How a Cyber Maturity Assessment (CMA) Can Help Protect Your Government Against Security Threats

Executive Summary:

  • Cyber threats are increasingly elevating data and infrastructure risks for state and local governments. Proactive security standards and assessments can strengthen governmental defenses.
  • Cyber Maturity Assessments (CMAs) evaluate preparedness to safeguard against, detect, isolate, and respond to system threats holistically across staff, procedures, and tools.
  • Conducting a CMA can provide governments strategic advantages, such as: gauging risk management capabilities, fostering a security culture, mapping regulatory requirements, adapting to the evolving threat landscape, and informing cybersecurity strategies.

~

Cyber threats grow more sophisticated every day, increasing risks to sensitive data and critical services at the state and local level. With public-sector cyberattacks on the rise, today’s governments need to reinforce their cyber defenses to protect government operations and maintain constituent trust.

In the realm of cybersecurity, staying ahead of the curve is not just advisable; it’s imperative. In 2016, the Department of Defense (DoD) introduced a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS). This rule mandated new cybersecurity safeguards and cyber incident reporting for controlled unclassified information (CUI).

Transitioning from DFARS, the DoD has now developed the Cybersecurity Maturity Model Certification (CMMC), a framework designed to enhance the cybersecurity of government contractors. While state and local governments are not beholden to the CMMC, your team can still benefit from embracing CMMC standards and proactively developing comprehensive security programs.

5 Benefits of a Cyber Maturity Assessment for Your State or Local Government

To check your government against CMMC standards, you can employ a powerful tool: a Cyber Maturity Assessment (CMA), which examines your organization’s overall preparedness to safeguard against, recognize, isolate, and react to cyber threats that could compromise sensitive data and systems. Analyzing more than just adherence to regulations, a CMA is a holistic analysis of people, processes, and tools that assesses the entity’s broader cyber risk exposure and defenses.

Here are five ways a CMA can be a trusted ally in fortifying your cybersecurity defenses:

1. Risk Management

The CMA framework addresses the crucial question: Is your organization equipped to navigate evolving risks effectively? With the assistance of CMA, state and local governments can gain insights into the maturity of their current processes and mechanisms. This empowers them to make informed decisions on risk mitigation strategies, ensuring a robust defense against emerging cyber threats.

2. Strengthening Security Culture

Promoting a culture of security and privacy by design is paramount in today’s digital landscape. CMA serves as a catalyst in fostering this mindset within organizations. By assessing the maturity of security practices, it enables state and local governments to identify areas for improvement, laying the foundation for a resilient security culture.

3. Understanding of Multiple Regulatory Requirements

Navigating the complex web of regulatory requirements is a challenge for any government entity. CMA provides a comprehensive understanding of an organization’s capabilities to meet controls-based regulatory requirements. This not only ensures compliance but also establishes a framework for efficient regulatory adherence, minimizing vulnerabilities.

4. Proactiveness in an Ever-Evolving Cybersecurity Landscape 

As cyber threats continue to grow in scale and sophistication, organizations must be proactive in adapting to the evolving landscape. CMA equips state and local governments with the foresight needed to stay ahead of cybercriminals. By identifying potential threats and vulnerabilities, organizations can implement strategies to drive growth and transformation while safeguarding their digital assets.

5. Determining Considerations for a Cybersecurity Strategy 

Crafting an effective cybersecurity strategy requires a deep understanding of an organization’s capabilities and potential areas for improvement. CMA assists in identifying key considerations for a cybersecurity strategy, ensuring that state and local governments can rapidly adapt to the dynamic cybersecurity landscape.

Employing a Methodical Approach to CMA that Delivers Actionable Insights

Conducting a productive CMA that yields meaningful insights requires experience with security frameworks and familiarity with the latest threat trends impacting state and local governments. At MGO, our Technology and Cybersecurity Advisory (TCA) team approaches each CMA engagement through a consistent methodology focused on mapping security practices to leading industry standards, evaluating core capability areas, and developing practical recommendations tailored to the organization. 

Key elements of MGO’s CMA methodology include:

  • Utilization of NIST Cybersecurity Framework (CSF), ISO 27001 or CIS Controls as a Baseline – The TCA team will help you identify current gaps in the security of information assets and determine potential opportunities for improvement relative to your organization’s size and stage in the lifecycle.
  • Focus on Key Cybersecurity Capabilities – Emphasizing key cybersecurity capabilities including governance, detection, prevention, response and legal compliance, the TCA team will assist in aligning and mapping these capabilities against industry standards.
  • Recommend Prioritized Areas of a Management Action Plan – The TCA team will assist you in identifying key areas of improvement and provide a risk-ranking to help prioritize moving forward.
  • Maintaining Continuous Improvement – Instituting a recurring cycle of assessment and improvement is crucial, as cybersecurity maturity is a dynamic process that must adapt to evolving threats and business needs.

How We Can Help You Achieve Your Cybersecurity Goals 

Our highly skilled team delivers in-depth cybersecurity and business knowledge that translates to outside-the-box thinking and practical recommendations. We will work with your team to conduct deep-dive walkthroughs and technical testing to help you manage potential cybers

How to Manage Financial Reporting for Special Tax Districts in Your Community

Executive summary 

  • CFDs and IFDs are common options for financing capital projects, but have key differences in funding sources and eligible uses. 
  • As component units, CFDs and IFDs must be included in your government’s financial reporting.  
  • Determining whether to report CFDs/IFDs as fiduciary, blended, or discrete component units is crucial for accurate representation. 

~

As a government leader, you are no doubt all-too-keenly aware of the challenges inherent in financing capital projects in your community. One popular option to fund infrastructure improvements in developing areas is forming special tax districts — with two of the most common variants being community facilities districts (CFDs) and infrastructure financing districts (IFDs).  

While both these types of special tax districts share many similarities, it is their differences that can have a significant impact on how you report them in the financial statements of your organization. In this article, our State and Local Government professionals walk through what you need to know to successfully navigate special tax district reporting. 

What are CFDs and IFDs? 

Before we dive into reporting, here is a glimpse at how each of these special tax districts works and how they differ from one another.

CFDs – Funding Versatile Local Improvements

CFDs, also known as Mello-Roos Districts (named for the lawmakers behind the legislation that created them), are a popular method of financing certain public capital facilities and services — especially in developing and rehabilitating areas. CFDs impose special taxes on property owners within the district, and proceeds can be used to fund any publicly owned facility with a useful life of five or more years.

This versatile special tax district has many eligible uses — including parks, libraries, childcare and recreation centers, storm drainage systems, and more. Developers frequently establish CFDs to fund initial infrastructure as an area is built out.

IFDs – Financing Large Infrastructure

IFDs fund capital projects focused on large-scale, community-wide infrastructure needs. This includes major initiatives like highways, transit facilities, sewage treatment plants, dams, flood control systems, and other regionally significant projects.  

Unlike CFDs, IFD funding comes from growth in property tax increment above a base-year level, redirecting tax revenue that would otherwise flow to participating jurisdictions like the city, county, and special districts. In essence, those entities waive their rights to extra revenue generated by growth in the IFD area until the established revenue retention period expires (this period may last up to 30 years). 

Special Tax Districts as Component Units (and What That Means)

Current accounting standards require your government to include in its financial statements the finances of “component units”. Component units are legally separate entities for which the elected officials of a primary government are financially accountable. The primary government is financially accountable if it appoints a voting majority of the entity’s governing body and: (1) it can impose its will on that entity or (2) there is a potential for the entity to provide specific financial benefits to, or impose specific financial burdens on, the primary government. 

Under California law (different states may have different requirements), CFDs and IFDs are legally constituted governmental entities. They are established by and governed by your agency’s legislative body, whether that be the city council or county board of supervisors. This governance structure grants your government the ability to impose its will on the CFDs and IFDs since you can modify budgets or appoint key personnel. Moreover, IFDs create a financial burden by capturing property taxes that would otherwise fund services in participating jurisdictions. 

Due to this financial accountability, CFDs and IFDs are considered component units and should be included in the financial reporting entity of the primary government. That means, as a primary government, you are required to report component unit financial information within your financial reporting entity’s financial statements. 

Fiduciary, Blended, or Discretely Presented: Determining the Reporting Method 

While the objective of including component units in your financial statements is to provide an overview of your government based on financial accountability, the method of component unit inclusion – fiduciary, blended, or discretely presented – depends on the closeness of their relationship with your government. 

To assess whether a special tax district like a CFD or IFD is a fiduciary activity for reporting purposes, ask these questions: 

  1. Does your government exercise control over the assets of the district?
  2. Does the government benefit from those assets (as opposed to external parties)?

With CFDs and IFDs, the assets are typically controlled by your government but maintained for the benefit of the district (not external parties). Therefore, their relationships with your government generally do not qualify as fiduciary.  

For IFDs, the revenue they receive by capturing incremental property taxes warrants blended reporting within your government’s financial statements. That means their activity is reported like any other fund – blended in the special revenue funds or other reporting units. 

Treatment gets trickier for CFDs. The key factor is whether your government is obligated in any manner for repayment of the CFD’s bonded debt in the event of delinquencies or default by property owners. If your government must back the debt, the CFD is considered a financial burden and blending is appropriate. Blending makes the long-term debt obligation clearly visible to financial statement users. 

However, if your government has no obligation for CFD debts, the CFD should be reported in fiduciary funds. Here, your government serves as an agent on behalf of property owners and the bondholders within the CFD. The debt service transactions are kept separate from other activities. 

Ensuring Accurate and Transparent Financial Reporting 

Complicating CFD and IFD reporting is the reality that major capital improvements are often funded by a combination of financing mechanisms. You may need to untangle several types of debt and financing sources – such as grants from other governments, general obligation debt, and special assessments. The reporting guidance on CFDs and IFDs is not one-size-fits-all.  

As a steward of public resources, it is important to take care to consider all nuances of how districts are established and financed in your government. Accurately reporting CFD and IFD activities is central to upholding your responsibility to constituents. By proactively addressing district reporting, you also minimize audit issues or restatements down the road. Taking the time upfront to thoroughly understand the standards will pay dividends. 

While financing capital projects may be challenging, you don’t have to figure it out alone. Our specialized State and Local Government team can guide you through the nuances of CFD and IFD reporting. Contact our professionals today to discuss how we can help you meet the highest standards of accountability and transparency.