
The National Association of Counties (NACo) is the only national organization that represents county governments in the United States. Founded in 1935, NACo assists America’s 3,069 counties in pursuing excellence in public service to produce healthy, vibrant, safe and resilient counties. NACo promotes sound public policies, fosters county solutions and innovation, promotes intergovernmental and public-private collaboration and provides value-added services to save counties and taxpayers money. With its headquarters on Capitol Hill, NACo is a full-service organization that delivers its services through its dedicated and skilled staff who comprise the following departments: Executive Management, Legislative Affairs, Public Affairs, County Solutions and Innovation, Information Technology, Finance and Administration and the Financial Service Corporation.​

National Association of Counties A.I CyberSecurity Scoring

NAC

Company Details

LinkedIn ID: nacodc
Employees number: 183
Number of followers: 21,910
NAICS: 921
Industry Type: Public Policy Offices
Homepage: naco.org
IP Addresses: 0
Company ID: NAT_6650210
Scan Status: In-progress

NAC Risk Score (AI oriented)

Between 750 and 799

  • Powered by our proprietary A.I cyber incident model
  • Insurance prefers TPRM score to calculate premium

NAC Global Score (TPRM)

XXXX

  • Instant access to detailed risk factors
  • Benchmark vs. industry & size peers
  • Vulnerabilities
  • Findings

NAC Company CyberSecurity News & History

Past Incidents: 1
Attack Types: 1

U.S. County Governments (Collective)
Vulnerability
Severity: 100
Impact: 6
Seen: 10/2025
Rankiteo Explanation: Attack threatening the economy of geographical region

Description: Researchers from the University of Maryland uncovered systemic cybersecurity vulnerabilities across **3,095 U.S. county governments**, exposing **42,735 internet-facing devices** (98% of all counties) to potential exploits. The study revealed critical gaps in security measures for public-facing nodes, databases, and online services—including school boards, wastewater systems, housing, elections, and emergency response infrastructure. Counties, often constrained by limited budgets, lack visibility into their cyberattack surface, making them prime targets for hackers seeking initial attack vectors. The exposed vulnerabilities (e.g., unpatched CVEs) risk compromising **sensitive citizen data**, disrupting **essential services** (water, elections, police response), and enabling cascading attacks on regional economies. While the researchers avoided active probing to prevent exacerbating risks, passive reconnaissance (via OSINT tools like Shodan/Censys) confirmed that poor cyber resilience at the local level could lead to **disastrous societal consequences**, including service outages, data breaches, or even threats to public safety if critical infrastructure (e.g., water treatment) is targeted.


Underwriter Stats for NAC

Incidents vs Public Policy Offices Industry Average (This Year)

National Association of Counties has 20.48% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

National Association of Counties has 56.25% more incidents than the average of all companies with at least one recorded incident.

Incident Types NAC vs Public Policy Offices Industry Avg (This Year)

National Association of Counties reported 1 incident this year: 0 cyber attacks, 0 ransomware, 1 vulnerability, 0 data breaches, compared to industry peers with at least 1 incident.

Incident History — NAC (X = Date, Y = Severity)

NAC cyber incidents detection timeline including parent company and subsidiaries


NAC Similar Companies

Foundation for Alcohol Research and Education (FARE)

The Foundation for Alcohol Research and Education (FARE) is the leading not-for-profit organisation working towards an Australia free from alcohol harms. We approach this through developing evidence-informed policy, enabling people-powered advocacy and delivering health promotion programs. Austr

Texas Center for Justice and Equity

TCJE advances solutions and builds coalitions to end mass incarceration and foster safer Texas communities. Our three, often-intersecting goals are as follows: * Reverse the pipeline that pushes people into the justice system. We are fighting to reduce the number of people entering the system, i

National Grain and Feed Association

The National Grain and Feed Association, founded in 1896, is a broad-based, non-profit trade association that represents and provides services for grain, feed and related commercial businesses. Its activities focus on enhancing the growth and economic performance of U.S. agriculture. NGFA member

HQN provides fast practical guidance on everything to do with housing. We’ve got everything covered – repairs and maintenance, housing management, governance, health and safety, lettings and allocations, estate services and more. Turn to us for advice and guidance on the hot topics – value for

Virginia Department of Business Assistance

The Virginia Department of Business Assistance, created by the Virginia General Assembly in 1996, provides a one-stop-service for technical assistance related to business formation, access to capital, and workforce development. VDBA works with existing businesses as they grow their workforce and men

Fay-Penn Economic Development Council

Fay-Penn Economic Development Council's mission is to maintain and increase employment opportunities (jobs) in Fayette County in an effort to improve the quality of life for all of its residents. This mission is met through a comprehensive strategy of specific #economicdevelopment objectives. The or


NAC CyberSecurity News

November 21, 2025 01:30 PM
MACo’s Inaugural Information Technology Conference

County professionals and technology partners from across Maryland convened on November 20 for the inaugural MACo IT Affiliate Conference.

November 20, 2025 04:07 PM
U.S. House Passes Reauthorization Bill for the State and Local Cybersecurity Grant Program

The U.S. House passed a bill to reauthorize the State and Local Cybersecurity Grant Program, a key priority for counties · NACo supports the reauthorization...

November 18, 2025 06:54 PM
Full renewal of state and local cyber grants program passes in House

The PILLAR Act, which would renew federal cybersecurity grants to state and local governments for 10 years, passed by voice vote in the...

October 09, 2025 07:00 AM
NACo Cyber Awareness Month Deal: Build Cyber Leadership Skills for Just $1,000

During Cybersecurity Awareness Month (October), the National Association of Counties (NACo) is offering exclusive scholarships that reduce...

October 07, 2025 09:25 PM
Cyber Resilience In Action: County Leaders Share Their Strategies

Join county IT leaders to hear how they are defending local government systems, staff, and constituents from ever-increasing cyber-attacks.

September 30, 2025 07:00 AM
US Cuts Federal Funding for MS-ISAC Cybersecurity Program

The Trump administration wants CISA to transition to a “new model” for supporting local government agencies' cyber strategy.

September 22, 2025 07:00 AM
Fort Bend County Hosts 77th Annual State Treasurers Conference

The 77th Annual County Treasurers' Association of Texas Conference brought together county treasurers, financial leaders and policymakers...

September 18, 2025 07:00 AM
Governors, mayors, CIOs sign letter supporting state and local cyber grant reauthorization

Groups including the National Governors Association and NASCIO have signed a letter asking Congress to reauthorize the State and Local...

September 17, 2025 07:00 AM
NGA Joins State and Local Government Leaders, Urges Congress to Preserve State and Local Cyber Security Grant Program

The Honorable John Thune Majority Leader U.S. Senate 511 Dirksen Senate Office Building Washington, D.C. 20510. The Honorable Chuck Schumer


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

NAC CyberSecurity History Information

Official Website of National Association of Counties

The official website of National Association of Counties is http://www.naco.org.

National Association of Counties’s AI-Generated Cybersecurity Score

According to Rankiteo, National Association of Counties’s AI-generated cybersecurity score is 751, reflecting their Fair security posture.

How many security badges does National Association of Counties have ?

According to Rankiteo, National Association of Counties currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does National Association of Counties have SOC 2 Type 1 certification ?

According to Rankiteo, National Association of Counties is not certified under SOC 2 Type 1.

Does National Association of Counties have SOC 2 Type 2 certification ?

According to Rankiteo, National Association of Counties does not hold a SOC 2 Type 2 certification.

Does National Association of Counties comply with GDPR ?

According to Rankiteo, National Association of Counties is not listed as GDPR compliant.

Does National Association of Counties have PCI DSS certification ?

According to Rankiteo, National Association of Counties does not currently maintain PCI DSS compliance.

Does National Association of Counties comply with HIPAA ?

According to Rankiteo, National Association of Counties is not compliant with HIPAA regulations.

Does National Association of Counties have ISO 27001 certification ?

According to Rankiteo, National Association of Counties is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of National Association of Counties

National Association of Counties operates primarily in the Public Policy Offices industry.

Number of Employees at National Association of Counties

National Association of Counties employs approximately 183 people worldwide.

Subsidiaries Owned by National Association of Counties

National Association of Counties presently has no subsidiaries across any sectors.

National Association of Counties’s LinkedIn Followers

National Association of Counties’s official LinkedIn profile has approximately 21,910 followers.

NAICS Classification of National Association of Counties

National Association of Counties is classified under the NAICS code 921, which corresponds to Executive, Legislative, and Other General Government Support.

National Association of Counties’s Presence on Crunchbase

No, National Association of Counties does not have a profile on Crunchbase.

National Association of Counties’s Presence on LinkedIn

Yes, National Association of Counties maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/nacodc.

Cybersecurity Incidents Involving National Association of Counties

As of November 28, 2025, Rankiteo reports that National Association of Counties has experienced 1 cybersecurity incident.

Number of Peer and Competitor Companies

National Association of Counties has an estimated 1,023 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at National Association of Counties ?

Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability.

How does National Association of Counties detect and respond to cybersecurity incidents ?

Detection and Response: The company detects and responds to cybersecurity incidents through containment measures (passive reconnaissance to avoid exacerbating vulnerabilities; a secure Python application for data analysis), a communication strategy (publication in the *Journal of Cybersecurity*, January 2025; media outreach to raise awareness), and enhanced monitoring (a recommendation for counties to adopt continuous monitoring via OSINT tools, e.g., Shodan, Censys).

Incident Details

Can you provide details on each incident ?

Incident : Research Study

Title: Holistic Assessment of U.S. County Governments' Cyber Attack Surface

Description: Researchers at the University of Maryland conducted a study to assess the cyber attack surface of U.S. county governments, identifying vulnerabilities in 42,735 internet-facing devices across 3,095 counties (98% of all U.S. counties). The study, published in January 2025 in the *Journal of Cybersecurity*, highlighted systemic gaps in cybersecurity resilience at the county level, emphasizing risks to sensitive citizen data, emergency services, elections, water supply, and local economies. The research relied on passive reconnaissance tools (e.g., Shodan, Censys) and OSINT to map vulnerabilities without exacerbating risks. Key findings underscore the urgency of addressing cybersecurity in underfunded local governments, which are often targeted as 'weakest links' by threat actors.

Date Publicly Disclosed: 2025-01

Type: Research Study

Vulnerability Exploited: Unspecified CVEs identified via Shodan/Censys scans; Public-facing nodes and databases with inadequate security controls

Motivation: Academic Research, Public Awareness, Policy Advocacy

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Vulnerability.

Impact of the Incidents

What was the impact of each incident ?

Incident : Research Study NAC5693056100125

Systems Affected: 42,735 internet-facing devices across 3,095 U.S. counties

Operational Impact: Potential risks to emergency services, elections, water supply, and local economies due to unaddressed vulnerabilities

Brand Reputation Impact: Highlighted systemic neglect of county-level cybersecurity, risking public trust in local government digital services

Identity Theft Risk: Sensitive citizen data (e.g., housing, permits, elections) at risk due to inadequate protections

Which entities were affected by each incident ?

Incident : Research Study NAC5693056100125

Entity Name: U.S. County Governments (3,095 counties, 98% coverage)

Entity Type: Local Government, Public Sector

Industry: Government Administration, Public Services, Critical Infrastructure (e.g., water, elections)

Location: United States (all 50 states)

Size: Varies (small to large counties)

Customers Affected: U.S. citizens relying on county services (e.g., schools, housing, emergency response)

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Research Study NAC5693056100125

Containment Measures: Passive reconnaissance to avoid exacerbating vulnerabilities; Secure Python application for data analysis

Communication Strategy: Publication in *Journal of Cybersecurity* (January 2025); Media outreach to raise awareness

Enhanced Monitoring: Recommendation for counties to adopt continuous monitoring via OSINT tools (e.g., Shodan, Censys)

Data Breach Information

What type of data was compromised in each breach ?

Incident : Research Study NAC5693056100125

Sensitivity of Data: Potential exposure of citizen data (e.g., housing, permits, elections, emergency services)

Personally Identifiable Information: Risk of PII exposure due to unpatched vulnerabilities in public-facing systems

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through passive reconnaissance to avoid exacerbating vulnerabilities and a secure Python application for data analysis.

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : Research Study NAC5693056100125

Lessons Learned: County governments are critically under-resourced for cybersecurity, despite managing sensitive data and infrastructure. Passive reconnaissance tools (e.g., Shodan, Censys) can effectively map attack surfaces without increasing risk. Lack of visibility into county-level vulnerabilities creates systemic risks for elections, emergency services, and public trust. Collaborative research can drive policy changes and resource allocation for local government cybersecurity.

What recommendations were made to prevent future incidents ?

Incident : Research Study NAC5693056100125

Recommendations: Increase funding and resources for county cybersecurity programs. Implement continuous monitoring of public-facing assets using OSINT tools. Develop standardized cybersecurity frameworks tailored to local governments. Prioritize patching of known CVEs in county IT infrastructure. Enhance public-private partnerships to share threat intelligence and best practices.

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are: County governments are critically under-resourced for cybersecurity, despite managing sensitive data and infrastructure. Passive reconnaissance tools (e.g., Shodan, Censys) can effectively map attack surfaces without increasing risk. Lack of visibility into county-level vulnerabilities creates systemic risks for elections, emergency services, and public trust. Collaborative research can drive policy changes and resource allocation for local government cybersecurity.

References

Where can I find more information about each incident ?

Incident : Research Study NAC5693056100125

Source: Journal of Cybersecurity (UK)

Date Accessed: 2025-01

Incident : Research Study NAC5693056100125

Source: University of Maryland College of Information Studies

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at the Journal of Cybersecurity (UK) (date accessed: 2025-01) and the University of Maryland College of Information Studies.

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Research Study NAC5693056100125

Investigation Status: Completed (published in January 2025)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through publication in *Journal of Cybersecurity* (January 2025) and media outreach to raise awareness.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Research Study NAC5693056100125

Stakeholder Advisories: Urgent need for federal/state support to address county-level cybersecurity gaps

Customer Advisories: Citizens advised to monitor county communications for updates on service security

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: urgent need for federal/state support to address county-level cybersecurity gaps, and citizens advised to monitor county communications for updates on service security.

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Research Study NAC5693056100125

High Value Targets: Public-Facing Databases, Election Systems, Emergency Service Networks

Data Sold on Dark Web: Public-Facing Databases, Election Systems, Emergency Service Networks

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Research Study NAC5693056100125

Root Causes: Chronic underfunding of county cybersecurity programs; Lack of standardized security protocols across local governments; Limited visibility into attack surfaces due to decentralized IT management; Over-reliance on outdated or unpatched systems

Corrective Actions: Advocate for federal/state cybersecurity grants for counties; Establish a national repository for county-level vulnerability data (anonymized); Mandate regular cybersecurity audits for local governments; Develop training programs for county IT staff on threat detection and response

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as a recommendation for counties to adopt continuous monitoring via OSINT tools (e.g., Shodan, Censys).

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: advocate for federal/state cybersecurity grants for counties; establish a national repository for county-level vulnerability data (anonymized); mandate regular cybersecurity audits for local governments; develop training programs for county IT staff on threat detection and response.

Additional Questions

Incident Details

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-01.

Impact of the Incidents

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were 42,735 internet-facing devices across 3,095 U.S. counties.

Response to the Incidents

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were passive reconnaissance to avoid exacerbating vulnerabilities and a secure Python application for data analysis.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Collaborative research can drive policy changes and resource allocation for local government cybersecurity.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: Enhance public-private partnerships to share threat intelligence and best practices. Develop standardized cybersecurity frameworks tailored to local governments. Increase funding and resources for county cybersecurity programs. Implement continuous monitoring of public-facing assets using OSINT tools. Prioritize patching of known CVEs in county IT infrastructure.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent sources of information about an incident are University of Maryland College of Information Studies and Journal of Cybersecurity (UK).

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Completed (published in January 2025).

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was: Urgent need for federal/state support to address county-level cybersecurity gaps.

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisory issued was: Citizens advised to monitor county communications for updates on service security.


Latest Global CVEs (Not Company-Specific)

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

Risk Information
cvss4
Base: 7.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.

Risk Information
cvss4
Base: 8.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.

Risk Information
cvss4
Base: 6.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.

Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data.

Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Access Data Using Our API


Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=nacodc' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

  • Incident
  • Finding
  • Grade
  • Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.