Local Policies
Cities, counties, and special districts can impose cybersecurity and procurement requirements that go beyond state and federal law. They are the most fragmented layer of the compliance picture — and the easiest to miss. This page explains where local obligations come from and how to find the ones that apply to your contract.
Where local requirements come from
County & city procurement codes
Local governments adopt their own procurement ordinances — often based on the ABA Model Procurement Code — that can add cybersecurity, insurance, and data-handling terms to contracts.
Data-protection & breach ordinances
Some municipalities impose their own breach-notification timelines or data-security standards on vendors handling resident data, layered on top of state law.
Agency & department IT policies
Individual city/county IT departments frequently publish security requirements (MFA, encryption, incident reporting) that flow into vendor agreements and SaaS approvals.
Solicitation-specific terms
Even without a standing ordinance, a local RFP or contract can incorporate NIST 800-171, CIS Controls, or cyber-insurance requirements by reference. Always read the solicitation.
How to check your local obligations
- Start with the solicitation or contract — read every clause that references security, data, or insurance.
- Check the jurisdiction's procurement or finance department site for a standing vendor policy.
- Confirm the controlling state requirements, which usually set the floor local rules build on.
- When in doubt, ask the contracting officer to identify the governing cybersecurity standard in writing.
A searchable directory of specific city and county cybersecurity policies is being built. In the meantime, the guidance above will help you locate the rules that apply to a given local contract.