West Virginia is fundamentally restructuring how it protects its digital infrastructure, moving away from a fragmented, agency-by-agency approach toward a centralized command structure. Fresh legislation has granted the state’s chief information security officer (CISO) expanded authority to lead and standardize the West Virginia statewide cybersecurity program, ensuring that security protocols are uniform across all government entities.
The measure, signed into law recently, empowers the state’s Cybersecurity Office—housed within the Office of Technology and led by Leroy Amos—to establish and enforce statewide policies. This shift is designed to replace the previous “ad hoc” system, where individual agencies often developed their own security measures, creating a patchwork of protections that left the state vulnerable to inconsistent compliance and security gaps.
For those of us who have transitioned from the engineering side of tech to reporting on it, this move represents a classic governance correction. In software, you don’t build a system where every module follows its own security logic; you create a global standard. West Virginia is now applying that same architectural principle to its entire state government.
Closing the Gap Between Law and Implementation
The catalyst for this legislative change was not a cyberattack, but a legislative audit. The audit revealed a critical discrepancy: while West Virginia had statutes on the books requiring a statewide cybersecurity framework, the state had failed to actually implement that framework to the specifications required by law.
This “compliance gap” is a common struggle in government IT. Often, a legislature passes a broad mandate to “be secure,” but without a designated leader holding statutory authority, the mandate becomes a suggestion rather than a requirement. By granting the CISO explicit authority, the state is moving from a passive posture of “having a policy” to an active posture of “enforcing a standard.”
The Department of Administration requested the bill specifically to address these findings, signaling that the state’s executive branch recognized that technical tools are useless without the administrative authority to deploy them consistently.
From Fragmented Defense to Centralized Governance
Under the new law, the Cybersecurity Office is tasked with developing a framework based on industry best practices—likely leaning on established standards such as the NIST Cybersecurity Framework. This centralized approach changes the operational reality for every state agency in West Virginia.
Previously, an agency might have implemented multi-factor authentication (MFA) or endpoint detection and response (EDR) tools on their own timeline and to their own specifications. Under the new mandate, the CISO can drive uniform compliance, ensuring that a high-risk agency and a low-risk agency both meet a baseline of security that protects the state’s overall attack surface.
| Feature | Previous Ad Hoc Approach | New Centralized Model |
|---|---|---|
| Authority | Distributed across agencies | Centralized under the CISO |
| Compliance | Variable/Agency-specific | Uniform statewide standards |
| Framework | Statutory but unimplemented | Active, mandated framework |
| Oversight | Fragmented reporting | Centralized monitoring and audit |
Why This Matters for Public Sector Security
The empowerment of a state CISO is a significant trend across the U.S. as state governments become primary targets for ransomware and state-sponsored actors. When security is fragmented, attackers only need to find the weakest link—the one agency with the most outdated policy—to gain a foothold in the state’s broader network.
By clarifying the CISO’s authority in statute, West Virginia is removing the political and bureaucratic friction that often slows down security rollouts. When the CISO has the legal mandate to set standards, “pushback” from agency heads regarding the inconvenience of new security controls becomes a matter of legal compliance rather than a departmental negotiation.
This move also streamlines the audit process. Instead of auditors having to evaluate dozens of different agency setups, they can now measure the entire state against a single, documented framework. This makes it significantly easier to identify remaining vulnerabilities and justify budget requests for necessary upgrades.
Key Stakeholders and Impact
- State Agencies: Must now align their internal IT operations with the standards set by the Cybersecurity Office.
- The Office of Technology: Gains a clearer mandate to oversee the technical execution of security policies.
- West Virginia Citizens: Benefit from more secure handling of state data and more resilient public services.
- Legislative Auditors: Now have a clear benchmark to measure state compliance against in future reviews.
Note: This article discusses legislative and policy changes regarding government cybersecurity. It is provided for informational purposes and does not constitute legal advice.
The next phase of this rollout will involve the development and publication of the specific cybersecurity policies and standards by the Cybersecurity Office. These documents will serve as the blueprint for all state agencies and will likely be the primary focus of the next round of legislative oversight and audits to ensure the “compliance gap” has been closed.
We want to hear from you. Do you think centralized authority is the only way to secure state governments, or does it create a single point of failure? Share your thoughts in the comments below.
