Administrative Directive 2022-1: Security Incident Reporting

Date: 02/01/2022
Organization: Executive Office of Technology Services and Security
Referenced Sources:
  M.G.L. Ch. 7D Section 2
  M.G.L. Ch. 7D Section 3
  M.G.L. Ch. 7D Section 4
  M.G.L. Ch. 7D Section 4B


Authority

M.G.L. c. 7D, § 2:

There shall be an executive office of technology services and security that will be an executive office within the meaning of section 2 of chapter 6A. The office shall be administered by a secretary who shall be appointed by the governor and who shall supervise all activities concerning information technology of state agencies. The Governor may designate the secretary of the executive office of technology services and security as the chief information officer for the commonwealth. If the Governor does not designate the secretary as the chief information officer, the secretary shall, notwithstanding section 45 of chapter 30 and chapter 31, subject to the approval of the governor, appoint a chief information officer who shall report to the secretary and serve at the pleasure of the secretary. Notwithstanding any general or special law, rule, regulation, executive order, policy or procedure to the contrary, all executive department agencies shall, and other state agencies may, adhere to the policies, procedures and objectives established by the executive office of technology services and security with respect to activities concerning information technology.


M.G.L. c. 7D, § 3:

“(a) The [Executive Office of Technology Services and Security] shall have all powers necessary or convenient to carry out its duties including, but not limited to, the power to: …
(vi) oversee and supervise the maintenance of information technology and the initiation of information technology updates or projects for state agencies;
(vii) initiate procurements of information technology resources for state agencies and enter into agreements or contracts in connection with such procurement on behalf of a state agency or other political subdivision of the commonwealth;
(viii) set policy regarding all procurements of information technology resources;
(ix) review and approve the information technology budget requests of a state agency and IT spending priorities of executive offices and agencies within any executive office;
(x) implement standards for product or service specifications, characteristics or performance requirements of IT resources that increase efficiency and improve security and identify opportunities for cost savings within state agencies based on such standardization; specifically, the office may implement the following: (a) the centralized acquisition and standardization of specifications for desktop computing equipment; (b) consolidation and centralized management of all network resources for the executive department; (c) the consolidation of information technology infrastructure; and (d) following consultation with the secretary of the executive office and the head of the agency or department within the executive offices, effectuate the centralization of other IT services and functions when centralization or standardization will promote greater security, improve service, or reduce costs; …
(b) The office may issue administrative directives pursuant to the authority set forth in this chapter, which shall be binding on all executive department agencies and offices.”


M.G.L. c. 7D, § 4:

The secretary shall, notwithstanding section 45 of chapter 30 and chapter 31, appoint a qualified individual to serve as an enterprise chief information security officer (CISO) for the commonwealth who shall serve at the pleasure of the secretary. The CISO shall advise the secretary and the CIO on preventing data loss and fraud and protecting privacy. The CISO shall ensure all existing IT policies applicable to executive offices and agencies reflect best practices related to security and privacy.


M.G.L. c. 7D, § 4A:

The secretary may, notwithstanding section 45 of chapter 30 and chapter 31, appoint a qualified individual to serve as the chief data officer for the commonwealth, who shall serve at the pleasure of the secretary. Notwithstanding any general or special law, rule, regulation, executive order, policy or procedure to the contrary, the chief data officer shall develop administrative directives to govern the use, storage, collection, and dissemination of data assets for the executive department, and shall develop procedures for facilitating, where appropriate, resolution of disputes between or among agencies, departments, and executive offices regarding the use and sharing of data. The chief data officer shall have the role of promoting and facilitating, subject to all applicable federal and state laws, rules, and regulation, the sharing and use of data assets of the commonwealth in support of data-driven policymaking, research, analysis, study, or economic development.


Definitions

Chief Information Officer: or “CIO”, the chief information officer of the Commonwealth.

Information technology: or “IT”, hardware, software, telecommunications equipment and related services designed for the storage, manipulation, and retrieval of data by electronic or mechanical means including, but not limited to, personal computers, mainframes, wide and local area networks, servers, mobile or portable computers, peripheral equipment, telephones, wireless communications, handheld devices, cloud-based application and platform services, public safety radio services, facsimile machines, data centers, dedicated training facilities and switching facilities.

Secretariat Chief Information Officer: or “SCIO”, the person responsible for technology services, security, and information technology in each executive office other than the Executive Office of Technology Services and Security, who reports to both the Secretary of Technology Services and Security and the Secretary of the Executive Office for whose technology services the SCIO is responsible.

Security Incident: any event which has the potential or has already resulted in the unauthorized acquisition, misappropriation, use or manipulation of information that compromises the confidentiality, integrity, or availability of the Commonwealth’s information assets. See IS.009, Section 6.3 regarding identification of information security incidents.

Security Information and Event Management: or “SIEM”, references technology that supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources. The core capabilities are a broad scope of log event collection and management, the ability to analyze log events and other data across disparate sources, and operational capabilities (such as incident management, dashboards, and reporting).

Security Incident Response Team: or “SIRT”, the individuals, organizations or vendors designated by the SOC Director to respond to security incidents. See IS.009, Section 6.2.

Security Operations Center: or “SOC”, is an information security organization with capacity and responsibility for monitoring and analyzing the state's security posture and for detecting, analyzing, and responding to cybersecurity incidents. The SOC coordinates with municipal, state, and federal agencies – as well as others in the event of a cybersecurity incident as needed – sharing information and resources as appropriate for optimal response. The Executive Office of Technology Services and Security (EOTSS) has established a Commonwealth Security Operations Center, under the authority and management control of the CIO. SOC operations may include representation from and participation by SCIOs, or their designees, and other partners as directed or agreed to by the CIO.

State agency: a legal entity of state government established by the general court as an agency, board, bureau, commission, council, department, office or division of the commonwealth with a specific mission and which is subject to the control of the governor or whose administration has been solely appointed by the governor.

Security Incident Reporting and Response

Effective immediately, all state agencies as defined above must adopt and implement security incident reporting and response procedures. These procedures must align with and adhere to the Enterprise Information Security Policies and Standards established by EOTSS – more specifically IS.009, which sets the Information Security Incident Management Standard.

Further details regarding the protocol for reporting security incidents to the SOC and the subsequent response framework are outlined below.

Security Incident Reporting

Security incident reporting and response procedures adopted pursuant to this directive and IS.009 shall include all reporting requirements applicable to the relevant state agency and the mechanism by which the state agency will notify its leadership, and respective SCIO if applicable.

• All known security incidents shall be reported immediately to agency leadership and the respective secretariat SCIOs or their designee, who will then notify the SOC via the process established by the CIO. Individuals reporting to the SOC should provide as much detail as possible about the security incident. Timely reporting of security incidents is critical to the Commonwealth’s efforts to protect, respond, mitigate, and recover from security threats.

• SCIOs, or their designees, should notify the SOC as soon as reasonably possible of any contact with local, state, or federal law enforcement agencies. Communications should be coordinated through the SOC, which maintains cooperative and direct business relationships with the Executive Office of Public Safety and Security (EOPSS), Massachusetts State Police (MSP), Commonwealth Fusion Center (CFC), Department of Homeland Security (DHS), Critical Information Security Agency (CISA), and the Multi-State Information Sharing Analysis Center (MS-ISAC). Informed and coordinated information sharing is necessary to ensure an appropriate, effective, and timely incident response framework is operationalized.

• State agencies not within a Secretariat organizational structure, but obligated under this directive, shall ensure that an equivalent to the SCIO position (agency CIO, IT Director, Security Director, etc.) is made aware of all security incidents, and that this individual (or individuals) ensures that the same policies, processes and procedures as are outlined above are followed and adhered to.

Security Incident Response

• Upon notification of a security incident, the SOC will evaluate the reported information to determine severity, priority, and required action to address and mitigate the threat.

• The SOC will maintain a record of all actions – including incident tracking through resolution – and report incident status updates to relevant entities at intervals established by protocol or at the direction of the CIO or SOC director.

• The SOC will maintain routine, collaborative communications and response actions with SCIOs (or their designees) and other partners as needed to resolve the security incident.

• The SOC may stand up and deploy a SIRT comprised of multiple personnel and vendors from within EOTSS, secretariats, state agencies, and other partners.

• SCIOs, or their designees, should notify the SOC of any external communications to nonexecutive branch agencies or law enforcement regarding the incident at issue.

• Executive Branch agencies requesting external assistance from outside agencies, law enforcement, or third-party vendors must notify the SOC to enhance awareness and response coordination. IT and security vendors, currently under contract or supporting the Commonwealth environment, are not subject to this approval. These vendors are already included in our response and mitigation framework.

• Depending on the size and severity of the security incident, the SOC may authorize and request additional assistance and cooperation from local, state, and federal resources – to include (but not limited to) state and federal law enforcement and intelligence organizations, state and federal IT and security organizations, and the IT security vendor community.

• To assist in operations and resolve security threats, the SOC may host external resources within the SOC or assign personnel to other agencies or organizations as needed.

• The SOC will maintain an active and cooperative working relationship with the Commonwealth Fusion Center and the Multi-State Information Sharing Analysis Center (MS-ISAC) to share and analyze critical information pertaining to trends and threats.

• If the SOC determines a security incident to be a “major incident”, the EOTSS Major Incident protocols will be implemented and followed.

• If a security incident escalates to a level that is beyond the direct capabilities of the SOC, the SOC will engage partner entities, including but not limited to state or federal public safety agencies, homeland security, and cyber security organizations. The SOC Director, at the direction of the Commonwealth CIO, will maintain a leadership role and command of executive branch IT resources, response, and mitigation efforts – in alignment with the command leadership of other participating entities.

• The SOC Director shall ensure that the appropriate EOTSS leadership personnel are kept apprised of any security incidents that are presenting a breach of data, loss of data, or any compromise that threatens the security and integrity of Commonwealth data, systems, or assets.

Communications

• The SOC must be notified of any internal communications to a state agency relating to a security incident.

• State agencies are expected to follow their respective security incident reporting and response plans, including notifying state, federal, or other official entities as defined in applicable law, regulation, or policy. The SOC shall be notified of any external communications relating to any government or non-government entity that relates to a Commonwealth security incident.

• No information about a security incident shall be released to the public (including the media) without the express consent of the relevant secretariat leadership and the CIO.

• Applicable Executive Branch communication teams shall be kept apprised of any incidents that may result in public interest or disclosure.

SOC Monitoring and Alerting

• The SOC, pursuant to the direction of the CIO, continuously scans and monitors Commonwealth information systems and operating environments to detect, analyze, and mitigate security threats, through the deployment of multiple security technology platforms and services.

• The SOC will timely alert and communicate critical information and security threats to state agencies and other entities.

• The SOC will provide routine reporting of trends, threats, and security incidents through a formalized and collaborative communications platform.

Implementation

SCIOs are responsible for policy compliance for their secretariats and respective agencies.

For non-executive branch agencies that are obligated to report under this directive, agency leadership shall designate the appropriate staff member with similar responsibilities as the SCIO positions. These designees are expected to coordinate and manage the security incident reporting process on behalf of their respective organizations.

Non-executive branch agencies may report incidents under this directive.

Policy Change Control

Version Number | Revised by  | Effective date | Description of changes
1.0.0          | Curtis Wood | 2/1/22         | First version of Security Incident Reporting

Report security incidents by sending email to: eotss-soc@mass.gov
