The State Auditor's Office (SAO) described its ransomware-resiliency and cybersecurity support work to the Joint Legislative Audit and Review Committee, saying targeted audits and checkups aim to raise local governments' defenses against ransomware. Since SAO began piloting the ransomware-resiliency audits in March 2023, the office has completed six of them in the most recent fiscal year, assessing each government against a 22-safeguard set derived from the Joint Ransomware Task Force's #StopRansomware Guide. "We began piloting this effort in March 2023 and we've completed a total of 6 ransomware resiliency audits within the last fiscal year," said Quinn Peralta.
Quinn told the committee that across the six audited governments a little over 35% of the assessed safeguards were not in place, while around 60–63% had at least partial implementation. The SAO uses a three-tier scale (fully in place, partially in place, not in place) for these audits. Quinn said the shorter, more targeted ransomware engagements are attractive to local clients because they do not include full penetration testing and can be completed more quickly. "The silver lining in all of this is that the governments were very interested in the audit results and the recommendations, and they continue to make improvements to their IT security posture," Quinn said.
SAO's Center for Government Innovation also performs voluntary cybersecurity checkups and has completed 82 checkups at local governments since 2023; the center maintains a "be cyber smart" campaign and publishes a cybersecurity policy guide to help governments craft IT policies. WaTech and SAO officials told the committee that grant funding from the State and Local Cybersecurity Grant Program (SLCGP) and other federal/state sources has helped many projects: "Over the past 2 years, Washington state has leveraged more than $11,000,000 in federal and state cybersecurity grant funds in support of over 200 projects statewide," said Ralph Johnson, WaTech's chief information security officer.
Committee members asked how nimble the grant program is. Johnson described the SLCGP as a four-year grant with funds released once a year and an annual application process; he said WaTech works to distribute funds quickly after the federal release but acknowledged the program is not highly responsive to ad hoc emergency needs. Auditors and WaTech encouraged local governments to pursue low-cost mitigations, use compensating controls when funding is unavailable, and apply in the grant cycles to fund larger remediation work. SAO also maintains other cybersecurity-related services, including security attestation engagements and follow-up work on fraud or financial-loss matters with cyber components.