The Minnesota Fusion Center is the mechanism through which government, law enforcement, public safety, and private sector partners share information about threats to public safety, homeland security, and critical infrastructure and key resources (CIKR) within Minnesota. The U.S. Department of Homeland Security (DHS) supports fusion centers in every state to coordinate information-sharing functions between federal, state, local, and tribal law enforcement, other public safety agencies, and the private sector. MNFC’s mission is to collect, evaluate, analyze, and disseminate information about organized criminal, terrorist, or other hazards faced by government, law enforcement, and critical infrastructure in Minnesota while complying with state and federal law to ensure the rights and privacy of all.
The Cybersecurity and Infrastructure Security Agency (CISA) defines 16 sectors as critical infrastructure. These sectors’ assets, systems, and networks, whether physical or virtual, are considered so important to the United States that if they were destroyed or inaccessible there would be a devastating effect on security, national economic security, national public health or safety, or any combination thereof. Guidance for each of these sectors is available through CISA.
The Minnesota Fusion Center uses the term “critical infrastructure and key resources” (CIKR) to define these critical infrastructure sectors:
Minnesota IT Services provides information technology solutions for Minnesota’s state agencies in the executive branch. MNIT sets IT strategy, direction, policies, and standards for enterprise IT leadership and planning, and builds, maintains, and secures the state’s IT infrastructure, applications, projects, and services. As the central IT organization for the State of Minnesota, MNIT secures and monitors cyber activities across the state. The MNIT Security Operations Center (SOC) has a seat in the Minnesota Fusion Center to provide cybersecurity analysis and cyber threat intelligence sharing statewide.
Executive Order 22-20 requires that the appropriate points of contact for Minnesota’s critical infrastructure providers register with the MNFC. This ensures that critical infrastructure providers can receive active threat intelligence briefings, stay informed of the evolving threat landscape, and protect their services to ensure continuity of critical services for Minnesotans.
Each state agency with regulatory oversight of critical infrastructure providers must decide who is best positioned to receive MNFC communications and help make sure that person is registered. There is no limit to how many critical infrastructure provider personnel may register; however, individuals responsible for security operations and cybersecurity are strongly encouraged to sign up.
Contacts can register online with the Minnesota Fusion Center through the MNFC website.
Critical infrastructure providers should join under “Partners Membership,” complete the biographic information, and then select the CIKR sector(s) relevant to their organization. IT and cybersecurity personnel should select “Information Technology” and may also select a sector.
Registration questions can be directed to the MNFC at firstname.lastname@example.org.
Executive Order 22-20 encourages critical infrastructure providers to report cyber-attacks to the MNFC. This reporting is critical to understanding the Minnesota threat landscape and effectively allocating resources for our interconnected infrastructure.
Email email@example.com to report cyber-attacks to the Minnesota Fusion Center. Report critical events that occur after hours (outside of 7 a.m. to 7 p.m., Monday through Friday) to the State Duty Officer at firstname.lastname@example.org or 651-649-5451.
Critical infrastructure providers are encouraged to lower the threshold for reporting cyber-attacks and err on the side of reporting if in doubt. The MNFC will not disclose information without the prior authorization of the reporting party.
The Minnesota Fusion Center, partnering with the U.S. Department of Homeland Security and Minnesota IT Services, is available to provide additional resources and guidance as needed.
All questions regarding the guidance for registering with the Minnesota Fusion Center and reporting cyber-attacks should be directed to the Minnesota Fusion Center at email@example.com or 651-793-3730.
E.O. 22-20 states that critical infrastructure providers shall immediately begin implementing cybersecurity best practices as recommended by the Cybersecurity and Infrastructure Security Agency, such as multifactor authentication, vulnerability management, robust endpoint defenses, security awareness training for all staff, vendor risk management, and disaster recovery.
State agencies with regulatory oversight over critical infrastructure must also require critical infrastructure providers to certify compliance with core cybersecurity capability best practices at least annually by April 4, 2023.
Additional guidance is available through the National Council of Information Sharing and Analysis Centers (ISACs). Select “MEMBER ISACS” on the top banner to find your sector. ISACs are member-driven organizations, delivering all-hazards threat and mitigation information to owners and operators. ISACs collect, analyze, and disseminate actionable threat information to their members and provide members with tools to mitigate risks and enhance resiliency.
CISA also compiles free cybersecurity services and tools for IT and cybersecurity staff.
State agencies with regulatory oversight over critical infrastructure providers, in cooperation with MNIT, must develop criteria for cybersecurity self-assessments that consistently measure cybersecurity best practices at infrastructure operators.
First, state agencies with regulatory oversight over critical infrastructure must examine their regulatory authority to determine whether they can require critical infrastructure providers to certify that those providers have completed the self-assessment. Industry best practices and frameworks will be the foundation of self-assessments. By April 4, 2023, agencies will determine if they can require providers to certify that a self-assessment has been conducted, and develop a process for certification to occur. If certification cannot be required, agencies will encourage, but not require, self-assessments.
Self-assessments are a critical tool for cybersecurity practitioners. They support incorporating best practices when evaluating an organization’s cybersecurity defense and enable organizations to capture trends in information security programs and maturity across Minnesota’s critical sectors. Self-assessment results help organizations prioritize resources toward the greatest opportunities to mitigate risk.
State agencies with regulatory oversight over critical infrastructure providers must develop criteria for cybersecurity self-assessments no later than December 28, 2022.
If a regulating state agency determines that it has the authority to require or encourage annual self-assessments and compliance with cybersecurity best practices, these are to be completed by April 4, 2023.
By April 4, 2023, state agencies with regulatory oversight over critical infrastructure must also, in cooperation with MNIT, identify additional assessment capabilities that critical infrastructure providers might need to complete the standardized cybersecurity assessments. MNIT has been in communication with impacted state agencies and will provide support in developing cybersecurity self-assessment capabilities. These self-assessments may make use of other available resources from CISA, the Center for Information Security, and other providers.
CISA offers a Cyber Resilience Review (CRR) at no cost. This is a voluntary, non-technical assessment to evaluate an organization’s operational resilience and cybersecurity practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by DHS cybersecurity professionals.
Minnesota state agencies that want help developing self-assessment criteria are encouraged to work with the security line of business manager assigned to their agency. Additional assistance can be requested through MNIT's Governance, Risk, and Compliance team at firstname.lastname@example.org.
State entities not covered by Executive Order 22-20 are strongly encouraged to review their existing cybersecurity capabilities, implement patch management standards per this order, conduct cybersecurity self-assessments, and provide updated contact information to the Minnesota Fusion Center, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and sector-specific Information Sharing and Analysis Centers (ISACs) as appropriate, to stay informed on the evolving threat landscape and ensure timely response activities to protect Minnesotans.
Minnesota IT Services will engage entities not covered by this order and identify opportunities to collaborate on cyber protection and procurement. By February 27, 2023, MNIT will develop guidance for such entities as defined by Executive Order 22-20.
According to Executive Order 22-20, by October 31, 2022, the Department of Public Safety and MNIT must review and update the Minnesota Emergency Operations Plan (MEOP) to ensure that the state is prepared to coordinate statewide resources in response to a cyber-attack that impacts critical Minnesota services.
By December 28, 2022, MNIT and the Department of Public Safety plan to exercise the MEOP through a cybersecurity-specific tabletop exercise that includes critical infrastructure providers and state agencies involved in the oversight or management of state critical infrastructure.
MNIT is taking the following steps to promote cybersecurity best practices across government systems: