Volume 22, Number 5
From the desk of the Chief Information Officer
CIO Robert Osmond
I’m grateful and excited to take on the role of chief information officer of the Commonwealth. As many of you know, I’m not new to state government here in Virginia, having most recently led information technology, process improvement and strategic innovation at the Virginia Department of Transportation (VDOT). However, in this new opportunity, I know that I will have a lot of new information to absorb. I look forward to listening and learning from each one of you as we continue to serve our customers’ technology needs together.
As we start down this road together, I’m happy to share that we have reached a major milestone in our data center move. We have completed all agency migrations and are in the final stages of exiting the Commonwealth Enterprise Solutions Center (CESC). Today, May 2, we are disconnecting CESC from our network. This will enable us to complete the removal of the remaining infrastructure, meeting our deadline to turn over the space by the end of June. We would like to take this opportunity to thank our agency partners for their support and engagement throughout this program. Over the course of the last 578 days, together we successfully executed more than 50 agency move events and moved upwards of 4,500 servers and applications. This could not have been done without the assistance and teamwork of agency staff and our suppliers.
Another major development is the commencement of the messaging project. As of May 1, NTT DATA has officially taken over messaging services from Resultant (formerly Tempus Nova). VITA will be the first agency to switch from Google to Microsoft 365. We’re happy to work through this process, smoothing out any bumps in the road before any of our agencies migrate. We’ll keep you updated as we move forward.
And finally, this is Virginia Public Service Week, where we celebrate our state workforce and the great work you do each and every day. Without you, our mission at VITA could not be carried out, and we appreciate your continued partnership, collaboration and commitment to serving the people of the Commonwealth.
Thank you for all that you do,
Virginia student named national winner in 2022 MS-ISAC Kids Safe Online poster contest
A third grader from Manassas, Leila, has been named a national winner in the 2022 Multi-State Information Sharing and Analysis Center’s (MS-ISAC) Kids Safe Online poster contest. She’s one of only 13 students selected for the honor.
The goal of the annual contest is to engage young people in creating posters to encourage their peers to use the internet safely and securely. The competition also offers an opportunity for teachers to address and reinforce cybersecurity and online safety issues.
Additionally, Virginia had 35 finalists at the state level from kindergarten through grade 12. You can see all the winning posters on our website
. Congrats to Leila and all of Virginia's finalists!
Xerox administrative password and configuration updates
As of May 1, the user-level administrative password will be updated biannually on all service catalog order Xerox devices. This password update is in support of Xerox's compliance with applicable laws, policies, and standards, including federal and Commonwealth security policies and standards. The user-level administrative password allows users to update certain components of the standard printer configurations. See the list of components
For security purposes, the user-level administrative password will only be provided to your agency’s information security officer (ISO). If the password needs to be shared with anyone other than the agency ISO, a change of custody form must be completed.
Messaging platform migration: RFS form now available - submit by May 6
As a reminder, the following services will be migrated to Microsoft 365:
- Most Google drive applications
- Groups (distribution lists)
- Mobile device management (MDM)
ACS to ISE migration rescheduled for May 7
On May 7, VITA will be migrating all agency remote access to a new system. This new system is for secure wireless and virtual private network (VPN) authentication, and administrative network device access to log into VITA switches and routers. This change is occurring to replace the old authentication system (ACS) which is at end of life and direct all agencies to the new system (ISE).
During the migration from the current ACS authentication appliance to the new ISE appliance, agencies will not be able to sign into VPN or utilize secure wireless from 11:59 p.m. to 6 a.m. Users signed into VPN or secure wireless, prior to the start of the migration, will not lose connectivity.
Internet Explorer will be disabled for Commonwealth of Virginia on May 17
VITA is disabling the Internet Explorer (IE) version 11 browser for the Commonwealth of Virginia on May 17. This is one month earlier than Microsoft’s end-of-life date for IE, which is June 15. For any Commonwealth of Virginia (COV) agency that has used exclusive IE 11 features for their web-enabled applications or websites, this means that those applications and websites may no longer work as designed.
For any agency that applied for and received an exception, VITA will direct Unisys to insert URLs for the impacted websites or applications into a group policy that will enable Microsoft Edge Chromium to access the website using the IE 11 compatibility mode. This workaround will be in place for 12 months.
Dropbox access will be blocked on the Commonwealth of Virginia network: now on May 30
Dropbox does not meet Commonwealth of Virginia (COV) security standards and is not an approved cloud storage or content management platform for Commonwealth data. VITA will be blocking access to Dropbox from the Commonwealth of Virginia (COV) network on May 30. At that time, the Dropbox platform will not be reachable by COV workstations.
If an agency has the need for Dropbox functionality, VITA has enterprise cloud service oversight (ECOS)-approved platforms that are compliant with the IT security and privacy requirements of the COV available in the VITA service catalog.
- Box content management system - a cloud-based, user-centric platform that enables users to easily share, manage and secure their content using any device. Box is integrated with many enterprise applications, including Microsoft Office, Gmail and others. This allows users to securely store and edit content with other users in common applications. Box enterprise offers unlimited storage. Learn more about the Box service offering.
- Workplace collaboration services (name change to VITA enterprise services in the near future) - Provides development for the Office 365 platform (SharePoint, Teams and OneDrive), as well as other available software as a service (SaaS) applications in the service catalog. Agencies can also learn how to develop and maintain these solutions in house. Learn more about the WCS offering.
New enterprise architecture requirements regarding event log management have been posted on VITA's online review and comment application
New enterprise architecture (EA) requirements regarding event log management
have been posted on VITA’s online review and comment application (ORCA). The review period ends on May 27
Overview of event log management
Event log management is an approach to dealing with large volumes of computer-generated log messages (audit records, audit trails, event-logs, etc.) which are generated by nearly every computing device. Event log management supports security, system and network operations, and regulatory compliance.
These new COV requirements posted on ORCA define the set of event logs of interest, categorize the event logs by type and criticality, and define a model of excellence for the capture and utilization of event logs in support of COV security.
Additionally, they identify new actions around log collections and analysis that will need to be completed by agencies and suppliers with respect to the following:
- Adherence to the federal event log maturity model
- Documentation of event logs consumed and log schema
- Standardization of event log collection
- Forwarding logs to the COV security information and event management (SIEM)
- Implementation of security orchestration automation and response (SOAR) workflows and user behavior analytics
Updated project manager selection and training standard published on the VITA website
Overview of document
The project manager selection and training standard, CPM 111-05, was first published in 2003 and was last updated in January 2018. The purpose of the standard is to:
- Describe the required skills, training and experience Commonwealth project and program managers need to have in order to be considered qualified to manage Commonwealth IT projects.
- Provide a method for identifying project and program managers qualified to manage Commonwealth IT projects and IT programs.
- Identify the steps a project or program sponsor must take in selecting a qualified project or program manager to manage a Commonwealth IT project or program.
Notable changes to the standard include:
- Changed all agency-level PM requirements to preferred. There are no more agency level requirements.
- Rewritten, simplified and consolidated the PM qualifications and requirements
- A new, simplified and easier to read qualification matrix
- Updated reference documents, i.e., project management body of knowledge (PMBOK) sixth edition, etc.
- Moved Community College Workforce Alliance (CCWA) PM qualification testing instructions from the document to the project management division (PMD) website
- Section 5, PM selection: Clarified and emphasized that this entire section is advisory, not required. Of note, the VITA PMD consultant is no longer required to be on the PM interview panel.
Information security tips
This month’s information security tips focus on cyber cleaning for spring.
For two years, you’ve accumulated digital clutter and technical debt at a rate previously considered impossible, at least pre-pandemic. Now that spring has sprung, it’s a great time to polish up that password, and sweep out any applications that you don’t need. Find out what else you can do to reduce your risk and beef up cybersecurity.