Skip to main content
Municipalities · State Agencies · Federal Contractors · School Districts · Cybersecurity Training

They didn't just steal data — they paralyzed city governments and declared states of emergency

City of Dallas. City of Oakland. Suffolk County, NY. MOVEit federal exposures. Every major public sector attack started with a phishing email or stolen credential that a trained employee could have stopped. Live expert training built for municipal staff, state agency employees, federal contractors, and school district personnel.

Personal — $299 → Executive — $899 → Business — Custom →
$18M+ City of Baltimore recovery cost (RobbinHood, 2019) — 13 days of disrupted city services
$5.4M Suffolk County NY restoration cost after BlackCat ransomware (2022)
26K Dallas residents' PII exposed in Royal ransomware attack (May 2023)
⚠️ CISA + FBI + MS-ISAC Joint Advisory AA23-263A: State and local government agencies and K-12 school districts are among the most frequently targeted sectors by ransomware groups. The advisory documents specific threat actor techniques targeting election systems, permitting databases, court records, and 911 dispatch infrastructure. Read the CISA #StopRansomware advisory →  |  CISA SLTT resources →
Why public sector is a top ransomware target

Tax dollars, critical services, and CJIS data on aging networks. Attackers know the leverage is there.

Ransomware groups target government for three compounding reasons. First, operational criticality: when a city's network goes down, 911 dispatch, permitting, court scheduling, and benefit payments stop — residents notice immediately, and elected officials face pressure to restore services fast, which translates directly into ransom payment pressure. Second, budget-constrained IT: most municipalities run deferred patching cycles, legacy Windows environments, and flat networks where a compromised front-desk workstation can reach financial systems and law enforcement databases on the same subnet. Third, high-value regulated data: CJIS criminal justice records, voter registration databases, protected health information in public health agencies, and federal CUI held by contractors all create regulatory exposure that amplifies the reputational cost of a breach — and the ransom leverage that comes with it.

Federal contractors face an additional layer: NIST 800-171 and CMMC 2.0 obligations cascade down through the Defense Industrial Base supply chain. A small engineering firm holding CUI for a DoD contract has the same federal security training requirements as a prime contractor — and often far fewer resources to meet them. The MOVEit attack in 2023 showed how a single vendor vulnerability can simultaneously expose dozens of state agencies and federal contractors who had no visibility into their supply chain risk.

Generic phishing awareness training doesn't address any of this. Your AP clerk needs to know what a fraudulent vendor banking-change email looks like — specifically how it mimics your procurement system's notification templates. Your IT director needs to know what the first 15 minutes of a ransomware event looks like in a government network — and which systems to isolate first without cutting 911 dispatch. Your permit office staff need to know how attackers use vishing calls to social-engineer password resets under time pressure. SecurEveryone's public sector program is built around real incident timelines from Dallas, Oakland, Suffolk County, and Baltimore — not a generic phishing module.

Named public sector attacks

These aren't warnings. They're case studies.

City of Dallas
May 2023

Royal ransomware infiltrated Dallas city systems and disabled public safety applications including police and fire department CAD systems, forcing manual dispatch processes. The city shut down roughly 200 servers and 700 workstations. Court services were suspended for weeks, online payment portals went offline, and approximately 26,000 residents had personal information — including Social Security numbers — exfiltrated and published to the Royal leak site. The attack is attributed to an initial access point via a service account with excessive network privileges that Royal exploited after establishing persistence for several weeks before deploying encryption payloads.

Impact: 26K resident PII exposed, court systems suspended, 911 CAD disrupted · Source: City of Dallas, MS-ISAC reporting
City of Oakland
February 2023

PLAY ransomware attacked Oakland city systems, prompting the city to declare a local state of emergency — one of the first U.S. cities to do so in response to a ransomware event. Non-emergency city services were knocked offline for weeks, including permit applications, parking ticket payments, and public record requests. PLAY exfiltrated 10 GB of sensitive city data — including employee personal information and confidential law enforcement records — and published it on their dark web leak site after Oakland refused to pay the ransom. The attack highlighted how CJIS-adjacent data stored on general city networks creates exposure even for agencies that aren't primary law enforcement.

Impact: State of emergency declared, 10GB city data published, services offline for weeks · Source: City of Oakland, FBI advisory
Suffolk County, New York
September 2022

BlackCat (ALPHV) ransomware breached Suffolk County's systems through a known vulnerability in a county email server — a vulnerability that had been identified in a prior security audit but not remediated due to budget prioritization. County staff reverted to paper processes for months. Law enforcement records, court documents, and employee health information were exfiltrated. The county ultimately spent approximately $5.4 million on breach response, system remediation, and recovery — significantly more than it would have cost to patch the vulnerability. The attack triggered a New York State investigation and a critical review of the county's IT security posture.

Impact: $5.4M recovery cost, months-long paper fallback, law enforcement data exposed · Source: Suffolk County OIG, NY State investigation
MOVEit — Federal & State Agencies
May–June 2023

The Cl0p ransomware group exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit file transfer platform, simultaneously compromising government agencies, contractors, and regulated entities worldwide. Among the publicly disclosed U.S. government victims: the Department of Energy (contractor data), the Office of Personnel Management (through a contractor), multiple state Departments of Motor Vehicles (Oregon and Louisiana — combined 6M+ residents), and dozens of MS-ISAC member agencies. The attack illustrates the cascading supply chain risk when a single vendor serves hundreds of government entities — and how agencies can have no visibility into the vulnerability until exploitation is underway.

Impact: DoE, OPM contractor, 6M+ state DMV records, MS-ISAC member agencies · Source: CISA advisory, Congressional testimony
Live training scenarios

Three drills. Every session built around your agency's actual attack surface.

Drill 1 · AP/Finance & Administrative Staff
Government AP Phishing & BEC Fraud Recognition

Walk accounts payable clerks, finance officers, and administrative staff through the specific phishing and business email compromise patterns that target government payment systems. Covers vendor banking-change requests that impersonate your procurement system's notification templates, fraudulent invoice submissions with spoofed vendor domains, executive override requests that bypass normal authorization controls (a hallmark of government BEC), and direct deposit redirection scams targeting payroll and benefits systems. Uses the City of Dallas Royal ransomware timeline and Suffolk County initial access pattern as case studies. Staff leave knowing exactly how to identify a BEC attempt even when the email displays a familiar vendor name — and what the callback verification protocol looks like for any banking change request.

Roles: AP Clerks, Finance Officers, Procurement Staff, Benefits Administrators
Format: Live scenario walkthrough, 45–60 min
Compliance: CJIS Sec. 5.2, NIST 800-171 3.2.2, StateRAMP AT-2
Drill 2 · IT Director, City Manager & Comms
Ransomware Tabletop for Government Leadership

A live ransomware tabletop built specifically for the government decision-makers who must manage the crisis when an attack hits — not the technicians who contain it. Uses the City of Oakland PLAY ransomware timeline as the primary case study, walking through the moment of initial detection through the state of emergency declaration. Covers: the first 15-minute isolation decision window (which systems to cut without severing 911 dispatch), when and how to invoke your emergency operations continuity plan, CISA 72-hour notification requirements and state breach notification law timelines, the public communication sequencing that protects the agency without creating liability, and how to coordinate with MS-ISAC and FBI Cyber Division during an active government incident. Participants leave with a completed agency-specific ransomware response decision matrix and a pre-drafted public statement template.

Roles: IT Director, CISO, City/County Manager, Communications Director, Legal Counsel
Format: Live tabletop exercise, 90–120 min
Compliance: FISMA IR controls, CISA SLTT requirements, CIRCIA reporting obligations
Drill 3 · Permit, Licensing & Public-Facing Staff
Vishing Defense for Government Help Desk & Public Services

Permit office staff, licensing clerks, help desk technicians, and any public-facing government employees are prime vishing targets — attackers call impersonating residents, contractors, inspectors, or IT support staff to pressure employees into revealing credentials, resetting passwords without verification, or granting remote access. This drill covers the specific call scripts attackers use against government employees: the contractor who "urgently needs portal access before a project deadline," the IT support call that asks you to read back a multi-factor authentication code, and the department head impersonation that overrides normal verification protocols. Uses real vishing scenarios from the Suffolk County breach and the social engineering patterns documented in CISA advisory AA23-335A. Staff leave with a laminated vishing response card and verbal verification protocol they can use immediately.

Roles: Permit Office, Licensing Staff, IT Help Desk, Public-Facing Clerks
Format: Live scenario roleplay, 45–60 min
Compliance: CJIS Sec. 5.2 annual training, NIST 800-171 3.2.2, FISMA AT controls
Regulatory alignment

Built for the compliance frameworks that govern public sector and federal contractor cybersecurity.

Which compliance frameworks does this training address?

StateRAMP StateRAMP-authorized cloud services and their government customers must satisfy NIST SP 800-53 AT-2 (Literacy Training and Awareness) and AT-3 (Role-Based Training). Our training provides signed completion records that satisfy AT-2 and AT-3 documentation for StateRAMP authorization package maintenance. Training records include session date, curriculum covered, attendee count, and instructor attestation.
FedRAMP FedRAMP Moderate and High baselines require AT-2 and AT-3 control implementation for federal agency customers and cloud service providers. Our federal contractor and agency training satisfies FedRAMP AT control documentation requirements with signed completion records and curriculum mapping to NIST 800-53 Rev 5 control objectives.
CJIS FBI CJIS Security Policy Section 5.2 requires security awareness training within six months of hire and annually thereafter for all personnel with access to CJIS systems or data — including dispatchers, records clerks, and IT staff at local law enforcement agencies. Our CJIS-aligned training covers the specific social engineering and credential theft vectors that target criminal justice systems and meets annual training documentation requirements.
FISMA Federal Information Security Modernization Act requires federal agencies to provide role-based security awareness training to all employees annually. Our federal agency training satisfies FISMA OMB Circular A-130 training requirements and provides the signed completion records agencies need for their annual FISMA reporting to OMB and agency Inspectors General.
NIST 800-171 NIST SP 800-171 Control 3.2.2 requires CUI-handling organizations to ensure personnel are aware of security risks associated with their activities. Federal contractors pursuing CMMC 2.0 certification satisfy the AT.L1 practice requirement with our training completion records. See our CMMC 2.0 page for the full defense contractor training alignment map.
State Breach Laws All 50 states have breach notification laws requiring government agencies to notify affected residents within specified timeframes. Our executive ransomware tabletop covers the state notification decision tree — distinguishing when a breach notification obligation triggers, how to preserve attorney-client privilege during the notification analysis, and how to coordinate simultaneous state AG notification and public disclosure without creating conflicting statements.
📋
Free: Ransomware Response Playbook
12-page playbook covering the first 60 minutes of a ransomware attack — including the isolation decision tree, CISA notification checklist, and the public communication sequencing that protects the agency without compounding liability. Directly applicable to municipal and state agency environments under CIRCIA and state breach notification obligations.
Download Free →
🗂️
Free: Incident Response Plan Template
12-page IR plan template built for organizations with regulatory reporting obligations. Covers roles and escalation paths, system isolation procedures, regulatory notification timelines (CISA, FBI, state AG, OMB for federal agencies), public communication templates, and the CIRCIA-aligned reporting decision tree. Applicable to municipalities, state agencies, and federal contractors.
Download Free →
Pricing

Expert-led training for public sector teams. No per-seat billing. Budget-line friendly.

Personal
$299
One-on-one session for an individual government employee or contractor — phishing recognition, vishing defense, and Q&A built around your specific role, agency type, and compliance requirements.
  • 60-minute live Zoom / Meet / Teams
  • Role-specific government threat scenarios
  • CJIS / FISMA / StateRAMP compliance map
  • Signed training completion record
  • 24/7 emergency session (+$100)
Book Personal — $299 →
Executive
$899
For IT directors, city/county managers, CISOs, and agency leadership — covers the ransomware tabletop, public communication sequencing, CISA and state breach notification obligations, and federal contractor compliance posture review.
  • 90-minute executive briefing
  • Government ransomware tabletop
  • CISA/FBI/MS-ISAC notification decision tree
  • Public statement template (take-home)
  • FISMA annual training record
  • Priority emergency support (+$100)
Book Executive — $899 →
Business · Custom
Custom
Train your full agency — AP clerks, permit staff, IT team, and leadership in separate targeted sessions tailored to your specific agency type, data environment, and regulatory obligations. Budgetable as a single line item.
  • Multi-session program (half or full day)
  • Separate staff, IT, and executive tracks
  • CJIS / FISMA / StateRAMP compliance docs
  • Agency-specific threat scenario development
  • CIRCIA-aligned IR plan integration
  • Annual retainer options available
Request Business Quote →
Common questions

Questions from government agencies and federal contractors.

Why are state and local governments ransomware targets so consistently?

Three factors converge in public sector environments to make them high-value ransomware targets. First, operational criticality: residents depend on 911 dispatch, permitting systems, court scheduling, and benefit payments — attackers know an outage creates political pressure to pay quickly. Second, aging IT infrastructure: many municipalities run Windows systems approaching end-of-support with deferred patching cycles driven by budget constraints, leaving known vulnerabilities open for months or years. Third, CJIS and criminal-justice data: access to law enforcement databases, inmate records, and protected federal data creates regulatory exposure that magnifies ransom leverage. The CISA and MS-ISAC #StopRansomware advisory AA23-263A specifically highlights state and local government as one of the most frequently targeted sectors.

Does your training satisfy CJIS Security Policy training requirements?

Yes. FBI CJIS Security Policy Section 5.2 requires that all personnel with access to CJIS systems or data complete security awareness training within six months of hire and annually thereafter. SecurEveryone provides signed training completion records with session date, attendees, curriculum covered, and instructor attestation. For law enforcement agencies and criminal justice agencies, our CJIS-specific training covers the exact attack vectors that target court systems, records management, and CAD/dispatch platforms — including the social engineering techniques attackers use to obtain CJIS credentials from help desk and IT support staff.

How does your training support StateRAMP and FedRAMP authorization?

StateRAMP and FedRAMP both require cloud service providers and their government agency customers to implement security awareness training that satisfies NIST SP 800-53 AT (Awareness and Training) controls — specifically AT-2 (Literacy Training and Awareness) and AT-3 (Role-Based Training). Our training provides signed completion records that satisfy AT-2 and AT-3 documentation requirements for FedRAMP Moderate and High baselines and StateRAMP authorization packages. Federal contractors and agency staff who handle CUI under NIST 800-171 also satisfy the 3.2.2 security awareness training control with our completion records.

What was the MOVEit attack's impact on federal agencies?

The 2023 MOVEit SQL injection vulnerability (CVE-2023-34362), exploited by the Cl0p ransomware group, exposed data from the Department of Energy, Office of Personnel Management contractors, multiple state departments of motor vehicles, and over 2,000 organizations worldwide — including MS-ISAC member agencies. The MOVEit attack illustrates how third-party software supply chain vulnerabilities cascade across the public sector simultaneously. Our federal contractor and state agency training covers: how to recognize anomalous bulk data access patterns that precede exfiltration, how to assess vendor software security posture before procurement, and how FISMA incident reporting obligations interact with CISA's cyber incident reporting under CIRCIA for federal agencies and their contractors.

How do federal contractors comply with NIST 800-171 security awareness training requirements?

NIST SP 800-171 Revision 3 Control 3.2.2 requires organizations that handle Controlled Unclassified Information (CUI) to ensure that personnel are aware of security risks associated with their activities and of applicable policies and procedures. For DoD contractors pursuing CMMC 2.0 certification, this maps to the AT.L1 practice set. SecurEveryone provides training completion records that satisfy 3.2.2 documentation requirements, with curriculum specifically covering CUI handling, insider threat indicators, and the phishing and social engineering vectors most commonly used against defense industrial base contractors. See our CMMC 2.0 compliance page for the full CMMC training alignment map.

What does the training cover for AP/finance clerks in government agencies specifically?

AP and finance clerks in government agencies are primary targets for business email compromise — attackers impersonate vendors, department heads, and procurement officers to redirect ACH payments, submit fraudulent invoices, or change direct deposit banking information. Our AP/finance training covers: how to recognize vendor impersonation emails even when display names and spoofed domains look authentic, the callback verification protocol for any banking change request, how to identify urgency pressure tactics and executive override requests that bypass normal authorization controls, and the wire transfer fraud playbook used against government payment teams. This drill maps directly to the City of Dallas and Suffolk County attack patterns where finance staff were the initial entry point.

Ready to train your public sector team?

Book a session directly below. Every session is live, expert-led, and built around your specific agency type — municipality, state agency, federal contractor, or school district. Completion records satisfy CJIS, FISMA, StateRAMP, and NIST 800-171 annual training requirements.

Personal — $299 → Executive — $899 → Business — Custom →
SecurEveryone · StateRAMP · FedRAMP · CJIS · FISMA · NIST 800-171 · Government-specific training · City of Dallas · Oakland · Suffolk County · MOVEit