CISO Compass: New law establishes OCS as the state’s lead organization in combatting cyber threats

Release Date: 05/18/2021

Dear Washingtonians,

I want to update you on new legislation, recently signed into law by Gov. Jay Inslee, that takes an important step in creating a unified approach to cybersecurity in state government.

Senate Bill 5432 establishes the state Office of Cybersecurity (OCS) as the state’s lead organization in combatting cyber threats and creates a clear mandate for the development of centralized services and functions across state government.

The bill creates several new ongoing requirements for the OCS, including:

  • Annual report: A confidential, annual report must be submitted to the governor and appropriate legislative committees that identifies and describes cybersecurity risks identified through audits. You have heard me talk before about the need to elevate the importance of cybersecurity. This provision does exactly that. It’s a great thing that the governor’s office and the Legislature are so engaged.
  • Quarterly reviews: The legislation requires quarterly reviews of any unmitigated risks identified by OCS with the governor’s office and appropriate legislative committees. Just like when you’re driving a car and making constant small adjustments to stay on course, the quarterly reviews will help ensure the state’s security posture stays on track.
  • Catalog of services: The new law also requires OCS to list all services available for deployment at the enterprise level. I believe this provision is critical so that state agencies can have a common understanding of services needed at an enterprise level and make sure we are not duplicating efforts.

In addition to those requirements, the legislation requires OCS to develop policy related to the management of security incidents and to define a “major cybersecurity incident” within policy. And the legislation requires state agencies to inform OCS of any business needs to improve security on an annual basis.

OCS is also required to partner with WaTech’s state Office of Privacy and Data Protection and the state attorney general’s office to research and examine best practices for data governance, data sharing and data protection, including model terms for data-sharing contracts and adherence to privacy policies. A report of findings and specific recommendations is due to the governor and appropriate legislative committees by Dec. 1, 2021.

Finally, OCS is required to hire a vendor to do an assessment of cybersecurity audits of state agencies completed since July 1, 2015. The assessment must evaluate the efficacy of the audits performed and the state’s ability to take action based on the audits.

As you can see, there’s a lot of work ahead for OCS, but I am excited by the approach and what it can mean for improving Washington state’s overall security posture.

I welcome your thoughts and ideas and look forward to our continuing partnership to serve this great state. Thank you for all that you are doing.

 

Vinod Brahmapuram

State Chief Information Security Officer