A new report from the Mississippi Office of the State Auditor reveals that nearly one-third of state agencies are not meeting the state’s basic cybersecurity requirements, leaving sensitive data and government systems open to potential cyberattacks.
The audit, released last week, found that as of September 8, 32 agencies had failed to complete their legally mandated third-party cybersecurity assessments, a key safeguard meant to protect taxpayer data.
The report warned that these failures pose significant threats to state operations, stating:
“Failure to follow the state’s cybersecurity program exposes critical government operations to unnecessary risk.”
Recent Cyberattacks Highlight the Urgency
The findings come on the heels of several high-profile cyber incidents in Mississippi over the past two years.
- In 2023, a ransomware attack on Hinds County crippled vehicle registration and real estate transactions, costing taxpayers over $600,000.
- In 2024, a data breach struck the Starkville Oktibbeha Consolidated School District.
- And this past July, hackers infiltrated an online meeting of the Attorney General’s Opioid Settlement Fund Advisory Council.
“These incidents are a loud warning bell,” said State Auditor Shad White, emphasizing that his office is required by law to track whether agencies are taking the necessary steps to protect against hackers.
Progress Since 2019 — But Work Remains
While troubling, the 2025 results show some improvement. In 2019, a similar audit found that 65% of agencies were either noncompliant or failed to report their cybersecurity status. That figure has now dropped by roughly half, reflecting gradual progress toward stronger cyber defenses.
ITS Leads Efforts to Strengthen Agency Cybersecurity
Jay White, Chief Information Security Officer at the Mississippi Department of Information Technology Services (ITS), said his team is taking a more hands-on approach to help agencies meet compliance.
He explained that ITS has launched a Request for Proposals (RFP) to create a pool of pre-approved cybersecurity vendors capable of conducting risk assessments and helping agencies fix weaknesses.
“Through these awarded contracts, any Mississippi government entity can quickly obtain security and risk assessment services,” White said, noting that the goal is to streamline compliance and improve the state’s overall cybersecurity posture.
Support for Smaller Agencies
Recognizing that many smaller state offices lack the staff or funding to meet the law’s requirements, ITS has distributed detailed guidelines, checklists, and best practice templates to help them complete assessments accurately.
White said the department’s outreach program focuses on education and proactive assistance, ensuring that no agency is left behind.
“We reach out directly to these agencies to offer guidance and walk them through what’s needed to meet compliance,” he said.
Cyber Security Review Board Adds Oversight
To further coordinate protection efforts, Mississippi established a Cyber Security Review Board in 2024. The board met for the first time that July and continues to meet monthly to strengthen the state’s overall cyber resilience and monitor compliance progress.
White said these combined efforts — audits, vendor partnerships, and direct support — mark a shift from reactive responses to preventative cybersecurity management.
