| What is the Nationwide Cybersecurity Review? |
The Nationwide Cybersecurity Review (NCSR) is an anonymous, annual self-assessment, designed to measure gaps and capabilities of state and local governments’ cybersecurity programs. It is based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). |
|
| Is the NCSR a requirement for my organization? |
While participation in the NCSR is voluntary, it will provide your organization with an understanding of your cybersecurity maturity and make your organization eligible for future Federal funded cybersecurity services. |
|
| Is the NCSR related to the July 1, 2023, cybersecurity requirements in TN Utilities Bill No. 2282, Amendment HB2346? |
No, the NCSR is not related to the Utilities Bill No. 2282 that some organizations are required to complete. However, completing the NCSR is a great opportunity to obtain a cybersecurity baseline. |
|
| My organization has completed the NCSR already in the past. Why should I complete the NCSR with support from STS? |
While participation in the TN NCSR Project is voluntary, organizations are welcome to complete the NCSR online independently from STS. Participating in the TN NCSR Project will allow you to benefit from guidance and support from STS’s cybersecurity professionals and partners. Participating organizations will also receive a Plan of Action and Milestones (POA&M) that identifies areas of improvement and suggested corrective actions. |
|
| How much does it cost to take the NCSR? |
The NCSR is available at no cost to the local organization. |
|
| How long does it take to complete the NCSR? |
The NCSR takes approximately four (4) to eight (8) hours to complete. |
|
| Who can register for the 2023 TN NCSR? |
County governments, municipal governments, post-secondary schools, and school districts are eligible to participate in the TN NCSR Project. |
|
| How do I register for the NCSR? |
Email ncsr@tn.gov and the State of Tennessee NCSR team will help get your organization started in the process. |
|
| Do I need to be a member of the MS-ISAC to take the NCSR? |
No, however all States, State Agencies/Departments, Local Government Jurisdictions, and Local Government Agencies/Departments are encouraged to sign-up for MS-ISAC. The MS-ISAC is free to join and provides cybersecurity resources and services at no cost. To learn more about MS-ISAC please visit: cisecurity.org/ms-isac |
|
| Who from my organization should participate in the NCSR? |
The ideal person(s) to complete the NCSR are IT personnel or IT vendors within your organization who are responsible for the IT/cybersecurity services. In the absence of IT personnel, the local organization's leader is encouraged to participate, with guidance and support provided by STS and its partners. |
|
| Will support be made available to our internal and/or external IT resources in completing the NCSR? |
Yes. The STS NCSR team will partner directly with the organization’s IT resources, both internal and external, as needed to complete the NCSR. |
|
| If we do not have IT personnel within our organization, should we pay to have a vendor assist us in completion of the NCSR? |
The goal for the State of Tennessee, STS, and our partners is to support each organization to complete the NCSR accurately so that STS can identify areas of improvement in cybersecurity maturity across the State that could be addressed through Federal grant funding. Organizations are welcome to partner with an IT services professional in completing the NCSR in addition to support from STS and our partners, however this is not necessary. |
|
| What are the benefits of participating in the NCSR? |
Receive no-cost support in completing the NCSR and access to suggested corrective actions, become eligible for future State and Federal funded support, and resources to improve your cybersecurity maturity. Eligibility to receive metrics specific to your organization to identify areas of improvement, prioritize next steps, and measure year-to-year progress. |
|
| Is my information shared with anyone outside of the MS-ISAC? |
Completing the NCSR online means your results are private to your organization. By choosing to participate in this initiative with STS, this means your results will be visible to a select number of STS cybersecurity personnel and the state vendor to develop your organization’s plan of actions and milestones to improve your cybersecurity maturity. |
|
| Can other organizations view my results? |
In no instance will an organization’s NCSR results be shared or distributed to or with any other organization. A select number of STS employees will have visibility to the NCSR results. During the NCSR process, STS will issue a Memorandum of Understanding (MOU) to your organization to align on expectations of the NCSR results. |
|