RD626 - 2024 Commonwealth of Virginia Information Security Report
Executive Summary:

The Commonwealth’s Information Security Program continued to play a vital role in protecting state IT systems by aligning cybersecurity strategies with national standards and fostering cross-agency collaboration. Commonwealth Security and Risk Management (CSRM), under the direction of the Chief Information Security Officer and the Chief Information Officer (CIO), oversees this comprehensive program. It is designed to monitor compliance, implement security policies, and enhance training initiatives.

In 2024, the Commonwealth participated once again in the National Cyber Security Review (NCSR), a self-assessment aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Sponsored by the Multi-State Information Sharing & Analysis Center (MS-ISAC), the NCSR enables agencies to evaluate their cybersecurity posture across five core functions: identify, protect, detect, respond, and recover. Commonwealth agencies reported strong performance, exceeding the national average. The overall score rose from 5.47 in 2023 to 5.65 in 2024 on a seven-point scale. Agencies continued to show strength in the identify, protect, and detect functions, while opportunities remained in the respond and recover areas. Virginia maintained its standing above peer states, with agencies in sectors such as IT and financial services leading in performance.

Risk management remained a top priority. The IT Risk Management Committee guided the prioritization of risk mitigation efforts, and in 2024, both IT audit and risk compliance findings declined by 2%. CSRM encourages agencies to remain vigilant by continuously monitoring risk activities and implementing appropriate controls to address security gaps.

The Commonwealth’s shared services model continued to deliver key security resources for agencies, including centralized IT security auditing, information security officer (ISO) support, and web application vulnerability scanning. In 2024, over 1,600 public-facing websites were scanned monthly to identify vulnerabilities and reduce exposure to threats.

CSRM also promoted knowledge sharing and professional development through its leadership of the Commonwealth Security Information Council, the Information Security Officers Advisory Group, and monthly IT Risk Management Committee meetings. These forums not only foster collaboration but also provide opportunities for security professionals to earn continuing professional education credits and support the continued advancement of cybersecurity capabilities across the Commonwealth.

In conclusion, the Commonwealth’s Information Security Program achieved measurable progress in 2024. While areas such as detect and respond still require focused attention, improvements in training, risk oversight, and collaborative engagement continued to elevate the Commonwealth’s cybersecurity posture. Ongoing participation in the NCSR and other assessment tools will ensure that agencies have the insights needed to benchmark progress, address gaps, and strengthen resilience in the years ahead.