The City and County of San Francisco (City) is dedicated to building a strong cybersecurity program to support, maintain, and secure critical infrastructure and data systems. The following policy is intended to maintain and enhance key elements of a citywide cybersecurity program.



The COIT Cybersecurity Policy lays the foundation for the City’s Cybersecurity Program as a whole and articulates executive level support for the effort. Cybersecurity operations across the City are in different stages of deployment. The Cybersecurity Policy supports the City’s Cybersecurity Program established to:

  • protect our connected critical infrastructure
  • protect the sensitive information placed in our trust
  • manage risk
  • continuously improve our ability to detect cybersecurity events
  • contain and eradicate compromises, restoring information resources to a secure and operational status
  • ensure risk treatment is sufficient and in alignment with the criticality of the information resource
  • facilitate awareness of risk to our operations within the context of cybersecurity

The requirements identified in this policy apply to all information resources operated by or for the City, and County of San Francisco and its departments, and commissions. Elected officials, employees, consultants, and vendors working on behalf of the City and County of San Francisco are required to comply with this policy.



The COIT Cybersecurity Policy requires all departments to:

  1. Appoint a Departmental Cybersecurity Officer or security liaison to coordinate cybersecurity efforts.
  2. Adopt a cybersecurity framework as a basis to build their cybersecurity program. The City recommends adopting the National Institute of Standards and Technology (NIST) Cybersecurity Framework as a methodology to secure information resources.
  3. Conduct and update, at least annually, a department cybersecurity risk assessment.
  4. Develop and update, at least annually, department cybersecurity requirements to mitigate risk and comply with legal and regulatory cybersecurity requirements. Department will develop and adopt cybersecurity requirements that should be equivalent to or greater than the citywide security requirements by December 31, 2019.
  5. Participate in citywide cybersecurity roundtable meetings.