Another issue is that a lot of these malicious actors will mask their affiliations. They will purposely hide that they're affiliated with a state entity or military entity, so it requires a bit of research and work. I think this is what Professor Fung was saying, that university research offices could take on a part of that responsibility and vet which entities are at risk.
However, ultimately, nothing would beat a federal guideline on who these entities are that have state and military affiliations, and they would provide that information to state and military entities for their use.