to see what you have to face.
The Municipal Compliance Ecosystem
Many different laws, regulations, and requirements affect municipalities, creating an ecosystem of overlapping requirements that touch nearly every department.
CJIS (Criminal Justice Information Services)
For municipalities with police departments, CJIS is one of the most demanding and highest-risk compliance obligations. CJIS governs how criminal justice information (CJI) is accessed, stored, transmitted, and protected. While CJIS originates at the federal level, every state imposes its own enforcement and oversight requirements.
Three current challenges with CJIS include:
- Municipalities still working through CJIS 6.0: CJIS 6.0 took effect on December 27, 2024, and many municipalities are still wrapping their minds around the increased requirements around identity, governance, and alignment with NIST controls. Of special note is the requirement for mandatory multifactor authentication (MFA)—now required on all devices that can access CJI.
- CJIS 6.1 is expected in 2026: The upcoming CJIS 6.1 requirements are also increasing anxiety and uncertainty, even though no official FBI draft has been released. Requirements are expected to tighten even more around identity and access controls, audit and evidence requirements, and formal governance structures.
- Municipal leaders lack clear internal CJIS ownership and documentation: It’s easy to assume that your IT team or resource will handle CJIS because it’s “tech.” Actually, CJIS comprises a host of both technical and non-technical security controls that involve hands-on activity from police chiefs, municipal managers, and non-IT staff. Non-technical controls include incident response plans, physical security, and background checks on personnel with access to CJI. You are also responsible for documentation such as policies, procedures, equipment lists, audit logs, system configurations, etc.
ADA Digital Accessibility (Title II)
In 2024, the Department of Justice finalized a rule requiring state and local government websites and mobile apps to follow WCAG 2.1 AA standards. Compliance deadlines vary by the size of your municipality. Those with a population of 50,000 or more must comply by April 26, 2027, while smaller municipalities and special district governments have until April 26, 2028.
For municipalities, ADA compliance applies to daily public-facing services. Website accessibility gaps can expose municipalities to complaints, lawsuits, and reputational damage, especially when residents rely on digital services to access essential information.
These standards directly affect everything on your website, such as online forms, meeting agendas and minutes, utility portals and digital payments, and emergency communications. Your website needs to be accessible to people with disabilities, injuries, slow internet connections, and age-related challenges. You may need to invest in enhancements that include:
- Adding “alt text” to all images to help residents who use screen readers
- Making PDFs with searchable text (not scanned images of text)
- Improving keyboard navigation for people with mobility disabilities and who use assistive technology
- Improving form accessibility
- Improving color contrast
- Adding captions and transcripts for video and audio
State and Local Cyber Regulations
Because of slow federal action, states are increasingly passing many laws and regulations to help nudge municipalities toward implementing basic cybersecurity best practices. History shows that once a few states act, others follow quickly. Today’s “early adopter” law often becomes tomorrow’s baseline expectation nationwide.
Consider the legislative movement in the following areas:
- Data breach notification legislation: All 50 states have legislation in place that requires municipalities (and all entities) to report a data breach and follow a set of procedures (with some exceptions).
- Data privacy laws: 20 states currently have a data privacy law. (In 2021, 3 states had one.)
- Comprehensive cyber bills: Florida and Ohio currently have comprehensive cyber bills requiring municipalities to align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and other states have proposed similar laws.
- Cyber incident reporting: Three states now require municipalities to report cyber incidents within a specific time (24–72 hours)—with a handful of other states currently advancing similar laws.
- Records/data retention requirements: Each state requires municipalities to retain data/records for a certain duration of time.
- Public Records Laws (Sunshine Laws / FOIA): Every state has laws requiring municipalities to secure records, retain data properly, and ensure availability of records in response to requests.
- Security awareness training: Mandatory in Texas and New York.
Data breach notification is the model here (going from one state in 2002 to all 50 states in 2018): states such as California, New York, and Texas tend to pioneer laws that other states eventually take up. In other words, if only three states have enacted a law, expect the number of states with that same law to grow exponentially within the next 5-10 years.
Cyber Insurance as De Facto Regulation
While it’s not a law, cyber insurance has become a powerful enforcement mechanism that heavily impacts municipalities. Most insurers now require municipalities to demonstrate controls such as:
- MFA
- Endpoint detection and response (EDR)
- Encryption
- Incident response planning
- Data backup and recovery testing
- Security awareness training
- Logging and monitoring
- Software patch management
Failure to meet these requirements can result in higher premiums, reduced coverage, or denial of claims—effectively turning insurance questionnaires into de facto compliance audits.
The good news is that cyber insurance pricing has cooled from the sharp increases seen in 2021 and 2022, with global rates declining 5% in Q1 2026. However, insurers still closely evaluate municipalities because they provide essential public services, manage sensitive resident data, and experience frequent cyberattacks.
Municipalities with stronger baseline cybersecurity controls are often better positioned to qualify for cyber insurance coverage and avoid higher-risk underwriting decisions.
Lower-Priority but Still Relevant Requirements
Municipalities also encounter a variety of other regulations that apply more narrowly and generally involve fewer departments. Some examples include:
- IRS Publication 1075: This applies to municipalities receiving or storing federal tax information (FTI)—especially finance departments handling tax returns or revenue data. The IRS requires that cities keep FTI secure according to Publication 1075. Secure data transfer, storage, and access are all covered under federal law. According to the IRS, “The [Internal Revenue Code] defines and protects the confidential relationship between the taxpayer and the IRS and makes it a crime to violate this confidence.”
- PCI DSS: Any municipality that offers payment services for tickets, fines, utilities, licenses, or other services needs to secure and protect payment information. That includes credit cards, debit cards, banking, and any other data that hackers can steal to commit financial fraud. While not a law, PCI DSS is enforced through contracts by credit card networks (Visa, Mastercard, etc.), acquiring banks (merchant account providers), and payment processors. If a municipality does not comply, the consequences can include heavy fines, higher processing fees, or forced termination of card-processing privileges.
- HIPAA: Applies to municipalities that handle protected health information (PHI) through public health departments, EMS/ambulance services, and jail medical units.
- FISMA, Executive Order 14028, and federal cybersecurity requirements: While these requirements are aimed primarily at federal agencies and systems, municipalities may need to align with NIST-based controls when they manage federal data, operate federally connected systems, participate in federally funded programs, or accept grants with cybersecurity requirements.
- Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA): CIRCIA requires critical infrastructure entities to report significant cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA).
While these matter, for most municipalities they are not the primary drivers of compliance pressure compared to CJIS, ADA, state laws, and cyber insurance mandates.

Pain Points Municipalities Experience from This Compliance Ecosystem
Such an ecosystem is overwhelming. While municipal leaders are aware of these compliance frameworks, lack of IT resources and budget can sometimes make it difficult to keep up.
Common challenges under these pressures include:
- Ownership confusion: IT, police, finance, the clerk’s office, and legal teams all touch compliance—and yet no single group “owns” the whole picture. When this happens, it’s easy to point fingers at others, deflect responsibility, or assume your IT resource is taking care of all compliance requirements.
- Siloed requirements and implementations: You might find that CJIS, a state law, and cyber insurance all require the same control (such as MFA or data backup). When implementing the control, it’s easy to duplicate efforts across different departments, inconsistently apply the control, or apply it in only one department.
- Audit anxiety: Municipal leaders have so much on their plate that they can sometimes only act on compliance issues when an audit, required assessment, cybersecurity incident, or insurance denial forces the issue. Audits especially tend to force municipalities into remedial activities, but often in a scrambling manner that is costly and still leaves gaps.
- Consequences of rising risk exposure: Noncompliance issues tend to pile up, such as fines, lawsuits, denied insurance claims and coverage, operational disruption, and loss of public trust. While many of the laws and regulations in the compliance ecosystem don’t have direct penalties, the consequences of noncompliance are often more indirect—leading to a degradation of resident services, high remediation costs after a ransomware or other cyberattack, and public relations nightmares.
When compliance starts to feel overwhelming and reactive, it’s good to take a step back and realize that most compliance frameworks and other mandatory requirements tend to draw on NIST standards. If you align to NIST, you’ve addressed most of your compliance problems at once.
NIST: A Foundation for Municipal Compliance
The good news when considering all these various compliance requirements is that they are not separate, one-off problems that need unique solutions. Compliance professionals call this crosswalking: mapping multiple frameworks side by side to identify the shared controls underneath them.
Think of it like building codes. If your building meets the state's structural code, it's almost certainly going to satisfy the county's and the city's too because they're all drawing from the same underlying standards.
For municipalities, NIST is that foundation. Behind CJIS audits, state cybersecurity laws, cyber insurance applications, and even future regulations, the same expectations keep showing up: know what you have, limit access, protect data, monitor activity, prepare for incidents, and recover quickly.
The NIST Cybersecurity Framework provides a single, widely accepted way to organize and manage those expectations. By following NIST, municipalities align with best practices that help reduce cyber risk today while also building a foundation that makes future compliance requirements easier to meet.
Common NIST controls that appear in most compliance frameworks include:
- Clear governance and ownership: IT is not solely responsible for compliance. Leadership has a role too. Municipal leaders need to designate oversight, oversee policies, and approve incident response plans.
- Knowing what you have: You can’t protect something if you don’t track it. Maintain an inventory of devices, systems, and software. You should also know where sensitive data exists (such as CJIS data, sensitive resident data, payment information) and which systems are most critical to your operations.
- Protecting data—including access to that data: Cyberattacks usually succeed because basic cybersecurity best practices aren’t in place. Regularly patching software and using tools such as EDR will help prevent and detect many cyber threats. Unauthorized access is the most common attack entry point, so deploying MFA and limiting employee access to systems and data based on their role is equally, if not more, important.
- Monitoring for problems: Continuous proactive monitoring of your IT systems is a necessity. That includes logging your system activity so that you can detect unusual behavior, watch for suspicious login attempts, and retain logs to support audits and investigations.
- Preparing for a cyber incident: An incident response plan serves as a well-tested drill so that you’re ready if the worst happens—such as a ransomware attack, data loss event, or system outage. It’s important to practice your incident response procedures so that you’re not using them for the first time during an emergency.
- Recovering after a cyber incident: Ultimately, you want a cyber incident to be an inconvenience, not a crisis. It’s important that you maintain secure, tested data backups that give you the ability to quickly restore your systems and essential services so that residents are not negatively impacted.
NIST is also a great way to proactively identify what’s missing in your IT environment. After a NIST assessment, you can identify higher‑risk gaps to remediate so that you’re not simply reacting to a recent audit or insurance questionnaire.
And rather than having competing checklists owned by IT, public safety, finance, and legal, NIST creates a shared structure that everyone at your municipality can understand and use. Centralized compliance supports better coordination and accountability.
Overall, NIST turns compliance from a scramble into a coherent strategy—and that’s what enables resilience.
Municipal Compliance as a Foundation for Resilience
Municipalities that proactively adopt recognized standards are better positioned to avoid costly disruption and keep pace with rapidly evolving state and federal requirements. When compliance expectations, processes, and responsibilities are clear, municipalities make better decisions under pressure. Following compliance requirements provides structure during audits, cyber incidents, and leadership transitions, helping ensure that resident services continue without disruption.
And resilience goes beyond simply preventing cyber incidents. It’s the ability to withstand, respond to, and recover from disruption while continuing to serve residents and protect public resources. When services stay online and data is protected during disruption, residents maintain confidence in local government—even during difficult situations.
Ultimately, compliance maturity improves predictability, operational discipline, and long-term planning. Over time, you become less reactive, allowing your municipality to plan proactively rather than respond under pressure.
Need help with municipal compliance?
We’re here to help. Reach out to us today to talk about your compliance ecosystem.