Public-Safety Cyber Mutual Aid: The Idea Whose Time Has Come
You are a fire chief in a county with 12 volunteer stations and a paid crew of 30. Your CAD system goes down at 2 AM on a Saturday. Not a network issue but ransomware. The screens lock. The dispatch audio still works, but the mapping, the unit status, the call records, all of it is gone.
You call your IT person. They are a part-time contractor who manages the station Wi-Fi and the email server. They have never handled a ransomware event. You call your state's cybersecurity office. They say they can have someone out in three business days. You call CISA. They route you to a regional coordinator who will call you back.
Meanwhile, your ambulances are running on paper. The crews are writing run times on their gloves while the hospital asks for ePCR data you cannot produce. The clock is running on a breach notification requirement you are not sure applies.
Now imagine a different scenario where you have a mutual aid agreement with the county next door, not for fire apparatus but for cybersecurity. You call their security team at 2 AM and they answer. They have seen this ransomware variant before, they have a decryption tool and a containment playbook, and they are on site by 4 AM.
That is the model this article is about.
Public Safety Cybersecurity Mutual Aid Agreements
The concept is simple. Public safety agencies have been sharing physical resources for decades. A structure fire in a small town gets ladder trucks from three neighboring districts. A mass casualty event pulls ambulances from across the region. Nobody questions this. It is how the system works.
The same logic applies to cybersecurity. Small and mid-sized agencies cannot afford a full-time security team. A dedicated CISO is out of reach for most departments under 200 personnel. A 24/7 SOC is not happening. What they can do is pool resources with neighboring agencies to create shared incident response capacity.
A mutual aid agreement for cybersecurity works the same way a fire mutual aid agreement works. There is a pre-signed legal document, a defined trigger for activation, and a clear scope of what is being shared. The difference is that instead of sharing a ladder truck, you are sharing an analyst who knows how to contain a ransomware outbreak.
The trigger matters here and it needs to be very specific. A cyber mutual aid agreement should not activate for a phishing email that one person clicked. It should activate for a declared emergency like total loss of CAD functionality, wide-scale encryption of ePCR records, or a confirmed breach of a system that contains PHI. That is the same threshold that would make you call for mutual aid on the fire side.
Sharing Incident Response Capacity Between Emergency Agencies
The operational model has a few variations. The most common is the hub-and-spoke model. A larger city or county maintains a security team that serves as the primary IR resource for smaller surrounding agencies. The hub carries the staffing cost. The spokes contribute a share based on population or call volume. When an incident hits a spoke, the hub's team responds under the pre-signed agreement.
The cooperative model works for mid-sized agencies. Three or four departments of similar size pool their budgets to hire a shared security lead. That person handles prevention and monitoring across all agencies and coordinates IR when something breaks. Each agency gets more capability than they could afford alone.
A few states are starting to formalize state-level cyber response teams. These act as the coordinating body. They maintain a roster of vetted responders from participating agencies and direct resources based on severity. This model works best when the state provides the legal framework and liability coverage.
The key in every model is that the responders understand public safety. A generic IR firm knows how to contain a breach. They may not know that you cannot take the CAD system offline for three days to rebuild it. They may not know that an ePCR outage means crews are documenting on paper and that paper has to be scanned and uploaded within 72 hours to stay compliant. A mutual aid responder from another agency already knows this.
> A fire chief understands that they do not need to own every piece of equipment if they have a reliable mutual aid agreement. The same logic applies to cybersecurity expertise.
HIPAA Compliant Cybersecurity Mutual Aid for EMS
This is where most cyber mutual aid conversations stall. You cannot just let another agency's IT staff touch your systems. If those systems contain PHI, and most public safety systems do, you need a legal framework that keeps you HIPAA compliant.
The solution is a Business Associate Agreement between the participating agencies. The BAA covers the assisting agency's staff when they access systems containing PHI during an incident. It defines the permitted use of that data, the confidentiality obligations, and the breach notification chain.
Some states have intergovernmental agreement statutes that allow public agencies to share resources without a full BAA. These IGAs can include specific language about data access and liability. The legal team needs to look at your state's specific laws. But the principle is the same. The agreement must explicitly authorize the assisting agency's staff to view and analyze PHI for the purpose of incident response.
The liability question also needs to be addressed up front. If a mutual aid responder makes a mistake during recovery, who bears the cost? The agreement should define this. Most models use a standard of gross negligence. The assisting agency is not liable for ordinary mistakes made in good faith during an emergency response. This mirrors the liability protections in physical mutual aid agreements.
Regional Cybersecurity Pilots for Fire and Police Departments
A handful of states are running pilot programs. The patterns are still emerging, but the early results are promising.
One model operates through a regional council of governments. The council hires a shared security analyst who serves five counties. The analyst does vulnerability scanning, policy review, and tabletop exercises for all participating agencies. When an incident occurs, the analyst coordinates the response and brings in additional resources from the state if needed.
Another model uses a city-county partnership. A metropolitan fire department with an internal IT security team extends coverage to the surrounding county volunteer departments. The city covers the staffing cost while the county departments contribute equipment and training space. The arrangement is informal enough to start quickly and formal enough to survive an audit.
The common thread in every working pilot is that the legal structure was in place before the incident. Nobody is drafting a BAA at 2 AM during a ransomware event. The agreement exists, the phone numbers are saved, and the responders have already done the cross-training and the badge exchange. When the call comes, it is execution, not negotiation.
Intergovernmental Agreements for Cyber Incident Response
The legal foundation matters more than the technical one. You can have the best tools in the world, but if your agreement does not hold up under scrutiny, you will not be able to use them.
The IGA or MOU should cover these elements:
- Activation criteria. What counts as a cyber emergency that triggers mutual aid.
- Scope of assistance. What the assisting agency will provide: analysts, tools, forensic support, containment, recovery.
- Data access. Explicit authorization to access systems containing PHI, with BAA language or a statutory carve-out.
- Liability. Standard of care, indemnification, and cost allocation.
- Training and exercises. Requirement for joint tabletop exercises at least annually.
- Termination. How either party can withdraw and what happens to shared data after withdrawal.
The agreement should be reviewed by legal counsel who understands both cybersecurity and public safety operations. A generic IT services contract will not cover the clinical and operational constraints that make public safety different.
I wrote about the vendor subprocessor problem a while back and the same logic applies here. When you bring in a mutual aid partner, you are extending your trust boundary to include their people and their tools. You need to know what they will touch and how they will handle it.
Frequently Asked Questions
How is cyber mutual aid different from hiring a retained IR firm
A retained IR firm is a commercial contract. You pay them, they respond. Cyber mutual aid is a peer-to-peer agreement between government entities. The responders come from agencies that do the same job you do. They understand the operational constraints. The cost is shared rather than billed at commercial rates.
How do we handle HIPAA and PHI when sharing IR resources
You need a Business Associate Agreement or an intergovernmental agreement with specific data access language. The agreement must explicitly authorize the assisting agency's staff to access and analyze systems containing PHI for the purpose of incident recovery. This should be in place before any incident occurs.
What triggers a request for cyber mutual aid
The trigger should be a declared emergency like total loss of CAD functionality, wide-scale ransomware encryption, or a confirmed breach of a system containing PHI. The same threshold that would make you call for mutual aid on the fire side. A single phishing email or a workstation infection does not qualify.
How do we fund a shared security position
The cooperative model spreads the cost across multiple agencies. Each agency contributes based on population, call volume, or a flat per-department fee. Some states offer grant funding for regional cybersecurity initiatives. The Homeland Security Grant Program and the State and Local Cybersecurity Grant Program are both worth exploring.
What if the assisting agency makes a mistake during recovery
The agreement should define liability using a gross negligence standard. The assisting agency is not liable for ordinary mistakes made in good faith during an emergency response, which mirrors the liability protections in physical mutual aid agreements and keeps agencies from hesitating to respond.
The apparatus analogy holds well here and it is worth repeating. You do not need to own every piece of equipment if you have a reliable mutual aid agreement, and the same is true for cybersecurity expertise. The question is whether your agency has the agreements ready before the 2 AM call comes.
-- Steven
Need help with your agency’s cybersecurity? Get in touch