From Provost Cyril Clarke and EVP/COO Amy Sebring: Timeline for Elevating Minimum Security Controls

Virginia Tech continues its commitment to protecting the data of its students, alumni, faculty, and staff, as well as the confidentiality, integrity, and availability of information and IT services important to the university's mission. Thanks to the hard work of many across the university, especially IT professionals in distributed units and the Division of IT, we successfully met our timeline for completing Phase I of the project to elevate safeguards to the Center for Internet Security Critical Security Controls version 8 Implementation Group 2 (CIS IG2) standard. Phase I included completion of an enterprise IT asset inventory (completed March 3) and the completion of a risk assessment survey (completed May 5). We greatly appreciate the work and expertise needed to complete these initial steps.

Completion of Phase I enabled us to provide a satisfactory update to the Board of Visitors at its meeting last week. Two more project phases are now needed to move the university to complete this important project in the IT Transformation program. Based on the IT risk assessments completed in early May, Phase II will develop plans of action and establish milestones, on a unit-by-unit basis, for achieving compliance with the CIS IG2 controls across the university.

The deadlines for completing Phase II are indicated below. Because we are prioritizing the protection of our high-risk systems, any unit that operates one or more such systems as categorized in the lsora GRC classification needs to meet an earlier deadline.

Updated Deadlines for Phase II, Plan of Action and Milestones:

• Deadline for units with one or more high-risk systems: February 29, 2024
• Deadline for units with only low-risk and moderate-risk systems: May 31, 2024

The planning process should be aligned with the annual budget planning process for Fiscal Year 2025. It will be helpful to have estimates for any new resource needs by late January 2024.

The Project Steering Committee and the IT Security Office are currently working to formalize the process for documenting Plans of Action and Milestones in Phase II. The IT Security Office will provide instructions and guidance for units to develop outcomes for Phase II no later than August 1, 2023. This notification is provided in advance to allow you and your team time to plan for the work ahead. IT leadership will communicate the process to the broader IT community once plans are finalized.

Please convey our thanks to all those in your organizations who completed the work for Phase I and for their continuing support as we implement Phase II and, later, Phase Ill to achieve full CIS IG2 compliance. These controls will greatly reduce the risk of losing data and services to a cyberattack and will also position us to be better prepared to comply with current and future regulations and obligations to protect sensitive data.

For questions on this work, please email the university's IT Security Office.