Responsible Contact Person(s): Naveen Abraham, Chief Core Infrastructure Services
Corrective Action Planned: Ensuring that infrastructure suppliers fulfill all contractual requirements with respect to Commonwealth security policies and standards necessitates a programmatic, continuous improvement ap...
Responsible Contact Person(s): Naveen Abraham, Chief Core Infrastructure Services
Corrective Action Planned: Ensuring that infrastructure suppliers fulfill all contractual requirements with respect to Commonwealth security policies and standards necessitates a programmatic, continuous improvement approach. VITA has made improved cybersecurity a primary goal and major initiatives have completed and are underway. VITA has established a scoring mechanism, based on the Common Vulnerability Scoring System (CVSS), that delineates the necessary response based on the criticality of the vulnerability (critical, high, and medium). For vulnerabilities with a CVSS score of (critical and high), service level agreement (SLA) 1.1.3 is now in place to measure supplier performance and adjust supplier compensation accordingly through SLA credits and RCDs. For vulnerabilities below the critical and high score, in Q4 of 2023, suppliers started providing data in a quarterly report to the MSI and VITA. The new SLAs combined with the reports of vulnerabilities below the critical and high score are used to ensure suppliers’ contractual compliance. VITA’s data shows that patches for software on the enterprise software list are being applied on an ongoing basis. VITA will work with agencies and suppliers if there are any new technical difficulties or questions about patching. New tools are now available to agencies so that they can monitor and verify the remediation of the vulnerabilities for which infrastructure suppliers are responsible. Dashboards have also been provided to the suppliers so that they can review a shared and common vulnerability list. VITA and the suppliers monitor and review enterprise level logs and security events on behalf of customer agencies through the system dashboard and a 24x7 Security Operations Center. The dashboard is available for access by agencies as of Q4 2023. VITA will continue to monitor and improve the security of infrastructure services through ongoing governance, including the requirements of architecture documentation, system security plans, and audit reports. VITA’s infrastructure services group will work with the VITA security group to confirm that the current state achieves security standards compliance.
Estimated Completion Date: 6/30/2024