RD709 - 2021 Commonwealth of Virginia Information Security Report


Executive Summary:

This 2021 Commonwealth of Virginia (COV) Information Security Report is the 12th annual report by the Chief Information Officer (CIO) of the Commonwealth, to the Governor and the General Assembly. As directed by § 2.2-2009(B)(1) of the Code of Virginia, “The CIO shall annually report to the Governor, the Secretary, and General Assembly on the results of security audits, the extent to which security policy, standards, and guidelines have been adopted by executive branch and independent agencies, and a list of those executive branch agencies and independent agencies that have not implemented acceptable security and risk management regulations, policies, standards, and guidelines to control unauthorized uses, intrusions, or other security threats.”

In addition, this report includes the requirements directed by § 2.2-2009(C) of the Code of Virginia, which says, “The CIO shall conduct an annual comprehensive review of cybersecurity policies of every executive branch agency, with a particular focus on any breaches in information technology that occurred in the reviewable year and any steps taken by agencies to strengthen cybersecurity measures. Upon completion of the annual review, the CIO shall issue a report of his findings to the Chairman of the House Committee on Appropriations and the Senate Committee on Finance. Such report shall not contain technical information deemed by the CIO to be security sensitive or information that would expose security vulnerabilities.”

This report combines the requirements of § 2.2-2009(B)(1) and § 2.2-2009(C) into a single report.

The scope of this report is limited to the executive branch agencies, six independent agencies, and three Level I institutions of higher education. This report does not address the judicial branch, the legislative branch, and Level II and Level III higher education institutions, which are either statutorily exempted from compliance with Commonwealth policies and standards or outside the scope of VITA’s compliance review.

The CIO has established a Commonwealth security and risk management (CSRM) group within the Virginia Information Technologies Agency (VITA) to fulfill statutory information security duties under § 2.2-2009. CSRM is led by the Commonwealth’s chief information security officer (CISO).

This report is prepared by CSRM on behalf of the CIO. It utilizes a series of compliance metrics established by CSRM to assess the strength of the agency information technology (IT) security programs that protect Commonwealth data and systems. A listing of the agencies in scope for this report and their security, compliance, and cybersecurity assessment metrics are in the appendices of this document.

Commonwealth Threat Management Program

Information security incidents were largely due to the end user. In 2021, information disclosure incidents rose to first place as the largest category of incidents, with physical theft and loss in a close second. Cyber attackers have determined that the easiest target is the employee. When attackers cannot gain access to systems and data by exploiting vulnerabilities, they attempt to compromise users. Most of these attacks are achieved through phishing or malicious spam (malspam) emails.

Cybersecurity Awareness Training is key. To protect COV systems and data, more emphasis needs to be given to security awareness training of employees. While training is required for all users at least once a year, it is not sufficient to protect users against attack. Phishing is used by hackers to target users and can be highly successful if the user is not adequately trained to identify a potential attack and know how to respond to it. To provide more realistic training, CSRM purchased a tool that simulates a phishing attack. In the event an employee clicks a link or provides a login credential, the tool records the event, and the employee is required to complete additional training.

CSRM hosted the annual Commonwealth cybersecurity preparedness exercise. The goal of this event was to test the awareness, effectiveness, and efficiency of agencies’ and service providers’ incident response tools and processes. The exercise concentrated on the various aspects of planning and executing the response to an incident and on the lessons learned from various scenarios. CSRM saw significant improvement in this year’s exercise from the previous year, and we look forward to continuing to build on the success of this exercise to improve the Commonwealth’s ability to respond to IT security incidents.

Attack attempts on the Commonwealth spiked in 2021. During 2021, over 33 million attack attempts (see Figure 5) were detected against Commonwealth systems. This is a rate of 1.05 attacks every second. The spikes in attempted attacks are indicative of new types of attack traffic being observed. Fortunately, the vast majority of attacks are blocked and prevented by Commonwealth monitoring systems and security tools.

Ransomware attacks continue to be a threat to the Commonwealth. CSRM threat management works with the Multi-State Information Sharing & Analysis Center (MS-ISAC) to share threat information with Commonwealth agencies and Higher Education Institutions. Based on the analysis of data from the MS-ISAC, higher education comprised 10% of all security investigations and cost those institutions $3.56 billion in downtime nationwide. During 2021, some of our state agencies experienced newsworthy ransomware attacks. In addition, third-party ransomware attacks that target suppliers or software managed by outside entities are a concern for all Commonwealth agencies.

Data breach costs rose significantly. In 2021, an international security consulting firm estimated that the average cost per incident for the public sector rose from $1.08M to $1.93M. This is a 78% increase in cost over 2020. A key factor that plays into the cost of a data breach is the life cycle of the cyber incident. The longer the incident life cycle, the larger the cost to the organization. A second contributor to the cost of data breaches is regulatory compliance failures, such as loss of data or neglecting to follow required security controls or policies. Compliance failures can lead to additional fines and penalties, adding to the overall cost. CSRM utilized this information to estimate that the cost of response and recovery efforts for all major and minor incidents and investigations in the Commonwealth was over $11 million in 2021.

CSRM provided IT security support for elections in the Commonwealth. In an ongoing effort to ensure safe and secure elections, CSRM performed a comprehensive security review of all systems and infrastructure supporting Virginia elections. In addition, CSRM provided monitoring of local county and city policies and procedures. Over the past 10 years, CSRM has established a cybersecurity command center for every major state or federal election to allow handling of any issues that occur during the election process. CSRM will continue to collaborate with the Department of Elections to provide support for upcoming elections.

Commonwealth Information Security Governance Program

CSRM ensures Commonwealth agencies develop and maintain their information security program. CSRM’s information security governance program is responsible for monitoring performance and compliance against the Commonwealth’s IT security policies, standards, and guidelines for the executive and independent branch agencies. The program provides support to agencies during their work to foster a mature IT security environment, while promoting information security training and awareness. Annually, agencies receive a letter grade based on their overall compliance with our governance metrics.

CSRM’s governance program also facilitates monthly opportunities for information security professionals. Monthly meetings are provided for Commonwealth security personnel to receive training, enterprise updates, and networking through the Information Security Officer Advisory Group (ISOAG). Additionally, the information security officers (ISO) Council was formed to recommend strategic direction for information security and privacy initiatives in the Commonwealth. CSRM has also formed a Risk Management Committee made up of risk specialists from CSRM’s IT Risk Management division and information security officers from other Commonwealth agencies. The committee meets monthly to discuss approaches to addressing risks and issues identified as significant. The Risk Management Committee determines the prioritization of risk mitigation and provides feedback on the current approaches to maintain established risk thresholds.

VITA CSRM integrates third-party risk management in the COV risk management program. As part of the VITA governance program, CSRM has developed and implemented methodologies for monitoring and managing risks associated with third-party service providers. The amount of risk introduced by third parties is quantified to ensure the Commonwealth maintains established risk thresholds. Within the multi-sourcing service integration (MSI) model that VITA has adopted, CSRM plays an integral role in identifying cybersecurity risks and tracking them until they are resolved. In addition, VITA’s Enterprise Cloud Oversight Service (ECOS) reviews and approves contract terms and provides oversight of third-party vendors offering Software as a Service (SaaS) applications.

CSRM continues to refine the quantitative cyber risk analysis model that was implemented in 2020. The CSRM risk management team developed a methodology to estimate the financial costs of the detection, response, and recovery activities associated with cybersecurity incidents. Quantifying cybersecurity incidents from a financial perspective helped the Department of Treasury determine how much cyber liability insurance is needed in the event a system is breached or incapacitated. In addition, it allows executive leadership to make better and more informed decisions related to their agency’s IT assets. Using this methodology also helps CSRM to prioritize security decisions based on quantifiable risk.

Commonwealth IT Audit and Risk Management Program

IT audit and risk assessment issues are tracked and monitored. Each issue indicates a gap or deficiency of an IT security control. When identified, CSRM ensures the agency has a reasonable corrective action plan to address the deficiency. If a corrective action plan is found to be inadequate, CSRM will work with the agency to address the deficiency and, if necessary, discuss with the risk management committee. Across all agencies, the most frequently identified area with inadequate security controls (19% of all reported issues) is “access control.” Poor access controls increase the risk that agencies are exposed to unauthorized access to data, fraud, or disruption of IT services.

Audit program compliance grades declined significantly in 2021. Audit program compliance decreased 16% from the prior year, with only 31% of agencies receiving a score of “A” in 2021 compared to the previous year when 47% of all agencies received an “A”. This decrease is mainly attributed to the extraordinary demands of the pandemic resulting in reduced performance of normal IT security audits on sensitive systems. CSRM expects that more attention will be focused on auditing sensitive systems now that normal agency operations have resumed.

Risk program compliance grades declined slightly in 2021. Risk management compliance experienced a slight 2% downturn during 2021. In 2021, an “A” score was achieved by 27% of agencies compared to 29% receiving an “A” in 2020. CSRM recommends agencies place more emphasis on implementing comprehensive risk management programs by providing additional attention to risk assessments and dedicating the necessary resources to their IT risk management programs.

Agencies need to improve the timeliness of remediating audit and risk findings. CSRM analysis found that the average number of days to remediate a finding (i.e., a security issue) is excessive. Audit findings average 495 days to close, and findings from risk assessments averaged 382 days. This is a slight improvement of about 5% over the previous year. CSRM notifies agencies of outstanding and overdue findings to further encourage agencies to remediate critical findings quickly. Agencies that are consistently and significantly behind in remediating findings are subject to formal notifications and restrictions in their ability to procure future IT services.

Commonwealth Centralized Security Services

Centralized services continue to address agency audit and risk management needs. VITA offers a centralized service to help Commonwealth agencies meet the requirements for IT system auditing, risk management (called ISO services), and vulnerability scanning. Use of audit and ISO services has helped agencies that lack dedicated resources to comply with the Commonwealth IT security requirements. Agencies using VITA’s centralized services scored an entire letter grade higher on average than agencies that are not utilizing the centralized services. This most likely can be attributed to the additional attention to compliance that is provided by the centralized services.

Centralized vulnerability scanning identifies vulnerabilities before they can be exploited. The web application vulnerability scanning program provides automated scans of Commonwealth websites to identify potential security weaknesses. These scans are used to identify and mitigate vulnerabilities to prevent attacks. CSRM performed over 6,000 scans of public sites and private websites. In addition, CSRM’s vulnerability scanning service has helped to reduce the number and impact of vulnerabilities (see Figure 24).

Nationwide Cyber Security Review

The Commonwealth participated in the Nationwide Cybersecurity Review (NCSR). The NCSR is a self-assessment survey aligned with the National Institute of Standards and Technology (NIST) cybersecurity framework (CSF). The survey allows CSRM to review how agencies evaluate their own cybersecurity posture and to compare results with other Commonwealth agencies and with those from other states. The most current NCSR survey results indicated Commonwealth agencies have an average score (on a scale of 1 to 7) that is slightly better than the national average and that has improved over the prior year.

The Cyber Security Framework was utilized as a methodology to assess and measure security outcomes. The Cyber Security Framework is built on five key security functions that are divided into 23 categories. Each category is further divided into many sub-categories. Agencies were asked questions on how they view cybersecurity risks and the outcomes they have obtained. These answers help CSRM establish a security baseline where steps can be defined to achieve optimal results. Overall, the 2021 NCSR showed that Commonwealth agencies generally report functioning at slightly higher than the minimum recommended level of “implementation in process” and consistent with the 2020 NCSR scores.

Commonwealth secretariats are showing overall improvement. Overall, the average NCSR score for Commonwealth agencies in 2021 was 5.15, which is slightly above the minimum recommended level of five (5, implementation in process). When scores were consolidated by Commonwealth secretariats, it showed that eleven secretariats rated themselves higher than the minimum recommended level of five. Only two secretariats reported survey results that were slightly less than the recommended minimum score.

Key Takeaways

• Cyber attacks against Commonwealth targets continued to escalate in calendar year 2021. Commonwealth security detected over 33 million cyber attacks – approximately 1 attack every second.

• Ransomware attacks were a continuing threat to the government agencies in 2021. The Commonwealth experienced one ransomware attack that severely impacted an agency in the legislative branch. Another ransomware attack impacted a private company that provides cloud-based timekeeping software used by some agencies. The incident was quickly mitigated, and no Commonwealth data was compromised.

• Information security incidents were largely due to the end user. Cyber criminals know that users are generally the weakest link and most easily exploited through social engineering tactics. Security training and preparedness exercises are essential tools for educating users in how to identify potential social engineering attacks and take the proper responses.

• Commonwealth security (CSRM) monitors and scores each in-scope agency’s overall compliance with information security standards and policies. In 2021, there was a slight decline in agency compliance scores from the previous year.

• IT security issues and vulnerabilities identified by audits, risk assessments, and security scanning tools are not mitigated in a timely manner by many agencies. Failure to mitigate issues increases the possibility of an issue being exploited by cyber criminals.

• CSRM’s centralized auditing and security services provide extra assistance to agencies that are not adequately staffed and resourced to provide these services on their own. Agencies that subscribed to CSRM’s centralized services in 2021 generally scored higher on our compliance monitoring metrics.

• Commonwealth agencies once again participated in the Nationwide Cyber Security Review (NCSR), an annual self-assessment survey facilitated by the Multi-State Information Sharing and Analysis Center (MS-ISAC). The survey covers the components of the internationally recognized Cyber Security Framework (CSF) developed by the National Institute of Standards and Technology (NIST). In 2021, Commonwealth agencies scored themselves at a compliance level for IT security that compares favorably to agencies in other states. CSRM will use the data from the NCSR survey to identify areas that can be improved or reinforced.