CTR Cyber Incident Reporting Requirements
According to the updated Internal Control Policy, all state departments must notify CTR immediately after internal notifications. This applies to any suspected or actual fraud, cyber incident, phishing, ransomware, or tech compromise. That includes issues like a compromised laptop. It is especially important if the incident involves users with access to systems like MMARS, HR/CMS, or the Commonwealth Information Warehouse.
Reporting to CTR is required in addition to any other mandated reporting to oversight entities or law enforcement. These events are internal control weaknesses that may affect other departments. Do not wait until remediation is complete; CTR may need to act to protect enterprise systems. All reports are confidential, and CTR does not interfere with mitigation efforts.
As part of the annual Internal Control Certification process, your department head certifies compliance with both internal policies and CTR’s published guidance (e.g., Fiscal Year Memos, Policies, Job Aids, Training) in daily operations.
Action Steps:
- Establish internal protocols to report and triage suspected or actual fraud, cyber incidents, or tech disruptions. See Report Cyber Incidents, Suspicious Activity, and Fraud.
- Include procedures to immediately notify CTR at [email protected] after internal notifications.
Bookmark our CTR Compliance Corner as your one-stop shop for alerts and success factors that you can integrate into your daily operations to keep you safe on your mission.