
Executive Order 22-20 Summary

Executive Order 22-20 requires Minnesota’s executive branch to work with non-executive branch entities and critical infrastructure providers to improve information security programs across the State of Minnesota.


Implementation for All Executive Branch Agencies

| Timeline | Who owns the action? | Partner(s) | Action and description |
|---|---|---|---|
| 9/29/2022 | MNIT | Executive Branch Agencies | Patch exploited vulnerabilities and document exceptions: State entities must work with Minnesota IT Services (MNIT) to patch all critical vulnerabilities identified by the Cybersecurity and Infrastructure Security Agency (CISA) as known exploited vulnerabilities. They must also document any exceptions where patching cannot be performed, including a plan to reduce security risk. |

Implementation for Regulating State Agencies

| Timeline | Who owns the action? | Partner(s) | Action and description |
|---|---|---|---|
| 10/14/2022 | Regulating State Agencies | Critical Infrastructure Providers, Minnesota Fusion Center | Register contacts with Minnesota Fusion Center: Regulating state agencies must assist critical infrastructure providers under their purview to register as a partner with the Minnesota Fusion Center, a section of the Bureau of Criminal Apprehension (BCA) at the Minnesota Department of Public Safety (DPS). |
| 11/28/2022 | Regulating State Agencies | Critical Infrastructure Providers, DPS, MNIT | Provide cyber-attack guidance: Regulating state agencies must provide guidance to critical infrastructure providers about what to do when a cyber-attack occurs. MNIT and DPS will work with regulatory agencies to develop the guidance. |
| 12/28/2022 | Regulating State Agencies | Critical Infrastructure Providers, Industry Cyber Advisors, MNIT | Distribute cybersecurity self-assessment criteria: Regulating state agencies, in accordance with their authority, must develop criteria for a cybersecurity self-assessment. These criteria should be developed in partnership with MNIT and other relevant industry cyber advisors. They will communicate these criteria to the critical infrastructure providers over which they have purview. |
| 4/4/2023 | Regulating State Agencies | Critical Infrastructure Providers | Certify completed self-assessments: Regulating state agencies must require or encourage, depending on their regulatory power, critical infrastructure providers to certify the completion of cybersecurity self-assessments and entities’ compliance with core cybersecurity best practices. |
| 4/4/2023 | Regulating State Agencies | Critical Infrastructure Providers, MNIT | Understand additional support needs for Critical Infrastructure Providers: Regulating state agencies must work with MNIT to identify critical infrastructure providers that need additional assistance completing the cybersecurity self-assessment. |

Implementation for MNIT and DPS

| Timeline | Who owns the action? | Partner(s) | Action and description |
|---|---|---|---|
| 10/31/2022 | MNIT | DPS, Regulating State Agencies | Update MEOP: MNIT will work with DPS to review and update the Minnesota Emergency Operations Plan (MEOP) to ensure the state is prepared to coordinate statewide resources to respond to a cyber-attack that impacts critical infrastructure. |
| 12/28/2022 | MNIT | DPS, Minnesota Fusion Center, Regulating State Agencies | Participate in a tabletop exercise: MNIT will also work with DPS and state regulatory entities of critical infrastructure sectors to conduct a cyber tabletop exercise using an updated Minnesota Emergency Operations Plan. |
| 12/28/2022 | MNIT | Industry Cyber Advisors | Create a vulnerability disclosure program: MNIT must develop and implement a vulnerability disclosure program that will allow MNIT to accept, document, validate, and remediate vulnerabilities in government computer systems reported by Industry Cyber Advisors. |

Entities Outlined by Executive Order 22-20

This order will increase Minnesota’s understanding of our current cybersecurity posture, identify needs, and enhance our capabilities to safeguard our interconnected critical infrastructure.

Executive Branch Agencies

Executive Order 22-20 impacts the following state entities: the Departments of Administration, Agriculture, Commerce, Corrections, Education, Employment and Economic Development, Health, Human Rights, Human Services, Labor and Industry, Management and Budget, Natural Resources, Public Safety, Revenue, Transportation, and Veterans Affairs; the Housing Finance and Pollution Control Agencies; the Office of Commissioner of Iron Range Resources and Rehabilitation; the Department of Information Technology Services (aka Minnesota IT Services); the Bureau of Mediation Services. This also applies to the Office of Higher Education and the Department of Military Affairs.

Non-Executive Branch Agencies

This includes state entities not already defined as state agencies or departments in Executive Order 22-20 (see above) and other Constitutional Offices.

Regulating State Agencies

This includes state entities with regulatory oversight over critical infrastructure providers. They must use their existing authority to the extent necessary or permissible to perform these actions.
