In recent years, states have been increasingly moving to formalize their cybersecurity strategies through law. They often create dedicated cyber forces to tackle digital threats. One example is Texas House Building 150, which, if established, establishes a Texas Cyber Command to oversee and oversee the state’s response to a cyber incident.
Several other states, including Colorado, Oregon, and West Virginia, have established various forms of cybersecurity monitoring groups to enhance jurisdictions’ ability to prevent, detect and respond to cyber threats.
Currently, Massachusetts has introduced its own legislative legislation to codify the state’s current cyber efforts. State Senate Bill 49 creates a comprehensive legal framework to enhance cybersecurity infrastructure by incorporating various security and artificial intelligence measures directly into Massachusetts law.
One provision in S49 includes the mandate of all civil servants in all three branches of local and state governments, and includes completing annual cybersecurity training. Because Technology Services and Security (EOTSS) is managed by the Administration (EOTSS), the training is modelled on existing state ethics training, giving you the option to use state-provided versions or approved equivalents.
Mark Zugrovikki, general counsel for Sen. Michael Moore, who organized the bill’s broader intentions and sponsored by one of the bill’s sponsors, said the proposal was a direct response to the growing threat posed by cyberattacks and evolving technologies.
“In general, this law is intended to enhance federal cybersecurity and AI preparation,” Zglobicki said. “The advent of repeated cyber violations and the advent of AI have prompted the specific inclusion of both cybersecurity and AI training requirements and control committees.” S49 is now in the hands of the Senate Committee on methods and means of review.
The proposed action was already making progress and aimed at solidifying and expanding cybersecurity efforts by turning the once-temporary executive order into permanent law. For example, Executive Order (EO) No. 602 was the first to establish the Massachusetts Cyber Incident Response Team under former government, Charlie Baker.
“By its nature as an executive order, it only applies to entities under the direct control of the governor,” Zglobicki said. “We codified that EO and expanded it to cover other entities, such as independent entities.”
If S49 passes, the law establishes a new Cybersecurity Management Board tasked with developing statewide cybersecurity codes and issuing emergency orders for government systems and devices, including limiting vulnerable hardware or software during cybersecurity violations. The board includes executive leaders and subject matter experts in key industries such as state agencies, judicial, local government, academia, finance, healthcare and utilities.
As the committee’s permanent subcommittee, the Cyber Incident Response Team is formally codified into the law, conducting semi-annual tabletop exercises, maintaining the state’s incident response plan, and is responsible for coordinating with the agency in a cyber emergency.
To promote statewide coordination, the law requires critical infrastructure operators such as water companies, electrical grids, and election systems to report cyber incidents to the Massachusetts Fusion Center, the state’s hub for analyzing public safety threats. The report should include detailed forensics, timelines, communications, and malware samples, as well as other relevant data.
S49 also proposes creating a Massachusetts Innovation Fund. This is a revolving loan that supports project upgrades across state agencies, with repayment scheduled for a seven-year term. Surveillance of the fund is provided by a management committee consisting of agent managers, lawmakers and technical experts.
The Act will also address the increased influence of AI in government and society by forming a committee on automated decision making. The group evaluates the impact of AI technology, recommends regulations, and develops policies regarding automated systems used by corporate, state, county and local government offices.
