House Bill 5638, recently signed by Gov. Patrick Morrisey, gives additional authority to the state’s chief information security officer. It also establishes more formal oversight of state agency cybersecurity practices, including required participation in annual reviews assessing readiness, data protection and risk management.
The state cybersecurity office, which is within the West Virginia Office of Technology (WVOT), is tasked with setting standards for cybersecurity and with managing the state cybersecurity framework. The legislation builds on a 2019 law that created the state’s cybersecurity office and established baseline requirements for risk assessments and reporting.
HB 5638 also formalizes coordination between the chief information security officer and the chief information officer, while shifting the state’s approach from compliance to enforcement. Agencies are required to undergo annual cybersecurity program reviews that assess readiness, data protection and modernization efforts. The state is empowered to recover costs from agencies that don’t participate.
The law takes effect in June with a Nov. 30 compliance deadline. WVOT is preparing agencies for the changes by implementing new reporting processes and expanding compliance outreach, an official confirmed via email. The office has initiated cybersecurity assessments under the existing framework, and it expects data from the assessments to collectively improve the state's cyber defenses.
Nationwide, state cybersecurity officials have recently been looking at ways to unify cybersecurity efforts across agencies and even local government bodies. Ohio last year enacted requirements for cities and counties to adopt formal cybersecurity programs, with the state auditor as reviewer, while a recent National Association of State CIOs (NASCIO) report said that one-fifth of states are moving forward with whole-of-state cyber approaches.
This all comes at a crucial time, as rapidly evolving technologies like AI make the cybersecurity landscape trickier, with the recent NASCIO report finding decreasing confidence levels among state cyber leadership nationwide.
