Louisiana officials propose NIST‑based cybersecurity standards, reimbursement for noncompliance after incidents
Summary
National Guard and GOSEP officials outlined legislation to let GOSEP codify NIST baseline cybersecurity rules in the Louisiana Administrative Code and require publicly funded entities to reimburse ESF‑2 costs after incidents if they were noncompliant; ESF‑2 staff described assessment timelines and support resources.
Mike Poche, director of intergovernmental affairs for the Louisiana National Guard, briefed the task force on proposed legislation to (1) give the GOSEP director rulemaking authority to codify baseline cybersecurity standards in the Louisiana Administrative Code and (2) require publicly funded entities that receive ESF‑2 assistance after an incident to reimburse the state if they are found not to have complied with those standards.
Poche said the standards would be NIST‑based and consistent with OTS practices. He described the measure as designed to encourage adoption of baseline cybersecurity hygiene, not to remove ESF‑2's response role. He estimated private contractor incident cleanup costs at approximately $1 million to $3 million per incident and said ESF‑2 had responded to about 200 incidents in the state from 2019 through early 2025.
ESF‑2 cybersecurity director Steven Durell said on‑site evaluations take roughly four to six weeks to schedule. Legislators asked practical implementation questions—how small entities would pay, whether there would be a future effective date to allow ramping up, and how the National Guard cyber protection team fits in. Poche and Durell described existing support (multi‑agency ESF‑2 teams, OTS, Louisiana State Police and National Guard assistance) and emphasized that the bill seeks published standards and post‑incident reimbursement only when noncompliance is identified.
Members said they want to ensure small water districts and other local entities can meet standards without undue cost and asked staff to map implementation timelines and enforcement options. No vote was taken at the hearing.
