
The conversation that happens in every local government IT department at budget time follows a familiar script. The security assessment comes back, the gaps are real, and the IT director presents a list of needed investments. Then reality arrives in the form of a budget that hasn't meaningfully grown, competing priorities, and a purchasing process that makes even small acquisitions a multi-month exercise.

The gap between what's needed and what's funded isn't closing. What can close is the gap between what's available for free or near-free and what organizations are actually using. That gap is larger than most people realize.

the federal and state programs that most local governments underutilize

The most significant resources available to state, local, tribal, and territorial (SLTT) governments are federally funded programs that are either free or nearly so. Many are dramatically underutilized, partly because they're not well-advertised and partly because procurement inertia favors familiar commercial vendors over unfamiliar government programs.

MS-ISAC (Multi-State Information Sharing and Analysis Center)

Free — membership required

Free membership for all SLTT entities. Provides 24/7 SOC support for members experiencing incidents, threat intelligence reports, malware analysis, and the Albert network monitoring sensor program. The Albert sensors are installed on your network perimeter and monitored by MS-ISAC analysts — effectively providing IDS monitoring as a free service. Many counties and municipalities are already eligible and haven't enrolled.

cisecurity.org/ms-isac

CISA Assessments and Services

Free

CISA offers free cybersecurity assessments for SLTT entities, including the Cyber Resilience Review (CRR), which evaluates your security practices across domains, and the Remote Penetration Test (RPT), which assesses your external-facing infrastructure. CISA regional representatives are available to conduct these assessments without cost and without commercial intent.

CISA Continuous Diagnostics and Mitigation (CDM)

Free

The CDM program provides federal agencies and SLTT entities with tools for asset discovery, vulnerability management, and threat hunting. Through the SLTT CDM program, eligible organizations can receive tooling and support for capabilities that would otherwise cost significant money.

State and Local Cybersecurity Grant Program (SLCGP)

Grant funding

Administered by FEMA and CISA, the SLCGP provides dedicated federal grant funding for SLTT government cybersecurity improvements. Funds flow through state agencies, which means local governments apply through their state's homeland security or emergency management office. Check with your state's CISO or emergency management office for current availability.

CISA Cyber Hygiene Vulnerability Scanning

Free

CISA offers free external vulnerability scanning of your internet-facing infrastructure, providing regular reports on discovered vulnerabilities with prioritized remediation guidance. The service runs continuously and generates actionable findings without requiring internal tooling or expertise. Any SLTT entity can request this service at no cost.

free tools you should be using

CISA CSET (Cyber Security Evaluation Tool)

A free, downloadable application that guides organizations through a self-assessment of their cybersecurity posture against multiple standards including NIST CSF, CIS Controls, and NERC CIP. Generates a prioritized findings report that provides an actionable improvement roadmap without requiring a consultant or paid assessment.

Wazuh — open source SIEM and EDR

Wazuh is an open-source security platform providing endpoint detection, log management, SIEM capabilities, and vulnerability detection. The software is free; implementation requires IT staff time and some technical capability. For organizations that have the internal capacity to deploy and maintain it, Wazuh provides enterprise-comparable visibility at zero licensing cost.

Shodan (free tier)

Shodan indexes internet-facing services and allows organizations to see what they're exposing to the internet. The free tier provides basic search capability that lets you search your own IP ranges and identify exposed services before attackers do. Knowing your external attack surface is the prerequisite for reducing it.

Have I Been Pwned

haveibeenpwned.com allows free lookups of email addresses against known credential breach databases. The Domain Search feature (free for verified domain owners) checks all email addresses on your domain against breach data. Running this check regularly — and forcing password resets for compromised accounts — is a simple, free practice that reduces credential-based attack risk.

CISA Known Exploited Vulnerabilities Catalog

The KEV catalog provides authoritative, free information about which vulnerabilities in your software need immediate attention. Combining KEV data with your software inventory — even a basic spreadsheet — creates a functional vulnerability prioritization capability without commercial tooling.
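The spreadsheet-plus-KEV approach described above can be sketched as a short script. This is an added example, not CrowdSOC's or CISA's code: the KEV excerpt and the inventory are constructed, the CVE IDs are placeholders, the inventory column names are hypothetical, and matching on vendor and product name alone is a simplifying assumption. The KEV field names follow the catalog's JSON feed.

```python
import csv, io
from datetime import date

# Constructed excerpt in the KEV JSON feed's shape; CVE IDs and products are placeholders.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleSoft", "product": "Mail Gateway",
     "dueDate": "2024-09-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Acme", "product": "VPN Appliance",
     "dueDate": "2024-08-30", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "Initech", "product": "Print Server",
     "dueDate": "2024-08-25", "knownRansomwareCampaignUse": "Unknown"},
]}

# Constructed inventory, as exported from a basic spreadsheet (hypothetical columns).
INVENTORY_CSV = """asset,owner,vendor,product
mail01,IT,examplesoft,Mail  Gateway
vpn-edge,IT,ACME,VPN Appliance
fin-ws-07,Finance,Contoso,Ledger Desktop
"""

def norm(s):
    """Case- and whitespace-insensitive key so spreadsheet typing quirks still match."""
    return " ".join(s.lower().split())

def prioritize(kev, inventory_csv, today):
    """Return KEV findings for inventoried software, most urgent first."""
    index = {}
    for v in kev["vulnerabilities"]:
        index.setdefault((norm(v["vendorProject"]), norm(v["product"])), []).append(v)
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        for v in index.get((norm(row["vendor"]), norm(row["product"])), []):
            due = date.fromisoformat(v["dueDate"])
            findings.append({
                "asset": row["asset"], "owner": row["owner"], "cve": v["cveID"],
                "ransomware": v["knownRansomwareCampaignUse"] == "Known",
                "due": due, "overdue": due < today,
            })
    # Ransomware-linked entries first, then earliest KEV due date.
    findings.sort(key=lambda f: (not f["ransomware"], f["due"]))
    return findings

if __name__ == "__main__":
    for f in prioritize(KEV_SAMPLE, INVENTORY_CSV, date(2024, 9, 1)):
        flag = "OVERDUE" if f["overdue"] else "open"
        print(f"{f['asset']:10} {f['cve']}  due {f['due']}  {flag}"
              f"{'  ransomware-linked' if f['ransomware'] else ''}")
```

A match here means the product has a KEV entry, not that the installed version is affected; confirm the version against the vendor advisory before scheduling the patch.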

making the case for budget when you need it

Free tools close significant gaps, but they don't replace everything. When budget conversations do happen, the most effective framing for local government IT leaders is risk and consequence, not technology.

Elected officials and budget decision-makers respond to three questions: what is the likelihood of an incident, what would it cost if one occurred, and what does prevention cost relative to response? Notable ransomware incidents against local governments have cost millions in recovery, remediation, forensics, and legal fees — plus lost productivity and reputational damage. Prevention investments that cost a fraction of projected incident response costs are a straightforward risk management argument.

Framing for budget conversations: Lead with: "A ransomware incident of the type that affected [nearby county or similar government] cost them approximately $X in recovery costs. Our current exposure to that scenario is [assessment finding]. The investment required to meaningfully reduce that exposure is $Y — approximately Z% of the projected recovery cost." This reframes security spending from a cost to a risk mitigation investment with a quantifiable return.

prioritization when you can't do everything

Based on breach data and incident experience, the priority sequence for resource-constrained SLTT entities is:

  1. Enroll in MS-ISAC and request Albert sensor deployment — Free, high-value monitoring capability with 24/7 SOC backup. This is the single best thing most unenrolled SLTT entities can do in the next 30 days.

  2. Request CISA external vulnerability scanning — Free, continuous external attack surface monitoring. Tells you what attackers see when they look at your infrastructure.

  3. Implement MFA on email and remote access — Free tools (Microsoft Authenticator, Google Authenticator) eliminate the dominant initial access vector. No budget required.

  4. Verify and test your backups — If you have backups, test restoration. If they're connected to your main network, create an offline copy. This may require modest storage investment but is the highest-value recovery capability you can have.

  5. Configure email authentication (SPF, DKIM, DMARC) — DNS record configuration that closes spoofing-based phishing. Zero cost, significant impact.

  6. Apply for SLCGP grant funding through your state — Federal grant funding specifically for SLTT cybersecurity. Requires application effort but provides real budget for higher-cost investments.

The organizations that improve security posture most effectively on constrained budgets are the ones that ruthlessly prioritize the highest-impact, lowest-cost interventions first — and then build the case for incremental investment from a position of demonstrated progress, not aspirational planning.

CrowdSOC Team · August 20, 2024