Protecting critical infrastructure for 5.7 million Californians
Los Angeles (LA) county is one of the most heavily populated counties in the country, with just under 10 million residents. The LA County Sanitation Districts (LACSD) operate one of the largest wastewater systems, serving 78 cities across LA county.
As a steward of infrastructure that’s essential to public health and environmental protection, LACSD exhibits a commitment to operational excellence, fiscal responsibility, and public service. For an organization of this scope, cybersecurity isn't just an IT concern, it's a matter of community safety.
When LACSD sought to compete for the Municipal Information Systems Association of California (MISAC) IT Excellence Awards and strengthen its long-term wastewater treatment cybersecurity posture, the organization needed more than a routine compliance checklist. They needed a partner who could translate complex security frameworks into a strategic, actionable roadmap aligned to its core mission.
Navigating a multi-layered cybersecurity challenge
Communicating cybersecurity gaps to business leaders and the public requires more than raw data. LACSD needed findings that could resonate with executives, board members, and the community, not just technical benchmarks. But this was a complicated endeavor, because LACSD's situation was more complex than a standard cybersecurity assessment. The organization faced several intersecting challenges that required a uniquely tailored approach.
LACSD wanted to pursue the MISAC IT Excellence Award, which required demonstrating comprehensive cybersecurity maturity aligned with industry best practices. The MISAC questionnaire—spanning 101 questions across multiple categories—is mapped to the CIS Controls Implementation Group 2 (IG2) framework, a rigorous international standard. Without deep expertise in both frameworks, LACSD had no way to know where they stood or how to present their security posture effectively.
This meant that LACSD required both a maturity assessment (measuring current state) and a compliance assessment (identifying gaps against CIS IG2 standards) simultaneously. Running these two evaluations in parallel, without disrupting daily operations, added significant complexity to the engagement. Like many municipal agencies, LACSD's IT team had limited capacity and budget to take on a complex, multi-framework security project. Internal staff lacked the specialized expertise to bridge MISAC requirements and CIS Controls—and the stakes were too high to get it wrong.
Water and wastewater systems are designated as critical infrastructure under Presidential Policy Directive 21, making this cybersecurity challenge even higher stakes. Cyberattacks on water utilities have increased dramatically in recent years, with high-profile incidents demonstrating significant consequences for communities. Wastewater treatment cybersecurity has never been more important. Any security gap at LACSD wasn't an abstract risk—it was a potential threat to millions of residents.
A proprietary solution built for LACSD's unique needs
LACSD partnered with CAI to help them with these unique cybersecurity challenges. CAI developed a customized methodology specifically for critical infrastructure security and this engagement; no off-the-shelf tool or generic assessment could replicate it.
Before the assessment began, CAI conducted kickoff training for LACSD staff on GRC fundamentals, CIS Controls, and MISAC requirements—ensuring meaningful participation throughout the process.
Evidence was gathered through structured interviews, document reviews, and technical inspections (including penetration testing) designed to minimize operational disruption. The result: a submission-ready documentation packet built collaboratively with LACSD staff.
CAI created a comprehensive mapping between all 101 MISAC questionnaire items, 86 of the 130 CIS IG2 safeguards, and LACSD's own Mission and Values statements. This meant a single assessment effort could simultaneously serve the MISAC award submission, advance CIS compliance objectives, and speak directly to LACSD's organizational strategy. Rather than treating security as a separate technical function, CAI connected it to the outcomes LACSD's leadership already cared about.
CAI evaluated LACSD across Governance, Technology, and Operations dimensions—moving beyond a surface-level checklist to understand how critical infrastructure security controls function in practice. This holistic view uncovered gaps that siloed assessments would miss. The engagement simultaneously assessed process maturity (rated across five levels from “initial” to “optimized”) and control compliance (from “not started” to “operational”). This dual lens gave LACSD both a realistic picture of where they stood today as well as a clear, prioritized path to where they needed to be.
Using NIST SP 800-30 methodology, CAI risk-ranked all observations from “critical” to “low”, so LACSD could direct their limited resources to areas with the highest impact of improvements first. This transformed what could have been an overwhelming list of gaps into a manageable and strategic action plan.
CAI delivered findings in formats tailored to every audience—detailed technical observations for IT staff, an executive summary and interactive dashboards for leadership, and MISAC-formatted responses ready for direct submission to the award program. No translation required.
From unknown eligibility to a comprehensive roadmap
The results of CAI's engagement gave LACSD something it had never had before: a clear, documented picture of its cybersecurity posture—and a prioritized plan to improve it. This included:
Beyond the metrics, the qualitative outcomes were equally significant. For the first time, LACSD's IT staff, management, and executives shared a unified understanding of the organization's wastewater treatment cybersecurity posture, anchored to their mission of public service and operational excellence. Security was no longer a technical issue isolated within the IT department; it became a business priority with executive visibility and board-level relevance.
The strategic roadmap CAI delivered gave LACSD a prioritized, multi-year plan with realistic timelines and resource requirements. This went well beyond gap identification to provide a concrete, sequenced path forward. Every finding came with specific, implementable recommendations. By aligning security investments to LACSD's values of fiscal responsibility and public accountability, CAI gave leadership the evidence-based justification needed to support future security budget requests.
Security maturity as a public commitment
The work CAI completed with Los Angeles County Sanitation Districts demonstrates how a tailored critical infrastructure security assessment can deliver strategic value that extends far beyond compliance checkboxes. By developing a proprietary mapping between MISAC, CIS frameworks, and LACSD's own mission and values, CAI enabled the organization to pursue award recognition while simultaneously building a foundation for sustained, long-term security improvement. The result is a comprehensive roadmap that protects LA County Sanitation Districts from wastewater treatment cybersecurity risks, while also protecting this critical infrastructure serving 5.7 million Californians.
Interested in learning how CAI can help you achieve your security objectives while meeting compliance requirements and industry standards? Fill out the form below.
