Governor Charlie Baker recently took steps to strengthen cybersecurity in Massachusetts by signing an executive order on December 14, 2022, creating an advisory panel to improve the state’s cyber defense. The new state task force will assess existing resources, develop contingency plans, and identify strategies for preventing future cyberattacks. The goal of the task force is to ensure that the Bay State is at the forefront of the ever-evolving cybersecurity landscape. With cyber threats becoming increasingly sophisticated, it’s crucial for the state to stay ahead of the curve. The panel will study existing protocols, assess the state’s current level of preparedness, and recommend ways to improve security measures.
The executive order will also create a Cybersecurity Incident Response Team (MA-CIRT), which will consist of state leaders from the public and private sectors, including representatives from the Governor’s Office, the Massachusetts State Police, the Department of Telecommunications and Cable, the Commonwealth Fusion Center, the Department of Security, and the Massachusetts Emergency Management Agency. MA-CIRT will be led by the Secretary of the Executive Office of Technology Services and Security (a position currently held by Curt Wood).
Additionally, the Executive Order:
- Requires MA-CIRT to review cybersecurity threat information and vulnerabilities to make informed recommendations and establish appropriate policies to manage the risk of cyber incidents for executive department agencies and all other state agencies served by EOTSS.
- Requires MA-CIRT to develop and maintain an up-to-date Cyber Incident Response Plan, which will guide the actions of the Commonwealth’s key public safety and information security and technology teams, state agency resources, and security professionals in responding to and minimizing the impact of significant cybersecurity threats to Commonwealth systems. The Plan is required to be submitted annually to the Governor for review and approval.
- Empowers the EOTSS Secretary to serve as MA-CIRT lead, with the approval of the Governor, to direct MA-CIRT in response to a significant cyber incident.
- Requires the routine exchange of information related to cybersecurity threats and reported incidents between the Commonwealth Fusion Center and the Commonwealth Security Operations Center.
- Requires EOTSS and MA-CIRT to consult with the Massachusetts Cyber Center and assist the Center with efforts to foster cybersecurity resiliency through communications, collaboration, and outreach to state agencies, municipalities, educational institutions and industry partners.
- Requires executive department agencies to comply with protocols and procedures established by MA-CIRT and all related policies, standards and Administrative Directives issued by EOTSS.
- Requires Commonwealth executive department agencies and other state agencies served by EOTSS to identify and report significant cybersecurity incidents and coordinate efforts to mitigate and prevent further damage from cyber incidents.
- Requires all executive department personnel to annually complete the EOTSS-approved security awareness training program administered by the Human Resources Division.
- Strongly encourages other governmental entities throughout the Commonwealth not served by EOTSS to report cybersecurity threats or incidents to the Commonwealth Security Operations Center.