Arizona Introduces 13 Cybersecurity Controls

Posted on November 1, 2017


Name of Project

Arizona’s 13 Cybersecurity Statewide Controls

Name of Jurisdiction

The State of Arizona

Description of Initial Problem

State and local governments are a growing target for cybercriminals because they have access to an abundance of sensitive information. At the same time, state governments operate large networks that offer essential services, making it all the more important to keep networks operational and protect them from unauthorized access.

In Arizona, state agencies had gaps in cybersecurity coverage, lacked the best-in-class software and solutions, and, in many cases, were spending more than they needed to for security. This presented a risk to the state through potential exposure of citizen information.

Description of Solution

To better secure the state agencies and the data they collect, the IT division of the Arizona Department of Administration identified 13 standard cybersecurity controls designed to protect data and limit exposure. The IT division also negotiated enterprise contracts, which offered the security controls to 35 cabinet agencies at a discount. This process allowed agencies to improve their cybersecurity posture, reduce risk, and, in many cases, save money.

As a result of these efforts, over 35 state agencies adopted the 13 cybersecurity controls within six months. Because Arizona is a federated state with no mandate that required these agencies to adopt the controls, agencies did so voluntarily. Furthermore, the negotiated enterprise contracts also allowed local governments and nonprofits within Arizona to purchase security controls at the discounted rate, raising the security standards of these governments and organizations.

Cyber Controls Case Study


The project had a number of benefits to the state, its agencies, and Arizona citizens:

  • Eliminated duplicative state spending by $2.5 million annually.
  • Implemented a total of 455 security controls. Of which, 354 ( or 77.8 percent) are already in place, 91 (or 20 percent) are scheduled, and 10 (or about 2 percent) are in the queue.
  • Reduced gaps in areas where no controls previously existed by introducing 210 controls.
  • Agencies benefited through lower costs and more secure applications.
  • Citizens who interface and share data with the agencies benefited because that data is now more secure and less vulnerable.

As a result of the success of this program, Arizona won the 2017 Cybersecurity Leadership and Innovation Award, presented by the the Center for Digital Government, in the state government category.


Close window