Top Cybersecurity and Compliance Challenges for State/Local Government

1. The “AZRAMP to GovRAMP” Migration

Arizona is currently overhauling its vendor authorization process. The state is transitioning from its proprietary AZRAMP (Arizona Risk and Authorization Management Program) to StateRAMP (GovRAMP) to align with national standards.

• The Challenge: Effective July 1, 2025, all new contracts must align with GovRAMP (based on NIST 800-53). This creates a massive compliance bottleneck. Many smaller software vendors used by local municipalities (e.g., for dog licensing or parking tickets) do not meet these federal-grade security controls.
• Compliance Burden: Agency procurement officers must now act as security gatekeepers, rejecting preferred vendors who lack authorization. This slows down the deployment of necessary tools.
• Impact: A “compliance deadlock” where agencies are forced to choose between using non-compliant (but functional) legacy software or waiting months for a compliant vendor to be authorized.

2. Securing Water Infrastructure (SCADA Vulnerabilities)

Water is Arizona’s most critical resource, and its management relies on Supervisory Control and Data Acquisition (SCADA) systems. These Operational Technology (OT) networks are prime targets for nation-state actors and hacktivists.

• The Challenge: Many Arizona water districts operate on “air-gapped” myths—believing their industrial controls are not connected to the internet. In reality, vendor maintenance portals and IoT sensors often bridge these networks to the web, creating invisible attack paths.
• Specific Threat: Attackers do not need to steal data; they only need to alter chemical dosage levels or shut down pumps. The EPA has ramped up warnings, but local water districts often lack the funding to replace aging, insecure PLCs (Programmable Logic Controllers).
• Arizona Context: With the Colorado River shortage, any cyber-induced disruption to water delivery (e.g., the CAP canal system) would escalate immediately from an IT incident to a public safety emergency.

3. Election Security: The “Deepfake” Regulation Gap

Arizona is a focal point for election integrity debates. The challenge has shifted from securing voting machines (which are generally isolated) to securing the information environment surrounding them.

• The Compliance Challenge: Arizona recently enacted legislation (e.g., SB 1359 and HB 2394) criminalizing the use of undiscernible AI deepfakes in political campaigns within 90 days of an election.
• Enforcement Difficulty: Election officials are now tasked with policing content. Determining if a video is a “deepfake” and issuing a takedown order often takes longer than the viral lifespan of the content itself.
• Cybersecurity Risk: “Hack-and-leak” operations where attackers steal genuine emails, mix them with AI-generated forgeries, and release them to confuse voters and discredit election officials.

4. The “Have vs. Have-Not” Divide in Rural Counties

There is a stark cybersecurity disparity between wealthy jurisdictions (like Maricopa County or City of Phoenix) and rural counties (like Apache or Greenlee).

• The Challenge: Rural counties often rely on a single IT director (or a shared MSP) to manage everything from helpdesk to threat hunting. They are unable to compete with the private sector for cyber talent.
• The Threat: Ransomware gangs know that smaller municipalities have weaker defenses and are more likely to pay ransoms to restore critical services (911 dispatch, jail management systems).
• Whole-of-State Friction: While AZDOHS offers grants (SLCGP) for tools like endpoint protection (CrowdStrike/SentinelOne), rural entities often lack the staff to manage these tools once installed.

5. Managing “Shadow IT” in Hybrid Government Work

Post-pandemic, many Arizona state agencies adopted permanent hybrid work models, leading to a sprawling, undefined network perimeter.

• The Challenge: Employees working from home often use unauthorized SaaS applications (“Shadow IT”) to bypass slow government VPNs. For example, using personal Google Drives to transfer large public record files because the official state email system has low attachment limits.
• Compliance Risk: This creates “data leakage” where sensitive citizen data (PII) resides on unmonitored commercial servers, violating state data handling statutes (A.R.S. Title 18).
• Visibility: The State Cyber Command cannot protect data it cannot see. If a personal Dropbox account is compromised, state data is stolen without triggering any government alarms.

Tailored Solutions for Every Arizona State and Local Department

Coeus Consulting understands that each public sector department has unique digital assets and compliance burdens. For the Health and Human Services, Coeus Consulting’s continuous monitoring and advanced encryption can help protect Patient Health Information (PHI), ensuring strict adherence to HIPAA mandates. 

Our services could also assist the state’s court systems with robust access controls and data loss prevention, safeguarding sensitive legal records and citizen PII, in alignment with CJIS and state privacy laws. 

Partner with Coeus Consulting to fortify your digital defenses and propel your public service initiatives forward, safely and efficiently.