Gov. Charlie Baker made the announcement on Thursday, June 1, with the release of a proposal under Article 87 of the state constitution, to “improve data security, safeguard privacy and promote better service delivery.”
Article 87 authorizes reorganization of executive branch agencies, albeit following statehouse hearings within 30 days, the state said in a news release. If neither legislative chamber disapproves, the proposed act would become law 60 days after its introduction.
In the news release, the administration characterized Baker's act as “re-establishing the Massachusetts Office of Information Technology (MassIT) as the Executive Office of Technology Services and Security (EOTSS)," which would be led by a secretary of technology.
The goal is to centralize IT infrastructure service across the executive department under EOTSS, and review and update policies and procedures governing state cybersecurity, digital platforms and data management.
Massachusetts “lags behind” other states and private companies in securing IT assets and its technology infrastructure, the state said in a list of frequently asked questions pertaining to the governor’s proposal, obtained by Government Technology.
Its technology infrastructure is housed in “disparate,” nonstandard locations, the state added, and because “statutes and policies support this nonstandard, decentralized approach … we need legislation that simplifies IT management.”
In the FAQs, state officials further noted the state tried several times to centralize and consolidate IT via executive orders in 2009 and 2011, and with legislation in 2014.
“Despite these targeted activities, only a small portion of the centralization goal was achieved, leaving the commonwealth even more vulnerable than before,” officials wrote, adding they expect this new endeavor will “improve security and services delivery for all.”
Baker’s proposal would create or expand the responsibilities of four C-level executives: the chief information security officer, the chief privacy officer, the chief data officer and the chief digital officer. The state has previously created CISO and CDO positions.
It also would also improve security through the adoption of best practices, leverage industry expertise to reduce the state’s “overall risk profile and deploy mitigation measures,” and commission EOTSS to “review, streamline and generally modernize” IT policies and procedures, the state said.
Exactly how EOTSS would be organized, and where positions like that of MassIT Executive Director Mark Nunnelly would fit in relation to the new secretary of technology remain unclear. Those details likely won’t be forthcoming until after the proposed legislation becomes law.
The act's fiscal impact is also uncertain. In a response to an FAQ titled "Isn't this just a cost-savings exercise?" the state said additional investments are being made "to ensure we are fully secure and modernized," but also indicated changes in tech offer chances to innovate "at lower prices, giving us the potential to achieve savings as well."
In a statement, the governor characterized the legislation as “elevating the mission of MassIT and streamlining the digital platforms and services state government provides.”
Lt. Governor Karyn Polito said in a statement the proposal will “help simplify IT management,” and let agencies focus on improving service delivery.
“Creating the Executive Office of Technology Services and Security will support the commonwealth’s continued focus on providing constituents and state workers with modern, secure and stable technologies,” Polito said.
Also in the statement, Nunnelly said EOTSS will forge an enterprise approach to the state’s “technology architecture and procurement,” thereby making it “more secure and efficient.”
Nunnelly was unavailable for an interview with Government Technology by press time, according to a member of the governor’s communications team, who also declined to comment on the record.
