Picture your state's IT security team on a Tuesday afternoon. They're talented, overextended, and genuinely committed to protecting the systems that millions of constituents depend on. At 5:01 p.m., they log off. The alerts keep firing. The logs keep generating. And somewhere overseas, an adversary who cares nothing about your labor agreements is just getting started.
This is not a scare tactic. It is the operational reality that compliance frameworks, state labor law, and basic threat intelligence all point toward simultaneously. When you stack the regulatory mandates on top of the workforce realities on top of the 24/7 nature of public services, the conclusion is unavoidable. Continuous security monitoring is no longer optional for state and local government. It is required by the rules you already agreed to follow.
1. NIST 800-53 Already Requires It.
Most state governments formally adopt NIST Special Publication 800-53 as their foundational security control standard, either through executive policy, legislative mandate, or the federal grant conditions attached to programs like the State and Local Cybersecurity Grant Program (SLCGP). What many technology leaders underestimate is that 800-53 doesn't merely suggest continuous monitoring. It mandates it, specifically and in writing.
NIST SP 800-53 Rev. 5 — AU-2: Event Logging
Requires organizations to identify the event types the system is capable of logging, select which of them are actually logged, and coordinate the logging function with other organizations that need audit-related information. The logs themselves do not stop at 5 p.m.; what stops is anyone looking at them, and that is the gap an auditor will find and a federal data owner will cite.
NIST SP 800-53 Rev. 5 — SI-4: System Monitoring
Directly requires organizations to monitor the system to detect attacks and indicators of potential attacks, anomalous activity, unauthorized connections, and unauthorized system components. Its enhancements go further: SI-4(1) calls for a system-wide intrusion detection capability, SI-4(2) for automated tools that support near real-time analysis of events, and SI-4(5) for alerting designated personnel when indications of compromise occur. None of them carve out after-hours gaps.
NIST SP 800-53 Rev. 5 — CA-7: Continuous Monitoring
Requires a system-level continuous monitoring strategy with ongoing control assessments, defined monitoring metrics and frequencies, and ongoing reporting of security posture to the officials who grant authorization. NIST SP 800-137, which 800-53 references for this control, is explicit that 'continuous' and 'ongoing' mean assessment at a frequency sufficient to support risk-based decisions; in practice that is near real-time awareness of threats, vulnerabilities, and configuration changes, not a quarterly review.
If you live in NIST, your SIEM architecture likely satisfies AU-2 and SI-4 on paper, at least well enough to get through an audit. The harder question is whether you are genuinely comfortable with an alert firing at midnight and nobody triaging it until the next morning. Your compliance posture and your actual security posture are not the same thing, and one of them does not care about your business hours.
2. CJIS, IRS 1075, and ARC-AMPE Require Continuous Monitoring.
For state agencies that handle criminal justice information, federal tax information, or Medicaid and ACA eligibility data, the requirements are even more explicit, and the consequences for falling short are significantly more severe than a standard audit finding.
CJIS Security Policy v5.9.5 — Section 5.4: Audit and Accountability
Requires agencies to log access to Criminal Justice Information (CJI), retain audit records for a minimum of one year, and review and analyze those records for indications of inappropriate or unusual activity. The policy's review floor is weekly, and Section 5.4.1.1 further expects a review cadence sufficient to identify security incidents; that floor is a compliance minimum, not a detection posture. Any agency accessing NCIC, NLETS, or state criminal history databases is bound by this policy. A review process that runs only during business hours leaves visibility gaps in one of the most sensitive data classifications that exists.
IRS Publication 1075 (2021) Section 1.8 & Controls AU-6, IR-4, IR-6, SI-4
Any state agency that receives, processes, stores, or transmits Federal Tax Information (FTI), which includes departments of revenue, health and human services, and child support enforcement, must comply with IRS Publication 1075. Control AU-6 requires ongoing audit record review and analysis. Section 1.8 establishes breach notification obligations with defined urgency thresholds; a suspected improper inspection or disclosure of FTI must be reported to TIGTA and the IRS Office of Safeguards within 24 hours of discovery. You cannot meet that clock if you do not learn of the breach until Monday morning.
ARC-AMPE — CMS Acceptable Risk Controls for ACA, Medicaid, and Partner Entities
Any state agency administering Medicaid, CHIP, a state-based health insurance exchange, or ACA eligibility functions must comply with ARC-AMPE, published by CMS in March 2025 as the direct replacement for MARS-E. The framework mandates over 400 security and privacy controls derived from NIST 800-53 Rev. 5, including continuous monitoring, incident response, and audit accountability requirements. State Medicaid agencies were required to achieve compliance by March 4, 2026. You cannot demonstrate continuous monitoring to CMS if your monitoring stops at five o'clock.
The pattern is consistent across every federal data framework: the federal government owns the data, sets the rules, and reserves the right to terminate access. No agency director wants to explain to their governor why the state lost access to NCIC or FTI because no one was reacting to the alerts after 5 p.m. or on the weekends.
3. The Union Contract Is Not the Problem.
Legitimate workforce protections create a real operational challenge that deserves an honest solution.
Many state government employees are protected by collective bargaining agreements that restrict after-hours work, on-call obligations, and overtime expectations. That is not a critique of labor agreements. It is an operational reality that every state CISO and CIO has to navigate directly.
The tension surfaces when you map those labor protections against service delivery requirements. State 911 dispatch systems run 24/7 by legal mandate. DMV online portals process transactions around the clock. Medicaid enrollment systems cannot go offline during federal reporting windows. Emergency management platforms must stay operational during hurricanes and wildfires, which do not check in with HR before making landfall.
Your adversaries, whether ransomware groups, nation-state actors, or opportunistic criminals who purchase access from initial access brokers, operate across time zones that have no relationship to Eastern Standard Time. Ransomware deployment is disproportionately launched at night, on weekends, and over holidays, a pattern the FBI and CISA have warned about, and Russian-speaking affiliates in particular tend to be most active during the hours your team is definitively offline. This is not a coincidence. Threat actors study operational patterns. They know when the monitoring goes quiet, and they plan accordingly.
The answer is not to violate labor agreements or burn out existing staff with unsustainable on-call rotations. The answer is to source continuous coverage from a partner specifically structured to provide it, a managed security service provider or SOC as a service partner that maintains around-the-clock analyst staffing as their core operating model, not an afterthought bolted onto a daytime operation.
4. Add It All Up. Only One Answer Remains.
Here is the arithmetic that should drive your next budget conversation and your next vendor conversation.
Your state adopted NIST 800-53, which, once adopted, binds you to continuous system monitoring and event correlation. Your agency touches CJIS, IRS 1075, or ARC-AMPE data, which layers additional continuous monitoring, audit review, and rapid incident reporting obligations on top of that baseline. Your labor agreements mean your internal team is unavailable after business hours. And your public-facing services (emergency systems, benefits platforms, court records, 911 infrastructure, utilities) are required to remain available to constituents every hour of every day.
Every one of those facts is simultaneously true. None of them cancel each other out. Compliance frameworks do not include exceptions for staffing constraints. Service delivery mandates do not pause because the monitoring console went dark. Adversaries do not coordinate their attack schedules with your on-call rotation.
When the compliance requirement is continuous, and the service obligation is continuous, and the threat environment is continuous, the security monitoring must also be continuous. Anything less is not a gap in your security program. It is the program's defining failure, and one that auditors, federal partners, and cyber insurance carriers are increasingly unwilling to accept.
The practical path forward is not necessarily an internally built 24-hour SOC. Managed detection and response, SOC as a service, and managed security service providers exist precisely to solve this problem for organizations that cannot staff a round-the-clock operation on their own. Vulnerability management programs, penetration testing, and cyber risk assessments complete the picture by ensuring you understand what you are monitoring for and whether your defenses would hold up under real pressure.
Whole-of-State security models are gaining traction for exactly this reason. Shared services allow states to fund a level of 24/7 analyst coverage and threat detection capability that no single agency could justify independently: distributing cost across the enterprise while raising the security floor for every participant.
State government cybersecurity has entered a period where the expectations are enterprise-grade, and the resources applied to meet them need to match. The frameworks, the federal data access agreements, and the public service mandates have made the requirement clear. The only remaining question is whether your current program is built to answer it around the clock, or just until five.
Ready to Close the Gap?
NuHarbor Security has been building Whole-of-State security programs alongside public sector teams long before it became a talking point. We understand the compliance landscape, the workforce realities, and the threat environment your team faces every day. When your analysts go home, ours stay on. Reach out to discuss what a continuous monitoring strategy looks like for you.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.