Nevada Adopts Statewide Data Classification Policy After Disruptive Cyberattack
Nevada’s Governor’s Technology Office introduced a statewide data classification policy intended to standardize how state agencies label and protect information following a major cyberattack that disrupted government systems for weeks. The framework establishes four sensitivity tiers—public, sensitive, confidential, and restricted—and directs agencies to choose the more restrictive category when classification is unclear, aiming to prevent inconsistent handling of private versus public data and to create a common baseline for interagency data sharing.
State officials and lawmakers described the policy as a foundational step for broader cybersecurity improvements in the wake of the incident, alongside initiatives such as expanding multifactor authentication, standing up a new Security Operations Center (SOC), and forming a legislative working group to guide future security measures. The policy is positioned as a standardization and resilience measure and does not change Nevada’s public records law, under which records are presumed public unless specific confidentiality provisions apply.
Sources
Related Stories
Nevada Expands Zero Trust and Identity Modernization After Ransomware Attack
Nevada officials said a **major ransomware attack** prompted the state to accelerate cybersecurity and digital modernization efforts, with State CIO **Tim Galluzi** framing the incident as proof that resilience, workforce readiness, and governance must be built into daily operations rather than treated as one-time projects. The state subsequently secured unanimous legislative support and backing from the governor to invest in new cybersecurity tools and infrastructure intended to better protect resident data and critical government systems. Nevada's response emphasizes **zero trust architecture**, stronger **identity and access management**, and broader cross-agency coordination as part of a longer-term modernization strategy. Galluzi described identity as the "new firewall" in an environment where employees, partners, and residents increasingly access systems remotely, and he also highlighted workforce training as a core defensive measure alongside technology upgrades and improved service delivery.
TodayRansomware Attack on Nevada State Government via Malicious Admin Tool
A ransomware attack on the Nevada state government was enabled by a state employee's accidental download of a trojanized system administration tool from a fraudulent website in May. The attackers established a backdoor, conducted lateral movement, and infiltrated the state's password vault server over several months. By August, they had exfiltrated sensitive data, deleted backup volumes, and deployed ransomware, disrupting services at more than 60 state agencies, including health benefits, public safety records, and DMV operations. The incident forced critical systems offline for up to 28 days, with recovery efforts requiring a full rebuild of Active Directory and significant overtime from IT staff. The state did not pay a ransom, and most recovery costs were covered by cyberinsurance, totaling at least $1.5 million. The after-action report from Nevada's technology office highlighted the attacker's use of search ads to distribute malware disguised as legitimate admin tools, a growing trend in initial access techniques. Despite the extensive impact, Nevada was commended for its accelerated response and transparency in reporting, restoring 90% of impacted data within a month. The incident underscores the risks of supply chain and user-driven compromises, as well as the importance of robust detection, backup, and identity management practices in defending against sophisticated ransomware campaigns targeting government infrastructure.
4 months ago
Trump Administration Cyber Policy Shifts: Regulatory Rollbacks and Reduced Federal Election Security Support
National Cyber Director **Sean Cairncross** called on industry to help the Trump administration **reduce cybersecurity regulatory burden** and improve “friction” points in cyber information sharing, while also urging companies to lobby Congress to renew the expired **Cybersecurity Information Sharing Act of 2015** with a proposed **10-year extension**. Cairncross framed the administration’s approach as partnering with industry rather than expanding private-sector mandates, and said a forthcoming administration cybersecurity strategy would be released “sooner rather than later.” Separately, state election officials are increasingly planning to **self-fund and self-organize election security** as **CISA scales back election security support**, including work related to disinformation, and as election security specialists are reportedly fired or sidelined. With reduced federal staffing and no dedicated congressional election security grant funding, states described feeling they are “going it alone”; Arizona, for example, advanced a **$650,000** state package to patch vulnerabilities and recover from a prior cyberattack on its political candidate portal. A third report described U.S. manufacturers expanding collaboration through **MFG-ISAC**—including tabletop exercises, OT training, and incident response playbooks—but this activity is sector-focused and not directly tied to the federal policy and election-security pullback described elsewhere.
1 months ago