Executive Order 22-20 Summary
Executive Order 22-20 requires Minnesota’s executive branch to work with non-executive branch entities and critical infrastructure providers to improve information security programs across the State of Minnesota.
Implementation for All Executive Branch Agencies
| Timeline | Who owns the action? | Partner(s) | Action and description |
| --- | --- | --- | --- |
| 9/29/2022 | MNIT | Executive Branch Agencies | Patch exploited vulnerabilities and document exceptions: State entities must work with Minnesota IT Services (MNIT) to patch all critical vulnerabilities identified by the Cybersecurity and Infrastructure Security Agency (CISA) as known exploited vulnerabilities. They must also document any exceptions where patching cannot be performed, including a plan to reduce security risk. |
Implementation for Regulating State Agencies
| Timeline | Who owns the action? | Partner(s) | Action and description |
| --- | --- | --- | --- |
| 10/14/2022 | Regulating State Agencies | Critical Infrastructure Providers | Register contacts with Minnesota Fusion Center: Regulating state agencies must assist critical infrastructure providers under their purview to register as a partner with the Minnesota Fusion Center, a section of the Bureau of Criminal Apprehension (BCA) at the Minnesota Department of Public Safety (DPS). |
| 11/28/2022 | Regulating State Agencies | Critical Infrastructure Providers | Provide cyber-attack guidance: Regulating state agencies must provide guidance to critical infrastructure providers about what to do when a cyber-attack occurs. MNIT and DPS will work with regulatory agencies to develop the guidance. |
| 12/28/2022 | Regulating State Agencies | Critical Infrastructure Providers | Distribute cybersecurity self-assessment criteria: Regulating state agencies, in accordance with their authority, must develop criteria for a cybersecurity self-assessment. These criteria should be developed in partnership with MNIT and other relevant industry cyber advisors. They will communicate these criteria to the critical infrastructure providers over which they have purview. |
| 4/4/2023 | Regulating State Agencies | Critical Infrastructure Providers | Certify completed self-assessments: Regulating state agencies must require or encourage, depending on their regulatory power, critical infrastructure providers to certify the completion of cybersecurity self-assessments and entities’ compliance with core cybersecurity best practices. |
| 4/4/2023 | Regulating State Agencies | Critical Infrastructure Providers | Understand additional support needs for Critical Infrastructure Providers: Regulating state agencies must work with MNIT to identify critical infrastructure providers that need additional assistance completing the cybersecurity self-assessment. |
Implementation for MNIT and DPS
| Timeline | Who owns the action? | Partner(s) | Action and description |
| --- | --- | --- | --- |
| 10/31/2022 | MNIT | DPS | Update MEOP: MNIT will work with DPS to review and update the Minnesota Emergency Operations Plan (MEOP) to ensure the state is prepared to coordinate statewide resources to respond to a cyber-attack that impacts critical infrastructure. |
| 12/28/2022 | MNIT | DPS | Participate in a tabletop exercise: MNIT will also work with DPS and state regulatory entities of critical infrastructure sectors to conduct a cyber tabletop exercise using an updated Minnesota Emergency Operations Plan. |
| 12/28/2022 | MNIT | Industry Cyber Advisors | Create a vulnerability disclosure program: MNIT must develop and implement a vulnerability disclosure program that will allow MNIT to accept, document, validate, and remediate vulnerabilities in government computer systems reported by Industry Cyber Advisors. |
Entities Outlined by Executive Order 22-20
This order will increase Minnesota’s understanding of our current cybersecurity posture, identify needs, and enhance our capabilities to safeguard our interconnected critical infrastructure.
Executive Branch Agencies
Executive Order 22-20 impacts the following state entities: the Departments of Administration, Agriculture, Commerce, Corrections, Education, Employment and Economic Development, Health, Human Rights, Human Services, Labor and Industry, Management and Budget, Natural Resources, Public Safety, Revenue, Transportation, and Veterans Affairs; the Housing Finance and Pollution Control Agencies; the Office of Commissioner of Iron Range Resources and Rehabilitation; the Department of Information Technology Services (aka Minnesota IT Services); and the Bureau of Mediation Services. This also applies to the Office of Higher Education and the Department of Military Affairs.
Non-Executive Branch Agencies
This includes state entities not already defined as state agencies or departments in Executive Order 22-20 (see above) and other Constitutional Offices.
Regulating State Agencies
This includes state entities with regulatory oversight over critical infrastructure providers. They must use their existing authority to the extent necessary or permissible to perform these actions.