|Mass Register:||No. 1486|
Table of Contents
WHEREAS, cybersecurity threats are increasing in volume and sophistication, and it is imperative that the Commonwealth monitor and respond to the resulting risks in order to protect the Commonwealth’s technology networks and critical infrastructure from acts of terrorism and criminal activity; and
WHEREAS, the Commonwealth has experienced a dramatic increase in active threats against its state web sites and network in recent months, including frequent denial of service attacks aimed at disrupting government operations and increasing attempts to compromise government information systems and to steal individual credentials; and
WHEREAS, the Commonwealth operates and relies on critical technology, infrastructure, security and data systems for the purpose of ensuring public safety, public health, and the well-being of our communities, and Commonwealth agencies maintain confidential and sensitive data including Personally Identifiable Information, Federal Tax Information, health data, criminal justice information, and public safety data, and financial data; and
WHEREAS, cybersecurity breaches have the potential to interfere with the Commonwealth’s delivery of essential public services to the people of Massachusetts, threaten the confidentiality, integrity, and availability of critical data, and cause significant economic disruption; and
WHEREAS, in response to these growing risks, the Commonwealth must identify, protect against and respond to cybersecurity threats aimed at causing harm to the continuity of government services, public safety, public health, and economic security; and
WHEREAS, effective prevention and response require that Commonwealth executive department agencies and other state agencies served by the Executive Office of Technology Services and Security identify and report significant cybersecurity incidents and coordinate efforts to prevent and mitigate damage from cyber incidents; and
WHEREAS, pursuant to General Laws Chapter 7D, the Executive Office of Technology Services and Security is charged with supervising all activities related to information technology, digital services, and information security and privacy and with ensuring the confidentiality, integrity, and availability of data, information technology systems, applications, infrastructure, and networks for the executive department and any other state agencies for which it provides computer and digital services;
NOW, THEREFORE, I, Charles D. Baker, Governor of the Commonwealth of Massachusetts, by virtue of the authority vested in me by the Constitution, Part 2, c. 2, § 1, Art. 1, do hereby order as follows:
Section 1. The Massachusetts Cyber Incident Response Team (MA-CIRT) is hereby established. The mission of the MA-CIRT is to enhance the Commonwealth’s ability to prepare for, respond to, mitigate against, and recover from significant cybersecurity incidents. Members shall include at least one representative from each of the following entities: the Executive Office of Technology Services and Security (EOTSS), the Commonwealth Security Operations Center, the Executive Office of Public Safety and Security, the Massachusetts State Police Cyber Crime Unit, the Commonwealth Fusion Center, the Massachusetts National Guard, and the Massachusetts Emergency Management Agency.
The Secretary for EOTSS shall lead the MA-CIRT and shall determine the frequency of its meetings.
The MA-CIRT shall review cybersecurity threat information and vulnerabilities to make informed recommendations to and establish appropriate policies to manage the risk of cyber incidents for all executive department agencies and all other state agencies served by EOTSS. CIRT recommendations, policies, and directives shall be informed by information and best practices obtained through the established information sharing network of local, state, national, federal and industry partners in which MA-CIRT member agencies regularly participate.
Section 2. The MA-CIRT shall develop and maintain an up-to-date Cyber Incident Response Plan for the Commonwealth, which shall annually be submitted to the Governor for review and approval. The Plan shall ensure the Commonwealth’s executive leadership is regularly informed of ongoing and pending cybersecurity incidents or threats and shall guide the Commonwealth’s key public safety and information security and technology teams in deploying state agency resources and security professionals in rapidly responding to and minimizing the impact of significant cybersecurity threats to executive department agencies and all other state agencies served by EOTSS.
Section 3. The MA-CIRT will use a risk management approach when assessing the vulnerabilities of critical infrastructure and primary impact areas. The Risk analysis shall include, without limitation, consideration of the importance of ensuring continuity of government and government services, public safety, public health, economic security, and the risk of any loss of public confidence potentially resulting from significant cybersecurity incidents. The MA-CIRT shall regularly review potential cybersecurity threats to executive branch agencies and all other state agencies served by EOTSS and make risk-informed recommendations to address these risks to the Governor on at least an annual basis.
Section 4. In the event of a significant cyber incident that threatens or results in a material impairment of the infrastructure or services of an executive department agency, the Secretary of EOTSS shall serve as the MA-CIRT lead and, with the Governor’s approval, will direct the MA-CIRT in any response. Other secretariats and executive agencies shall collaborate with and assist the MA-CIRT as needed. Representatives from agencies and entities that are not regular MA-CIRT members may be included in the response to a significant cyber incident as determined by the Secretary of EOTSS.
Section 5. Executive department agencies shall comply with all protocols and procedures established by the MA-CIRT and all related policies, standards and Administrative Directives issued by EOTSS pursuant to General Laws Chapter 7D, Section 3(b). In order to ensure proper reporting of cybersecurity incidents, all executive department agencies and all other state agencies served by EOTSS shall make reports of cybersecurity incidents according to the protocol established by EOTSS in Administrative Directive 2022-1 or any superseding directives. Consistent with Directive 2022-1, the Secretariat Chief Information Officer or equivalent responsible officer for an agency served by EOTSS shall immediately report any known cybersecurity incident to the Commonwealth Security Operations Center, operated by EOTSS. The Commonwealth Security Operations Center will inform the MA-CIRT of all reported security threats or incidents.
Section 6. The Massachusetts State Police Commonwealth Fusion Center, in the Executive Office of Public Safety and Security, and the Commonwealth Security Operations Center, in EOTSS, shall routinely exchange information related to cybersecurity threats and incidents that have been reported to or discovered by their respective organizations or to the Cyber Incident Response Team.
Section 7. EOTSS and the MA-CIRT shall consult with the Massachusetts Cyber Center and assist the Center with efforts to foster cyber security resiliency through communications, collaboration, and outreach to state agencies, municipalities, educational institutions, and industry partners.
Section 8. Other state governmental entities, including state agencies outside the executive department, independent agencies and constitutional offices, and municipalities not served by EOTSS, are strongly encouraged to report cybersecurity threats or incidents to the Commonwealth’s Security Operations Center consistent with the protocol established by Administrative Directive 2022-1 or any superseding directives.
Section 9. All executive department personnel are required annually to complete the EOTSS approved security awareness training program administered by the Human Resources Division.
This Executive Order is effective immediately and shall continue in effect until amended, superseded, or revoked by subsequent Executive Order.
Given at the Executive Chamber in Boston this 14th day of December in the year of our Lord two thousand twenty-two and of the Independence of the United States of America two hundred forty-six.