Nationwide Cyber Security Review (NCSR)


What is the NCSR?

The NCSR, or Nationwide Cyber Security Review, is a voluntary self-assessment survey designed to evaluate cyber security management within state, local, tribal and territorial governments.

The Senate Appropriations Committee has requested an ongoing effort to chart nationwide progress in cybersecurity and identify emerging areas of concern. In response, the U.S. Department of Homeland Security (DHS) has partnered with the Center for Internet Security's Multi-State Information Sharing and Analysis Center (MS-ISAC), the National Association of Counties (NACo) to develop and conduct the second NCSR.

Reporting Cyber incidents, vulnerabilities and phishing scams

Information and tips from the US Computer Emergency Readiness Team

What is Cyber Security?

Nationwide Cyber Security Review

Malicious Code Analysis Platform

Multi-State Information Sharing and Analysis Center

DHS Cyber Resilience Review Fact Sheet

Initiatives and Free Resources for Critical Infrastructure

State, local, tribal and territorial cybersecurity engagement


Who can participate?

All states (and all agencies within), local government jurisdictions (and all departments within), tribal and territorial governments.


The survey started October 1, 2014 to coincide with National Cyber Security Awareness Month, and must be completed by November 30, 2014.

What to expect from the survey

  • 85 total questions
    • 15 demographic questions
    • 59 survey questions
    • 4 emerging technology questions
    • 7 post survey
  • Based on security program maturity scale
  • Closely aligned with standards and best practices including:
    • Control objectives for Information Technology (CoBIT),
    • Statement on Auditing Standards Number 6 (SAS 6),
    • Sans 20 Critical Security Controls, and
    • National Institute of Standards and Technology (NIST) Special Publication 800

To access the online tool, go to

Survey Question Areas

Security program | Risk managment | Physical access controls | Logical access controls | Personnel and vendor contracts

Security within technology lifecycles | Information dispostion | Malicious code | Monitoring and audit trails

Incident management | Business continuity | Security testing | Privacy