Building a Security "Battle Rhythm": Beyond Basic IT Safety

  • Writer: Megan Shanholtz
  • Dec 18, 2025


Cybersecurity is not a checklist; it is a mindset.


For government agencies and emergency services, the "dusty, antiquated" view of security as a background IT function is dangerous. As the Department of War and other federal entities move toward Impact Level 5 (IL5) operational rigor, public safety agencies must adopt a similar "Battle Rhythm", where security is a daily, active teammate in your mission.


Here is how to move your agency from "compliant" to "combat-ready."


1. MFA is No Longer Optional (The CJIS Reality)

Let’s be clear: The era of "password complexity" is over.


  • The Mandate: As of October 1, 2024, the FBI’s CJIS Security Policy mandates Multi-Factor Authentication (MFA) for all access to Criminal Justice Information.


  • The Standard: This isn't just about SMS codes. Agencies should aim for Phishing-Resistant MFA (like FIDO2 tokens or CAC/PIV cards), aligning with NIST SP 800-63B guidelines. If your vendors aren't using MFA to access your network, they are a vulnerability.


2. Patching as a Tactic, Not a Chore

Unpatched vulnerabilities are the "open windows" of your digital fortress.


  • The Strategy: Do not just patch when it’s convenient. Adopt a Risk-Based Patch Management strategy. Prioritize vulnerabilities listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.


  • The Test: How do you know a patch won't break your 911 dispatch software? Test it. Use an isolated environment (like the Netmaker Interoperability Lab) to validate patches against your specific CAD/CHE ecosystem before rolling them out to live dispatchers.
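
The prioritization described in this section, as an added example (not Netmaker's code or part of the original post): constructed scanner findings are joined against a constructed sample shaped like the CISA KEV JSON feed, and KEV-listed CVEs are ranked ahead of higher-CVSS findings that are not in the catalog. The CVE IDs are placeholders, the hostnames and scores are hypothetical, and the ordering among KEV entries (overdue, then ransomware-linked, then due date) is an assumption of this example.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed (placeholder CVE IDs).
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dueDate": "2025-11-01", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "dueDate": "2026-01-15", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed scanner findings; hostnames and CVSS scores are hypothetical.
FINDINGS = [
    {"host": "cad-app-01", "cve": "CVE-0000-0003", "cvss": 9.8},
    {"host": "che-gw-01", "cve": "CVE-0000-0002", "cvss": 7.5},
    {"host": "dispatch-ws-07", "cve": "CVE-0000-0001", "cvss": 6.5},
    {"host": "admin-pc-12", "cve": "CVE-0000-0004", "cvss": 5.3},
]

def prioritize(findings, kev_feed, today):
    """Return findings ordered for patching: KEV-listed first (overdue, then
    ransomware-linked, then earliest due date), the rest by CVSS descending."""
    kev = {v["cveID"]: v for v in kev_feed["vulnerabilities"]}
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        row = dict(f, in_kev=entry is not None, overdue=False, ransomware=False, due=None)
        if entry:
            row["due"] = date.fromisoformat(entry["dueDate"])
            row["overdue"] = row["due"] < today
            row["ransomware"] = entry["knownRansomwareCampaignUse"] == "Known"
        ranked.append(row)
    # Tuple sort key: False sorts before True, so negate the flags we want first.
    ranked.sort(key=lambda r: (
        not r["in_kev"], not r["overdue"], not r["ransomware"],
        r["due"] or date.max, -r["cvss"],
    ))
    return ranked

if __name__ == "__main__":
    for r in prioritize(FINDINGS, KEV_FEED, today=date(2025, 12, 18)):
        tag = "KEV" if r["in_kev"] else "   "
        flag = " OVERDUE" if r["overdue"] else ""
        print(f'{tag} {r["cve"]} {r["host"]:<15} cvss={r["cvss"]}{flag}')
```

With this sample, the CVSS 6.5 finding on the dispatch workstation is patched first because it is in the catalog and past its due date, ahead of the CVSS 9.8 finding that is not known to be exploited.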

 

3. The "Human Firewall": Training as Culture

The Secretary’s recent memo described AI as a "teammate." Your staff needs to view security the same way.


  • Shift the Narrative: Security training shouldn't be a punishment for clicking a bad link. It should be "mission assurance" training.


  • Simulation: Run "Phishing Fire Drills." Just as you practice for natural disasters, practice for digital ones. A dispatcher who identifies a phishing attempt is just as heroic as one who manages a crisis call—because they just saved the network.


4. Zero Trust: "Never Trust, Always Verify"

The old "castle and moat" defense (secure the perimeter, trust the inside) is dead.


  • Least Privilege: A telecommunicator does not need admin rights. A vendor does not need 24/7 access.


  • Segmentation: Your Wi-Fi for personal phones should never touch the ESInet. We recommend validating your network segmentation regularly to ensure that "air gaps" are actually gaps.


The Bottom Line

In the public sector, a security breach isn't just a data leak; it's a breach of the public trust. By treating cybersecurity as an active, daily discipline, a Battle Rhythm, you ensure that your agency remains resilient, responsive, and ready for whatever the future holds.


Netmaker Communications

2654 Valley Avenue, Suite J

Winchester, VA 22601
sales@ucnetmaker.net
540-431-4901

© 2035 by Netmaker Communications.