RD661 - 2022 Commonwealth of Virginia Information Security Report

Executive Summary:

This 2022 Commonwealth of Virginia (COV) Information Security Report is the 13th annual report by the Chief Information Officer (CIO) of the Commonwealth, to the Governor and the General Assembly. As directed by § 2.2-2009(B)(1) of the Code of Virginia: “The CIO shall annually report to the Governor, the Secretary, and General Assembly on the results of security audits, the extent to which security policy, standards, and guidelines have been adopted by executive branch and independent agencies, and a list of those executive branch agencies and independent agencies that have not implemented acceptable security and risk management regulations, policies, standards, and guidelines to control unauthorized uses, intrusions, or other security threats."

In addition, this report includes the requirements directed by § 2.2-2009(C) of the Code of Virginia, which says: “The CIO shall conduct an annual comprehensive review of cybersecurity policies of every executive branch agency, with a particular focus on any breaches in information technology that occurred in the reviewable year and any steps taken by agencies to strengthen cybersecurity measures. Upon completion of the annual review, the CIO shall issue a report of his findings to the Chairman of the House Committee on Appropriations and the Senate Committee on Finance. Such report shall not contain technical information deemed by the CIO to be security sensitive or information that would expose security vulnerabilities."

This report combines the requirements of § 2.2-2009(B)(1) and § 2.2-2009(C) into a single report.

The CIO has established the Commonwealth Security and Risk Management (CSRM) group within the Virginia Information Technologies Agency (VITA) to fulfill statutory information security duties under § 2.2-2009. CSRM is led by the Commonwealth’s Chief Information Security Officer (CISO).

The scope of this report is limited to the executive branch agencies, six independent agencies, and three Level I institutions of higher education. This report does not address the judicial branch, the legislative branch, and Level II and Level III higher education institutions, which are either statutorily exempted from compliance with Commonwealth policies and standards or outside the scope of VITA’s compliance review.

This report is prepared by CSRM on behalf of the CIO using a series of compliance metrics established by CSRM to assess the strength of the agency information technology (IT) security programs that protect Commonwealth data and systems.

1.1. Commonwealth Threat Management

The Commonwealth took significant action in 2022 to improve cybersecurity threat management throughout the state. Using a federal grant program for cybersecurity, the Commonwealth helped mature cybersecurity programs across the state in 2022. The Commonwealth also ratified legislation to improve threat intelligence analysis and defense planning.

The number of Physical Theft/Lost Security incidents increased from 52 to 103 in 2022. This was the leading category of incidents in 2022. Theft and lost incidents are attributed to users, who need to be more cognizant of the environment and location of their COV-issued devices. Successful malware incidents increased from 26 in 2021 to 53 in 2022.

CSRM continues to invest in security awareness training. End users face new and evolving security concerns regularly. In an effort to keep pace with threats and common attacks, CSRM uses simulated phishing exercises to supplement annual security awareness training material. Quarterly phishing campaigns help hone recognition and incident response skills.

In 2022, the number of attacks against the Commonwealth continued to increase. 55 million attack attempts were detected against Commonwealth systems – a rate of 1.75 attacks every second, up from approximately 33 million attacks in 2021. Most attacks are blocked and prevented by Commonwealth monitoring systems and security tools.

Addressing web application vulnerabilities requires agency support. Malicious attackers use a myriad of techniques to infiltrate systems and gain access to information, such as exploits (e.g., viruses, worms) that take advantage of vulnerabilities (i.e., system flaws). In 2022, CSRM successfully blocked most exploits, despite an uptick in exploit activity. Critical and high vulnerabilities in internet-facing web applications were identified and tracked. CSRM recommends that agencies continue to apply patches and remediate prioritized vulnerabilities.

1.2. Commonwealth Information Security Governance Program

CSRM performs annual compliance reviews of agency information security programs against the Commonwealth’s IT security policies, standards, and guidelines. Using a letter grade system, agencies receive grades for their IT audit and IT risk management programs.

CSRM provides education and outreach programs to support information security professionals. CSRM supports multiple routine events throughout the year to provide training, share enterprise updates, and offer networking opportunities for the Commonwealth’s security community. Agency personnel participating in councils and committees provide immediate feedback on various security matters.

Third-party risk management is a key component of the COV Risk Management program. Demand for third-party services continues to increase. To review concerns with third-party vendors, CSRM Risk Management integrates with supply chain management. The Enterprise Cloud Oversight Service (ECOS) reviews and approves contract terms and provides oversight of third-party vendors offering Software-as-a-Service (SaaS) applications.

CSRM offers three centralized security services to customer agencies. The IT Audit, Information Security Officer (ISO), and Web Application Scanning services provide additional support for agency information security programs. The IT Audit and ISO services are subscription-based services to help agencies satisfy specific security requirements. The Web Application Scanning service is provided at no discrete cost to customer agencies.

1.3. Commonwealth IT Audit and Risk Management Program

IT Audit and Risk compliance grades declined in 2022. While 36% of the IT audit compliance grades were above average, the percentage of failing grades increased to 32%. CSRM attributes this to a decline in the number of IT audits performed in 2022. CSRM anticipates audit program compliance will improve as agencies plan to complete required audits. Many IT risk grades were reduced by a letter grade due to missing risk assessment plans outlining the schedule to complete required risk assessments. Missing or inadequate quarterly updates also had a negative impact on IT Audit and Risk grades in 2022.

CSRM’s Risk Management team also monitors the progress and remediation of IT audit and risk findings. In 2022, the average age of all open IT audit and risk findings was 807 and 1,240 days, respectively. Most findings resulted from gaps in access control requirements, system integrity (e.g., lacking current security patches), and inadequate third-party hosting agreements. CSRM notifies agencies of outstanding and overdue findings to further encourage agencies to remediate critical findings quickly.

1.4. Nationwide Cyber Security Review

The Nationwide Cyber Security Review (NCSR) is a self-assessment survey aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The survey allows CSRM to review how agencies evaluate their own cybersecurity posture and to compare results with other Commonwealth agencies and with those from other states. The most current NCSR survey results indicated Commonwealth agencies have an average score (on a scale of 1 to 7) that is slightly better than the national average and that has improved over the prior year. Overall, the average NCSR score for Commonwealth agencies in 2022 was 5.49, which is slightly above the minimum recommended level of 5. In 2022, 39 Commonwealth agencies participated in the NCSR assessment.

1.5. Conclusions & Recommendations

1.5.1. Centralized Security Awareness Training Platform

User awareness and training is a key defensive measure to help prevent malware-related incidents. CSRM expanded its Security Awareness and Training service to provide a centralized solution available to all Commonwealth agencies, not just the executive branch agencies under VITA purview. This will provide a cost-effective, consistent means to measure the progress of participating entities. The platform selected, KnowBe4, was purchased in December 2022 for a 2023 rollout.

1.5.2. Theft or Loss of Electronic Devices

Lost or stolen physical devices accounted for the majority of the cybersecurity incidents in 2022. The prolific use of mobile phones, laptops, and tablets increases the likelihood of device loss and, with it, the possible loss or unauthorized disclosure of Commonwealth information.

1.5.3. Cybersecurity Attacks & Investigations

VITA detected over 55 million attempted attacks – approximately 1.75 attacks per second. CSRM supported more than 1,000 security investigations on behalf of the Commonwealth in 2022. CSRM recommends agencies identify and implement security controls to reduce the probability and impact of an exploit until security remediation patches are available and installed.

1.5.4. IT Compliance Grades

Overall IT Audit and IT Risk compliance grades declined for a second year. CSRM recommends setting interim deadlines for key deliverables throughout the year to help monitor progress.

1.5.5. Nationwide Agency Self-Evaluation

Commonwealth agencies participating in the 2022 NCSR self-assessment tend to assess their compliance with national standards at or above the minimum target score of 5.