Governor Charlie Baker signed an executive order to establish the Massachusetts Cyber Incident Response Team (MA-CIRT). Led by the Secretary of the Executive Office of Technology Services and Security (EOTSS), MA-CIRT is established with the mission of enhancing the Commonwealth’s ability to prepare for, respond to, mitigate against, and recover from significant cybersecurity threats. The Governor signed the executive order as Massachusetts and other jurisdictions confront an overall increase in cybersecurity threats to websites and networks.
“State governments and other organizations across the country are increasingly being targeted by bad actors aiming to disrupt operations and compromise information systems,” said Governor Charlie Baker. “This executive order will further strengthen the Commonwealth’s policies, procedures, and resources required to prevent potential threats and appropriately respond to attacks on government infrastructure and services. As state governments expand their digital footprints, moving more services online and allowing for a more connected workforce, it’s critical that we make the necessary investments to protect this critical technology infrastructure from acts of terrorism and criminal, organized crime, and gang activity.”
“Cybersecurity attacks threaten Commonwealth technology networks and the continuity of essential government services we provide to the constituents we serve,” said Lt. Governor Karyn Polito. “With the establishment of MA-CIRT, the Baker-Polito Administration continues to invest and prioritize the delivery of effective and reliable government services to the people of the Commonwealth.”
“With my background in public safety, I know the importance that leadership buy-in plays in swift, organized, and effective response to an external threat,” said Secretary of Technology Services and Security Curt Wood. “The Baker-Polito Administration is once again leading from the front on government cybersecurity and I thank Governor Baker, Lt. Governor Polito, and my fellow leaders in cybersecurity and public safety for their partnership on the issuance of this critical executive order that will serve the Commonwealth for years to come.”
Under the direction of the EOTSS Secretary, the formation of MA-CIRT convenes cybersecurity and public safety experts from across state government as required members, including leadership representatives from:
• The Executive Office of Technology Services and Security
• The Commonwealth Security Operations Center
• The Executive Office of Public Safety and Security
• The Commonwealth Fusion Center
• The Massachusetts State Police Cyber Crime Unit
• The Massachusetts National Guard
• The Massachusetts Emergency Management Agency
The Executive Order reinforces Massachusetts as a leader in cybersecurity enhancement efforts through a variety of strategies. To protect against attacks and increase the Commonwealth’s cybersecurity resiliency, the Order underscores the need to prepare for significant cybersecurity threats or incidents and to marshal a coordinated response, mitigation, and recovery effort. Additionally, the Order:
• Requires MA-CIRT to review cybersecurity threat information and vulnerabilities to make informed recommendations and establish appropriate policies to manage the risk of cyber incidents for executive department agencies and all other state agencies served by EOTSS.
• Requires MA-CIRT to develop and maintain an up-to-date Cyber Incident Response Plan, which will guide the actions of the Commonwealth’s key public safety and information security and technology teams, state agency resources, and security professionals in responding to and minimizing the impact of significant cybersecurity threats to Commonwealth systems. The Plan is required to be submitted annually to the Governor for review and approval.
• Empowers the EOTSS Secretary to serve as MA-CIRT lead, with the approval of the Governor, to direct MA-CIRT in response to a significant cyber incident.
• Requires the routine exchange of information related to cybersecurity threats and reported incidents between the Commonwealth Fusion Center and the Commonwealth Security Operations Center.
• Requires EOTSS and MA-CIRT to consult with the Massachusetts Cyber Center and assist the Center with efforts to foster cybersecurity resiliency through communications, collaboration, and outreach to state agencies, municipalities, educational institutions, and industry partners.
• Requires executive department agencies to comply with protocols and procedures established by MA-CIRT and all related policies, standards, and Administrative Directives issued by EOTSS.
• Requires Commonwealth executive department agencies and other state agencies served by EOTSS to identify and report significant cybersecurity incidents and coordinate efforts to mitigate and prevent further damage from cyber incidents.
• Requires all executive department personnel to annually complete the EOTSS-approved security awareness training program administered by the Human Resources Division.
• Strongly encourages other governmental entities throughout the Commonwealth not served by EOTSS to report cybersecurity threats or incidents to the Commonwealth Security Operations Center.
In 2021, Congress recognized the increased cyber threat posed to state and local governments by establishing a $1 billion State and Local Cybersecurity Grant Program as a part of the Infrastructure Investment and Jobs Act. The four-year grant program requires 80% of funds go toward assisting municipalities in enhancing their cybersecurity posture. This new federal program complements the various support for municipal cybersecurity efforts offered by the Baker-Polito Administration, including the Municipal Cybersecurity Awareness Grant Program, the Free Cybersecurity Health Check Program, and the Community Compact IT Grant Program, which was established by Governor Baker’s Executive Order 554 in 2015.
EOTSS was established in 2017 as the Commonwealth’s lead technology and cybersecurity agency via Article 87 government restructuring legislation filed by Governor Baker and approved by the Legislature. Its mission is to lead initiatives to modernize the Commonwealth’s IT infrastructure assets, continually strengthen government cybersecurity operations and standards via the consolidation of infrastructure and cybersecurity operations for the Commonwealth into a centrally managed state agency, and leverage innovative technology solutions to offer user-friendly digital services to its constituents.