January 2022
Volume 22, Number 1
From the CIO
CIO Nelson Moe
Another new year is upon us. I’m so proud of all that we have accomplished as a team this year, and I want to look back briefly at 2021 as we start 2022.
One of my key takeaways from my perspective was that we witnessed an increase in appreciation and awareness for technology and cybersecurity overall, even as a kitchen table topic. Society is recognizing technology as an enabler, specifically around advancing remote work.
As for VITA, we’ve realigned governance and project portfolio selection to achieve speed and scale of outcomes, there’s also been more support at the national and state level for technology advancements, as well as higher visibility. Information technology and cyberspace are woven more tightly into the fabric of our lives now.
We see this evidenced at the Commonwealth as agencies continuously work to improve digital services for our Virginia customers. These agencies offered new options including digital signatures and remote applications for items, such as digital access to services at the Department of Motor Vehicles and telemedicine in the health arena.
These takeaways will shape our work in the year to come, as we consider the aspects of digital access and remote work in security and end-user experience moving forward. We will adjust our investment portfolio accordingly and utilize the new advancements we’ve introduced to the enterprise, including robotic process automation (RPA) and artificial intelligence (AI) to assist with achieving our outcomes.
As for cybersecurity, we have seen the increases in volume and sophistication of the threats faced every day in the virtual world. We continue to stand ready to help our partners with any questions, concerns or responses to incidents.
The bottom line is that as time moves forward, new expectations for technology capabilities will emerge both for new services and the protection of our infrastructure and data assets. At VITA, we stand ready to meet those expectations and keep up, if one not one step ahead, of the accelerated pace of development and protections needed.
We know that working with you, our collaborators and partners, bigger and brighter things are ahead in 2022.
Nelson
Microsoft audio conferencing available now
Microsoft has allocated licenses for the Commonwealth of Virginia (COV) to utilize the Teams audio conferencing tool at no additional charge to workplace collaboration services (WCS) customers. The Microsoft Teams audio conference feature was enabled on Dec. 16, 2021; WCS customers should have received an email from Microsoft audio conferencing (maccount@microsoft.com). The email contains the conference phone number and an audio conferencing PIN.
Note: The PIN is unique to each user and needs to remain confidential.
Visit the Microsoft Teams FAQs to learn more about how to utilize the audio conferencing features and how to schedule Teams meetings.
For technical support, please contact the VITA customer care center (VCCC) at 1-866-637-8482 or submit a ticket here.
Internet Explorer (IE) being disabled May 2022
Microsoft recently changed the end-of-life date for the Internet Explorer (IE) version 11 browser from Oct. 13, 2025, to June 15, 2022. Please note, however, that IE will be disabled for the Commonwealth of Virginia on May 15, 2022. This unexpected change will impact any agency that has exclusively used IE 11 features for their web-enabled applications or websites. In that case, those applications and websites may no longer work as designed.
Microsoft Edge Chromium has a compatibility mode for IE 11 that can be turned on by group policy for specific website addresses that require IE 11 to work as designed.
The group policy will be set by May 15 and will be in place for 12 months. If the agency website/application is not remediated by Feb. 15, 2023, the agency will need to apply for an extension to the exception. It is the Commonwealth’s desire to disable the compatibility mode by May 15, 2023, if possible.
Entries are due by Jan. 12 for the annual kids safe security poster contest
Entries are due by Jan. 12 for the annual kids safe online poster contest. The goal of the program is to engage young people in creating posters to encourage other young people to use the internet safely and securely.
All public, private or home-schooled students in kindergarten through 12th grade are eligible to participate. Email submissions to CommonwealthSecurity@VITA.
The top five Virginia winners from each grade group (K-5, 6-8, 9-12) will be entered into the national competition. Entries received may be used in national, regional and state cyber and computer security awareness campaigns. The official rules and topic suggestions are included with the entry form. Please include the following entry form completely filled out (all fields are required) when submitting the poster.
Agency interviews for messaging services to begin soon
VITA’s new messaging service provider, NTT DATA, has been working to develop the messaging service packages for deployment and is targeting this month to begin scheduling one-hour sessions to review solution options and capture any resource or timing constraints for agencies.
To assist with minimizing the amount of information to cover within these sessions, the team has been cultivating a document with FAQs which can be referenced in advance.
Refresh for managed print services has resumed
Refresh efforts for managed print services (MPS) have resumed for all devices that qualify and will remain in service on the Xerox MPS contract. The refresh efforts were suspended temporarily as agencies focused on pandemic-related priorities and MPS contract cost reduction solutions.
Xerox has been partnering with agencies to refresh their fleet of aged single-function printers and multifunction devices through the integrated VITA MPS contract. Aged devices present a risk to agencies as they become unserviceable, no longer meet security standards and cannot be remediated. Through this process, aged devices are removed and refreshed. Xerox will be working with agencies on the refresh of their qualifying devices. This effort modernizes the print/copy fleet, introduces additional features and functionality, and improves the security of the Commonwealth’s data.
Commonwealth of Virginia emails potentially restricted or blacklisted
VITA has become aware of instances where Commonwealth of Virginia email has been impacted by blacklisting actions. Blacklisting is the practice of identifying internet protocol (IP) addresses associated with spam content and then blocking content from those addresses. The point of an email blacklist is to prevent unwanted spam content, sent by untrustworthy sources, from cluttering inboxes.
We are reminding agencies that critical business processes with citizens or organizations outside of the COV network should not solely rely on email. VITA and its suppliers do not have any control over what other companies choose to blacklist.
If you have any questions, you may send them to businessreadiness@vita.
Information Technology Planning standard on ORCA
A new information technology resource management (ITRM) document, Information Technology Planning Standard, is posted to VITA’s online review comment application, ORCA, for comment. The review period, open for 30 days to obtain agency-level feedback, expires on Jan. 17.
The objectives of this new standard are to:
- Document what agencies must do to complete the executive branch agency information technology strategic plan (ITSP)
- Identify and clarify roles and responsibilities in the ITSP process
- Clarify the relationship between ITSP and information technology investment management (ITIM)
- Clarify the distinction between strategic and operational planning
- Standardize the IT planning methodology
- Define and communicate ITSP planning and approval cycles
Updates to IT Risk Management Standard (SEC520)
Revisions have been made to the Information Technology Resource Management (ITRM) document Information Technology Risk Management Standard SEC520-03. The updated standard has been posted to the VITA website.
Risk management activities in the SEC520-03 standard include regulatory requirements that an agency is subject to, information security best practices and defined requirements. These activities will provide identification of sensitive system risks, their associated business impact and a strategy that will help mitigate risks. The risk management framework aligns with the methods set forth by the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Changes to this version of the standard include:
- Language in 2.0, Quantitative Risk, was changed from 'Center for Internet Security' to '18 CIS Controls.' NIST formalized the name change and this keeps the nomenclature in sync.
- 4.4: The entire section of 4.4 IT System and Data Sensitivity was updated to match SEC501 section 4 IT System and Data Sensitivity Classification (of the same name)
- 4.4.2: Added a requirement for the data sets template to be attached to the system security plan
- 4.7.2: Updated the requirements for vulnerability scanning
- Appendix A: Updated the framework core to match the new NIST 18 CIS controls
Information Security Tips
Beware of uninvited guests (on your network)
This month’s edition of Information Security Tips looks at those new electronic devices you may have received as a gift over the holiday season. You’ll likely be adding them soon to your home network. However, before you do that there are some steps you should take to secure that network first, and keep hackers and bad actors at bay.