Frequently Asked Questions
Article 87, MassIT

General Questions

1. What is this legislation and what does it do?

The proposed Article 87 legislation establishes a legal framework that enables the Commonwealth to be more cyber-secure; keep current with best practices in technology; improve the quality and value of information technology (IT) services; and create a modern IT platform supporting digital services and data-driven policymaking. It does this through the following key changes:

Structure and Mission: Creates a new secretariat of Technology Services and Security, headed by a Secretary of Technology who is charged with the mission of securing, modernizing and centralizing IT infrastructure for the executive department. MassIT becomes the Executive Office of Technology Services and Security (EOTSS).

Security: Improves security through the adoption of best practices, including standardization, centralization, and leveraging industry expertise to reduce the Commonwealth’s overall risk profile and deploy mitigation strategies.

Enterprise IT Modernization: Commissions the newly established EOTSS to review, streamline, and generally modernize the policies and procedures governing our information technology infrastructure, cybersecurity, digital platforms and data management, and to create a new policy architecture suited to the needs of an evolving and complex organization.

New Roles and Responsibilities: Creates and/or expands the responsibilities of key enterprise-level leadership positions within EOTSS, including the following:
  o Chief Information Security Officer (CISO), assigned enterprise-wide responsibility for cybersecurity;
  o Chief Privacy Officer, entrusted with ensuring all data usage is in keeping with federal and state legislation;
  o Chief Data Officer, expected to promote data sharing, analysis and data-driven policy making throughout the Commonwealth; and
  o Chief Digital Officer, focused on modernizing the Commonwealth’s digital presence.

2. Do we need to do this? What are other states and organizations doing?

Massachusetts lags behind other states and the private sector in its focus on securing state-held information technology assets. Starting around 2002, states large and small have been moving to centralize key functions, especially infrastructure and telecommunications. In the Commonwealth, our technology infrastructure is housed in disparate locations without standardized management, control or oversight, leading to unmanageable security threats and inefficiencies. Because statutes and policies support this non-standard, decentralized approach to technology, we need legislation that simplifies IT management while emphasizing its importance in supporting agencies in their delivery of services to constituents.

3. When will the change take effect?

The law may only take effect sixty (60) calendar days after the Governor introduces the proposal, provided that neither house of the legislature disapproves of the proposal by a majority vote during the sixty (60) day period. The statute anticipates that legislative committees in each house will conduct hearings on the proposal within thirty (30) days of its introduction, and ten (10) days following such hearings will recommend to the respective chambers approval or disapproval of the proposal. In the event that neither chamber votes to disapprove the proposal, it becomes law following sixty (60) days after its introduction.

Assuming the Article 87 proposal becomes law, the Executive Department will implement the reforms, changes and reorganizations contemplated in the proposal gradually over time, although it is currently envisioned that all the technical and organizational work required will be complete within 24 months, with another 6-12 months allowed for adjustments and corrections.

4. Didn’t “consolidation” happen already? Hasn’t this been done before?

This change isn’t about consolidation so much as creating a consistent approach to commodity technology services and infrastructure. Consistency and standardization are critical for securing the Commonwealth’s information assets.

Efforts have been made before to consolidate. In February 2009, Governor Patrick issued Executive Order No. 510 to centralize the management and operation of IT systems across the Executive department at the Secretariat level. This was followed in May 2011 by Executive Order No. 532, which gave further support to the consolidation effort. The legislature codified these executive orders in 2014, enacting legislation that formally established a Massachusetts Office of Information Technology within the Executive Office of Administration of Finance. Despite these targeted activities, only a small portion of the centralization goal was achieved, leaving the Commonwealth even more vulnerable than before. We expect this new effort will improve security and services delivery for all.

5. Isn’t this just a cost-savings exercise?

No. Additional investments are being made to ensure we are fully secure and modernized. This is an effort to improve security, which requires adopting best practices and implementing modern technology platforms, all of which will have the added benefit of also improving quality of service. Significant changes in the technology marketplace over the past several years offer new opportunities for technological innovation at lower prices, giving us the potential to achieve savings as well.