As cyber threats intensify and federal cybersecurity resources shrink, state and local governments face a challenging equation and a fundamental mismatch: dramatically increased responsibility with proportionally decreased support.
The Trump Administration’s March 19, 2025 Executive Order “Achieving Efficiency Through State and Local Preparedness” shifts the focus to state and local government to prepare for cyber-attacks. Amid proposed cuts to cybersecurity budgets and resources at the federal level, the Executive Order seeks to empower state and local governments “to better understand, plan for, and ultimately address the needs of their citizens.” State and local governments should play a more active role in cybersecurity resilience and preparedness. Indeed, it was one of our goals when we launched NYC Cyber Command, a municipal cyber defense organization established by mayoral executive order in July 2017, where I held the position of Deputy CISO and Head of Threat Management. As state and local governments take on more responsibility, our experience in New York City can provide lessons and a roadmap for a partnership-based approach, as well as for how to scale support outside of large metropolitan areas.
Shared Responsibility Model
NYC Cyber Command is led by the Chief Information Security Officer of the City of New York and is tasked with protecting all of the city’s systems against cyber threats, including over 100 city government agencies and critical services. Within NYC Cyber Command, a partnership-based approach was essential to our work, as individual agencies possess irreplaceable domain expertise regarding operational workflows and system dependencies that help engineer resilience. A water utility understands its operational technology (OT) differently than a fire department grasps its emergency medical services (EMS) systems. Rather than centralizing all security decisions, our shared responsibility model preserved this critical knowledge while providing coordinated defense capabilities. The same is true for state-level intelligence sharing and federal coordination for broader impact.
Just as cloud computing transformed IT by clearly delineating responsibilities between providers and customers, cybersecurity governance needs similar clarity between federal, state, and local entities. In cloud security, providers secure the infrastructure while customers secure their applications and data – a model that has proven both scalable and effective at clarifying accountability, even when security incidents occur.
The key principles that make a shared responsibility model successful include:
- Clear delineation of responsibilities based on capabilities and control
- Standardized frameworks and protocols that define how responsibilities are coordinated and transferred between stakeholders
- Shared accountability for overall security outcomes
- Scalable support structures that adapt to stakeholder needs
The model reflects the core concept of states’ responsibility for security of the infrastructure and local governments’ responsibility for security in the infrastructure (their operations). This approach provides economies of scale, clear accountability, and standardization.
While the concept of a Whole-of-State approach is not new, it has not been universally documented or adopted. And while some states use the approach as part of their cybersecurity strategy, it is not yet a standardized framework with expected outcomes. However, it has proven to be effective with partial implementation by several states, as initially demonstrated by New York City.
This piece is part of an Aspen Digital series of perspectives on the evolving space of intergovernmental cyber policy, including challenges and best practices for building state, local, tribal and territorial capacity and how governments can collaborate effectively.
The views represented herein are those of the author(s) and do not necessarily reflect the views of the Aspen Institute, its programs, staff, volunteers, participants, or its trustees.