EOTSS Annual Report 2022: Cybersecurity & Enterprise Risk Management

Since 2017, the Executive Office of Technology Services and Security (EOTSS) has taken the lead role in cybersecurity and enterprise risk management policy, strategy, and services for the Executive Branch.

Overview

The Baker-Polito Administration undertook an extensive review of the Commonwealth’s technology landscape in 2015 and 2016. Interviews were conducted with key executives and IT personnel across state government. Our existing policies and practices were compared against industry standards. The results of penetration tests of state applications and systems were benchmarked against other states, the federal government, and the private sector.  

In its conclusion, the study identified that technology services in the Commonwealth had fallen behind and cybersecurity was not being sufficiently addressed. The roadmap forward recommended establishing an enterprise IT organization, matching policies and standards to new industry standards, modernizing the technology landscape, mitigating major vulnerabilities, and centralizing cybersecurity monitoring, testing, compliance, and training.

Since its creation and elevation to the cabinet level secretariat in 2017, EOTSS has served as the enterprise IT organization and has taken the lead role in cybersecurity policy and strategy for the Executive Branch. Key investments have been made to ensure the confidentiality, integrity, and availability of Commonwealth data, applications, and infrastructure. These investments include the development of an enterprise-wide security and risk management strategy, recruitment and engagement of skilled and experienced talent, procuring best-in-class technologies, and building a modern organizational structure to support operations.

Thanks to ongoing collaboration with the Administration and the Legislature in 2020, $140 million in new bond authorizations were enabled to further investment in security and risk management. These funds have not only led to the accomplishments listed below but will provide for additional capital investments in FY23 and FY24 as we continue to unify security operations, risk management, and data privacy frameworks across the enterprise.

Investments in People & Training

Cybersecurity and risk management are not solely an “IT” responsibility. Combating today’s threats requires the cooperation of all departments and employees within a state agency.   

To that end, investment in the hiring, retention, training, and professional development of the people that lead, manage, and run the Commonwealth’s day-to-day operations remains the first line of defense against cyber threats. 

The Chief Information Security Officer(s) 

With the birth of EOTSS in 2017 came the creation of the first enterprise Chief Information Security Officer (CISO) position in the state.  

The CISO worked immediately with the Commonwealth CIO and EOTSS Secretary to create and maintain new Enterprise Information Security Policies and Standards that align with industry best practices and are cross-referenced to the National Institute of Standards and Technology (NIST) framework and Center for Internet Security (CIS) controls.

Beyond policies, the CISO and the Enterprise Security Office built out key enterprise services and communications to modernize and centralize the Commonwealth's infrastructure and to further improve our overall security posture. Collaboration and improved communication with other secretariats and agencies provided greater visibility and consistency across the enterprise.

On that note, the CISO worked to develop and support CISO positions at each secretariat. Monthly “CISO cabinet” meetings were held to promote coordination and collaboration on enterprise security and risk management issues impacting all agencies.

Privacy, Risk & Information Governance 

The Commonwealth’s first Chief Privacy Officer (CPO) was appointed by the EOTSS Secretary in 2019 and a new Chief Risk Officer (CRO) role was added in 2020 to strengthen enterprise leadership around data privacy, information governance, and risk management.  

The CPO works specifically to establish privacy and security frameworks to protect the dissemination of sensitive data and to resolve data privacy and security concerns. The position works closely with the Chief Data Officer, the EOTSS data team, and the CRO to review and offer feedback on data sharing agreements between state agencies – and supports engagement with the Data Steward Council that was formed in 2018, in discussions of data sharing policies and data goals among executive branch agencies. Their combined efforts facilitate the deliberate and thoughtful use of data across agencies to inform policy choices and agency strategy. 

The CRO supports organizational governance and leadership with strategic and operational risk management and is the executive who facilitates and drives the organization's comprehensive risk management program.  

This position also oversaw the development of the first enterprise Information Governance (IG) and Enterprise Risk Management (ERM) programs.  

Establishing a sustainable, scalable IG Program is important when factoring in rapid changes across the information and technology landscape, as exemplified by dramatic increases in data generation and retention, hosting via third-party cloud providers, and evolving cybersecurity threats.  

Third-party risk is one of the biggest cybersecurity threats facing governments today. Through a qualitative and quantitative assessment process, the ERM program will (among other priorities) scrutinize the maturity of the security and privacy standards that current third-party vendors and any apparent successful bidders have in place. 

Security Awareness Training 

Not only has the Administration sought to fill critical roles with top talent throughout Executive-Branch agencies, but it has also invested in new cybersecurity and risk management training frameworks for its workforce.  

EOTSS is focused on establishing a culture of cyber awareness throughout state government. Education of the Commonwealth’s workforce on best practices for good ‘cyber hygiene’ through cybersecurity awareness training and the initiation of simulated phishing exercises are two of the best ways for the Commonwealth to grow our cybersecurity team from a couple dozen to a 40,000+ workforce.

As a result, simulated phishing campaigns are planned throughout the year and all Executive Branch employees must now take Annual Cybersecurity Awareness Training and new hires must take an Information Security Awareness Course within their first 45 days as an employee. This policy also applies to certain non-Executive Branch employees who may have access to Commonwealth systems. EOTSS partners with the state Human Resources Division (HRD) to administer and deliver this training.

Investments in Security Operations

Over the past two years, EOTSS has developed and augmented frameworks and processes to implement unified security operations, incident reporting and response, and vulnerability management across the Executive Branch.

Implementation is managed through Secretary/CIO administrative directives, EOTSS Enterprise Security Policies and Standards, and collaboration with Secretariat Chief Information Officers (SCIOs) and vendor partners.

Security Operations Center (SOC) 

The SOC is a centralized operations center for the Executive Branch that deals with security issues on an organizational and technical level. It is built to identify, protect, detect, respond to, and recover from cyber incidents across the Commonwealth.    

A unified SOC improves efficiencies and capabilities in functionality, reporting, scanning, vulnerability management, information sharing, and incident response for all agencies and avoids a disparate setup of independent operations across the Executive Branch working at cross purposes and deploying inconsistent technology solutions.

EOTSS Security Operations Center

This past year, EOTSS increased SOC capacity and services to implement 24x7x365 operations to support the enterprise and to continue building out monitoring, alerting and mitigation of threats.

Collaboration & Partnerships

A 2020 NASCIO survey of state CIOs and CISOs confirmed that the COVID-19 pandemic amplified many of the existing cybersecurity challenges – while also presenting new hazards for all levels of government. There were increases in COVID-related threats to infrastructure tied to the pandemic response as well as frequent scams targeting state employees and constituents alike. For the first time, many CIOs and CISOs were also faced with securing a remote and hybrid workforce at a scale that was never anticipated.

Moreover, the SolarWinds Hack (2020), Colonial Pipeline Ransomware Attack (2021), and multiple attacks against other federal, state, and local government agencies across the country demonstrate that cyberthreats remain very real and present dangers to all levels of government, higher education, and private industry today.  

It is now more critical than ever to break down silos and promote the sharing of knowledge and resources to identify, protect against, and mitigate these threats. A unified framework for information sharing and incident response also improves communication and facilitates a timelier response.

Accordingly, while EOTSS invested in the right people and positions to lead on enterprise risk and security operations, the Secretary and CISO also sought to improve communication and collaboration among its federal, state, and local partners in government as well as academia and the private sector. The goal is to collaborate on policies and best practices, as well as to share information, monitor for threats, and refer incidents to law enforcement when appropriate.

EOTSS Collaboration & Partnerships Model

Federal & State Partnerships 

Building off successful efforts in 2019 – where the CISO formalized EOTSS’ relationship with four police, military, emergency management and security organizations to implement information sharing and analysis of cyberthreats, introduce and adopt a cybersecurity incident response framework, and promote security awareness throughout Massachusetts – EOTSS strengthened its partnerships in 2020 and 2021 with the: 

We have improved information sharing, planning, and outreach with these partners through regular working group sessions and table-top exercises to increase awareness and provide information on securing critical infrastructure across the Commonwealth.

National Grant Opportunities 

EOTSS continues to engage in a number of strategic alliances to further enhance the Commonwealth’s cybersecurity posture. Massachusetts was one of seven competitively selected US states and territories partnering with the Homeland Security and Public Safety division of the National Governors Association (NGA) in 2019 to develop plans to improve interagency coordination and collaboration between state and municipal government around cyber security and awareness.  

In 2020, MA was also one of four states that participated in a successful pilot program with Johns Hopkins University leveraging a DHS cybersecurity grant to help defend state and local government computer systems from cyberattacks by deploying automation and orchestration tools to identify and mitigate threats to the Commonwealth’s systems more quickly. 

This past year, EOTSS partnered with the National Cybersecurity Center (NCC) and Google to provide high-level cybersecurity training to members and staff of the Massachusetts State Legislature. Over 100 legislators and staff participated in the training program, which was replicated in state houses across the nation. 

Municipal Partnerships 

The Baker-Polito Administration and EOTSS have maintained strong partnerships with municipal government leaders and their constituents through the Community Compact Cabinet (CCC) and Municipal Grant Programs.  

Through the CCC, the Administration has awarded 749 grants totaling $19.2 million to help Massachusetts communities become more efficient and innovative while improving their technology infrastructure. Most recently, $3.5 million in grants were awarded to 55 municipalities in FY21, and $3.5 million in grants went to 70 municipalities in FY22. More than 300 municipalities and school districts received IT grant funding over the life of this program.

In 2019, EOTSS announced the first-ever Municipal Cybersecurity Awareness Grants, with over 44,000 municipal and public-school employees in 94 municipalities throughout the Commonwealth accessing training to better detect and avoid cyberthreats. The second round in early 2021 increased to 107 municipalities, and another round is planned for FY22 and FY23.

Employees in communities participating in the program receive interactive online training in topics ranging from email security to USB device safety. Employees also receive simulated phishing emails. Phishing is a growing threat in local government in which an attacker seeks to influence the employee to take an action that may be harmful to the organization, by masquerading as a trusted entity.

Cyber Month 

October is Massachusetts Cybersecurity Month in the Commonwealth, as declared by an official proclamation signed by Governor Charlie Baker and Lt. Governor Karyn Polito. To highlight the importance of the Month, Governor Baker released a video to spotlight the critical importance of cybersecurity in everyday life.   

National Cybersecurity Month was established to ensure that all Americans are aware of the importance of cybersecurity. This year’s theme set by the Cybersecurity & Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA) is “Do your part. #BeCyberSmart.” The emphasis of the campaign is on the role that we each play in taking proactive steps to protect our online safety.  

This evergreen theme encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity.  

In 2021, CISA and NCSA focused on the following areas in promotions and outreach:  

  • October 4 (Week 1): Be Cyber Smart.  

  • October 11 (Week 2): Phight the Phish!  

  • October 18 (Week 3): Explore. Experience. Share. – Cybersecurity Career Awareness Week  

  • October 25 (Week 4): Cybersecurity First  

The following link is a listing of events that took place across the state as part of #MassCyberMonth.  

A Look Ahead for Cybersecurity & Enterprise Risk Management

Preparation for cyber threats is an ongoing and hyper-focused effort. It is critical for the Commonwealth to remain in a state of readiness and preparedness to best position itself to mitigate potential cyber threats and maintain continuity of government services for the customers and constituents we serve.   

Throughout the remainder of FY22, FY23, and beyond, EOTSS is firmly committed to partnering with the Administration, the Legislature, and its fellow secretariats to make additional investments in the people, processes, and technologies that drive the state’s security operations, risk management, and data privacy efforts. 

EOTSS will continue to build out the next generation of the 24x7x365 Unified Security Operations Center (SOC) for the Executive Branch and partners, and improve upon cybersecurity Situational Awareness, Readiness, and Preparedness across the Enterprise. Similarly, the organization will continue to develop the Enterprise Risk Management (ERM) Program led by the Commonwealth’s first Chief Risk Officer (CRO) – by establishing a vendor policy and compliance program, as well as a vendor risk portal, to help mitigate third-party vendor risk – one of the biggest cybersecurity threats facing governments today.

Investments in recruiting and training will play an important role in the future of these enterprise programs. EOTSS will explore new partnerships with state, federal, and private sector stakeholders to bolster cybersecurity recruiting efforts, improve the talent pipeline, and open new training opportunities, as well as apprenticeships, internships, and co-op programs.  

Government and industry best practices indicate that the EOTSS enterprise cybersecurity approach improves agility, effectiveness, and efficiencies in state government by promoting collaboration and breaking down silos across enterprise-level and agency-specific programs. Unifying security operations, incident response and reporting, and risk management across all agencies is a huge step towards a more secure Commonwealth. EOTSS will continue to evolve on the cybersecurity front and remain ever vigilant to emerging threats. 

Date published: May 10, 2022
Last updated: May 10, 2022