In 2024, the Minnesota Legislature amended Minnesota Statutes 16E.36 to require Minnesota IT Services (MNIT) and the Bureau of Criminal Apprehension (BCA) to establish a cyber incident reporting system that accepts the submission of timely, secure, and confidential cybersecurity reports from public agencies, government contractors, and private entities. This law aims to enhance cyber defenses by collecting information about cybersecurity incidents and sharing information with appropriate organizations.
A cybersecurity incident is an action taken using an information system or network that results in an actual or potentially adverse effect on an information system, network, or the information it contains. Types of cybersecurity incidents that must be reported are defined below.
The law requires MNIT and BCA to anonymize and share cyber threat indicators and relevant defensive measures to help prevent attacks. MNIT and BCA are using this lens to shape the reporting requirements.
Beginning Dec. 1, 2024, public entities named in the law are required to start reporting cybersecurity incidents.
Our goal is to collect relevant information that can help us understand how security controls are bypassed and assist other organizations in defending their IT resources. Fill out the form to the best of your ability with the information you have. Further information will be gathered during the triage process.
Our ability to process your incident will be based upon the accuracy and completeness of the information provided. The reporting form includes:
Not-public data is government data that is classified as confidential, private, nonpublic, or protected nonpublic by state statute, federal law, or temporary classification. Find the definition of the different types of data in the Office of the Revisor of Statutes 13.025 2023 Minnesota Statutes.
A mobile device or handheld computer is a computer small enough to hold and operate in hand. Mobile devices are typically battery-powered and possess a flat-panel display and one or more built-in input devices, such as a touchscreen or keypad. Modern mobile devices often emphasize wireless networking, to both the internet and to other devices in their vicinity, such as headsets or in-car entertainment systems, via Wi-Fi, Bluetooth, cellular networks, or near-field communication.
The information you provide on the cybersecurity incident report form is private under state law. We cannot give this information to others without your consent, except that certain other government entities may access this information if allowed by law. The information provided may result in specific threat advisories or general cybersecurity guidance that can help Minnesota governments defend against cybersecurity threats.
Cybersecurity threats are increasingly damaging to government operations and an evolving public safety risk. By sharing information, we can help provide a better understanding of the nature of and impacts from cybersecurity events to keep services available to Minnesotans and protect their data.
The information may result in specific anonymized threat advisories or general cybersecurity guidance that can help Minnesota governments defend against cybersecurity threats. Reporting cybersecurity incidents helps MNIT and BCA:
