How North Dakota, West Virginia Will Streamline Cybersecurity

Cybersecurity concerns are always top of mind for state CISOs. Over the past few weeks, two state governments have taken steps to put their cybersecurity and IT leaders a little more at ease. 

In North Dakota, Gov. Doug Burgum on March 30 signed into law a measure that makes the Roughrider State the first state to “authorize a central, shared service approach to cybersecurity strategy across all aspects of state government.” That includes state, local, legislative, judicial, K–12 education and higher education.

Meanwhile, in West Virginia, Gov. Jim Justice signed the Secure WV Act into law in late March. The law creates a new Cybersecurity Office within the Mountain State’s Office of Technology “that will be responsible for conducting a risk assessment across most state agencies,” as Government Technology reports. The law also authorizes the state CISO to create a cybersecurity framework, “to assist and provide guidance to agencies in cyber risk strategy and setting forth other duties” and generally to standardize cybersecurity in the state. That includes ensuring the uniformity and adequacy of the cyber risk assessments. 

Taken together, the separate approaches represent efforts by states to streamline their IT governance and cybersecurity operations and make IT security more consistent across state agencies.

North Dakota Takes Unified Approach to Cybersecurity

North Dakota’s cybersecurity efforts had been in the works for months, and Senate Bill 2110 aims to make security operations more efficient in a state where officials estimate there are roughly 5 million cyberattack attempts each month on average.

“This important investment in 21st-century critical infrastructure recognizes the increasingly digital world in which we live and the growing nature of cybersecurity threats,” Burgum said in a statement. “A unified approach to cybersecurity strengthens our ability to protect the state network’s 252,000 daily users and more than 400 entities from cyberattacks.” 

The IT department is also required to advise and consult with the state’s legislative and judicial branches regarding cybersecurity strategy.

“The collaborative effort on this legislation clearly reflects a whole-of-government approach by North Dakota’s leaders, enabling the state to effectively address millions of monthly attacks and identify potential gaps in cybersecurity,” state CIO Shawn Riley said in a statement.

MORE FROM STATETECH: Find out how state CIOs and CISOs can make “bold plays for change” on cybersecurity.

West Virginia Opens New Cyber Office

Under the Secure WV Act, the CISO, who will be appointed by the state CTO, will be responsible for developing policies, procedures and standards necessary to establish an enterprise cybersecurity program “that recognizes the interdependent relationship and complexity of technology in government operations and the nature of shared risk of cyber threats to the state.” 

The CISO will also create a cyber risk management service aimed at ensuring that state officials at all levels understand their responsibilities for managing their agencies’ cyber risk, according to the legislation.

Further, the CISO will “designate a cyber risk standard for the cybersecurity framework,” and “establish the cyber risk assessment requirements such as assessment type, scope, frequency and reporting.”

Agencies will receive cyber risk guidance for IT projects, including recommendations of security controls and remediation plans.

The CISO will help agencies with creating cyber incident response plans and help them manage frameworks for information custody, classification, accountability and protection.

West Virginia CTO Joshua Spence said in a statement that the legislation will serve as “a foundational step forward in cybersecurity protection of state information systems and data,” according to Government Technology

“By leveraging a risk management approach, the state can ensure cybersecurity resources are applied to that which matters most,” he said.

Spence said the state aims to create a “core cybersecurity standard" that will allow officials to make an “apples-to-apples comparison of cyber-risk assessments across all agencies within the Executive Branch.” 

As West Virginia delves into emerging technologies like blockchain voting, it wants to make sure those are as secure as possible. “As the state seeks to optimize government services by leveraging technology, it is important the state understand the associated cyber risk to ensure that the appropriate levels of protection are applied,” Spence added.