CybrIQ for government · State & Local track
CybrIQ
Government/State & Local
CybrIQ for state & local government

Whole-of-state cyber depends on knowing what's actually connected — across agencies, schools, counties, and special districts.

State CIOs, county IT directors, K-12 technology leads, and municipal CISOs share a problem with federal agencies: the asset inventory does not reflect what is actually on the network. The buyer is different, the vocabulary is different, the budget cycle is different. CybrIQ produces a continuous device inventory in a deployment shape that fits state, local, K-12, and special-district environments, including the ones that don't have a dedicated security team.

MS-ISAC reporting Device-inventory completeness for the MS-ISAC quarterly reports your governance review asks about.
StateRAMP posture Customer-installed deployment fits states with StateRAMP-aligned procurement standards.
Cyber insurance Carriers ask for evidence of hardware-inventory completeness. CybrIQ produces it.
Procurement Cooperative purchasing via NASPO ValuePoint and state-specific contracts (TX DIR, CA CMAS, NY OGS, MI MiDEAL). Azure Marketplace and ServiceNow Store live.
Four audiences, four pressures

SLED is not one buyer shape. It is four — each with a different reporting audience.

The state CIO, the county IT director, the K-12 technology lead, and the special-district IT lead all need the same data: a continuous, accurate inventory of every connected device. Each one answers to a different reporting audience for it. The map below is what the briefing call walks against.

SLED audience map: state CIO and CISO offices answer to StateRAMP, MS-ISAC, SLCGP grant officers, and the state auditor. County and municipal IT directors answer to cyber-insurance carriers, the courts, 911 / dispatch oversight, and election offices following EAC and CISA guidance. K-12 and higher-education IT leads answer to CIPA filtering inspections, FERPA and state student-data-privacy laws, BYOD-on-guest-VLAN questions, and cyber-insurance carriers. Special-district IT (water, transit, port, utility) answers to OT and ICS visibility expectations, NERC CIP for electric utilities, AWWA cybersecurity guidance for water, and CISA Sector Risk Management Agency contact. CybrIQ produces the device-inventory evidence each one is asked for, in a single customer-installed deployment shape.
State agency

State CIO and CISO offices

Whole-of-state cyber initiatives, StateRAMP authorizations, MS-ISAC participation, and the State and Local Cybersecurity Grant Program (SLCGP) reporting all touch the same data: what's actually on the network. CybrIQ produces that inventory for state IT, state agencies, and state-supported entities.

County & municipal

County IT and municipal CISO

Counties run their own networks, often with shared services across courts, sheriffs, public health, libraries, and special districts. The cyber-insurance application asks about device inventory; the resident-services systems span dozens of buildings the IT team has never walked. CybrIQ surfaces what's on each.

K-12 & higher ed

K-12 districts and community colleges

School networks carry student-issued laptops, BYOD on guest VLANs, classroom AV gear, building-systems integrations, and CIPA-relevant filtering hardware. Inventory completeness is the input every cyber-insurance carrier and every state ed-tech survey is now asking for.

Special districts

Water, transit, utility, port authority

Special districts run the most critical operational technology in any community. Water treatment, transit signal systems, port operations, and electric distribution all live on networks that EDR can't reach and that an outside SOC can't see. CybrIQ is built specifically for the OT-and-ICS visibility gap the special-district IT team is asked about after every Volt Typhoon advisory.

Sector pages: Water & wastewater · Transit & transportation · Electric & gas · Ports & maritime

Cyber-insurance carrier evidence

The questions on a 2026 cyber-insurance renewal application — and the evidence CybrIQ produces.

SLED is where cyber-insurance hardens the fastest. Carriers (Travelers, AIG, Beazley, Chubb, Coalition, Hartford) now require specific, documented evidence on the application, not policy statements. The recurring questions and the artifacts CybrIQ ships for each:

"Do you maintain an inventory of all hardware assets connected to your network?"

Evidence: the monthly per-port inventory export, signed at the control plane with a SHA-256 hash. The carrier wants a current document with a date on it, not a vendor claim. The signed export is what they ask for.

"How are unauthorized devices detected and remediated?"

Evidence: the deviation log for the last 12 months, including events fired, time-to-detect, time-to-resolution, and the NAC quarantine or change-management action that closed each one. The carrier asks two things: did you detect it, and what did you do about it. Both are in the log.

"Do you monitor OT and ICS environments separately?"

Evidence: the segmented inventory by VLAN, with OT-specific device classes flagged. For a special district running water, transit, or electric, this is the answer that drives premium. CybrIQ's switch-side identification reaches OT that no agent-based tool can.

"Are you exposed to NDAA Section 889 covered hardware (Hikvision, Dahua, Huawei, ZTE, Hytera)?"

Evidence: the covered-entity reference-library match, against the entire device population. SLED is not directly bound by Section 889, but carriers now treat covered hardware as an underwriting flag, including relabeled and unmarked devices that the asset register would miss.

"How quickly would you detect an unauthorized device on a sensitive network segment?"

Evidence: the 30-second default polling cadence is the answer. Most asset-management tools cannot answer this question with a number; CybrIQ can.

A small but reproducible pattern: SLED organizations that move from "inventory is the spreadsheet from last audit" to "inventory is a signed export with a current date" see premium movement at renewal. The exact discount depends on carrier, claims history, and other controls. The underwriter's question is concrete, and CybrIQ produces the concrete artifact.

SLCGP grant alignment

SLCGP is funding device-discovery investments, through 2027.

The State and Local Cybersecurity Grant Program (SLCGP) is a CISA-administered, FEMA-distributed grant program created under the Infrastructure Investment and Jobs Act. Total program: $1 billion over four years, FY 2022-FY 2025, with awards extending into 2027 for performance. Asset-discovery and inventory investments map directly to several of the program's required cybersecurity-plan elements.

Where CybrIQ fits in an SLCGP-funded program

  • Required cybersecurity plan element 1: Manage, monitor, and track information systems and networks. Device inventory is the input.
  • Required element 4: Implement continuous vulnerability assessments and threat mitigations. Continuous inventory is the prerequisite. You cannot assess what you cannot see.
  • Required element 11: Ensure cybersecurity protections meet the latest standards (NIST CSF, CISA performance goals). NIST CSF 2.0 controls ID.AM-1 and ID.AM-2 (asset identification) are foundational.
  • Pass-through to local governments: States must pass at least 80% of SLCGP funds through to local governments, with 25% earmarked for rural. CybrIQ deployments are sized for local-government budgets; a county or district can be a sub-recipient.

Reporting CybrIQ supplies for SLCGP grant audits

  • Pre-deployment device count vs. post-deployment device count (the "what was the grant invested in" baseline).
  • Inventory completeness over the grant performance period (the "did the investment produce results" question).
  • Deviation events detected and resolved (the "is the program operating" evidence).
  • NIST CSF 2.0 control coverage map for the controls the inventory enables.

If your state's SLCGP plan has device-inventory or asset-discovery as a named investment, the briefing call walks the deployment shape against the named line item and the reporting your grant officer expects.

Election infrastructure

For county and state election offices: device visibility that doesn't introduce a vendor presence on the election network.

Election offices operate under a specific cybersecurity register. The Election Infrastructure subsector is designated Critical Infrastructure (DHS/CISA, 2017); CISA's Election Security Initiative provides resources and guidance; the EAC's Voluntary Voting System Guidelines (VVSG 2.0) set technical baselines. The recurring constraint: the election network cannot accept a vendor cloud, a vendor tunnel, or a tool that inspects traffic on a network that handles ballots. CybrIQ's deployment shape is the answer that fits.

Why the deployment posture matters here specifically

  • No vendor cloud. Election officials are routinely asked by oversight (state legislature, secretary of state, county commission) what cloud services touch the election network. The answer for CybrIQ is "none." The deployment is customer-installed on county-owned hardware.
  • No traffic inspection. CybrIQ does not look at packets. Ballot-handling traffic is not in its visibility surface, by design. The identification mechanism reads switch metadata (port, LLDP, MAC, link characteristics), not what's on the wire.
  • No agents on voting devices. The deployment posture does not require software on EMS (Election Management System) machines, ballot-marking devices, scanners, or pollbooks. Identification is from switch-side signals.
  • Air-gap capable. County election networks are often air-gapped or strongly segmented. CybrIQ's offline-update path (signed packages moved through the county's approved-media process) matches that posture.
  • Identifies unauthorized hardware on EMS / pollbook / scanner segments. The specific concern after every recent election cycle: did anyone plug something into the election network that should not be there. The 30-second polling cadence is the answer to "how fast would you know."

Reporting alignment

CybrIQ output aligns with the device-inventory expectations in the EAC's Voluntary Voting System Guidelines, CISA's Election Security Initiative resources, and the MS-ISAC's Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) reporting. For elections officials briefing the secretary of state, the county commission, or a state legislative committee, the deployment posture and the inventory artifact are the two pieces.

Election-infrastructure briefings are typically scheduled around the slow-cycle (January–August in a federal election year) so a county election office is not pressure-testing a new tool in October.

Whole-of-state cyber

If the state is running a whole-of-state cyber program, one deployment shape covers state agencies, counties, and special districts.

Several states are running whole-of-state cyber initiatives — Texas (DIR), New York (Empire AI / Joint Security Operations Center), Ohio (OhioCyber), Arizona, and others — where the state CIO coordinates security tooling, reporting, or shared services across state agencies, counties, K-12, and special districts. The deployment shape that fits this model has three properties:

  • Local ownership. Each county, district, or agency installs and operates its own deployment on its own hardware. The state does not become the operator of every county's network.
  • Aggregable reporting. Each local deployment's inventory and deviation summaries can roll up to the state CIO's dashboard for the state-level report, without sharing per-device data the localities aren't authorized to release.
  • Cooperative purchasing. A state contract or NASPO ValuePoint route means counties and districts don't each negotiate procurement. The state's contract is the path; the locality installs against its own hardware.

For state CIO offices building a whole-of-state cyber playbook, the briefing call covers the state-level rollup shape against your specific local-government structure.

Frameworks and reporting

What CybrIQ supports compliance with — SLED edition.

SLED leaders carry a different framework set than federal. The mapping below covers what state, county, K-12, and special-district IT shops are most often asked for.

SLED frameworks and reports CybrIQ supports

  • MS-ISAC quarterly governance reports — Hardware inventory completeness as one of the recurring asks.
  • StateRAMP — Customer-installed deployment posture aligns with states pursuing StateRAMP authorization paths for vendors.
  • NIST CSF 2.0 — ID.AM-1 and ID.AM-2 (asset identification) and DE.CM-7 (device monitoring).
  • State and Local Cybersecurity Grant Program (SLCGP) — Asset-discovery investments support the SLCGP reporting requirements on hardware visibility.
  • Cyber-insurance questionnaires — Hardware-inventory completeness and unauthorized-device monitoring are recurring application questions; CybrIQ produces the evidence the carrier asks for.
  • CIS Critical Security Controls v8 — Control 1 (Inventory and Control of Enterprise Assets) — supports automated discovery for sub-control 1.1.
  • K-12: Student Data Privacy laws — State-specific (e.g., NY Ed Law §2-d, CA SOPIPA, TX Ed Code §32.151) — inventory of devices in instructional environments.
Deployment posture for SLED procurement

Built so a small IT team can stand it up.

What the agency or district does

Installs softwareRoomIQ and SpacesIQ are software. The agency or district installs the External Scan Engine (ESE) and the main instance on its own hardware. No vendor appliance ships in.
Configures accessRead-only switch access via SNMP. The network team configures the SNMP community or v3 user with read-only permissions.
Owns the dataDevice inventory data stays on agency- or district-controlled hardware. For regulated environments (FedRAMP, FISMA on-premise, SCIF, air-gapped), the main instance is installed on agency hardware with no vendor cloud in the path. For agencies whose deployment does not require on-premise operation, the main instance is CybrIQ-hosted by default.

What CybrIQ does not do

No SPAN or mirrorNo SPAN port, mirror port, inline tap, or any traffic-capture mechanism. The network team's existing switch deployment is unchanged.
No endpoint agentsNo software on student laptops, classroom devices, building-management systems, or OT. Identification is from switch-side signals only.
No packet inspectionCybrIQ does not look at network traffic. CIPA, FERPA, and state student-data-privacy laws are not affected by the device-discovery process.

Schedule a 30-minute SLED briefing.

No procurement commitment. We walk CybrIQ against your environment — the cooperative-purchasing route that fits, the carrier evidence you owe at renewal, and the MS-ISAC framing your governance review expects.

Request briefing