The report, released last week, points to lapses in compliance that could leave vital public services vulnerable to hackers. Specifically, the state auditor found that, as of Sept. 8, 32 state agencies had not completed the legally required third-party cybersecurity assessments.
And the report makes it clear what’s at stake if those gaps aren’t addressed, stating, “Failure to follow the state’s cybersecurity program exposes critical government operations to unnecessary risk.”
That warning comes amid a recent string of cyber incidents targeting Mississippi government entities. In 2023, a ransomware attack on Hinds County disrupted vehicle registration and real estate transactions, costing taxpayers at least $600,000. A year later, a data breach disrupted the Starkville Oktibbeha Consolidated School District. And this past July, hackers infiltrated an online meeting of the Attorney General’s Opioid Settlement Fund Advisory Council.
“Part of our role in my office, according to state regulations, is to report on whether agencies have followed the steps to protect themselves from hackers,” Auditor Shad White said in the report. “This report should be a loud warning bell to state officials.”
The breaches have forced state leaders to rethink how Mississippi approaches cybersecurity. But rather than just responding after the damage is done, officials are focusing on prevention — helping agencies comply with state law before vulnerabilities turn into public crises. That shift appears to be paying off, at least in part.
Although the state auditor found that nearly one-third of Mississippi’s agencies have yet to meet the Enterprise Security Program requirement this year, that figure actually represents progress. A 2019 survey found that 65 percent of agencies were either out of compliance or failed to report altogether.
According to Jay White, chief information security officer at the Mississippi Department of Information Technology Services (ITS), his office is taking a hands-on approach to help agencies meet the law.
“ITS issued a Request for Proposals (RFP) to establish a pool of qualified vendors capable of providing comprehensive security and risk assessment services,” he said via email. “Through these awarded contracts, any government entity within the state of Mississippi can readily procure security and risk assessment services from pre-approved vendors, streamlining the process for agencies to meet compliance requirements and strengthen their cybersecurity posture.”
White said his office is also working to make sure smaller agencies aren’t left behind. ITS has distributed detailed documentation to every state agency, he said, outlining exactly what’s required to complete a cybersecurity assessment and how to scope one correctly. The department has also provided practical resources — including templates, checklists and best practice guides — to help agencies with limited staff or budgets stay on track and meet compliance standards.
Additionally, the state created a Cyber Security Review Board in 2024 to coordinate defense efforts. The board, White said, had its first meeting in July 2024 and continues to meet monthly to “execute its legislative directives and advance the state’s overall cybersecurity resilience.”
When agencies fall behind on their cybersecurity requirements, White said ITS doesn’t wait for problems to escalate. Instead, his team takes what he described as a “proactive approach,” reaching out directly to noncompliant agencies to walk them through what’s needed to meet the law.
“The department reaches out directly to these agencies to offer guidance and assistance in understanding the requirements and steps necessary to achieve compliance,” he said.