Several other states — including Colorado, Oregon and West Virginia — have established various forms of cybersecurity oversight groups to strengthen their ability to prevent, detect and respond to cyber threats within their jurisdictions.
Now, Massachusetts has introduced its own legislative act to codify the state’s current cyber efforts. State Senate Bill 49 would create a comprehensive legal framework to bolster its cybersecurity infrastructure by embedding a variety of security and artificial intelligence measures directly into Massachusetts law.
One provision of S49 includes a mandate for all public employees, across local and all three branches of state government, to complete annual cybersecurity training. Administered by the Executive Office of Technology Services and Security (EOTSS) in collaboration with the state Office of the Comptroller, the training is modeled after existing state ethics training, with agencies given the option to use the state-provided version or an approved equivalent.
Framing the bill’s broader intent, Mark Zglobicki, general counsel to state Sen. Michael Moore, one of the bill’s sponsors, said the proposal is a direct response to the growing threats posed by cyber attacks and evolving technologies.
“In general, the legislation is intended to shore up the commonwealth’s cybersecurity and AI preparedness,” Zglobicki said. “Repeated cyber breaches and the advent of AI prompted the specific inclusion of the training requirements and the control boards for both cybersecurity and AI.” S49 is now in the hands of the Senate Committee on Ways and Means for review.
Building on progress already made, the proposed act aims to solidify and expand cybersecurity efforts by turning what were once temporary executive orders into lasting law. For example, Executive Order (EO) No. 602 originally established the Massachusetts Cyber Incident Response Team under former Gov. Charlie Baker.
“By its nature as an executive order, it only applies to entities under the direct control of the governor,” Zglobicki said. “We moved to codify that EO and expand it to cover other entities like independent entities.”
If S49 passes, the act would establish a new cybersecurity control board tasked with developing a statewide cybersecurity code and issuing emergency directives for government systems and devices — such as restricting vulnerable hardware or software during cybersecurity breaches. The board would include executive leaders and subject matter experts from state agencies, the judiciary, municipalities, academia and key industries like finance, health care and utilities.
As a permanent subcommittee of this board, the Cyber Incident Response Team would be formally codified into law and responsible for conducting biannual tabletop exercises, maintaining the state’s incident response plan and coordinating with agencies during cyber emergencies.
To push statewide coordination, the legislation would require critical infrastructure operators — like water utilities, electric grids and election systems — to report cyber incidents to the Massachusetts Fusion Center, the state’s hub for analyzing public safety threats. The reports would have to include detailed forensics, timelines, communications, and malware samples, in addition to any other relevant data.
S49 also proposes creating a Massachusetts Innovation Fund, a revolving loan fund that would support IT upgrade projects across state agencies, with repayment scheduled over a seven-year term. Oversight of the fund would be provided by a governing board composed of agency heads, legislators and technology experts.
The act would also address AI’s increasing influence in government and society by forming a Commission on Automated Decision-Making. This group would assess the impact of AI technologies, recommend regulations and develop policies on automated systems used by businesses as well as state, county and local government offices.