For counties and cities, cyber incidents don’t just “impact IT.”
They can slow permitting, knock billing offline, disrupt court operations, and in the worst cases, create real friction for public safety, 911, and emergency response. CIRCIA adds another operational pressure point: if you’re a covered entity, certain cyber incidents may need to be reported to CISA within 72 hours after you reasonably believe a covered cyber incident occurred.
https://www.law.cornell.edu/uscode/text/6/681b
This isn’t about turning local government into a federal reporting shop. It’s about being ready to produce a clear, defensible first narrative while the situation is still unfolding.
Coverage indicators for counties and cities
Local governments sit at the center of critical infrastructure. Not because of a label, but because of what you operate every day:
- emergency response systems
- public safety communications
- water and wastewater infrastructure
- transportation systems
- public records and permitting platforms
That’s why many state, local, tribal, and territorial (SLTT) organizations may fall within CIRCIA’s scope.
One commonly discussed indicator in the proposed rule is jurisdictions serving approximately 50,000 or more residents. The proposed rule explains how CISA evaluates applicability across critical infrastructure sectors, including SLTT governments:
https://www.federalregister.gov/documents/2024/04/04/2024-06526/cyber-incident-reporting-for-critical-infrastructure-act-circia-reporting-requirements
CISA recommends evaluating applicability using a three-step covered-entity framework, which looks at sector alignment, organizational size, and operational role:
https://www.cisa.gov/sites/default/files/2024-05/24-0630-Covered-Entity-Infographic-04242024-508c.pdf
A plain-language overview is here:
https://www.cisa.gov/resources-tools/resources/covered-entity-fact-sheet
A simple “coverage memo” that saves time later
Coverage can vary based on organizational structure and services provided, so the practical move is to document a short coverage memo now. Keep it tight:
- population served
- key infrastructure services you operate
- major technology systems that support public services
For a structured evaluation framework:
circia-covered-entity-quick-test
For broader context on CIRCIA’s reporting requirements:
circia-healthcare-72-hour-ready
Cross-department coordination: who owns the clock?
When cyber incidents hit local government, it stops being one team’s problem almost immediately. Depending on what’s impacted, you may have:
- IT and security teams
- finance and administrative offices
- law enforcement systems
- fire and emergency services
- 911 dispatch infrastructure
- courts and public records systems
CIRCIA’s 72-hour reporting lane is short enough that “we’ll figure out who owns this when it happens” doesn’t hold up. You need clock ownership defined ahead of time.
https://www.law.cornell.edu/uscode/text/6/681b
A clean, workable split usually looks like this:
IT and Security Teams
They detect and investigate, collect technical evidence, coordinate containment actions, and keep the incident timeline moving.
Legal and Compliance Leadership
They evaluate reporting obligations, advise on disclosure risk, and keep external submissions consistent.
Public Safety Leadership
They evaluate impacts to emergency services and continuity operations, and they help answer the question that matters most in a civic incident: “Are people safe, and can we still respond?”
Executive Leadership
They approve major response decisions, coordinate public communications, and brief elected officials when needed.
If you want a proven structure for roles, escalation, approvals, and communications, NIST’s incident response guide is a strong backbone:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r3.pdf
CISA also maintains SLTT-specific cybersecurity resources and support services here:
https://www.cisa.gov/resources-tools/resources/sltt
What to capture during the first 72 hours
In local government, the first 72 hours are often the difference between clarity and chaos.
Not because you’ll “finish” the investigation in 72 hours; you won’t. The win is capturing enough facts, early, to support reporting, leadership decisions, and continuity operations.
CIRCIA’s reporting requirements emphasize the early collection of key incident information.
https://www.law.cornell.edu/uscode/text/6/681b
CISA’s covered cyber incident guidance is helpful for triage, especially when impacts are still emerging:
https://www.cisa.gov/sites/default/files/2024-05/24-0630-CCI-One-Pager-20240410-2-508c.pdf
First-day documentation that actually helps
During the first day, focus on three categories.
Affected systems
Start a working list, time-stamp updates, and keep it grounded in evidence (tickets, logs, screenshots, vendor confirmations). Examples often include:
- emergency dispatch systems
- municipal networks
- identity and authentication platforms
- financial systems
Operational impact
Determine whether disruptions affect:
- emergency response
- public safety operations
- city services or utilities
- administrative services
Continuity measures
If services are disrupted, document what you did to keep the city or county moving:
- activating backup systems
- switching to manual procedures
- isolating affected networks
NIST’s guidance underscores the importance of documenting containment and recovery actions in the incident record.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r3.pdf
One practical tip, and it’s simple: assign a timeline owner. Not the lead investigator, but someone whose only job is to keep facts time-stamped and sourced while everyone else is busy putting out fires.
Vendor and regional partnerships
Many counties and cities rely on third parties for core technology operations:
- managed IT service providers
- shared regional data centers
- state-level technology services
- SaaS platforms used across departments
When an incident happens, these partners often hold evidence you need to understand the attack; sometimes, they’re the only ones who have it.
That’s why vendor coordination procedures matter. Define:
- escalation contacts (and backups)
- response timelines
- evidence delivery expectations (logs, IOCs, written findings summaries)
CISA’s SLTT hub is a solid place to start for guidance and support pathways:
https://www.cisa.gov/resources-tools/resources/sltt
Most jurisdictions should also be familiar with the Multi-State Information Sharing and Analysis Center (MS-ISAC), which provides threat intelligence and incident response support to SLTT organizations:
https://www.cisa.gov/resources-tools/services/multi-state-information-sharing-and-analysis-center
For MS-ISAC member incident reporting and service requests:
https://www.cisecurity.org/isac/report-an-incident
The difference this makes is very real. When the pressure is high, you don’t want to be hunting for the right escalation email or negotiating for logs you should have had access to by default.
Runbook: one incident narrative and one approval lane
Local government incidents get messy when everyone is writing their own version of events.
IT has a timeline. A vendor has another. Public safety has a third. Leadership briefing slides quietly drift away from what the logs actually support. Then the external reporting conversation starts, and suddenly consistency becomes a problem.
A practical fix is to maintain one incident narrative as the single source of truth:
- detection timeline
- affected systems
- containment actions taken
- operational impacts
NIST’s incident response guide supports this “one record” approach, including coordination and communications.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r3.pdf
If you want leadership-friendly framing, NIST CSF 2.0 can help connect the runbook to governance and resilience without turning it into a giant program:
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf
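As an added example (not from this article, CISA, or NIST), here is a small Python incident record that enforces the first-day discipline described above and the runbook's single-narrative rule: every fact carries a timezone-aware timestamp and a source, is filed under one of the three first-day categories, and the 72-hour clock is computed from the reasonable-belief time. The jurisdiction name, ticket numbers, and timestamps are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# CIRCIA clock: 72 hours from the time you reasonably believe a covered incident occurred
REPORT_WINDOW = timedelta(hours=72)
CATEGORIES = ("affected_systems", "operational_impact", "continuity_measures")

@dataclass
class Entry:
    ts: datetime    # when the fact became known (timezone-aware)
    category: str   # one of CATEGORIES
    fact: str       # what is known
    source: str     # ticket, log, screenshot, vendor confirmation

@dataclass
class IncidentRecord:
    name: str
    believed_at: datetime             # reasonable-belief time that starts the clock
    entries: list = field(default_factory=list)
    def __post_init__(self):
        if self.believed_at.tzinfo is None:
            raise ValueError("believed_at must be timezone-aware")
    @property
    def report_deadline(self) -> datetime:
        return self.believed_at + REPORT_WINDOW
    def hours_remaining(self, now: datetime) -> float:
        return (self.report_deadline - now) / timedelta(hours=1)
    def add(self, ts: datetime, category: str, fact: str, source: str) -> None:
        # Timeline-owner rule: no unstamped or unsourced facts enter the record
        if ts.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        if category not in CATEGORIES:
            raise ValueError(f"unknown category {category!r}")
        if not source.strip():
            raise ValueError("every entry needs a source")
        self.entries.append(Entry(ts, category, fact, source))
    def narrative(self) -> list[str]:
        # The single chronological record everyone briefs from
        return [f"{e.ts.isoformat()} [{e.category}] {e.fact} (source: {e.source})"
                for e in sorted(self.entries, key=lambda e: e.ts)]

def sample_record() -> IncidentRecord:
    # Constructed sample incident, not a real event
    t0 = datetime(2025, 3, 3, 14, 0, tzinfo=timezone.utc)
    rec = IncidentRecord("sample-county", believed_at=t0)
    rec.add(t0 + timedelta(minutes=40), "affected_systems", "CAD/dispatch server unreachable", "ticket INC-0001")
    rec.add(t0 + timedelta(minutes=15), "operational_impact", "911 call-taking moved to backup PSAP", "dispatch supervisor log")
    rec.add(t0 + timedelta(hours=2), "continuity_measures", "dispatch on manual cards; affected VLAN isolated", "change record CHG-0007")
    return rec
```

Facts are appended as they become known, and narrative() sorts them by when they happened, so a late-arriving vendor confirmation still lands in the right place in the timeline.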
Test it before it matters
Tabletop exercises are where you find the real gaps, especially cross-department ones.
CISA provides tabletop exercise packages you can adapt to scenarios involving public services:
https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages
A good tabletop for counties and cities forces these questions:
- How quickly can we confirm whether 911, dispatch, or public safety communications are impacted?
- How long does it take to draft a defensible first narrative?
- Who approves external reporting language, and how fast?
- Can we get the evidence we need from vendors inside the window?
Conclusion: prepared jurisdictions respond faster
Cyber incidents affecting counties and cities can disrupt essential services the community depends on every day. Emergency services and municipal operations have to keep moving, even when systems are degraded.
CIRCIA introduces an additional operational requirement: rapid reporting of cyber incidents affecting critical infrastructure.
https://www.law.cornell.edu/uscode/text/6/681b
The goal isn’t eliminating uncertainty. The goal is to quickly assemble accurate facts, maintain a clean timeline, and coordinate decisions under pressure.