Industries · Government, Education & Critical Infrastructure

Public Sector

Security for institutions that serve the public.

K-12 school districts, local and state government agencies, and critical infrastructure operators face security requirements shaped by public accountability, constrained budgets, and regulatory frameworks built for their specific environments — not adapted from enterprise IT playbooks.

K-12

School district assessments

FERPA

Regulatory alignment

CJIS

Law enforcement compliance

NIST

Framework fluency

Who we serve

Three public sector audiences with one thing in common.

Every engagement in this vertical involves data that belongs to the public, systems that the public depends on, and a reporting obligation that goes beyond a board of directors. That changes what good security looks like.

K-12 School Districts

School districts managing student records, identity systems, and district-wide networks under FERPA, CIPA, and state privacy mandates. Budget-constrained, often understaffed on IT security, and increasingly targeted by ransomware actors who understand that districts pay rather than lose instructional days. Convergent has worked with Michigan school districts directly and through district legal counsel.

Local & State Government

City, county, and state agencies handling constituent data, law enforcement records, benefits systems, and public-facing digital services. CJIS compliance for law enforcement. NIST 800-53 and state-specific frameworks for civilian agencies. Public records obligations and breach disclosure rules that private-sector clients don’t face.

Critical Infrastructure Operators

Utilities, water systems, transportation authorities, and energy operators where IT and operational technology converge. NERC CIP for electric utilities. AWIA for water systems. Environments where a security failure has physical consequences — not just data exposure. Assessment and advisory for organizations building their OT security posture.

What is specific to public sector

Public accountability changes the security calculus.

A breach at a school district isn’t just an IT incident — it’s a headline. A ransomware attack on a city government isn’t just an operational disruption — it’s a public services failure. Generalist firms know the controls. Specialist firms know why those controls matter differently here.

Budget cycles don’t pause for threats

Public sector security work has to be scoped realistically. School districts and municipal agencies operate on fiscal-year budgets approved by boards and councils. Recommendations that don’t account for procurement cycles and appropriations timelines don’t get implemented — no matter how technically correct they are.

Student and citizen data carries legal weight

FERPA governs student records. CIPA governs school internet use. CJIS governs law enforcement data. State privacy laws layer on top. A breach notification obligation that triggers public records access means the incident report itself becomes a public document. The assessment has to be written accordingly.

IT and OT share the same network in ways they shouldn’t

In school buildings, government facilities, and infrastructure environments, operational systems — HVAC, access control, building management, SCADA — are often on the same network as administrative IT. The attack surface is wider than the security team knows, and the blast radius of an incident is larger than a pure IT assessment would find.

Procurement through legal counsel is common

School districts and government agencies frequently engage security assessors through their legal counsel — structuring the engagement to ensure findings are handled according to the client’s legal strategy. Convergent has experience with this engagement model and works with law firms as well as directly with districts and agencies.

Public sector service depth

Six services across three pillars, tuned for public institutions.

The same three-pillar approach — advisory, offensive security testing, and assurance — applied with the frameworks, procurement realities, and reporting obligations that public sector clients actually face.

Assurance

Security Risk Assessment

Comprehensive risk assessments for school districts and government agencies aligned to NIST 800-30, NIST 800-53, and applicable state frameworks. Administrative, physical, and technical safeguard evaluation with remediation prioritized against budget and operational reality.

Assurance

FERPA & CJIS Compliance Assessment

Targeted compliance assessment against FERPA for educational institutions and CJIS Security Policy for law enforcement agencies and agencies with access to criminal justice data. Gap analysis, remediation roadmap, and evidence organization through Sanctum.

Offensive

Penetration Testing

External, internal, and web application testing for school districts, municipal networks, and government agency environments. Testing scoped to minimize operational disruption — conducted with awareness of the instructional calendar, public service continuity requirements, and change management constraints.

Offensive

OT & Building Systems Assessment

Security assessment of operational technology environments in government facilities, schools, and infrastructure operators — including building management systems, access control, HVAC, and SCADA where present. Network segmentation review and IT/OT boundary analysis.

Advisory

Virtual CISO for Public Sector

Fractional security leadership for districts and agencies that need CISO-level guidance without a full-time hire. Policy development, board and council reporting, vendor risk management, and incident response coordination — structured around public sector procurement and governance requirements.

Advisory

Post Incident Review, Forensics & Expert Witness& Digital Forensics

Post incident review, forensic analysis, and expert witness support for ransomware events, data breaches, and unauthorized access incidents in public sector environments. Engageable directly or through legal counsel. Notification support aligned to state breach disclosure requirements and public records obligations.

Ready when you are

Talk to a public sector assessor — not a sales rep.

The first conversation is with a senior practitioner who understands FERPA, CJIS, public procurement, and the operational reality of running security in a district or agency. Whether you’re engaging directly or through legal counsel, bring your context and leave with a clear scope.

Consent Preferences