State and local government phishing training requirements

State and local governments - counties, cities, towns, school districts, transit authorities, water utilities, election offices and the agencies that hang off all of those - operate the most diverse IT footprint of any sector and the most exposed citizen-facing surface, with the smallest dedicated cybersecurity teams. Ransomware crews have spent the last five years running through that population systematically. The list of municipalities that have lost tax collection systems, court systems, payroll or 911 dispatch to a phishing-initiated incident is long and it grows every quarter.

This post is for the state CISO, the county IT director, the municipal CIO, the election clerk and the SLTT cybersecurity coordinator who has been told to "do something about phishing" with a budget that doesn't quite cover it. It walks through the regulatory and grant frame, the threat scenarios specific to government work, what a credible program looks like at small-jurisdiction and state-agency scale and where the documentation needs to land for federal audits and grant reporting.

The regulatory and guidance frame

  • CISA SLTT resources - CISA's State, Local, Tribal and Territorial program publishes baseline guidance, the Cybersecurity Performance Goals (CPGs) and operational playbooks. Awareness training and recurring phishing-resistant practices are core CPGs.
  • CJIS Security Policy (Section 5.2) - applies to any state or local entity with access to Criminal Justice Information through NCIC, NLETS or III. Requires annual security awareness training including social engineering content. Audits are real and findings are routine.
  • IRS Publication 1075 - applies to any state agency or contractor handling Federal Tax Information. Requires awareness training; the Safeguard Activity Report (SAR) and on-site review evaluate program evidence.
  • HIPAA - applies to public-health agencies, state Medicaid offices and any government component acting as a covered entity or business associate.
  • NIST SP 800-53 (the control catalog FedRAMP is built on) and SP 800-171 - frequently incorporated by reference in state contracts and grant terms; the Awareness and Training (AT) family applies.
  • Election Infrastructure (CISA designation) - election infrastructure is critical infrastructure; election offices are a named CISA priority for phishing-resistant practices.
  • State-specific frameworks - many states maintain their own SLTT cybersecurity programs and require subordinate jurisdictions to participate.
  • Cyber insurance - see our 2026 renewal post; carriers ask SLTT entities the same questionnaire as private-sector buyers.

The threat model unique to government

  • Ransomware against operational systems. Tax collection, court records, payroll, water/wastewater SCADA, 911 dispatch. The visible loss is operational; the hidden loss is the data breach disclosure.
  • Citizen data exposure. Driver records, tax filings, benefits applications, court records, child welfare files. State notification laws apply to the agency and the contractor.
  • Election infrastructure targeting. Election officials face credential-theft phishing aimed at voter registration databases, election management systems and result reporting. CISA has issued specific guidance.
  • Supply-chain phishing. A compromised IT vendor or contractor connects to multiple agencies. The MOVEit-class incident pattern of the last few years shows how a single vendor compromise cascades across SLTT customers.
  • Procurement and grant fraud. Vendor invoice fraud, fake grant award notices and fake federal-agency notices targeting finance and public-works offices.
  • Insider misuse. Phishing isn't always the entry vector; sometimes it's the compromise of a privileged insider's account that creates the impersonation channel for further attacks.

The Verizon DBIR has consistently called out the public sector as a heavily attacked vertical. CISA joint advisories regularly name ransomware crews active against SLTT targets.

Templates that land in government

  • Federal-agency impersonation - fake CISA, FBI, DHS, FEMA notices. Targets emergency management and IT.
  • State-agency impersonation - fake state IT, state HR, state procurement notices targeting subordinate jurisdictions.
  • Citizen-portal credential prompts - fake DMV, tax, court, permitting, benefits portal lures targeting customer-service staff.
  • Vendor and supply-chain lures - IT vendor, GIS vendor, SCADA vendor impersonation targeting IT and operations.
  • Grant-program lures - fake grant award notifications, federal program portals targeting finance and public-works.
  • Election-specific lures - voter file vendor impersonation, election management system credential prompts targeting election offices.
  • Payroll and benefits BEC - direct deposit fraud during open enrollment; effective against widely distributed staff.
  • Public-records request impersonation - fake FOIA / public-records request bait targeting clerks.

A balanced rotation across these categories at varying difficulty produces useful cohort data. Multi-channel coverage matters in jurisdictions where field staff use mobile devices: SMS smishing reaches inspectors, code enforcement and field public-works staff; vishing simulation reaches dispatch and call-center staff who answer plant or office phones.

Cohort design for SLTT entities

  • Elected officials and senior leadership - separate hard-difficulty whaling track. Often the most resistant population to include; include them anyway.
  • Finance, procurement, AP - wire fraud, vendor invoice fraud, grant-program lures.
  • HR and payroll - direct deposit fraud, benefits administration.
  • IT and admin - credential-theft, vendor impersonation, MFA-fatigue scenarios.
  • Public-facing service staff - DMV, tax, courts, clerks, permits, benefits - citizen-portal lures and impersonation.
  • Public safety - police, fire, dispatch, EMS - CJIS-relevant simulations.
  • Public works and utilities - vendor and SCADA lures.
  • Election officials - election-specific simulation track if applicable.

A budget-aware program design for small jurisdictions

The smallest jurisdictions - towns of under 5,000, county offices of 50, special districts - can run a credible program with very little:

  • Tier 1: A free 25-user trial covers most of the central office and IT staff. Run two campaigns to demonstrate baseline.
  • Tier 2: Expand to all email-using staff. Move to monthly cadence. Add auto-assigned remediation training for users who fail.
  • Tier 3: Add multi-channel coverage and produce annual reporting to the council, board or commission.

Funding sources include the State and Local Cybersecurity Grant Program (SLCGP), state-level cybersecurity grants, MS-ISAC sponsored programs and the standard IT operating budget. Per-user costs at SLTT scale are usually a small fraction of the cost of a single ransomware response retainer.

Auto-assigned remediation is non-negotiable

Manual remediation does not scale across a 50-department county or a state agency with 30 field offices. Auto-assigned just-in-time training the moment a user clicks closes the loop, produces audit evidence for CJIS and IRS Office of Safeguards review and survives cyber-insurance review.

Documentation packet for SLTT audit and grant reporting

  • Campaign log: dates, target population, template category, difficulty
  • Click and reporting rate trend over 24 months by department
  • Training completion rate per campaign with median time-to-completion
  • Coverage report: % of personnel including elected officials, contractors, volunteers
  • Multi-channel evidence where applicable
  • Written security awareness policy approved by governing body
  • Council / board / commission reporting cadence and sample report
  • For CJIS-controlled environments: cohort-specific completion records mapped to the awareness-training requirement
  • For FTI environments: program documentation suitable for the IRS Safeguard Activity Report
  • Phishing-related incident log for the past 24 months with remediation

The supply-chain phishing risk specific to SLTT

SLTT entities depend on a small number of shared vendors more than most sectors. The election-management vendor, the property-tax software, the utility billing system, the case-management platform, the GIS provider - each connects to multiple jurisdictions. A successful phishing attack against the vendor cascades to every customer at once. Several of the largest SLTT incidents in the public record have followed this pattern: the agency's own controls held, but the vendor's did not.

The implication is twofold. First, the agency's vendor-risk-management process should require documented phishing-program evidence from any vendor with a significant data flow. Second, the agency's own program should include simulations that mirror the most common vendor-impersonation scenarios, because attackers piggyback on real vendor relationships to establish credibility. CISA joint advisories on supply-chain incidents provide useful template ideas for these simulations.

Mistakes specific to government

  • Treating elected officials as out-of-scope. They have email accounts, they handle records, they get phished. Include them with the same rules as everyone else.
  • Letting "we use the state's free training" stand in for simulation. Training comprehension is not behavior change. Both layers are needed.
  • Ignoring contractors. Outsourced IT, GIS and customer-service contractors hold privileged access; they belong in the program if their email is on your domain.
  • Overlooking volunteer election workers. Election officials supervising volunteer poll workers should consider awareness coverage for the supervisor cohort even if direct simulation of volunteers isn't practical.
  • Reporting only aggregate click rate to the council. Cohort breakdown - finance, IT, public-facing services, leadership - tells the actual risk story.
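As an added illustration (not part of the original post or of any vendor platform), the following Python derives the cohort-level rows of the documentation packet above (click rate, reporting rate, remediation completion, median time-to-completion) from constructed simulation records, and shows why an aggregate click rate alone hides the cohort risk story; the department names, record layout and sample values are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records (not real data): one row per simulated recipient as
# (department, clicked lure, reported lure, days from auto-assigned remediation to completion).
SAMPLE = [
    ("finance", True, False, 1), ("finance", True, False, 3), ("finance", True, False, None),
    ("finance", False, True, None), ("finance", False, False, None),
    ("it", True, False, 1), ("it", False, True, None), ("it", False, True, None),
    ("it", False, True, None), ("it", False, False, None),
    ("public_facing", True, False, 5), ("public_facing", False, True, None),
    ("public_facing", False, False, None), ("public_facing", False, False, None),
    ("public_facing", False, False, None), ("leadership", False, False, None),
    ("leadership", False, False, None), ("leadership", False, False, None),
    ("leadership", False, False, None), ("leadership", False, False, None),
]

def aggregate_click_rate(records):
    """The single number too often reported to the council: clicks over all recipients."""
    return round(sum(1 for _, clicked, _, _ in records if clicked) / len(records), 3)

def cohort_metrics(records):
    """Per-department click rate, report rate, remediation completion and median
    days to complete: the cohort breakdown the documentation packet asks for."""
    by_dept = defaultdict(list)
    for dept, clicked, reported, days in records:
        by_dept[dept].append((clicked, reported, days))
    metrics = {}
    for dept, rows in by_dept.items():
        n = len(rows)
        clicks = [days for clicked, _, days in rows if clicked]   # one entry per clicker
        done = [d for d in clicks if d is not None]              # clickers who finished training
        metrics[dept] = {
            "recipients": n,
            "click_rate": round(len(clicks) / n, 3),
            "report_rate": round(sum(1 for _, reported, _ in rows if reported) / n, 3),
            # Completion is only defined for users who were actually assigned training.
            "remediation_completion": round(len(done) / len(clicks), 3) if clicks else None,
            "median_days_to_complete": median(done) if done else None,
        }
    return metrics

def cohorts_above(metrics, threshold):
    """Departments whose click rate exceeds a threshold, e.g. the aggregate rate."""
    return sorted(d for d, m in metrics.items() if m["click_rate"] > threshold)

if __name__ == "__main__":
    overall = aggregate_click_rate(SAMPLE)
    per_dept = cohort_metrics(SAMPLE)
    print("aggregate click rate:", overall, "- cohorts above it:", cohorts_above(per_dept, overall))
    for dept, m in sorted(per_dept.items()):
        print(dept, m)
```

With the constructed sample the aggregate rate is 25%, while finance sits at 60% with a third of its clickers still not through remediation training, which is the row a council report needs to show.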

Where Bait & Phish fits

Bait & Phish has been running phishing simulation and security awareness training programs for state agencies, counties, cities, towns, special districts, public utilities and SLTT contractors for more than 15 years. The platform supports the cadence, cohort segmentation and reporting SLTT environments need: monthly multi-channel campaigns (email, SMS, voice), government-realistic template categories, auto-assigned just-in-time remediation training, role-segmented reporting and one-click exports formatted for CJIS audit, IRS Office of Safeguards review, SLCGP grant reporting and cyber-insurance renewal.

Start a free trial covering up to 25 users - typically the central office and IT - or contact us about agency or jurisdiction pricing. Plan structure is on the pricing page. For more on documentation flow into your insurance renewal, see what cyber insurers ask about phishing training.

This post is informational and does not constitute legal, regulatory or compliance advice. Specific obligations vary by jurisdiction, agency and federal program; consult counsel and your compliance team.