RD656 - 2023 Commonwealth of Virginia Information Security Report
Executive Summary

The Commonwealth's Information Security Program plays a vital role in safeguarding state IT systems by aligning cybersecurity strategies with national standards and fostering collaboration across agencies. The Commonwealth Security and Risk Management (CSRM) division, under the direction of the Chief Information Security Officer and the Chief Information Officer (CIO), oversees this comprehensive program, which is designed to monitor compliance, implement security policies, and enhance training initiatives.

In 2023, the Commonwealth participated in the National Cyber Security Review (NCSR), a self-assessment aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Sponsored by the Multi-State Information Sharing & Analysis Center (MS-ISAC), the NCSR enables agencies to evaluate their cybersecurity posture across five core functions: identify, protect, detect, respond, and recover. Commonwealth agencies performed above the national average, reporting a slight decrease in the overall average score from 5.49 in 2022 to 5.47 in 2023 (on a 7-point scale). The Commonwealth's scores continue to trend higher in the identify and protect functions, while the detect, respond, and recover functions remain areas for improvement. Despite these challenges, the Commonwealth ranks higher than peer states, with agencies in sectors such as IT and financial services performing particularly well.

The Commonwealth also saw significant progress in other areas in 2023. CSRM expanded its security awareness training platform, integrating simulated phishing campaigns and threat detection exercises to strengthen user knowledge across all agencies. Additionally, oversight of VITA's third-party vendors offering Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) solutions ensures security compliance and risk mitigation, particularly in response to the increased demand for cloud services.

Risk management remains a central focus, with the IT Risk Management Committee driving the prioritization of mitigation efforts for significant risks. In 2023, IT risk compliance improved by 27% while audit compliance grades rose by 8%. Although progress has been made, audit findings remain open for an average of 948 days and risk findings for 1,313 days. CSRM recommends that agencies continue to monitor their audit and risk management activities closely and implement mitigating controls to address security gaps.

The Commonwealth's shared services model continues to provide key resources for agencies, offering centralized IT security auditing, ISO support, and web application vulnerability scanning. In 2023, over 6,000 public-facing websites were scanned quarterly to identify potential weaknesses and prevent exploitation. Through the Commonwealth Security Information Council (CISC), the Information Security Officers Advisory Group (ISOAG), and monthly IT Risk Management Committee meetings, CSRM facilitates collaboration and knowledge-sharing across agencies. These forums also allow security professionals to earn continuing professional education credits, further enhancing the Commonwealth's overall cybersecurity maturity.

In conclusion, the Commonwealth's Information Security Program achieved significant progress in 2023. Despite challenges in the detect and respond functions, improvements in training, risk management, and third-party oversight have strengthened the Commonwealth's cybersecurity posture. Ongoing participation in the NCSR and other assessment tools will continue to provide valuable insights for agencies to benchmark progress and prioritize areas for improvement in the years ahead.