Enterprise Policies, Standards, & Guidelines

IT Policies, Standards, and Guidelines for Executive Branch Agencies

Pursuant to M.G.L. c. 6A, § 7A, and M.G.L. c. 7D, EOTSS has established policies, standards, and guidelines as part of its Standard Operating Environment (SOE) for the procurement, delivery, and support of information technology systems and services across the Commonwealth’s Executive Branch agencies.

Collectively, the policies, standards, and guidelines that make up the SOE help protect the confidentiality, integrity, and availability of the Commonwealth's data and information systems. Agency business and IT leadership are expected to be knowledgeable and compliant with all policies, standards, and guidelines.

Please note: While non-Executive branch agencies are not required to follow defined EOTSS policies, standards, and guidelines, compliance is recommended.

Administrative Directives & CIO Guidance

Administrative Directives issued by the EOTSS Secretary/CIO

Pursuant to M.G.L. c. 6A, § 7A, and M.G.L. c. 7D, the EOTSS Secretary and CIO for the Commonwealth has issued administrative directives that apply to all executive branch agencies and end-users.


Commonwealth CIO Guidance and Memoranda

Enterprise guidance and memos issued by the EOTSS Secretary/Commonwealth CIO and EOTSS Executive Leadership.


Enterprise Risk & Security

Enterprise Information Security Policies and Standards

At the direction of the EOTSS Secretary/CIO and the Commonwealth’s Chief Information Security Officer, the EOTSS Enterprise Security Office is responsible for writing, publishing, and updating all Enterprise Information Security Policies and Standards that apply to all Executive Department offices and agencies.

These policies include, but are not limited to, policies for Acceptable Use, Access Management/Passwords, Communication and Network Security, Information Security Incident Management, Information Security Risk Management, and Vulnerability Management.


Security Information and Event Management (SIEM)

EOTSS has standardized on and is implementing a SIEM throughout the Commonwealth enterprise. All executive branch entities and other state agencies as determined by the Secretary/CIO of Technology Services and Security under Chapter 7D are required to comply with this program. There will be corresponding Administrative Directives published in support of this program.

The Logging and Event Monitoring Standard documents the requirements for security monitoring and event management to detect unauthorized activity on Commonwealth information systems. EOTSS centrally manages a standard platform that continues to incorporate data sources to capture, index, and correlate real-time security information and events in a searchable repository from which graphs, reports, dashboards, visualization, and alerts are generated and can be acted upon.


Security Vulnerability Management Program (VMP)

EOTSS has standardized on and is implementing a VMP throughout the Commonwealth enterprise. All executive branch entities and other state agencies as determined by the Secretary/CIO of Technology Services and Security under Chapter 7D are required to comply with this program. There will be corresponding Administrative Directives published in support of this program.

Centrally, EOTSS currently leverages vulnerability management solutions that identify, evaluate, treat, and report on security vulnerabilities in systems and the software that runs on them.


Reporting a Suspected Cyber Security Threat for State Employees

To report a security incident, contact the EOTSS Information Security Office by submitting an incident ticket using the Service Now platform or call the EOTSS Service Desk directly at (844) 435-7629. An incident is any event that threatens the security, confidentiality, integrity, or availability of Commonwealth of Massachusetts assets (electronic or paper), information systems, and/or the networks that deliver the information.


EOTSS Information Governance Framework

The EOTSS “Information Governance Framework” and Information Governance Program provides independent planning, execution, and management of the necessary policies, standards, practices, technologies, and tools to support our information lifecycle, risk, and compliance needs at an enterprise level.


Commonwealth Web Content Filtering Service

The EOTSS Web Content Filtering service is a secure internet and web gateway delivered as a service from the cloud. The service prevents access to unauthorized sites, like Social Media, pornography, or other undesired categories. The service also automatically blocks sites that are known to contain malware.


End User Security Awareness Training

EOTSS currently requires all Executive Branch employees to take Annual Cybersecurity Awareness Training. Additionally, all new hires must take an Information Security Awareness Course within their first 45 days as new employees. This policy also applies to certain non-Executive Branch employees who may have access to Commonwealth systems. EOTSS partners with the state Human Resources Division (HRD) to administer and deliver this training.


Device Encryption

Microsoft BitLocker offers enhanced protection against data theft or data exposure for computers that are lost or stolen. BitLocker encrypts all data that is stored on the Windows operating system volumes and drives and configured data drives.


Anti-Malware/Antivirus Standard

The EOTSS standard is Microsoft Defender, which will be leveraged as an anti-malware/antivirus component integrated with Windows. This product is replacing all other antivirus software.


Mobile Device and Mobile Application Management

Microsoft Endpoint Configuration Manager (formerly SCCM and Intune) will be leveraged to securely manage iOS, Android, and Windows devices with a single endpoint management solution while on or off the Commonwealth network. This will streamline and automate deployment, provisioning, policy management, application delivery, and updates to end user devices. This solution will address mobile device management for Commonwealth-owned devices, and mobile application management for personally owned devices that access Commonwealth resources. Other products will be retired and will no longer be authorized as a mobile device management tool.


Device Advanced Threat Protection

The Commonwealth will centrally leverage Microsoft Defender Advanced Threat Protection as an enterprise endpoint security platform. Defender is designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Additionally, Microsoft Defender for Office 365 will be leveraged to safeguard the Commonwealth against malicious threats posed by email messages, links (URLs), and collaboration tools.


Commonwealth Secure Email System Terms of Use

The Commonwealth Secure Email System is for use by Commonwealth staff, contractors, and administrators who need to ensure specific messages they send are encrypted. It is not intended for use as a regular email client.

End User & IT Help Desk Support

EOTSS End User Support Services

EOTSS provides IT support for end-users as well as Agency and Secretariat IT staff through deskside support and the Help Desk.


ServiceNow

ServiceNow is the standard for Information Technology Service Management (ITSM) and will eventually be the consolidated ITSM platform. ServiceNow offers users the following functionality: a service catalog to request services, incident management, online chat functionality to speak with the service desk, asset management, change management, a knowledge base for self-service, security incident reporting, and governance, risk, and compliance.


Enterprise Print Services

EOTSS is developing an Enterprise Print service to eliminate desktop printers, set a standard for remote printing, prioritize digital solutions, support a mobile workforce, improve business continuity, enhance security, and reduce environmental impact and cost.


Personal End-User Devices

EOTSS prohibits the use of personal devices to access state applications and systems. Previous accommodations for such devices had been made during the pandemic emergency response. However, new device deployments and in-place upgrades under the Modern Workplace Program have provided remote/hybrid employees with a single, state-owned device (laptop). Exceptions may be made on a case-by-case basis, as warranted.


Home Printers

Home printers are not included in the standard technology setup. EOTSS is currently allowing home printers on a case-by-case basis if approved by agency leadership and CIOs. However, EOTSS only supports printer set up and installation of drivers for our supported agencies (see https://www.mass.gov/how-to/request-help-with-a-computer-problem to find out if your agency is currently supported by EOTSS) – EOTSS will not support other printer issues such as ink and toner requests.

Staff not currently supported by EOTSS should reach out to their respective IT staff for further guidance on their agency positions with respect to home printers and support.

Additional guidance and standards relative to Home Printers are forthcoming as part of the Enterprise Print Services program.


End User Hardware & Software Standards

EOTSS Hardware Standards

The Commonwealth is moving to a “one-device” model for the standard employee technology set up. Upon completion of the Modern Workplace Program, most Executive Branch employees will only require one device (a laptop by default). Additionally, each employee will receive one docking station, monitor, keyboard, and mouse. There are (of course) business case, accessibility, and user-based exceptions to the standard set up. Please note agencies can purchase and deploy enhanced laptops, additional monitors, assistive technology, and other equipment based on demonstrated need.


EOTSS Software Standards

All new devices will come pre-loaded with the new standard software set up: Windows 10, Microsoft Office Pro Plus, OneDrive for Business, SharePoint and Teams (Office 2016/365 Click-to-Run requires a Microsoft M365 G3 license) – as well as other tools such as the Adobe product suite. As with hardware, there will continue to be business case, accessibility, and user-based exceptions.


EOTSS Product and Service Catalog

Users and IT staff can use the catalog in ServiceNow to provision new users, request VPN accounts or Microsoft/Adobe/other standard products, tools, and services as needed.


Microsoft M365 G3 and Mailbox Licensing Guidance

EOTSS intends to offer three (3) mailbox licensing levels:

  1. Full M365 G3, which includes access to Office Pro Plus, Exchange Online, SharePoint Online, and Teams;
  2. Exchange Online Plan 2, which includes access to Exchange Online (Email) only;
  3. “No” license

This guidance will help to determine the appropriate license for business needs.


Asset Decommission and Disposal

The EOTSS Asset Management team provides support for asset decommissioning and disposal, for both hard drives/memory sticks and computer peripherals, in accordance with the MA Operational Services Division (OSD) policies and procedures governing the Disposition of Surplus State Property.


Asset Management Standard

The Asset Management Standard outlines requirements for the handling, classification, and disposal of information by the Commonwealth of Massachusetts. It is part of the EOTSS Enterprise Security Policies and Standards.


Access Management

Access Management Standard

The Access Management Standard sets policy standards for implementing user access management, network access control, and system authentication control in order to protect the Commonwealth's information assets and network services. It is included within the Enterprise Information Security Policies and Standards.


Commonwealth VPN Service

The Commonwealth's VPN service is available to the Commonwealth of Massachusetts Executive Branch and certain non-Executive Branch agencies and their authorized business partners. A Virtual Private Network (VPN) enables remote users to communicate securely and confidentially over a public network (i.e., the Internet) to protect resources within the Commonwealth of Massachusetts and its Wide-Area-Network (MAGNET). Remote Access VPN establishes an encrypted tunnel through which all data is securely transmitted, so that remote users can communicate confidentially over a public network such as the Internet.


Identity Access Management

A consolidated Active Directory (AD) environment leveraging Microsoft Azure AD is being implemented across the enterprise. Azure AD provides a single identity platform for internal and external users, with single sign-on that allows access to Commonwealth applications from anywhere. Azure AD also provides conditional access and multi-factor authentication to help protect and govern access. Azure AD MFA will replace all other identity access management platforms.


Multi-factor Authentication (MFA)

Multi-factor authentication (MFA) is a secure authentication method in which users are required to show more than one type of identification to gain access to online services and applications.


Communication & Network Services

Communication and Network Security Standard

The Communication and Network Security Standard details requirements for network security management, remote access security management, third-party network access, and secure file transfer by the Commonwealth of Massachusetts. It is included within the Enterprise Information Security Policies and Standards.


Cabling Standards

EOTSS Telecommunication and Network cabling standards for Executive Branch Agencies.


Facility Planning and Timeline Considerations

The EOTSS defined standards and required lead time for facility planning include (but are not limited to) guidance and timelines for Network and WiFi installation, end-user hardware and device procurement to deployment, and MassVoice procurement to installation. PLEASE NOTE that timeline delays can be expected due to current increased demand and global supply chain issues.


MassVoice

Any Executive Branch agency requiring new or upgraded voice solutions will be required to join the MassVoice Enterprise Solution as part of the Standard Operating Environment. Over the next 2 years, all Executive Branch agencies will be migrated to the MassVoice platform. MassVoice is a secure, Private-Cloud Unified Communications service tailored exclusively to Massachusetts State and Local government clients. Currently managed by New Era Technology this service remains the EOTSS enterprise standard Unified Communications solution.


Secure WiFi Standards

The EOTSS Secure WiFi Standards refer to dedicated Commonwealth wireless local area network access at various Commonwealth agency locations. The service is built in a manner to ensure that only authorized devices can access Commonwealth resources. These security measures are in place to guard against unauthorized access to secure SSIDs and the capturing of user data over the air.


Collaboration & Conferencing Tools

Microsoft Teams

EOTSS has established Microsoft Teams as the enterprise standard for the Executive Branch Agency business collaboration and conferencing software platform. This application is part of the Microsoft Office 365 product suite and is included in the cost of the Microsoft licensing agreement.


Acceptable Use of Zoom and other Collaboration Tools

While Microsoft Teams is the enterprise standard for the Executive Branch business collaboration software platform, agencies may utilize Zoom, GoToMeeting, and similar tools if Teams cannot meet their unique business needs or those of their employees and constituents.


Intranet Solutions

For agencies interested in Intranet solutions, SharePoint Online is the EOTSS standard. SharePoint licensing costs are covered under the Commonwealth’s Microsoft Office 365 licensing agreement.


eSignature Tools

Adobe Sign

Adobe Sign is the enterprise solution e-signature platform. It is recommended that each executive branch agency determine if Adobe Sign is something that can be deployed within their agency and across their business operations. An Adobe Sign license is only required for individuals who will be initiating transactions – not for users who will be signing. An Adobe Sign Administrator is required to be assigned for each agency/Secretariat that wants to offer Adobe Sign to their end users.


Hosting & Infrastructure

Hosting

EOTSS maintains responsibility and authority for establishing standards and guidelines for infrastructure and hosting services. These standards are currently under review and will be published as soon as possible. In the interim, if you have questions on Hosting and Infrastructure, please contact the EOTSS Assistant Secretary for Technology, Security and Operations or the Commonwealth CTO.

All executive branch agencies must comply with these standards and guidelines, and must ensure that all business applications are operated on EOTSS-approved infrastructure (hardware, software) and hosted in an EOTSS-approved facility (on-premise facility, approved Cloud service provider (IaaS/PaaS), or Software as a Service).


Business Applications

Business Applications

Deep subject matter expertise resides in Commonwealth agencies and Secretariats, making it crucial that the organizational structure envisioned by Chapter 64 of the Acts of 2017 respect and preserve the proper role of agencies and Secretariats in managing the aspects of the application layer that relate to the day-to-day operations of the Commonwealth’s core programs and services. Therefore, Secretariats and agencies own, operate, manage, and support the business applications in most instances. There are established hybrid models in which EOTSS enterprise application support teams support statewide applications such as HR/CMS and the Commonwealth Information Warehouse; however, EOTSS is not the business owner of the application.


MA Digital Services

Digital Policies and Guidelines

A collection of policies and guidelines from the Commonwealth’s Chief Digital Officer intended to improve the public-facing web presence and related services for executive department offices and agencies.


Mass.gov Linking Policy

MA Digital Services policy on linking content and tools within Mass.gov. Links will go directly to the most relevant pages, not necessarily to organizational home pages.


Terms of Use

By using Mass.gov you agree to these terms and conditions. Please note that the Massachusetts Judicial Branch has its own Terms of Use and Site Policies that apply to its pages on Mass.gov. Other individual state agencies or other Commonwealth entities may also adopt additional terms of use that apply to specific web-based transactions with those agencies or data posted on their websites.


Knowledge Base

This Knowledge Base is your self-service guide to authoring and updating content for Mass.gov. Most of this guide focuses on the Content Management System (CMS), but it also addresses related third-party tools such as Formstack and Google Analytics.


Mayflower Design System

Mayflower is the official Design System for the Commonwealth of Massachusetts. This system makes it easy for state agencies to build accessible, mobile-friendly sites, or apps consistent with Mass.gov.


Legal & Privacy

eDaaS - eDiscovery as a Service

eDiscovery as a Service (eDaaS) includes the identification, search, collection, extraction, and preservation of electronically stored information (ESI) contained in Exchange On-Premises or Online. This professional service is performed by eDiscovery analysts who provide legal and IT expertise and experience in complex search language syntax, and who work directly with the requestors, which are authorized participants of our service under the authorization of Secretariat/Agency General Counsel or Department Head.


Data and Privacy

The Commonwealth's data sharing framework is designed to ensure that data is shared securely and deliberately between state agencies to drive better-informed decision making. Here you will find data sharing information for the Commonwealth’s Executive Branch agencies - including the Executive Branch Data Sharing Memorandum of Understanding (MOU), the online Data Use License Agreement (DULA), contacts for the Data Steward Council, and more.


Social Media Legal Guidance Toolkit

There are no legal prohibitions against state agencies using social media sites or having social media identities. However, there are legal considerations. This Social Media Legal Guidance Toolkit is designed for you and your legal counsel to review and apply before implementing social media for your agency or authorizing employees to participate on social media sites.


Social Media Participation Policy

This sample document provides a template for agencies to formalize their policy on the use of social media sites for employees that are managers, non-union employees, and contractors.


Contracts, Fiscal, & Procurement

Contract Management Guidance & Templates

Looking for an IT product or service and don't know where to start? There are multiple options as you begin looking for an IT product or service. The EOTSS Contract Management Team is here to point you in the right direction. This page includes templates, purchasing guidelines, and the statewide contract list.


Accessibility for IT Solutions Contract Language

The Commonwealth is legally obligated to ensure non-discrimination and equal access to state services on the part of persons with a disability and reasonable accommodations to state employees with a disability. This mandatory contract language helps the Commonwealth achieve accessibility in the acquisition, deployment and utilization of information technology.


EOTSS Chargeback & Cost Recovery Model

Here you will find information about Chargeback services – including the billing system, guide, and rate schedule. EOTSS is authorized by the legislature to charge back agencies/entities for services provided. EOTSS operates under a "cost-recovery" model and uses a "chargeback methodology" to recover its expenses.


IT Capital Planning

IT Capital Planning

The EOTSS Office of Capital Planning oversees the IT capital investment portfolio and related program management. The Office – in coordination with the EOTSS Secretary and the IT Investment Advisory Board – issues regular guidance on the IT capital planning process, business case standards, and the project life cycle.


IT Accessibility & Adaptive Technology

Enterprise IT Accessibility Standards and Guidance

Information, guidelines, techniques, and resources for ensuring websites and applications are accessible to all and comply with the Commonwealth's accessibility policy. EOTSS plans to update its guidance on IT Accessibility during Q1 and Q2 of CY2022 – including the Enterprise IT Accessibility Standards, Web Accessibility Standards, the IT Accessibility Guide, and the IT Acquisition Access Compliance Program.


MassGIS

Mass GIS Standards and Best Practices

As the Commonwealth’s Bureau of Geographic Information, MassGIS has established standards and best practices for the acquisition, management, and reporting of geographical information.


EOTSS Hybrid Work Guidance

EOTSS Hybrid Work Guidance

In addition to the policies, standards, and directives included as part of the Standard Operating Environment, EOTSS offers the following guidance in support of a hybrid workforce model – a combination of in-office and telework.


Working Securely from Home

With all levels of government and businesses across the country urging employees to work remotely to slow the spread of the Coronavirus, now’s a good time to review the security settings of your home network and pay close attention to business-specific guidance.


Protecting against Coronavirus Scams

With the amount of news coverage surrounding the COVID-19 pandemic, it's no surprise that cybercriminals are taking advantage with phishing emails and fraudulent web content. The EOTSS Security Team is paying close attention as many organizations are reporting a rise in social engineering, phishing, and other scams.


Securing Your Home Network

Most Internet Service Providers (“ISP”) offer traditional plug-and-play systems. It is recommended that even if you have a professional set up your home network, you should verify that the settings are appropriate.


Creating a Strong Password

Your password is all that stands between you and the bad actors. Choosing a strong password will help keep your online life and personal information safe from those who should not have access to it. Read the Password Best Practices and Recommendations guide for tips on creating a strong password.


Personal End-User Devices

EOTSS prohibits the use of personal devices to access state applications and systems. Previous accommodations for such devices had been made during the pandemic emergency response. However, new device deployments and in-place upgrades under the Modern Workplace Program have provided remote/hybrid employees with a single, state-owned device (laptop). Exceptions may be made on a case-by-case basis, as warranted.


Home Internet Connectivity

Employees and vendors teleworking are responsible for their own remote Internet connectivity unless the agency head or SCIO offers an agency/secretariat-provided connection (Mi-Fi or other mechanisms). Requests for such connections should be coordinated through the respective agency head and SCIO. The FCC offers general guidance on Home Broadband, including FAQs and minimum download speeds.


Mi-Fi / Hotspots

Mi-Fi is a cellular device that acts as a mobile hotspot. Requests for these devices should be made through the same process as agencies/secretariats use today for assigning and procuring wireless/mobile devices – usually the respective agency head and SCIO.


Wireless Providers

Select a wireless provider that provides good cellular service in the area where you plan to use the MiFi (https://www.mass.gov/doc/itt72/download). Both AT&T and Verizon Wireless offer public safety grade wireless (priority and pre-emption) for qualified users – see the ITT72 or contact your wireless provider service, account managers.


Virtual Meeting Best Practices

With the shift to a hybrid workforce model over the past year, webinars and conference calls have become the standard method for meetings and collaborative work. It is important to remain security conscious when teleworking and to follow these best practices for virtual meetings.


Date published: October 19, 2021
