State agencies and other entities subject to the provisions of this article shall:
(1) Undergo an appropriate cyber risk assessment as required by the cybersecurity framework or as directed by the Chief Information Security Officer;
(2) Adhere to the cybersecurity standard established by the Chief Information Security Officer in the use of information technology infrastructure;
(3) Adhere to enterprise cybersecurity policies and standards;
(4) Manage cybersecurity policies and procedures where more restricted security controls are deemed appropriate;
(5) Submit all cybersecurity policy and standard exception requests to the Chief Information Security Officer for approval;
(6) Complete and submit a cyber risk self-assessment report to the Chief Information Security Officer by December 31, 2020; and
(7) Manage a plan of action and milestones based on the findings of the cyber risk assessment and business needs.
Structure West Virginia Code
Chapter 5A. Department of Administration
Article 6B. Cyber Security Program
§5A-6B-1. West Virginia Cybersecurity Office; Scope; Exemptions
§5A-6B-3. Powers and Duties of Chief Information Security Officer; Staff; Rule-Making
§5A-6B-4. Responsibilities of Agencies for Cybersecurity