- Pennsylvania Information Security Regulation, Complete Guide (2025)
- Executive Foundations of Pennsylvania’s Information Security Framework
- Interpreting Pennsylvania’s Information Security ITPs
- Governance & Risk Management
- Foundational Components of the IT Risk Management Policy
- Vendor and Third-Party Risk Management
- Control Assurance and SOC Reporting
- Review Protocol
- Risk Acceptance and Acknowledgement
- Agency-Level Compliance and Accountability
- Key Responsibilities of the ISO in Executive Agencies
- Who ISOs Report To and How Oversight Works in Agencies
- Enterprise Standards for Securing Commonwealth IT Resources
- Data Protection & Access Control
- Technical & Operational Safeguards
- Response, Continuity & Oversight
- Delivery Centers and Shared-Service Implementation
- Compliance and Corrective Measures
- The Future of Pennsylvania’s Information Security Regulation
- Compliance Software for Pennsylvania’s Information Security Policy
- Isora GRC for Pennsylvania’s Information Security Policy
- Pennsylvania Information Security Policy FAQs
- Who must comply with Pennsylvania Executive Order 2016-06?
- Which entities are actually bound by OA/OIT ITPs?
- How can agencies align with NIST and Commonwealth policies at the same time?
- How does OA/OIT verify compliance during agency reviews?
- What happens when an agency falls out of compliance with Pennsylvania Executive Order 2016-06?
- How can agencies manage vendor and third-party risk more efficiently?
Pennsylvania Information Security Regulation, Complete Guide (2025)
In 2016, Pennsylvania Governor Tom Wolf, recognizing the need for unified oversight across state technology operations, issued Executive Order 2016-06, Enterprise Information Technology Governance. The order formally established the Governor’s Office of Administration (OA) as the Commonwealth’s central information security authority and delegated execution to the Office for Information Technology (OA/OIT), led by the Commonwealth Chief Information Officer (CIO).
Essentially, that means Pennsylvania’s information security governance under Executive Order 2016-06 operates through three core entities, each with a distinct role in defining, executing and enforcing enterprise IT strategy:
- The Office for Information Technology under the Governor’s Office of Administration (OA/OIT) serves as the central authority, responsible for setting statewide IT and cybersecurity strategy, developing enterprise policies and coordinating technology investments across all executive agencies under the Governor’s jurisdiction.
- Executive Agencies and Delivery Centers implement OA/OIT’s directives through their Information Security Officers (ISOs), Enterprise Delivery Centers (EDCs) and internal governance processes. These entities manage day-to-day compliance, adapt enterprise policies to agency environments and maintain operational security.
- OA/OIT Oversight and Coordination ensures accountability by monitoring agency performance, reviewing compliance with Information Technology Policies (ITPs) and providing ongoing guidance on risk management, procurement and technical standards.
How Pennsylvania’s Information Security Framework Differs from Other States
What stands out about Executive Order 2016-06 is that, unlike statutory frameworks such as California’s SIMM 5300, Ohio’s ORC 9.64 or Texas TAC 202, Pennsylvania’s approach is executive-driven rather than legislatively mandated.
In practice, this means the Commonwealth’s information security governance is maintained through a Governor-issued Executive Order, not through legislation enacted by the General Assembly. There is no legislatively created cybersecurity commission, no codified statewide control program and no statutory enforcement mechanism.
While it lacks the permanence of statute, the executive-driven framework provides a distinct degree of flexibility. It enables the Commonwealth to maintain a unified IT and cybersecurity approach and respond to evolving threats without the delays inherent in a legislative process.
But even with these strengths, Pennsylvania’s executive-driven framework can be difficult for agencies to interpret and apply consistently. Its inherently fragmented structure and limited transparency of internal guidance continue to create uncertainty about who must comply and how.
This Pennsylvania Information Security Policy Guide helps state agencies, Commonwealth entities and affiliated organizations understand their information security obligations under Executive Order 2016-06, Enterprise Information Technology Governance. It provides a clear explanation of who is required to comply, what specific policies and standards apply and how compliance is administered within Pennsylvania’s cybersecurity framework.
Executive Foundations of Pennsylvania’s Information Security Framework
Executive Order 2016-06 defines a clear governance hierarchy, outlining the key roles and institutions responsible for setting policy, executing strategy and maintaining accountability.
Chain of Authority under Executive Order 2016-06
It also sets out how direction flows from the Governor to the agencies:
- Governor: The Governor establishes the enterprise governance mandate and delegates authority.
- Office of Administration (OA): The OA serves as the Commonwealth’s central technology and administrative authority.
- Office for Information Technology (OIT): Led by the Commonwealth Chief Information Officer (CIO), the OIT executes the Governor’s directive. The CIO must oversee the technology strategy, investment and cybersecurity operations across all executive agencies.
- Agency Information Security Officer (ISO) and backup ISO: The ISO manages the operational implementation of information security and IT risk management across the executive agency. ISOs report directly to the Agency Heads and coordinate with OA/OIT.
- Enterprise Delivery Centers (EDCs) and the Commonwealth CISO: EDCs, among other responsibilities, provide consultation to agencies on infrastructure, staffing and IT operations.
Roles and Responsibilities of the OA/OIT
OA/OIT serves as the nerve center of the Commonwealth’s IT governance ecosystem, integrating technology strategy, investment oversight and information security management.
As the Commonwealth’s central technology authority, the OA/OIT oversees the following activities:
- Develops and recommends enterprise-level IT priorities, strategies and long-term plans to the Secretary of Administration.
- Consolidates infrastructure and support services to reduce redundancy and optimize resource utilization.
- Directs IT investments, procurement policies and advisory functions to ensure statewide alignment with strategic and budgetary goals.
- Enforces compliance across executive agencies, maintaining consistent governance, security and operational standards throughout the Commonwealth.
In addition to these functions, OA/OIT advises the Secretary of Administration on major changes to staffing, structure and enterprise IT operations. It retains decision-making authority over key enterprise matters, including restructuring initiatives, delivery of shared services and monitoring of agency project performance.
Core Functions of the OA/OIT Under Executive Order 2016-06
Through Executive Order 2016-06, the Governor defines the authority of the Office for Information Technology (OA/OIT) across eight functional domains that together form the Commonwealth’s enterprise IT and cybersecurity governance structure.
- Governance and Strategic Planning: Sets the big-picture IT strategy for the entire Commonwealth, making sure every agency’s tech plans, budgets and goals align with statewide priorities.
- Portfolio and Project Management: Oversees all government IT projects to prevent duplication, standardize processes and ensure projects meet cost, quality and delivery targets.
- IT Procurement and Contract Management: Manages how IT goods and services are purchased, ensuring contracts, vendors and spending align with state policy and long-term strategy.
- Enterprise Architecture, Standards and Policy: Defines the technical blueprint for how systems should work together, creating uniform IT standards and reviewing projects for compliance.
- IT Security Management: Protects the Commonwealth’s information assets by managing risks, enforcing cybersecurity policy and ensuring agencies follow federal and state security rules.
- IT Shared Services: Consolidates common IT operations like infrastructure and support to save costs, improve performance and ensure consistent service across agencies.
- Telecommunications Governance: Oversees statewide communication networks to guarantee secure, reliable connectivity and avoid redundant telecom systems.
- IT Service Management: Standardizes how IT services are delivered, monitored and improved, ensuring consistent quality and accountability throughout the service lifecycle.
Together, these eight domains operationalize the Governor’s executive authority across all facets of Commonwealth IT governance.
To translate these governance functions into enforceable practice, the Office for Information Technology (OA/OIT) issues Information Technology Policies (ITPs) that define statewide standards, guide implementation and uphold a unified security posture across executive agencies.
What are Information Technology Policies (ITPs)?
Acting under the authority of Executive Order 2016-06, the Office for Information Technology (OA/OIT) develops and issues Information Technology Policies (ITPs).
Each ITP serves as an authoritative directive that establishes policy-level controls, procedural guidance and governance expectations for technology management across all executive agencies.
In essence, an ITP outlines what agencies must do to comply with Commonwealth standards, while allowing each agency to determine how to implement those requirements within its own environment.
Collectively, ITPs form the core of Pennsylvania’s enterprise IT governance framework, functioning as the Commonwealth’s equivalent of a centralized policy library.
They cover every major operational area of information technology, including:
- Information Security and Risk Management – cybersecurity controls, threat mitigation and risk-assessment standards.
- Incident Response and Continuity Planning – procedures for detecting, reporting and recovering from cyber incidents.
- Data Governance and Classification – requirements for handling, storing and securing Commonwealth data assets.
- Access Control and Identity Management – standards for authentication, authorization and identity lifecycle management.
- Procurement, Vendor and Cloud Oversight – requirements for contracts, third-party assessments and service agreements.
- Architecture, Systems Development and Operations – technical policies guiding infrastructure, software and network management.
The OA/OIT maintains more than 150 active ITPs, organized into domains such as General, Security, Network, Data and Policy.
Each document is available on the Commonwealth’s IT Policy repository called IT Central. Using this platform, agencies can access detailed technical standards, procedural checklists and operational templates associated with each policy.
Interpreting Pennsylvania’s Information Security ITPs
Many of these ITPs align both in structure and intent with recognized NIST standards, including the Cybersecurity Framework (CSF) and NIST SP 800-53.
From an information security standpoint, we’ve organized the most relevant ITPs into four categories. This helps security professionals confirm they are complying with the key policies that uphold security and compliance across IT operations, and it highlights where agencies should concentrate their efforts to strengthen governance and risk management.
- Governance & Risk Management – Defines how information security leadership, accountability and oversight are structured across agencies.
- Data Protection & Access Control – Addresses how Commonwealth data is identified, classified and safeguarded according to sensitivity.
- Technical & Operational Safeguards – Describes baseline technical standards for securing systems, networks and IT resources.
- Response, Continuity & Oversight – Covers policies guiding incident detection, response coordination and continuity of operations.
Governance & Risk Management
The Commonwealth’s risk management structure, established under Executive Order 2016-06 and the IT Risk Management Policy, forms the foundation for safeguarding information assets and ensuring continuity of operations across all executive agencies.
Every IT system, application and dataset falls under a unified process designed to identify vulnerabilities, assess their potential impact and implement appropriate controls in line with Commonwealth priorities.
Foundational Components of the IT Risk Management Policy
- Risk Identification: Agencies must identify potential IT risks, including cybersecurity threats, operational disruptions and technology failures, through continuous monitoring and periodic assessments.
- Risk Assessment: Evaluate identified risks based on likelihood and potential impact on the confidentiality, integrity and availability of information assets.
- Risk Mitigation & Treatment: Apply preventive, detective and corrective controls to address vulnerabilities in alignment with Commonwealth risk priorities.
- Compliance & Standards: Ensure alignment with industry-recognized frameworks such as the NIST Cybersecurity Framework and relevant state or federal standards.
- Monitoring & Reporting: Implement continuous monitoring and routine reporting to ensure leadership visibility into risk posture and emerging issues.
- Training & Awareness: Promote a culture of risk awareness through ongoing education and training initiatives.
Vendor and Third-Party Risk Management
Vendors form a critical part of the Commonwealth’s IT ecosystem. Therefore, all third-party engagements must undergo a structured IT Vendor Risk Assessment led by the GRC team before any procurement or onboarding.
A new or revised assessment is required:
- When adding new computing services or modifying existing ones.
- When pilot projects or proofs of concept are tested.
  - These must be approved under DGS Bureau of Procurement Policy Directive 2021-1 (New Technology Pilot Program).
This process ensures all vendor-related IT risks are identified, reviewed and mitigated before deployment or renewal.
Control Assurance and SOC Reporting
The IT Risk Management Policy mandates compliance with System and Organization Control (SOC) reporting standards issued by the American Institute of Certified Public Accountants (AICPA) to confirm that both internal and third-party control environments are effective.
SOC Report Overview
- SOC 1 – Focuses on controls affecting financial reporting.
  - Type I: Evaluates control design at a single point in time.
  - Type II: Evaluates operational effectiveness over a period.
- SOC 2 – Reviews controls tied to security, availability, integrity, confidentiality and privacy.
  - Type I: Point-in-time review of design.
  - Type II: Period review of effectiveness.
- SOC 3 – A simplified, public-facing summary used for general assurance and transparency.
Review Protocol
- Agencies and service organizations must obtain and review the latest SOC reports from their providers, following the SOC Report Review Procedure.
- These reviews act as formal assurance that vendors maintain adequate controls, comply with contractual terms and protect Commonwealth data from unauthorized access or misuse.
Risk Acceptance and Acknowledgement
According to the IT Risk Management Policy, every identified risk must be formally reviewed, documented and acknowledged.
When a potential risk is identified, agencies have to follow these steps:
Step 1 – Identify and Document the Risk
The GRC team must record the identified risk using one of two forms:
- IT Risk Acknowledgment Form (General IT Risks) – for risks within agency systems or operations.
- IT Risk Acknowledgment Form (IT Vendor Risks) – for risks associated with third-party vendors or service providers.
Each form captures details about the risk, its potential impact and any existing mitigation strategies.
Step 2 – Initiate Risk Review and Discussion
The GRC team then shares the identified risk with key stakeholders, including the CIO, CISO, Agency ISO and Business/Process Owner, for preliminary discussion and context.
This ensures that both executive and operational leaders are aware of the exposure and can evaluate its significance before formal acceptance.
Step 3 – Develop Recommendations and Obtain Approvals
Following a review, the GRC team must document recommendations for remediation or acceptance and then initiate the formal sign-off process.
- The Agency Deputy Secretary for Administration or Agency Secretary certifies full understanding and acceptance of the identified risk and assumes accountability if any issue arises.
- The Agency Business Area Contact (Bureau Director) must acknowledge comprehension of the outlined risks and agree to uphold mitigation responsibilities within their functional area.
- The Agency Office of Chief Counsel must confirm that legal counsel has reviewed the risk, provided appropriate guidance and identified any legal or contractual implications.
Step 4 – Finalize and Record Acceptance
Once all signatures are obtained, the GRC team must file the completed acknowledgment form in the agency’s official risk register. This record serves as evidence that:
- The risk has been reviewed at the appropriate level of authority.
- Legal, operational and security implications have been considered.
- Leadership has formally accepted accountability for the decision.
This structured process ensures that every known technical, operational or vendor-related risk is visible, traceable and formally accepted by responsible leaders. It embeds accountability into the Commonwealth’s governance framework and maintains a clear audit trail for compliance and oversight.
Agency-Level Compliance and Accountability
The Information Security Officer Policy (ISOP) defines how each Commonwealth agency must designate an Information Security Officer and outlines their role in leading, coordinating and maintaining the agency’s information security program.
According to this policy, the Information Security Officer (ISO) is accountable for implementing and maintaining the agency’s information security program.
Each agency must also designate a backup ISO to ensure continuity of responsibilities.
Role Designation and Separation of Duties
- The ISO must be a Commonwealth employee or contractor approved by the Commonwealth Chief Information Security Officer (CISO) when the agency is part of a Delivery Center.
- The agency must ensure appropriate separation of duties to prevent conflicts of interest. For example, the ISO must not simultaneously be the system owner or data owner for critical functions.
- The policy also requires that the ISO and the Agency Privacy Officer be different individuals, maintaining independent oversight between security and privacy functions.
- Agency heads retain formal accountability for compliance outcomes but rely on Delivery Centers and OA/OIT oversight for approval of projects, procurements and technical architecture.
For independent agencies, the agency CIO should designate an ISO and notify the Commonwealth CISO. If someone new takes over the role, the CIO must report the change immediately.
Key Responsibilities of the ISO in Executive Agencies
The policy outlines a minimum set of ISO responsibilities to ensure that every agency maintains a consistent and accountable information security program.
- Develop and manage an agency information security program that meets or exceeds Commonwealth policies and standards.
- Ensure all agency systems and data are classified for sensitivity according to Commonwealth classification standards.
- Conduct annual IT security awareness training for all authorized users, as required by Management Directive 535.09.
- Lead an annual tabletop exercise of the agency’s security incident response process and submit an executive summary to the agency CIO, CTO and Commonwealth CISO.
- Implement preventive, detective and corrective controls commensurate with risk, data sensitivity and criticality of systems.
- Develop and document an incident-management process aligned with the Commonwealth’s enterprise incident-response framework.
The ISO is also responsible for providing ongoing assurance to agency leadership and the Commonwealth CISO that the organization remains compliant with all legislative, contractual and policy obligations related to information security.
Who ISOs Report To and How Oversight Works in Agencies
- The ISO typically reports through the agency’s CIO or equivalent, but retains independence for security issues and must coordinate with the Commonwealth CISO when required.
- The Commonwealth CIO has final approval of senior IT management appointments and conducts performance reviews of senior IT personnel, implicitly including or affecting the ISO role.
- In their role, the ISO is also expected to collaborate closely with the agency’s CIO, CTO and Privacy Officer to align security measures with operational and regulatory requirements, ensuring consistent communication across all levels of IT governance.
Enterprise Standards for Securing Commonwealth IT Resources
The Information Security Policy establishes the Commonwealth’s enterprise-wide standards for protecting IT resources, ensuring every executive agency meets or exceeds its legal, regulatory and ethical responsibilities under Executive Order 2016-06.
Compliance and Risk Management
- Agencies must maintain a formal risk-management and compliance methodology that continuously identifies vulnerabilities and tracks remediation.
- Immediate corrective action is required whenever non-compliance or a security incident is identified.
- In areas not yet governed by a specific ITP, agencies must follow recognized industry standards such as NIST FIPS and Special Publications (SP).
- When no existing policy applies, agencies must request a policy exception through OA/OIT’s IT Policy Governance Process for review by the Enterprise Information Security Office (EISO).
Other activities include, but are not limited to, the following:
Offshore Access Restrictions
- Offshore access to production systems and “C”-classified data is strictly prohibited.
- Commonwealth production data must remain within the continental United States (CONUS) and under U.S. jurisdiction.
The use of a “C” designation indicates that all or part of the record requires special treatment and/or heightened protections, including, but not limited to, as appropriate, non-disclosure to the public, non-disclosure to any person without a need to know, non-disclosure outside of certain workgroups, non-disclosure without certain prerequisites, etc. (Data Classification Policy)
Technical Security Assessments
Agencies must conduct annual assessments of systems supporting critical functions and biennial assessments of other systems.
Reports and letters of attestation must be submitted to the Agency ISO and EISO Vulnerability Management Team for review.
OA/OIT may perform enterprise-wide assessments and benchmarking of agencies’ security posture.
Reverse Proxy and Web Application Controls
The policy document requires that agencies use OA/OIT’s managed Reverse Proxy Services for all web applications unless granted an approved exception.
These systems must undergo regular vulnerability scanning before a network connection is permitted.
The findings must be remediated within OA/OIT-defined timelines aligned with the IT Security Incident Reporting Policy.
Virtual Private Network (VPN) Security
Remote access to Commonwealth systems requires an approved VPN with multi-factor authentication (MFA).
These VPN endpoints must pass anti-virus and operating system checks before connection and comply with the Encryption Policy and Minimum Standards for IDs, Passwords and MFA.
A list of supported anti-virus applications for endpoint checks can be found on the IT Central Security Services Page under Protection/Endpoint (Commonwealth authorized access only).
Managed File Transfer (MFT)
Agencies must use the Enterprise MFT Service for secure file exchanges instead of FTP.
Any alternative MFT or FTP product requires an approved exception.
All FTP servers must have logging enabled and meet Commonwealth logging and encryption requirements.
Sensitive or personal data transferred must be encrypted in line with the Encryption Policy and the Pennsylvania Breach of Personal Information Notification Act.
Data Protection & Access Control
The Data Classification Policy establishes how agencies must label and safeguard Commonwealth data based on its sensitivity. It also describes the potential impact if this data is compromised.
For example, it requires that all agencies classify their data in alignment with NIST SP 800-60 Rev. 1 and assign it to one of four sensitivity levels, Confidential, Restricted, Internal or Public, to ensure appropriate handling, encryption and disposal.
The document also details how to apply the right safeguards like encryption, media sanitization and yearly classification reviews so that data stays protected, no matter where it’s stored or shared.
The Data Management Policy, on the other hand, sets clear rules for how data should be managed from the moment it’s created until it’s securely deleted. It defines who owns the data, how long it must be kept and how its quality and accuracy are checked.
This policy also includes steps for managing data securely during system upgrades or transfers to make sure information stays reliable and compliant.
The Access Management Policy focuses on how privileged accounts, like administrator or system accounts, are created, used and monitored. It’s based on the “least privilege” principle, meaning users only get the access they truly need.
This policy document can be used to understand how agencies must verify every user, enforce multi-factor authentication, review account access regularly and remove permissions immediately when roles change to prevent unauthorized system access.
The Encryption Policy requires that all sensitive Commonwealth data, especially “Class C” and Closed Records, be encrypted both in transit and at rest. It mandates the use of federally validated cryptographic standards, so that only the right people can reach sensitive information.
Technical & Operational Safeguards
The third category brings together important operational policies that help agencies maintain strong technical defenses and secure day-to-day IT operations across the Commonwealth network.
The Enterprise Host Security Policy requires agencies to deploy standard endpoint protection tools, such as Endpoint Detection and Response (EDR) and Host Intrusion Prevention Systems (HIPS), and to follow patching standards to block malware and prevent unauthorized access.
The Security Logging and Event Monitoring Policy mandates continuous monitoring and centralized log collection through the Enterprise SIEM, ensuring that administrator actions, system activity and anomalies are logged, reviewed and protected from tampering.
The IT Resources Patching Policy sets strict timelines for applying security updates and defines how agencies must respond to zero-day vulnerabilities and active outbreaks to prevent exploitation.
Supporting these policies is the Firewall Policy. It establishes baseline rules for network gateways, web application firewalls (WAFs) and content filtering.
For ISOs and cybersecurity personnel, these policies translate enterprise security requirements into enforceable technical and operational controls, establishing consistent standards for endpoint protection, controlled system access, secure network boundaries and verifiable monitoring across all Commonwealth environments.
Together, they keep devices, servers and applications resilient against evolving threats while providing agencies with consistent, auditable safeguards to prevent, detect and respond to security incidents effectively.
Response, Continuity & Oversight
The Business Continuity Policy tells agencies to create and regularly update Continuity of Operations (COOP) plans, and set up alternate sites that can support essential services for at least 30 days. It also suggests storing vital records safely at an off-site facility located at least 50 miles from the Capitol.
To add more depth to IT facility protection, the Physical Security Policy focuses on how to keep data centers, server rooms and network closets secure through controlled access, visitor sign-ins and routine inspections.
It also mandates physical penetration testing to identify weaknesses in facility access, with all testing activities pre-approved and reported to the Commonwealth CISO.
Together, these two policies make sure the Commonwealth can keep running even during emergencies or disasters.
Incident Reporting
In the event of a breach, the IT Security Incident Reporting Policy defines how cybersecurity incidents must be identified, reported and managed across all Commonwealth agencies.
The goal of this policy is to make sure that every security event, anything that could compromise the confidentiality, integrity or availability of Commonwealth systems or data, is handled quickly, consistently and in coordination with all relevant offices.
It designates the Office of Administration’s Enterprise Information Security Office (EISO) as the central authority through the Pennsylvania Computer Security Incident Response Team (PA-CSIRT). The policy also defines roles for Agency ISOs and CIOs in detection, escalation and recovery.
It also aligns with the Pennsylvania Breach of Personal Information Notification Act (73 P.S. §§ 2301–2330), which legally requires public notification whenever unencrypted or unredacted personal information is accessed or acquired by an unauthorized person.
This policy applies to all agencies, offices, boards, commissions and councils under the Governor’s jurisdiction. It also extends to vendors, contractors, licensors and suppliers connected to the Commonwealth Network.
Everyone who falls under this policy must follow the same incident reporting and escalation procedures, including the timelines set for each stage of response.
Information Sharing Restrictions
Until the underlying vulnerability has been fully remediated, details about ongoing incidents such as Indicators of Compromise (IOCs) or forensic findings must not be shared externally because a premature disclosure can expose the Commonwealth to further exploitation or reputational harm.
Incident Categories and Reporting Timelines
| Category | Definition | Initial Alert to PA-CSIRT | Formal Report Submission | Remediation / Closure | Progress Updates |
|---|---|---|---|---|---|
| Category 1 – Critical / High | Active attack, enterprise-wide impact, or breach of Sensitive Security or Protected data. | Within 30 minutes of detection | Within 1 hour | Within 5 business days | Weekly |
| Category 2 – Medium | Involves Privileged data, causes financial or operational loss, or unresolved vulnerability. | Within 1 hour | Within 4 hours | Within 15 business days | Bi-weekly |
| Category 3 – Low | Involves Prerequisite-Required or public data; fully contained incident. | Within 1 hour | Within 8 hours | Within 20 business days | Monthly |
Incident reports are submitted via the internal Archer GRC Portal (grc.pa.gov/RSAarcher) or by contacting PA-CSIRT at 1-877-55-CSIRT (1-877-552-7478). Incidents exceeding closure timelines must remain open in the tracking system with status updates until remediation is complete.
The EISO is responsible for creating a security incident ticket in Archer and assigning it to the OA/OIT Enterprise Delivery Center (EDC) ISO, or to the respective agency ISO, whenever a security vulnerability or incident exists on a Reverse Proxy Server or web server.
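To make the category timelines above concrete, here is an added example (not part of the policy, Archer or any Commonwealth tool) that encodes the three categories and checks constructed incident records for milestones that were met late or are still overdue. The business-day calculation skips weekends only; Commonwealth holidays are assumed out of scope, and the incident records and clock are constructed sample data.

```python
"""Deadline checker for the PA-CSIRT incident category table (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Timelines per category, as given in the table above. Closure is counted in
# business days, so it is stored as an integer and computed separately.
CATEGORY_TIMELINES = {
    1: {"initial_alert": timedelta(minutes=30), "formal_report": timedelta(hours=1),
        "closure_business_days": 5, "update_every_days": 7},
    2: {"initial_alert": timedelta(hours=1), "formal_report": timedelta(hours=4),
        "closure_business_days": 15, "update_every_days": 14},
    3: {"initial_alert": timedelta(hours=1), "formal_report": timedelta(hours=8),
        "closure_business_days": 20, "update_every_days": 30},
}


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `start` by `days` business days (Mon-Fri). Holidays are not modelled."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0-4 are Monday-Friday
            remaining -= 1
    return current


@dataclass
class Incident:
    ident: str
    category: int
    detected_at: datetime
    alerted_at: Optional[datetime] = None    # initial alert to PA-CSIRT
    reported_at: Optional[datetime] = None   # formal report submission
    closed_at: Optional[datetime] = None     # remediation / closure
    last_update_at: Optional[datetime] = None


def deadlines(inc: Incident) -> Dict[str, datetime]:
    """Compute the three fixed deadlines for an incident from its detection time."""
    t = CATEGORY_TIMELINES[inc.category]
    return {
        "initial_alert": inc.detected_at + t["initial_alert"],
        "formal_report": inc.detected_at + t["formal_report"],
        "closure": add_business_days(inc.detected_at, t["closure_business_days"]),
    }


def check_incident(inc: Incident, now: datetime) -> Dict[str, str]:
    """Return a status per milestone: ok, late (done after deadline),
    overdue (not done and deadline passed) or pending (not done, still in time).
    Progress updates are only required while the incident remains open."""
    t = CATEGORY_TIMELINES[inc.category]
    actual = {"initial_alert": inc.alerted_at, "formal_report": inc.reported_at,
              "closure": inc.closed_at}
    status: Dict[str, str] = {}
    for milestone, deadline in deadlines(inc).items():
        done = actual[milestone]
        if done is None:
            status[milestone] = "overdue" if now > deadline else "pending"
        else:
            status[milestone] = "late" if done > deadline else "ok"
    if inc.closed_at is None:
        # An incident past its closure deadline stays open and still needs updates.
        last = inc.last_update_at or inc.detected_at
        next_due = last + timedelta(days=t["update_every_days"])
        status["progress_update"] = "overdue" if now > next_due else "ok"
    return status


# Constructed sample data: both incidents detected on a Friday afternoon.
SAMPLE_NOW = datetime(2025, 3, 21, 9, 0)
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("INC-A", 1, datetime(2025, 3, 7, 16, 0),
             alerted_at=datetime(2025, 3, 7, 16, 20),   # within 30 minutes
             reported_at=datetime(2025, 3, 7, 17, 30)),  # 30 minutes past 1-hour limit
    Incident("INC-B", 3, datetime(2025, 3, 7, 16, 0),
             alerted_at=datetime(2025, 3, 7, 16, 45),
             reported_at=datetime(2025, 3, 7, 22, 0),
             closed_at=datetime(2025, 3, 20, 11, 0)),
]


def needs_attention(incidents: List[Incident], now: datetime) -> List[str]:
    """Identifiers of incidents with any late or overdue milestone, for a status review."""
    flagged = []
    for inc in incidents:
        if any(s in ("late", "overdue") for s in check_incident(inc, now).values()):
            flagged.append(inc.ident)
    return flagged


if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.ident, check_incident(inc, SAMPLE_NOW))
    print("needs attention:", needs_attention(SAMPLE_INCIDENTS, SAMPLE_NOW))
```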
Who Can Access Pennsylvania’s IT Policies?
Access to IT Central is restricted to Commonwealth personnel: IT staff, Chief Information Security Officers (CISOs), compliance officers, employees and approved contractors of executive agencies. Keeping this platform internal ensures that sensitive operational details such as configurations, vulnerability thresholds and control mappings remain protected.
Each public ITP, by contrast, operates at the governance layer: it defines standards and expectations but not the exact technical configurations or step-by-step procedures.
This tiered structure, with public ITPs providing governance-level policy and detailed standards and procedures restricted to IT Central, lets the Commonwealth balance transparency with operational security while giving executive agencies flexibility in implementation.
Applicability of ITPs
Executive Order 2016-06 derives its authority from the Governor’s administrative powers, meaning it only applies to offices and agencies that report to the Governor or function under the Governor’s administrative oversight.
Therefore:
- All executive-branch agencies, boards and commissions under the Governor’s authority must adhere to these policies.
- Contractors and third-party service providers that handle Commonwealth data or connect to Commonwealth networks are also required to comply with these policies.
Under the Pennsylvania Constitution, the Commonwealth has three coequal branches: executive, legislative and judicial.
The Governor leads only the executive branch and cannot issue binding orders to the other two branches. Therefore, the courts and the General Assembly are not subject to the Governor’s Executive Orders.
Additionally, offices such as the Attorney General, Treasurer and Auditor General are part of the Commonwealth government but operate independently under their own elected leadership. Because they do not fall under the Governor’s administrative control, Executive Orders do not automatically apply to them unless they choose to comply voluntarily.
In short, the scope of Executive Order 2016-06 is limited by the constitutional separation of powers. It governs only the executive branch, not the entire state government.
Who is Responsible for Compliance?
Each agency must appoint an Information Security Officer (ISO) who is accountable for implementing and maintaining the agency’s information security program. Each agency must also designate a backup ISO to ensure continuity of responsibilities.
- The ISO must be a Commonwealth employee or contractor approved by the Commonwealth Chief Information Security Officer (CISO) when the agency is part of a Delivery Center.
- The agency must ensure appropriate separation of duties (for example, the ISO must not simultaneously be the system owner or data owner in critical functions) to prevent conflict of interest.
- Agency heads retain formal accountability for compliance outcomes but rely on Delivery Centers and OA/OIT oversight for approval of projects, procurements and technical architecture.
Key Responsibilities of the ISO in Executive Agencies
- Develop and manage an agency information security program that meets or exceeds Commonwealth policies and standards.
- Ensure all agency systems and data are classified for sensitivity according to Commonwealth classification standards.
- Develop and maintain an information security awareness and training program for agency staff, contractors and relevant service providers.
- Implement prevention, detective and corrective controls commensurate with risk, data sensitivity and criticality of systems.
- Develop and document an incident-management process aligned with the Commonwealth’s enterprise incident-response framework.
Reporting Structure & Oversight
- The ISO typically reports through the agency’s CIO or equivalent, but retains independence for security issues and must coordinate with the Commonwealth CISO when required.
- The Commonwealth CIO has final approval of senior IT management appointments and conducts performance reviews of senior IT personnel—implicitly including or affecting the ISO role.
Delivery Centers and Shared-Service Implementation
In January 2017, Governor Tom Wolf announced a major transformation in how Pennsylvania delivers information technology (IT) and human resources (HR) services. Since then, technology, cybersecurity and operational support have been delivered through a shared network of Enterprise Delivery Centers (EDCs) rather than isolated agency-based systems.
EDCs were created to:
- Centralize IT and cybersecurity functions across agencies with similar missions.
- Standardize tools, processes and policies to reduce redundancy and increase efficiency.
- Facilitate shared governance and decision-making through integrated oversight involving the Office for Information Technology (OA/OIT) and agency leadership.
- Provide agencies with direct operational support, including infrastructure management, network security and application hosting.
Each EDC operates under OA/OIT oversight and adopts enterprise standards and Information Technology Policies (ITPs) issued under Executive Order 2016-06. This initiative, known as the Shared Services Delivery Center Model, restructured Commonwealth operations in the following ways:
- Agencies group by mission into Delivery Centers: Instead of each agency running its own IT and HR departments, agencies with similar goals (for example, public safety or environmental protection) were combined into Enterprise Delivery Centers (EDCs).
- Agencies participate in a shared services delivery model: Each EDC operates with its own governance committees and steering groups, which include representatives from participating agencies, typically senior IT managers, Information Security Officers (ISOs) and business executives. Through these committees, agencies can:
  - Propose projects or service improvements based on mission needs.
  - Review performance metrics, budget allocations and technology roadmaps.
  - Provide feedback and escalation, raising issues related to service levels, security, or implementation timelines directly to the Delivery Center leadership.
  - Receive regular reports on service-level metrics, cost apportionment and shared project performance, maintaining transparency and accountability.
- Agencies share IT and HR staff across departments: About 2,200 IT and HR employees who had previously worked directly for individual agencies were reclassified under OA, though they continued to support their same agency functions.
- Agencies replace duplicate systems with shared infrastructure: Agencies now share key hardware and software assets such as firewalls, network switches and SQL clusters to eliminate the costs of each agency buying and maintaining its own.
  - The Departments of Environmental Protection (DEP) and Conservation and Natural Resources (DCNR) jointly maintain and secure shared GIS infrastructure, ensuring uniform access controls and patch management practices while lowering replacement and maintenance costs.
- Agencies improve ticket response times through shared help desks: Three agencies that previously maintained separate IT help desks now operate under a single shared help desk, improving ticket response times and standardizing incident tracking.
- The Pennsylvania Emergency Management Agency (PEMA) and the Department of Transportation (PennDOT) share real-time data from 911 centers to enhance emergency coordination and digital interoperability.
- All agencies within the Delivery Center pool their cybersecurity expertise, allowing specialists to collaborate on risk management, vulnerability assessments and compliance initiatives.
- Agencies within the Public Safety Delivery Center (PSDC) collaborate on unified IT operations: IT staff from the Department of Corrections (DOC) and the Pennsylvania State Police (PSP) collaborate on mobile device management, jointly overseeing procurement, enrollment, configuration and deployment under unified policies.
  - Both agencies share desktop configuration and patch management processes through System Center Configuration Manager (SCCM), ensuring consistent endpoint security across departments.
Understanding these shared operations is essential for ISOs to coordinate effectively, align with enterprise controls and ensure compliance across connected environments.
Compliance and Corrective Measures
All executive agencies must use a risk-management method to stay in compliance and handle vulnerabilities in a timely way.
If an agency discovers that it is non-compliant with ITPs, it is required to take immediate corrective action.
In situations where there is a new or emerging security requirement and no existing system policy addresses it, agencies must use recognized industry best practices or adopt established standards such as the National Institute of Standards and Technology (NIST) standards (for example, the Federal Information Processing Standards “FIPS” or NIST Special Publications “SP”).
The detailed internal procedures and technical standards are kept inside the Commonwealth’s systems and only authorized staff (through the Office of Administration / Office of Information Technology (OA/OIT) internal platforms) can access them.
If an agency fails to follow enterprise policy, there is no statutory penalty; the consequence is administrative escalation. OA/OIT reviews the situation, mandates corrective actions and puts enhanced oversight in place until compliance is restored.
Exceptions Process
While compliance with all ITPs is mandatory, the framework recognizes that temporary exceptions may occasionally be necessary.
In such cases, agencies may request an IT Policy Exception through the formal OA/OIT exception process when they cannot fully comply or when the CIO deems it necessary. An approved exception must be time-bound and fully documented to maintain transparency and control any deviation from policy (IT Policy Governance Policy).
Additionally, vendors and contractors that handle Commonwealth data or connect to Commonwealth networks must prove compliance with all applicable ITPs as a condition of contract approval.
Statutory Data-Protection Obligations
Pennsylvania’s cybersecurity framework primarily originates from the Governor’s Executive Order 2016-06.
Alongside the cybersecurity rules established through the Executive Order, the Commonwealth also maintains targeted data-protection statutes that impose specific obligations on public agencies, private entities and regulated industries.
One such law is the Breach of Personal Information Notification Act (BPINA) at 73 P.S. § 2301 et seq., as amended in 2024.
The Breach of Personal Information Notification Act (BPINA)
(73 P.S. § 2301 et seq., amended 2024)
The Breach of Personal Information Notification Act (BPINA) outlines when organizations must notify individuals after a data breach. It requires both public agencies and private entities to inform affected persons if their personal information has been compromised.
The Act defines:
- Covered data types (e.g., Social Security numbers, driver’s license numbers, financial account details).
- Notification triggers based on unauthorized access or acquisition.
- Delivery methods for notifying affected residents.
While BPINA provides a clear notification framework, it does not establish technical or procedural safeguards, nor does it mandate comprehensive cybersecurity programs. Its primary goal is to ensure transparency and timely disclosure after a breach, rather than prescribe preventive security controls.
Sector-Specific Statutes
Certain sectors are subject to separate cybersecurity requirements. The Insurance Data Security Act (40 P.S. § 67.1 et seq., Act 2 of 2023*) requires licensed insurers and related entities to implement formal cybersecurity programs, conduct third-party risk assessments and report certain incidents to the Pennsylvania Insurance Department.
However, these requirements apply only to regulated insurance entities, not to state agencies or public institutions governed under Executive Order 2016-06.
These laws operate alongside Executive Order 2016-06 to define the broader perimeter of information security in Pennsylvania.
Fragmented Cybersecurity Oversight
Pennsylvania’s cybersecurity governance is executive-driven, not legislative. It operates under the Governor’s executive authority and applies only to agencies within the executive branch.
Under Pennsylvania’s structure, independent offices such as the Attorney General, Treasurer and Auditor General, along with the judiciary and the legislature, fall outside the Governor’s direct authority.
This creates inconsistencies: because each of these bodies can set its own cybersecurity standards, timelines and budgets, protection levels are uneven across the Commonwealth.
For example, if an independent office connects to Commonwealth systems or exchanges data with an executive agency but follows a different security protocol, vulnerabilities can emerge at those connection points.
No Uniform Accountability
Executive Orders rely on administrative enforcement, not statutory law.
So, when an agency is out of compliance, the Governor (through OA/OIT) can require corrective action—but cannot impose legal penalties. The absence of a legal backing makes Pennsylvania’s framework more flexible but also less enforceable.
Visibility Gaps Across the Enterprise
The OA/OIT cannot always see the full risk landscape, since independent bodies are not required to share incidents, vulnerabilities, or audit results.
This creates blind spots in statewide cybersecurity risk management.
Information Gaps
Pennsylvania’s Information Technology Policies (ITPs) are publicly available and define the high-level rules every executive agency must follow. But the detailed technical standards and procedures that explain how to implement those rules are kept internally within a system called IT Central, accessible only to authorized Commonwealth personnel.
By definition, Commonwealth personnel include IT staff, CISOs, compliance officers, employees and contractors working under executive agencies. However, some external contractors or affiliated entities that handle Commonwealth data do not qualify as Commonwealth personnel, meaning they cannot access IT Central directly, even though they are still expected to follow its standards.
In such cases, contractors are essentially being asked to comply without having full instructions. This creates confusion, inconsistent implementation and a higher risk of error.
Overall, while decentralization offers flexibility, it also brings risks such as inconsistent implementation, limited accountability and gaps in coordination.
The absence of full transparency further complicates efforts to maintain a consistent, statewide cybersecurity baseline, which is one of the central objectives of Executive Order 2016-06.
The Future of Pennsylvania’s Information Security Regulation
While Pennsylvania’s information security governance has traditionally operated under executive authority, 2025 has brought significant legislative momentum toward codifying statewide cybersecurity standards.
On March 3, 2025, Senator Kristin Phillips-Hill (R–York) introduced a comprehensive package to modernize and secure the Commonwealth’s IT infrastructure. The proposed measure aimed to:
- Require NIST-based cybersecurity standards for all state IT contracts, ensuring alignment with federal best practices and minimizing procurement risks.
- Elevate the Commonwealth CIO to a cabinet-level position to enhance enterprise coordination and oversight.
- Mandate biannual independent cybersecurity audits and establish a bipartisan legislative cybersecurity committee for continuous oversight.
- Criminalize ransomware possession and prohibit ransom payments by state agencies, paired with recovery-planning mandates.
- Ban TikTok and other high-risk applications on state-owned devices, aligning Pennsylvania with federal directives and the actions of 39 other states.
On June 4, 2025, the Senate unanimously approved two key bills from the package, including Bill 377, which mandates that all Commonwealth IT procurements comply with NIST cybersecurity standards. The bill now awaits consideration in the House.
These developments illustrate that from executive policy to legislative enforcement, Pennsylvania’s cybersecurity landscape is shifting toward continuous accountability.
As these mandates take hold, agencies will need systems capable of operationalizing compliance across people, processes and technology. This is where dedicated compliance platforms become essential.
Compliance Software for Pennsylvania’s Information Security Policy
Implementing Pennsylvania’s Information Security Policy requires continuous visibility into risk, governance and compliance across executive agencies. Teams must document controls aligned to Commonwealth Information Technology Policies and keep evidence organized for OA/OIT oversight.
A Governance, Risk and Compliance (GRC) platform helps agencies:
- Run structured assessments: Evaluate programs against NIST SP 800-53 or a custom control framework derived from required Commonwealth policies. Assign owners, record responses and track remediation to show progress over time.
- Establish visibility with connected inventories: Maintain a live inventory of assets and vendors with data classification and ownership. Link inventory records to assessments and risks to support policy alignment and scoping.
- Produce audit-ready evidence: Centralize assessment results, inventory details and risk records to generate clear reports, dashboards and exports for OA/OIT reviews and leadership briefings.
Without a centralized workspace, these activities live in spreadsheets and shared drives, which slows reviews and weakens evidence quality.
Isora GRC for Pennsylvania’s Information Security Policy
Isora GRC gives Commonwealth agencies a structured way to meet Pennsylvania’s statewide information security requirements under Executive Order 2016-06 and its supporting Information Technology Policies (ITPs). The platform provides the tools to manage security assessments, track risks, maintain inventories and produce audit-ready documentation in one shared workspace.
Assessment Management
Isora centralizes the management of cybersecurity assessments across programs and departments. Agencies can evaluate their information security practices against NIST CSF, NIST SP 800-53, or other Commonwealth-approved frameworks and record results consistently. Assessment findings flow into the risk register, helping teams document program maturity and prepare evidence for OA/OIT compliance reviews.
Reports & Scorecards
Isora streamlines how agencies collect and present compliance evidence. Reports bring together information from assessments, inventories and risk registers into clear, exportable summaries aligned with OA/OIT reporting expectations. Teams can demonstrate control coverage, remediation progress and risk posture in a structured, repeatable format suitable for internal review or enterprise audit documentation.
Inventory Management
Isora helps agencies organize a connected inventory of systems, applications and vendors that support Commonwealth operations. Each inventory record links directly to relevant assessments and risks, creating a defensible view of assets covered under the Data Classification and Asset Management Policies. This gives teams a structured, accessible inventory that supports risk identification and compliance validation without relying on manual tracking.
Risk Management
Isora’s risk register provides a single, collaborative workspace for documenting and monitoring cybersecurity risks. Teams can capture likelihood, impact, mitigation strategy and ownership, then link those risks to assessments and associated controls. This structure allows agencies to maintain traceable evidence of risk decisions and mitigation progress consistent with the IT Risk Management Policy.
Pennsylvania Information Security Policy FAQs
Who must comply with Pennsylvania Executive Order 2016-06?
All executive-branch agencies under the Governor’s jurisdiction, including departments, boards, commissions and councils, are required to comply with the Information Technology Policies (ITPs) issued by the Office for Information Technology (OA/OIT). These policies operationalize the Governor’s authority under Executive Order 2016-06 and establish consistent information security standards across the Commonwealth.
Isora GRC gives agencies the structure to implement and manage an information security risk management program that aligns with OA/OIT policies. Teams can evaluate controls, document risks, assign ownership and track progress toward full compliance, all within a single, auditable workspace.
Which entities are actually bound by OA/OIT ITPs?
Executive-branch agencies are fully bound. Independent constitutional offices (the Attorney General, Treasurer and Auditor General) and the legislative and judicial branches are outside the Governor’s administrative authority but may choose to align voluntarily or by memorandum of understanding.
How can agencies align with NIST and Commonwealth policies at the same time?
The Commonwealth’s Information Technology Policies (ITPs) draw heavily from federal cybersecurity frameworks, particularly the NIST Cybersecurity Framework (CSF) and NIST Special Publications such as SP 800-53 (Security and Privacy Controls), SP 800-60 (Information and System Categorization) and FIPS 199/200.
These federal standards establish the foundation for safeguarding the confidentiality, integrity and availability of government information systems. OA/OIT’s ITPs reference federal frameworks like NIST SP 800-53, FIPS 199 and NIST SP 800-60. Agencies must map local controls to these national standards and demonstrate equivalence.
Isora supports this alignment by providing a growing library of frameworks and regulations that can be used to conduct assessments and evaluate compliance. This helps agencies reference and report against NIST and Commonwealth requirements in a single workflow without duplicating effort.
How does OA/OIT verify compliance during agency reviews?
OA/OIT conducts compliance checks through scheduled and ad hoc reviews. It evaluates whether agencies have documented and implemented required controls. Reviews focus on risk management, data classification and incident response records.
Isora helps agencies prepare for these reviews by streamlining how compliance evidence is collected and organized. It centralizes information from assessments, inventories and risk registers into clear, exportable reports that align with OA/OIT’s review and reporting expectations.
What happens when an agency falls out of compliance with Pennsylvania Executive Order 2016-06?
When an agency is found non-compliant with an Information Technology Policy (ITP), the Office for Information Technology (OA/OIT) initiates an administrative escalation process rather than a legal penalty. This process typically includes:
- Formal notification from OA/OIT outlining the area of non-compliance and required remediation steps.
- Corrective Action Plan (CAP) development, where the agency documents how it will address the gaps—what actions will be taken, by whom and within what timeline.
- Enhanced oversight from OA/OIT until the agency demonstrates that all corrective actions have been completed and verified.
- Ongoing monitoring to ensure that the same control weakness does not recur.
While there are no statutory fines or sanctions, non-compliance can have significant operational consequences: delayed project approvals, procurement holds, or increased scrutiny during future audits.
How can agencies manage vendor and third-party risk more efficiently?
Before onboarding or renewing any IT vendor, agencies must complete an IT Vendor Risk Assessment per the IT Risk Management Policy and Procurement Directive 2021-1. This includes reviewing SOC reports, security controls and data-handling practices.