Glossary

The terms a CAO actually needs in the first hour.

Plain-language definitions of the acronyms, roles, and concepts you'll hear from your insurance carrier, IR firm, and MS-ISAC contact — and why each one matters.

People & roles

CAO (Chief Administrative Officer)
The senior non-elected staff officer of a municipality — sometimes called the City Manager, Town Manager, or Clerk-Treasurer depending on jurisdiction.
Why it matters: In most municipal incidents the CAO is the single decision-maker who can authorize spend, sign the insurance claim, and speak to council. The incident bridge starts with them.
Incident Commander (IC)
The named person running an active incident response, with authority to make decisions without polling a committee.
Why it matters: In a small municipality the IC is almost always the CAO or a delegate. Naming one before the incident — and writing it down — is the highest-leverage preparation step.
IR firm (Incident Response firm)
An external cybersecurity firm engaged to investigate, contain, and remediate a confirmed or suspected breach.
Why it matters: Insurance carriers maintain panels of IR firms with pre-negotiated rates. Calling the carrier first lets them assign a panel firm — calling an IR firm first often means paying out-of-pocket for hours the carrier won't reimburse.
MSP (Managed Service Provider)
A contracted external IT provider that runs day-to-day technology operations for the municipality.
Why it matters: Most small municipalities don't have in-house IT — the MSP is the technical hands. Confirm in advance whether the MSP's contract covers after-hours incident work and what the rate is.

Incident types

Ransomware
Malware that encrypts data and demands payment for a decryption key. Modern variants also exfiltrate data and threaten public release.
Why it matters: The dominant municipal incident type by impact. Isolation — not power-off — preserves forensic evidence and often preserves decryptable state.
BEC (Business Email Compromise)
An attacker uses a compromised or spoofed business email account to redirect a legitimate payment to an attacker-controlled bank account.
Why it matters: The most common cause of direct financial loss in municipal incidents. Almost always defeated by an out-of-band paper countersign on banking changes.
Credential stuffing
An attacker tries username/password pairs leaked from one breach against unrelated accounts, exploiting password reuse.
Why it matters: The most common entry vector for municipal website CMS, vendor portal, and email account compromise. MFA breaks the attack; password rotation alone does not.
Defacement
Unauthorized alteration of a public-facing page — usually the homepage or a high-traffic section.
Why it matters: High visibility, usually low data impact, but the response window is publicly measured in minutes. Pre-drafted holding statements matter more than fast technical remediation.

Response & technical concepts

Isolation (network containment)
Disconnecting an affected machine from the network while leaving it powered on, to stop spread without destroying memory-resident evidence.
Why it matters: Pulling the network cable preserves evidence the IR firm needs; powering off destroys it. Train counter staff and MSP techs to isolate, not shut down.
Indicators of Compromise (IoCs)
Specific technical fingerprints of an attack — file hashes, IP addresses, domains, ransomware note text.
Why it matters: MS-ISAC and IR firms share IoCs that let the MSP search the rest of the environment for related activity. Capture and share them early.
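What "search the rest of the environment for related activity" looks like in practice, as an added illustration rather than anything from this glossary or from MS-ISAC: a small Python matcher that takes an IoC set in the shape a bulletin typically provides (file hashes, IP addresses, domains, ransomware note text) and sweeps log lines for any hit, reporting which hosts are implicated. Every IoC value, hostname and log line below is a constructed placeholder (the IP is from the 203.0.113.0/24 documentation range, the hash is a repeated "deadbeef" pattern); a real MSP would run the same logic inside its SIEM or EDR search rather than a script.

```python
"""Sweep constructed log lines against a constructed IoC set (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed IoC set in the shape an MS-ISAC / IR-firm bulletin provides.
# All values are placeholders for illustration, not real indicators.
PLACEHOLDER_HASH = "deadbeef" * 8  # 64 hex chars, obviously synthetic
IOCS: Dict[str, Set[str]] = {
    "sha256": {PLACEHOLDER_HASH},
    "ip": {"203.0.113.45"},                 # TEST-NET-3 documentation range
    "domain": {"update-check.example"},     # reserved .example TLD
    "note_text": {"your files have been encrypted"},
}

# Constructed proxy / firewall / endpoint log lines, key=value style.
LOGS = [
    "2024-05-03T09:12:41Z proxy host=ws-finance-02 dst=update-check.example action=allow",
    "2024-05-03T09:12:44Z fw host=ws-finance-02 dst_ip=203.0.113.45 dport=443 action=allow",
    f"2024-05-03T09:15:10Z edr host=ws-finance-02 file=C:\\Users\\clerk\\readme.txt sha256={PLACEHOLDER_HASH}",
    "2024-05-03T09:15:12Z edr host=ws-finance-02 event=file_write content='YOUR FILES HAVE BEEN ENCRYPTED'",
    "2024-05-03T09:20:00Z proxy host=ws-permits-01 dst=www.example.org action=allow",
]

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
HOST_FIELD_RE = re.compile(r"\bhost=(\S+)")


@dataclass(frozen=True)
class Match:
    line_no: int   # 1-based index into the scanned lines
    host: str      # value of the host= field, or "unknown"
    kind: str      # which IoC category fired
    value: str     # the indicator that matched


def scan_lines(lines: Iterable[str], iocs: Dict[str, Set[str]]) -> List[Match]:
    """Return every IoC hit in the given lines, in line order."""
    matches: List[Match] = []
    for line_no, line in enumerate(lines, start=1):
        host_m = HOST_FIELD_RE.search(line)
        host = host_m.group(1) if host_m else "unknown"
        lower = line.lower()

        # File hashes: normalise case before comparing.
        for digest in SHA256_RE.findall(line):
            if digest.lower() in iocs["sha256"]:
                matches.append(Match(line_no, host, "sha256", digest.lower()))

        # IPs: the regex is loose (allows 999.1.1.1), so validate with ipaddress.
        for ip in IPV4_RE.findall(line):
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                continue
            if ip in iocs["ip"]:
                matches.append(Match(line_no, host, "ip", ip))

        # Domains: exact match on the lower-cased hostname token.
        for name in HOSTNAME_RE.findall(line):
            if name.lower() in iocs["domain"]:
                matches.append(Match(line_no, host, "domain", name.lower()))

        # Ransom-note text: case-insensitive substring search.
        for phrase in iocs["note_text"]:
            if phrase in lower:
                matches.append(Match(line_no, host, "note_text", phrase))
    return matches


def affected_hosts(matches: Iterable[Match]) -> Set[str]:
    """Hosts that touched any indicator; these are the isolation candidates."""
    return {m.host for m in matches}


if __name__ == "__main__":
    hits = scan_lines(LOGS, IOCS)
    for m in hits:
        print(f"line {m.line_no}: {m.host} matched {m.kind} {m.value}")
    print("isolate:", sorted(affected_hosts(hits)))
```

On the constructed lines above, four of the five hit (one each for domain, IP, hash and note text) and all four point at the same workstation, so that host is the one to isolate (cable out, power left on) while the permits workstation, which only contacted an unlisted site, stays in service. The design choice worth copying is that each indicator type is normalised (lower-cased hashes and domains, validated IPs) before comparison, so a bulletin's formatting differences do not cause silent misses.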
MFA (Multi-Factor Authentication)
Login that requires two or more verification factors — typically a password plus a code, app, or hardware key.
Why it matters: Hardware-key MFA defeats the most common municipal attacks (credential stuffing, BEC, MFA fatigue). SMS-based MFA is the weakest form and is bypassable via SIM-swap.
Continuity binder
A printed binder with paper forms, phone trees, vendor contacts, and manual procedures for keeping the municipality running when systems are down.
Why it matters: When permitting, billing, and email are encrypted, the binder is what counter staff actually use. Refresh it every council term — five years is the practical limit.
Holding statement
A pre-drafted short public statement used in the first hour of an incident — confirms the situation, says what is and isn't known, and names a next update time.
Why it matters: Speed and discipline matter more than completeness. Three sentences from the CAO at 9:40 beat a press release at 4pm.

Authorities & coordination

MS-ISAC
The Multi-State Information Sharing and Analysis Center — a free CISA-funded service for US state, local, tribal, and territorial governments.
Why it matters: Free 24/7 SOC, malicious-domain blocking, and IR support. Every US municipality should be an active member before an incident.
CCCS (Canadian Centre for Cyber Security)
Canada's national authority on cybersecurity, with dedicated guidance and reporting channels for provincial and municipal governments.
Why it matters: Canadian municipalities use CCCS reporting paths and provincial privacy commissioner notifications instead of MS-ISAC and US state AGs.
Cyber insurance carrier
The insurer that underwrites the municipality's cyber liability policy and coordinates incident response, breach counsel, and forensic costs.
Why it matters: The first call in any incident — they assign an IR firm, breach counsel, and PR support from their panel. Calling them after engaging others can void coverage.
Statutory notification
A jurisdiction-specific legal obligation to notify regulators and/or affected residents when personal data is exposed.
Why it matters: US states, Canadian provinces, and federal regulators each have their own clocks and thresholds — see the Regulations section for jurisdiction-specific paths.