- Wisconsin’s Statutory Framework
- Wisconsin’s Dual IT and Cybersecurity Model
- Inside the IT Security Policy Handbook
- Translating Policy Into Practice: The IT Security Standards Handbook
- Mapping of Statewide Security Policies to Required Standards
- Statewide Risk Assessment Requirements for Wisconsin Agencies
- Incident Response & Reporting Requirements
- Data Breach Notification Requirements
- Vendor & Third-Party Oversight (SA-01 / Standard 240 / SA-9 Controls)
- Other State Cybersecurity Obligations Outside DOA/DET
- How Agencies Can Implement the Wisconsin IT Security Framework
- Step 1: Assign Responsible IT & Compliance Owners
- Step 2: Review the Statewide Baseline Controls
- Step 3: Map Wisconsin Requirements to NIST RMF Steps
- Step 4: Document Controls and Track Remediation (POA&M Process)
- Step 5: Prepare for Ongoing Reviews, Assessments & Reporting
- Step 6: Automate Evidence Collection & Compliance Monitoring Where Possible
- Step 7: Assign Roles, Conduct Training and Maintain Ongoing Awareness
- Step 8: Track Compliance Deadlines & Ensure Timely DET Reporting
- GRC Software for Wisconsin IT Security Framework
- Isora GRC for Wisconsin’s IT Security Standards and Policies
- Wisconsin IT Security Standards FAQs
- What are the key requirements of Wisconsin’s IT Security Standards and Policies for state agencies in 2025?
- How do the Wisconsin IT Security Standards Handbook and IT Security Policy Handbook work together to guide statewide cybersecurity compliance?
- What frameworks does the Wisconsin IT Security Standards Handbook align with (e.g., NIST SP 800-53, NIST CSF, ISO 27001)?
- What are the audit and oversight reporting obligations for agencies under Wisconsin’s IT Security Standards (effective August 2025)?
- How does Wisconsin’s statewide cybersecurity framework integrate with federal mandates such as HIPAA, IRS 1075 and CJIS?
On August 1, 2025, Wisconsin released a major update to its statewide information security framework. With two reorganized handbooks, the IT Security Policy Handbook and the IT Security Standards Handbook, agencies now have a clearer, more modern and fully enforceable security baseline.
For agency CIOs, CISOs, Security Officers, IT Directors and compliance professionals, these handbooks are now the primary source of truth for designing, operating and documenting security programs inside Wisconsin state government.
Through its handbooks, Wisconsin’s Information Security Framework lays out who is accountable for cybersecurity activities, which policies they must implement and provides detailed instructions on how to translate those policies into security controls, assess vendors and respond to incidents.
Our Wisconsin IT Security requirements guide is designed to be the practical, comprehensive companion to those handbooks. It focuses on what Wisconsin’s updated IT Security Policy and Standards Handbooks actually require agencies to do. It shows how the two documents work together, what agencies must implement and document and other cybersecurity obligations that agencies must follow.
What Stands Out About Wisconsin’s IT Security Policy
With updated documents effective August 1, 2025, Wisconsin positions itself among the states moving toward clearer governance, stronger oversight and standardized NIST-aligned controls.
Clear Separation Between Policy and Standards
Wisconsin now maintains two distinct statewide handbooks:
- The Policy Handbook (what agencies must achieve)
- The Standards Handbook (how to implement those requirements)
This separation provides clarity and reduces ambiguity, helping agencies understand mandatory expectations versus the technical specifics needed to meet them. Few states maintain this level of clean separation, making it a standout feature.
Full Adoption of NIST SP 800-53 Revision 5 Controls
The 2025 Standards Handbook incorporates the updated NIST SP 800-53 Rev. 5 control catalog, ensuring that agencies are aligned with the most current federal control language.
Even without explicitly mandating every RMF step, Wisconsin’s control structure and lifecycle expectations closely mirror NIST’s risk-based approach, making its statewide program both modern and consistent.
Stronger Emphasis on Statewide Governance
The updated handbooks strengthen and clarify statewide roles, including the State CIO, State CISO, Deputy CISO, agency AOs and security teams. Wisconsin clearly defines who is accountable, which decisions require statewide oversight and how agencies must communicate with DET.
Bi-Annual Reporting Expectations for Control Implementation
Wisconsin’s program requires agencies to provide DET with updates on control implementation on a twice-yearly cycle. This regular cadence helps DET maintain visibility across agencies and ensures outdated controls or missing implementations are identified earlier. While not unusual, bi-annual statewide monitoring is more structured than many states’ annual or ad-hoc reporting models.
Explicit Inclusion of Supply-Chain & Acquisition Security Requirements
Wisconsin introduces stronger third-party and acquisition security expectations, requiring agencies to validate vendors against statewide standards, document security posture, manage exceptions and maintain continuous oversight of external providers. This aligns with national SCRM trends driven by CISA and EO 14028.
In practice, agencies may need to adjust internal decision-making to match the new statewide authority lines. This could also mean restructuring who signs off on system authorizations, revising escalation paths, updating internal policies to reflect new definitions of risk ownership and establishing clearer communication channels with DET for reporting and audits.
Wisconsin’s Statutory Framework
Wisconsin’s statewide IT governance is grounded in Chapter 16, Subchapter VII of the Wisconsin Statutes, which gives the Department of Administration (DOA) broad authority to set statewide IT policy, oversee planning and manage information security.
The Division of Enterprise Technology (DET), under the DOA, serves as the operational arm that carries out these mandates. It does this by issuing statewide security policies, maintaining technical standards and delivering shared IT infrastructure and services across executive branch agencies.
To translate broader statutory and strategic requirements into actionable policies and standards, the DOA/DET issues and maintains the IT Security Policy Handbook and the IT Security Standards Handbook, helping agencies understand what is expected of them and how to stay compliant.
DOA/DET Responsibilities Under Wisconsin Statute
The State CIO and State CISO lead the DOA/DET in managing statewide IT governance and information security. DOA/DET’s key responsibilities are:
- Establish statewide IT policies, procedures and planning processes that all executive branch agencies must follow (§ 16.971(2)(a))
- Implement security and privacy safeguards for state-owned data, systems and IT infrastructure (§ 16.971(2)(k))
- Protect agency-owned data stored within DOA systems, ensuring it is exempt from public disclosure unless the agency authorizes release (§ 16.975)
- Oversee statewide cybersecurity operations, continuously monitoring risks across the enterprise through the State CIO and State CISO
These responsibilities require DOA/DET to work in close collaboration with executive agencies, setting expectations, providing guidance, reviewing plans and coordinating on policy enforcement to maintain a unified statewide security posture.
Note that the DET is legally authorized under Wis. Stat. § 16.972(2)(g) to assume direct control of an agency’s IT planning or system development, with or without that agency’s consent, when statewide coordination, compliance or risk management requires it. This authority ensures that critical systems and statewide standards can be aligned, even when an individual agency is unable or unwilling to meet required security or architectural expectations.
Wisconsin’s Dual IT and Cybersecurity Model
Wisconsin runs its statewide IT and cybersecurity program using a dual-layer planning model, described in Chapter 16 of the Wisconsin Statutes.
In this model, each executive agency creates its own strategic IT plan and the DOA uses those agency plans to build the statewide IT strategy.
This approach is designed to keep agency-level priorities aligned with statewide goals, architecture and risk management expectations.
Agency-Level Strategic IT Plans (Annual Requirements)
Every executive branch agency (except the UW Board of Regents) must submit an annual IT Strategic Plan to the Department of Administration (DOA) due on March 1 every year.
These plans must:
- Identify business needs and upcoming IT projects such as new systems, modernization efforts and major upgrades.
- Prioritize cybersecurity and modernization initiatives. Agencies must show how they are reducing risk and updating aging systems.
- Address continuity of operations. For example, agencies must plan how services will stay running if systems fail or are disrupted.
- Describe projected benefits like improved efficiency, security and service delivery.
Note: Agencies can follow the review and approval process outlined in § 16.976(1)–(5), which lets DOA provide feedback, request changes and ensure statewide alignment.
Statewide Strategic IT Plan (Biennial Requirement)
Using these agency-level plans and the statewide telecommunications strategy, the DOA must build a Statewide Strategic IT Plan for the use and application of information technology.
This plan must:
- Integrate all agency needs
- Establish statewide IT priorities
- Align cybersecurity, infrastructure and modernization efforts
- Guide long-term investments and risk management
The statewide plan must be updated every two years and submitted to the Governor and the Joint Committee on Information Policy and Technology by September 15 of each even-numbered year.
Statewide IT Portfolio Oversight
The DOA, with the assistance of executive branch agencies, must also maintain ongoing portfolio oversight to ensure that statewide IT investments are well-managed, cost-effective, secure and aligned with enterprise architecture. This includes:
- Determining which IT systems or projects fall under centralized oversight. For instance, mission-critical or high-risk systems may require DOA involvement.
- Monitoring progress, cost, risk and performance, ensuring agencies are following architecture, budget and security expectations.
- Evaluating whether major systems support agency missions and statewide security architecture.
Portfolio oversight acts like enterprise-level quality control, ensuring statewide consistency across agency IT environments.
Wisconsin IT Security Handbooks
The State of Wisconsin IT Security Policy Handbook and the State IT Security Standards Handbook sit at the center of the state’s information security framework. These two documents work together to translate Wisconsin’s statutory IT governance requirements into concrete, enforceable security expectations for every executive branch agency.
| Handbook | Purpose | Description |
| --- | --- | --- |
| IT Security Policy Handbook | Defines the statewide security policies agencies must follow. | Sets the overarching governance structure, establishes roles and responsibilities and outlines the high-level requirements, such as access control, incident response, risk assessment, configuration management and data protection, that every agency is accountable for. |
| IT Security Standards Handbook | Provides the technical detail behind those policies. | Maps each policy to specific NIST control families and spells out the control-level actions agencies must implement, from authentication requirements and logging specifications to vulnerability management, encryption and supply chain security. This is the document that tells agencies how each statewide requirement must be operationalized. |
Inside the IT Security Policy Handbook
Acting under its statutory authority in Wisconsin Statutes Chapter 16, the DOA/DET, in coordination with executive branch agencies, created the State of Wisconsin IT Security Policy Handbook. This handbook provides clear definitions of the principles, policies, standards, procedures and governance elements that form the state’s information security framework.
To maintain consistency with federal, regulatory and interagency requirements, the Policy Handbook adopts:
- NIST Special Publication 800-53 Revision 5 as the statewide control foundation
- All Low- and Moderate-impact controls as the minimum baseline for executive agencies
- Selected High-impact controls where required by frameworks such as IRS 1075, HIPAA, CJIS, MARS-E and other federal regulations that apply to Wisconsin systems.
Applicability and Scope of Wisconsin’s IT Security Framework
The requirements apply across the entire executive branch and define what every agency, regardless of size, mission or technical maturity, must implement to meet statewide expectations.
While the handbooks are written primarily for government agencies, their impact extends to any organization that interacts with state systems, handles regulated data or depends on state-managed infrastructure.
The scope, audience and exemptions for these requirements are summarized below.
| Category | Description |
| --- | --- |
| Primary Audience | All Wisconsin executive branch agencies. IT directors, CISOs, security managers, system owners and compliance officers responsible for implementing statewide security requirements. |
| Sectors Affected | Government operations, agencies handling regulated data in healthcare, finance, education, human services, public safety and statewide programs. |
| Entity Size | Applies to agencies of all sizes. All must implement the statewide NIST SP 800-53 Rev. 5 Low and Moderate baseline controls. |
| Geographic Scope | State of Wisconsin executive branch environments and systems. |
| Exemptions | The Board of Regents of the University of Wisconsin System is explicitly exempt. Non-executive and external entities are not required to adopt the handbooks, but may indirectly align when accessing or integrating with state systems. |
Governance Structure, Roles and Responsibilities
The Policy Handbook establishes Wisconsin’s statewide security governance model by defining responsibilities across state-level leadership and individual agencies.
| Role | Key Responsibilities |
| --- | --- |
| Chief Information Officer (CIO) | Ensures DOA drafts, finalizes and formally issues statewide IT security policies for the executive branch. |
| Chief Information Security Officer (CISO) | |
| Administrative Officers (AO) | Ensures that IT security policies and standards are implemented within their respective executive branch agencies. |
| Deputy Chief Information Security Officer (Deputy CISO) | |
Monitoring, Compliance and Policy Maintenance
Under Wis. Stat. §16.971(2)(a), the DOA/DET is responsible for monitoring agency compliance with statewide IT security policies and standards.
According to the Policy Handbook, DET’s Bureau of Security:
- Conducts an annual review of the Policy Handbook to ensure the policies remain relevant and aligned with statutes and regulatory requirements.
- May update policies or standards outside of the formal review cycle when wording changes are necessary to clarify requirements or resolve discrepancies, provided agencies are notified via WI-ISAC, Enterprise IT communications or the Administrative Officer Council.
- Publishes updated policies and standards to the DOA/DET Customer Portal and maintains a single repository for documentation applicable to all executive branch agencies.
Agencies must implement statewide policies through internal procedures and are expected to self-assess, document and adjust audit controls based on risk and legal obligations. They must also report their status of control implementation as part of their obligations under the IT Security Standards Handbook’s bi-annual reporting requirement.
Exception Process and Management
If an agency cannot meet a required policy or standard, they can request an exception through the DOA/DET Bureau of Security Exception Procedure.
Regulatory Alignment and Interagency Coordination
While DOA/DET sets the statewide policy framework, each executive branch agency is responsible for implementing those policies in alignment with all relevant federal and sector-specific regulations. Many agencies handle federally regulated data and therefore must simultaneously comply with external requirements, including:
- IRS Publication 1075 (Federal Tax Information)
- HIPAA (Protected Health Information)
- CJIS Security Policy (Criminal Justice Information)
- CMS MARS-E (healthcare exchanges and Medicaid systems)
- FERPA (educational information)
- PCI-DSS (payment card data security)
State agencies jointly share responsibility for protecting sensitive information such as Federal Tax Information (FTI), Protected Health Information (PHI) and Personally Identifiable Information (PII). Under Wis. Stat. § 16.973(3) and (5), statewide security mechanisms must also be used when coordinating audit information or transmitting sensitive data across agency boundaries.
Enforcement and Oversight
Enforcement of statewide security policies occurs at the agency level, not by the DET.
- Each agency is responsible for enforcing statewide IT security policies on its own. Human Resources at each agency determines appropriate corrective or disciplinary actions for violations of IT security policies.
- DET does not impose sanctions but ensures agencies uphold statewide policy requirements through monitoring and annual reporting.
Translating Policy Into Practice: The IT Security Standards Handbook
The State of Wisconsin IT Security Standards Handbook translates statewide security policies into the technical and operational requirements agencies must implement. Where the Policy Handbook defines what must be secured, the Standards Handbook defines how those requirements must be implemented, using prescriptive technical standards.
To guide agencies in selecting and implementing the correct safeguards, the Standards Handbook requires agencies to:
- Adopt NIST SP 800-53 Revision 5 as the foundational control catalog, ensuring all agencies use the same federal-grade baseline.
- Categorize their information systems and data as High, Moderate or Low impact using NIST SP 800-53B Table 3-1.
- Report control implementation status to DET twice per year through the bi-annual statewide reporting process.
- Identify and implement all necessary internal policies, procedures and processes needed to protect their systems and meet statewide requirements.
- Meet stricter requirements when federal regulations (e.g., IRS 1075, HIPAA, CJIS) exceed the statewide baseline.
- Implement controls as common, system-specific or hybrid, depending on whether the control is inherited from shared services or must be developed and implemented at the agency level.
Mapping of Statewide Security Policies to Required Standards
Each security policy is paired with one or more standards that define the specific actions an agency must take to comply. These standards outline the technical and procedural requirements for state-managed hardware, software and systems, ensuring that every agency implements security controls consistently across the enterprise.
| Policy ID | Policy Name | Purpose | Standard(s) | NIST Family |
| --- | --- | --- | --- | --- |
| AC-01 | Access Control Policy | Establishes structured access controls to mitigate risks from account misuse, remote access and insufficient oversight through principles like least privilege and formal approval. | 100 – Access Control Standard; 101 – Access Control for Remote Access Standard; 102 – Access Control for Wireless Access Standard; 103 – Access Control for Mobile Device Security; 160 – Identification and Authentication Standard; 220 – Personnel Security Standard | AC (Access Control) |
| AT-01 | Security Awareness & Training Policy | Provides structured cybersecurity training to agency personnel and affiliates to promote awareness, role clarity and risk mitigation across the state’s IT environment. | 110 – Security Awareness and Training Standard | AT |
| AU-01 | Audit and Accountability Policy | Supports the consistent monitoring and review of system activity by establishing expectations for audit logging and accountability measures. | 120 – Audit and Accountability Standard | AU |
| CA-01 | Security Assessment & Authorization Policy | This policy and the associated standard help to implement security best practices regarding security assessments, authorization and continuous monitoring. | 130 – Security Assessment and Authorization Standard | CA |
| CM-01 | Configuration Management Policy | Manages risks from system changes that impact baseline configuration settings. The configuration management standard helps document, authorize, manage and control system changes impacting information system components within the control of the executive branch agency. | 140 – Configuration Management Standard | CM |
| CP-01 | Contingency Planning Policy | Establishes procedures to manage risks from asset disruptions, failures and disasters through effective contingency planning. | 150 – Contingency Planning Standard | CP |
| IA-01 | Identification & Authentication Policy | Manages user access and authentication risks through the establishment of an effective identification and authentication program. | 100, 160 | IA |
| IR-01 | Incident Response Policy | Establishes guidelines for the identification, response, reporting, assessment, analysis and follow-up to all suspected information security incidents. | 170 – Incident Response Standard | IR |
| MA-01 | System Maintenance Policy | Ensures proper system maintenance and repairs by implementing procedures aligned with security best practices. | 180 – System Maintenance Standard | MA |
| MP-01 | Media Protection Policy | Manages risks from media access, media storage, media transport and media protection through the establishment of effective Media Protection standards and procedures. | 190 – Media Protection | MP |
| PE-01 | Physical & Environmental Security Policy | Mitigates the risks from physical security and environmental threats through the establishment of an effective physical security and environmental control standard and procedures. | 200 – Physical and Environment Protection Standard | PE |
| PL-01 | Security Planning Policy | Guides security planning to manage risks through the creation of a comprehensive security planning program. | 210 – Security Planning Standard | PL |
| PS-01 | Personnel Security Policy | Manages personnel and third-party access risks through procedures for screening, management and termination. | 220 – Personnel Security Standard | PS |
| RA-01 | Risk Assessment Policy | Established so that the impact of an information system compromise can be reduced in an efficient manner. The related risk assessment standard and procedures ensure the implementation of security best practices regarding the identification of known vulnerabilities to State of Wisconsin information assets. | 230 – Risk Assessment Standard; 191 – Data Classification Standard | RA |
| SA-01 | System & Services Acquisition Policy | Manages third-party and product-related risks through a formal third-party risk management framework. | 240 – System and Services Acquisition Standard | SA |
| SC-01 | System & Communications Protection Policy | Mitigates risks from insecure configurations, data transfer, denial-of-service and communications vulnerabilities. | 250 – System and Communications Protection Standard | SC |
| SI-01 | System & Information Integrity Policy | Addresses system flaws, malicious code and unauthorized changes to ensure integrity and proper error handling. | 260 – System and Information Integrity Standard | SI |
| PM-01 | Program Management Policy | Outlines the structure and responsibilities for statewide information security management, ensuring consistent baseline policies, documented procedures and adaptable standards. | 500 – Program Management Standard | PM |
| PT-01 | PII Processing & Transparency Policy | Manages risks from improper collection and handling of personally identifiable information (PII). | 270 – Program Management Standard | PT |
| SR-01 | Supply Chain Risk Management Policy | Addresses supply chain threats by establishing protections against inadequate vendor and supplier security. | 280 – Supply Chain Risk Management Standard | SR |
Statewide Risk Assessment Requirements for Wisconsin Agencies
Standard 230, from the IT Security Standard Handbook, establishes how executive branch agencies must perform risk assessments and implement all related NIST SP 800-53 Rev. 5 RA controls. It defines the requirements for system categorization, risk analysis, supply chain assessments, vulnerability scanning, privacy impact assessments and criticality analysis.
The standard sets minimum baseline controls all agencies must implement. Agencies with stricter federal or regulatory obligations, such as IRS 1075, HIPAA, CJIS, FERPA, MARS-E, may need to exceed these requirements.
Governance & Documentation Requirements (RA-1)
To establish the organizational foundation for all risk assessment activities, agencies must:
- Develop, document and disseminate a formal Risk Assessment Policy that defines scope, roles, responsibilities, management commitment and compliance expectations.
- Create accompanying procedures that explain how the risk assessment controls will be implemented in practice.
- Assign personnel responsible for managing, maintaining and distributing the policy and procedures.
- Review and update the policy and procedures on an agency-defined schedule.
Security Categorization (RA-2)
Agencies must:
- Categorize information systems and data based on the potential impact of loss of confidentiality, integrity and availability.
- Document categorization decisions and rationale in the System Security Plan (SSP).
- Obtain Authorizing Official (AO) review and approval of categorization results.
- Use NIST SP 800-60 for federal security categories and NIST SP 800-53B Table 3-1 to select the required Low/Moderate/High baseline controls.
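As an added illustration (not code from the handbooks or from DET), the following carries the RA-2 steps through in code: per-information-type impact levels are rolled up per security objective, the FIPS 199 high-water mark gives the system's overall impact, and the Policy Handbook's statement that the Low and Moderate control sets are the statewide minimum is applied on top. The information types, the `Moderate`-floor rule and the overlay handling are this example's assumptions; the exact High-impact controls a regulation such as IRS 1075 adds are not modeled.

```python
from dataclasses import dataclass, field
from typing import Iterable, List

# Impact levels in ascending order (FIPS 199 / NIST SP 800-60 vocabulary).
LEVELS = ("Low", "Moderate", "High")


def _highest(levels: Iterable[str]) -> str:
    """Return the highest impact level among those given."""
    return max(levels, key=LEVELS.index)


@dataclass
class InformationType:
    """One information type the system handles, with its provisional C/I/A impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


@dataclass
class SystemCategorization:
    system: str
    confidentiality: str
    integrity: str
    availability: str
    overall: str                  # high-water mark across the three objectives
    statewide_baseline: str       # control baseline the agency must implement
    regulatory_overlays: List[str] = field(default_factory=list)

    def security_category(self) -> str:
        """FIPS 199 notation for the SSP, e.g. SC = {(confidentiality, Moderate), ...}."""
        return ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
                % (self.confidentiality, self.integrity, self.availability))


def categorize(system: str, info_types: List[InformationType],
               applicable_regs: Iterable[str] = ()) -> SystemCategorization:
    """Categorize a system the way RA-2 describes:
    1. per objective, the system level is the highest level of any information type it carries;
    2. the overall impact is the high-water mark across confidentiality, integrity and availability;
    3. (assumption from the Policy Handbook text) the Low and Moderate baselines are the statewide
       minimum, so a Low-impact system still implements the Moderate baseline; High-impact systems
       implement the High baseline.
    Regulations (IRS 1075, HIPAA, CJIS, ...) are only recorded as overlays for the AO to review.
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    for it in info_types:
        for level in (it.confidentiality, it.integrity, it.availability):
            if level not in LEVELS:
                raise ValueError("%s: unknown impact level %r" % (it.name, level))

    c = _highest(it.confidentiality for it in info_types)
    i = _highest(it.integrity for it in info_types)
    a = _highest(it.availability for it in info_types)
    overall = _highest((c, i, a))
    baseline = _highest((overall, "Moderate"))   # statewide floor is the Moderate baseline
    return SystemCategorization(system, c, i, a, overall, baseline, list(applicable_regs))


if __name__ == "__main__":
    # Constructed sample: a tax system holding Federal Tax Information plus a public forms library.
    tax_system = [
        InformationType("Taxpayer records (FTI)", "Moderate", "Moderate", "Low"),
        InformationType("Public forms library", "Low", "Low", "Low"),
    ]
    result = categorize("Tax Filing Portal", tax_system, ["IRS 1075"])
    print(result.security_category())
    print("overall:", result.overall, "| statewide baseline:", result.statewide_baseline,
          "| overlays:", ", ".join(result.regulatory_overlays))
```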
Full Risk Assessment Requirements (RA-3)
Agencies must conduct formal risk assessments that:
- Identify system threats and vulnerabilities
- Evaluate likelihood and magnitude of harm, including unauthorized access, disclosure, disruption or destruction
- Assess potential adverse privacy effects for systems processing PII
- Integrate agency mission/business risks with system-level risks
- Document results in SSPs, privacy plans and risk assessment plans
- Disseminate results to appropriate agency personnel
- Update on a defined cycle or whenever major changes occur
- Review results at agency-defined intervals
Supply Chain Risk Assessments (RA-3(1))
To identify risks originating from vendors, cloud services, hardware origin or outsourced development, agencies must:
- Assess supply chain risks for agency-defined systems, components and services
- Update assessments when the supply chain changes or when system/environment changes affect risk
Vulnerability Monitoring & Scanning (RA-5)
According to the Risk Assessment IT Standard, agencies must:
- Monitor and scan systems and hosted applications on a defined schedule or when new vulnerabilities are published
- Use automated tools that support standard enumeration formats
- Review and analyze scan results
- Remediate validated vulnerabilities based on risk
- Share results with appropriate personnel to prevent recurrence
- Ensure scanning tools can be updated to include new vulnerabilities
- Update the vulnerability list before each scan and when new vulnerabilities emerge.
- Ensure scanners have the necessary privileged access for full vulnerability detection.
- Establish a public channel for reporting vulnerabilities in agency systems.
Risk Response (RA-7)
Agencies must:
- Respond to findings from security assessments, monitoring and audits
- Align mitigation actions with agency risk tolerances
- Track remediation using POA&Ms or equivalent processes
Privacy Impact Assessments (RA-8)
To identify privacy risks early and incorporate controls into design, agencies must conduct PIAs when developing or procuring IT systems that process PII and when initiating new PII collections that will be processed using IT.
Criticality Analysis (RA-9)
Agencies must prioritize protection for components whose failure would disrupt mission-essential operations. To do this, they must:
- Identify critical system functions and components
- Document critical elements in SSPs, contingency plans, CMDBs or architecture diagrams
Incident Response & Reporting Requirements
Under Policy IR-01 and Standard 170, Wisconsin requires every executive branch agency to maintain a formal, documented incident response capability: agencies must be able to detect, report, analyze, contain, eradicate and recover from security incidents affecting state information or systems. To do this, agencies must:
- Develop and maintain policies and procedures (IR-1):
  - Create an official incident response policy and procedures.
  - Clearly define roles, responsibilities and compliance expectations.
  - Review and update the policy and procedures on a regular (agency-defined) schedule.
- Provide incident response training to all relevant users annually, especially when someone takes on a new role or system access or when procedures or systems change.
- Train their staff specifically on breach recognition and reporting.
- Test their incident response capabilities at least once a year using methods like tabletop exercises, walkthroughs or simulations.
- Be prepared to detect, contain, respond to and recover from incidents. They must also learn from these incidents and update future plans to reflect these learnings. The Handbook encourages the use of automated tools where possible.
- Track and document all incidents through appropriate channels within an agency-defined timeframe. They should use automated tools to help with reporting.
- Offer help and guidance to staff dealing with incidents.
- Create and maintain an Incident Response Plan that defines the agency’s approach to incident response. This plan must include breach response procedures, metrics, resources needed and roles. The plan must then be reviewed and updated yearly.
- Include the following in their Incident Response Plan for breaches involving personally identifiable information (PII):
  - A process to decide whether individuals or other organizations (such as oversight bodies) need to be notified.
  - A way to assess how much harm, embarrassment, inconvenience or unfairness the breach may cause to affected individuals and steps to reduce those impacts.
  - A clear list of all relevant privacy laws and requirements that apply to the breach.
Escalation, Coordination & Oversight
- Agencies must report incidents to the correct internal channels within agency-defined timelines.
- If an incident involves third-party services or supply chain components, agencies must coordinate reporting and containment efforts with those vendors.
- DET does not conduct incident response, but oversees whether agencies have plans in place, conduct training, maintain documentation and test and update their IR capabilities.
- If an agency cannot meet a requirement in IR-01 or Standard 170, it must submit a formal exception request to the DET Bureau of Security.
External Incident Support – Wisconsin Cyber Response Team (CRT)
Although each executive branch agency is responsible for its own incident response under Policy IR-01 and Standard 170, Wisconsin also offers optional statewide assistance through the Cyber Response Team (CRT).
Operated by Wisconsin Emergency Management (WEM), the CRT is a voluntary, no-cost resource available to public-sector and critical-infrastructure organizations such as counties, municipalities, tribal governments, K-12 schools and libraries, public utilities and healthcare facilities.
The team consists of vetted cybersecurity and IT professionals who can assist when an agency’s internal capacity is exceeded. CRT support can include incident triage, digital forensics, containment and recovery assistance and even pre-incident activities like readiness assessments and preparedness planning.
Data Breach Notification Requirements
Separate from the handbooks, Wisconsin law (Wis. Stat. § 134.98) requires notification when unencrypted, unredacted personal information is acquired by an unauthorized person and creates a material risk of identity theft or fraud.
| Requirement | Detail |
|---|---|
| Notification Timeline | Must notify individuals within 45 days of discovering the breach. |
| Notification Method | Notification must be sent via postal mail or another communication method previously used with the individual. |
| Notification to Third Parties | If 1,000 or more individuals are affected, agencies must also notify the three nationwide consumer reporting agencies. |
| Delay Allowance | Notification can be delayed only if a law enforcement agency issues a written request stating that notice would interfere with an investigation or homeland security. |
Vendor & Third-Party Oversight (SA-01 / Standard 240 / SA-9 Controls)
Wisconsin requires strong oversight of all third-party IT providers, including cloud vendors, software suppliers and contractors.
Under Policy SA-01 and Standard 240 (Control SA-9), agencies must:
- Ensure every external service provider complies with statewide IT security policies and standards.
- Define and document roles and responsibilities for the agency personnel overseeing vendor services.
- Continuously monitor vendor security controls for effectiveness.
- Conduct a formal risk assessment before outsourcing any system or service (SA-9(1)).
- Enforce data handling restrictions when security, privacy or federal requirements dictate where state data may be stored, processed or transmitted (SA-9(5)).
Other State Cybersecurity Obligations Outside DOA/DET
Wisconsin Act 73 (15.07.2021), modeled after the NAIC Insurance Data Security Model Law, imposes security and breach notification requirements on entities regulated by the Office of the Commissioner of Insurance (OCI), including insurers, insurance agencies and public adjusters.
Unlike the statewide IT Security Policy Handbook, Act 73 does not apply to all executive branch agencies, but only to insurance “licensees.”
| Requirement Category | What Licensees Must Do |
|---|---|
| Risk Assessment | Conduct periodic risk assessments to identify security risks. |
| Information Security Program (ISP) | Develop and maintain a written ISP tailored to the licensee’s size, business activities and data sensitivity. |
| Incident Response Plan | Maintain a documented incident response plan appropriate to organizational scale and risk. |
| Third-Party Oversight | Exercise due diligence over third-party service providers (mandatory as of Nov 1, 2023). |
| Governance / Board Oversight | Ensure board-level oversight and approval of the security program. |
| Annual Certification to OCI | Submit annual compliance certification to OCI (required since 2023). |
| Cyber Event Reporting to OCI | Notify OCI within 3 business days if the event may materially harm consumers or operations, or if it involves nonpublic information of 250+ Wisconsin residents. |
| Consumer Notification | Notify affected individuals within 45 days and notify the producer of record. |
| Enforcement | OCI may impose penalties, suspend licenses or require corrective action for noncompliance. |
How Agencies Can Implement the Wisconsin IT Security Framework
Step 1: Assign Responsible IT & Compliance Owners
Every agency must begin by defining who owns each part of the security program.
- Appoint a program lead, such as an Agency Security Officer or equivalent role.
- Define system owners for every application or service in use.
- Identify subject-matter leads for key areas such as Identity and Access Management (IAM), Incident Response (IR), Configuration Management (CM) and network operations.
- Assign a compliance coordinator responsible for DET reporting, documentation and coordination with statewide requirements.
Step 2: Review the Statewide Baseline Controls
Agencies must understand and implement the required controls outlined in the Wisconsin IT Security Standards Handbook:
- Begin with the Policy Handbook to understand high-level obligations.
- Review the Standards Handbook to determine how policies map to NIST SP 800-53 Revision 5.
- Identify applicable baseline controls based on system categorization (Low, Moderate or High).
- Determine additional control requirements based on federal or regulatory obligations (e.g., IRS 1075, HIPAA, CJIS, FERPA, MARS-E).
For example, agencies that process Federal Tax Information (FTI) must implement enhanced controls such as strong encryption, comprehensive auditing and strict access controls beyond the statewide baseline.
Step 3: Map Wisconsin Requirements to NIST RMF Steps
Wisconsin requires agencies to follow the full NIST Risk Management Framework lifecycle.
- Categorize systems by impact level (Low, Moderate or High).
- Select controls using NIST SP 800-53B Table 3-1.
- Implement controls through technical mechanisms and documented procedures.
- Assess controls for effectiveness through gap assessments and evidence collection.
- Authorize systems by obtaining approval from the designated Authorizing Official (AO).
- Monitor controls continuously using logging, vulnerability scanning and periodic reviews.
Step 4: Document Controls and Track Remediation (POA&M Process)
Comprehensive documentation is essential for DET oversight, audit readiness and continuous program improvement:
- Maintain a System Security Plan (SSP) for each information system.
- Develop a Plan of Action and Milestones (POA&M) for each identified control deficiency.
- Track remediation activities, including software patching, procedural updates and configuration changes.
- Store all documentation and evidence in a centralized repository. A GRC platform like Isora can help agencies simplify DET reporting.
For instance, if a vulnerability scan identifies unsupported software, a POA&M should be opened with a 90-day deadline and assigned to the responsible infrastructure team.
Step 5: Prepare for Ongoing Reviews, Assessments & Reporting
Ongoing evaluation and reporting are required to demonstrate continuous compliance:
- Conduct internal control assessments on a quarterly or semiannual basis.
- Review and update policies and procedures at least annually.
- Prepare for DET’s biannual control implementation reporting.
- Conduct annual incident response training and tabletop exercises.
- Review third-party vendor risk and supply chain controls.
Step 6: Automate Evidence Collection & Compliance Monitoring Where Possible
Automation reduces manual errors and improves efficiency across compliance functions.
- Use a GRC platform like Isora to manage:
  - Surveys and assessments
  - Evidence collection workflows
  - POA&M tracking
  - Control implementation dashboards
  - Compliance reporting
- Implement continuous vulnerability scanning.
- Centralize log data to maintain reliable audit trails.
For example, instead of requesting screenshots from staff, configure the GRC tool to collect automated evidence for controls such as MFA, logging and configuration on a quarterly basis.
Step 7: Assign Roles, Conduct Training and Maintain Ongoing Awareness
Human factors play a critical role in the success of any information security program:
- Conduct annual security awareness training for all personnel.
- Provide role-specific training for privileged users.
- Train incident responders and system owners.
- Include security training as part of the onboarding process for all new staff.
Step 8: Track Compliance Deadlines & Ensure Timely DET Reporting
Timely reporting and preparation are essential for statewide coordination:
- Maintain a compliance calendar for:
  - Biannual DET reports
  - Annual IR exercises
  - Policy reviews
  - Risk assessments
- Alert system owners ahead of deadlines.
- Use automated reminders and dashboards to support timely submissions.
If the next DET control implementation report is due in February, for instance, an internal audit should be scheduled for December to identify any outstanding issues and confirm documentation is in order.
GRC Software for Wisconsin IT Security Framework
Implementing the State of Wisconsin IT Security Standards Handbook demands continuous visibility, documentation and measurable accountability across every agency. Manual tracking through spreadsheets, email chains and disconnected tools makes it difficult to maintain accuracy, meet deadlines or demonstrate progress to the Wisconsin DOA/DET.
A modern GRC platform gives agencies the centralized foundation needed to operationalize these requirements effectively and consistently.
Here’s how a GRC platform can help:
Centralized Compliance Management
GRC software consolidates assessments, control documentation, evidence, system inventories and exception workflows into a single, authoritative system of record. This eliminates fragmented tracking and ensures agencies always work from the most current version of DET-required controls.
Automated Reporting and Oversight
Real-time dashboards streamline reporting to DOA/DET by showing control implementation status, remediation progress, risk posture trends and baseline coverage at a glance. Automated report generation reduces manual effort and improves accuracy during compliance cycles.
Accountability and Task Tracking
Integrated workflows assign ownership, enforce review cycles, verify corrective actions and ensure deadlines are met across teams and departments. Agencies gain transparent, auditable proof of progress for every required control or remediation task.
Standardized Vendor & Supply-Chain Oversight
GRC platforms support consistent third-party evaluations by enabling agencies to send standardized questionnaires, collect attestations and centrally track vendor compliance. Continuous monitoring helps ensure adherence to Wisconsin’s expanded supply-chain and acquisition requirements.
Isora GRC for Wisconsin’s IT Security Standards and Policies
As agencies begin implementing the Wisconsin IT Security Policy and Standards Handbooks, the practical difficulty becomes clear. The 2025 Wisconsin framework requires agencies to conduct regular risk assessments, maintain current asset inventories, document exceptions and report compliance status to oversight bodies such as the Wisconsin DOA/DET.
Isora GRC gives Wisconsin agencies a practical, ready-to-use system for executing these requirements. Instead of managing assessments, risks and inventories across scattered spreadsheets, agencies can coordinate all IT Security Standard activities within one structured, collaborative platform.
Assessment Management
Isora GRC supports frameworks like NIST CSF, NIST SP 800-53, HIPAA Security Rule and IRS 1075, each foundational to Wisconsin’s security standards. Agencies can deploy policy-aligned assessments across departments, systems and third-party providers using prebuilt or custom templates. Findings automatically populate the live risk register and remediation workflows, ensuring evidence-based compliance tracking.
With this, Wisconsin agencies achieve faster, standardized control validation across departments, reducing manual data collection, improving audit readiness and maintaining consistent documentation for DOA/DET reviews and federal oversight partners.
Inventory Management
Isora GRC helps agencies maintain a connected inventory of systems, applications and vendors tied directly to Wisconsin’s IT Security Standards. Each record captures ownership, classification and control mappings, creating traceability from system-level risks to control objectives.
Agencies gain a single, centralized system of record for all assets and vendors, ensuring full visibility and accountability for security ownership, data classification and compliance status, critical for demonstrating adherence to state security requirements and policies.
Risk Management
Isora’s live risk register enables Wisconsin agencies to capture, evaluate and mitigate risks in real time. Assessment findings map directly to specific risks and controls, while exception management tracks deviations, assigns owners and sets expiration dates for policy exceptions.
This allows agencies to maintain ongoing visibility into cybersecurity risks, prioritize remediation based on impact and likelihood and produce clear, actionable insights for CIOs, CISOs and compliance officers across the state.
Reports & Scorecards
Isora GRC automatically generates audit-ready reports and scorecards aligned to Wisconsin’s IT Security Standards. Data from assessments, inventories and the risk register consolidate into visual dashboards and exportable reports for DET compliance reporting and legislative oversight.
Agencies can provide state auditors and oversight boards with real-time documentation that demonstrates compliance progress, control effectiveness and risk trends, strengthening statewide cybersecurity accountability and confidence in IT governance.
Wisconsin IT Security Standards FAQs
What are the key requirements of Wisconsin’s IT Security Standards and Policies for state agencies in 2025?
The Wisconsin IT Security Standards and Policies (2025 update) establish a unified cybersecurity framework for all executive branch agencies under the DOA DET. The standards require agencies to:
- Conduct regular risk assessments aligned with NIST SP 800-53 Rev 5 and NIST CSF.
- Maintain accurate inventories of systems, applications and vendors.
- Document and manage Plans of Action and Milestones (POA&Ms) for identified gaps.
- Implement incident response procedures, exception tracking and supply-chain risk management controls.
- Report compliance status and remediation progress to DET on a biannual basis.
These updates, effective August 2025, strengthen accountability, visibility and collaboration across agencies to improve statewide cybersecurity resilience.
How do the Wisconsin IT Security Standards Handbook and IT Security Policy Handbook work together to guide statewide cybersecurity compliance?
The Wisconsin IT Security Policy Handbook defines what agencies must do, covering statewide cybersecurity expectations, governance roles and policy principles. The Wisconsin IT Security Standards Handbook defines how to do it, detailing technical controls, operational procedures and reporting mechanisms that agencies must follow to comply with state policy.
Together, the two handbooks form a complete governance framework: the Policy Handbook sets the overarching mandates and the Standards Handbook provides the implementation guidance needed to achieve and demonstrate compliance with DET’s statewide cybersecurity requirements.
What frameworks does the Wisconsin IT Security Standards Handbook align with (e.g., NIST SP 800-53, NIST CSF, ISO 27001)?
The Wisconsin IT Security Standards Handbook is built on widely recognized federal cybersecurity frameworks, ensuring both state and national alignment. Key frameworks include:
- NIST SP 800-53 Rev 5 (Security and Privacy Controls for Information Systems and Organizations)
- NIST CSF
- NIST SP 800-37 and 800-39 for risk management and governance
- ISO 27001 and 27002 for information security management best practices
By adopting these frameworks, Wisconsin ensures that its agencies meet rigorous, consistent standards for control implementation, risk management and continuous monitoring, simplifying federal and state compliance overlap.
What are the audit and oversight reporting obligations for agencies under Wisconsin’s IT Security Standards (effective August 2025)?
Under the 2025 Wisconsin IT Security Standards, agencies must maintain continuous compliance evidence and submit biannual reports to the Division of Enterprise Technology (DET) summarizing control implementation, open POA&Ms and overall risk posture.
Agencies are expected to provide:
- Documented results of risk assessments and system security reviews.
- Updated asset and vendor inventories.
- Status of all mitigation and exception activities.
- Evidence of policy alignment and training compliance.
DET uses this data for statewide oversight, maturity scoring and cross-agency reporting to legislative and executive stakeholders. A structured GRC platform like Isora GRC enables agencies to automate reporting, maintain audit-ready documentation and demonstrate continuous improvement against Wisconsin’s IT Security Standards and Policies.
How does Wisconsin’s statewide cybersecurity framework integrate with federal mandates such as HIPAA, IRS 1075 and CJIS?
The Wisconsin IT Security Standards and Policies are intentionally aligned with major federal cybersecurity and privacy frameworks to simplify compliance across state programs that handle regulated data. The 2025 update incorporates control mappings and cross-references to:
- HIPAA Security Rule for protecting health information in state-run or partner health systems.
- IRS 1075 for safeguarding federal tax information (FTI) within Wisconsin agencies that receive or process IRS data.
- CJIS Security Policy for law-enforcement systems and shared criminal-justice data.
By harmonizing requirements with NIST SP 800-53 Rev 5, NIST CSF and these federal mandates, Wisconsin ensures agencies can implement one consistent set of controls that meet multiple oversight obligations. This unified approach reduces duplication, strengthens data protection and streamlines federal audit readiness.