Lawmakers agree to establish a State Security Operations Center focused on cybersecurity

• The SSOC will collaborate with the Mississippi Office of Homeland Security as well as federal cybersecurity centers and public-sector threat-intelligence partners.

A bill to create a State Security Operations Center (SSOC) is headed to Governor Tate Reeves (R) after lawmakers agreed on the conference report Wednesday morning.

When enacted into law, SB 2654 would create within the Mississippi Department of Information Technology an operational arm of statewide cybersecurity, complementing but not supplanting the strategic, regulatory, and governance authorities already granted the state.

State Senator Bart Williams (R), chairman of the Senate Technology Committee, said upon adopting the conference report that the changes to the bill sought by the House were small.

The conference report, he told Senators, “is almost identical to the bill we passed out of here.” The measure was unanimously approved by the Senate in February.

“Nothing functionally changes,” Williams added.

The changes included from the House deleted a reverse repealer as well as cleaned up a few clerical suggestions. Williams said the Senate bill used the abbreviation ISO, whereas the House bill wrote out the words “Chief Information Security Officer.”

Williams noted that no appropriations were necessary to enact SB 2654.

When he wrapped up his floor speech, there were no questions concerning the conference report from fellow senators, and adoption swiftly followed. 

The SSOC is to provide centralized statewide cybersecurity operations to include continuous monitoring, alerting, threat detection and analysis of state cyberinfrastructure as well as operational incident response and mitigation. The SSOC will also provide security orchestration, automation and response.

The SSOC will collaborate with the Mississippi Office of Homeland Security, federal cybersecurity centers and public-sector threat-intelligence partners, and “any other entity necessary to execute operational cybersecurity responsibilities.”

The bill states that the legislation cannot limit the authority of the state’s chief information officer, modify or limit the statewide cybersecurity authorities, or impact the governance, policy-making, or regulatory functions of the Enterprise Security Program.

Notably, a bill to create a state Chief Information Officer, SB 2625, died in the House Accountability, Efficiency, and Transparency Committee earlier this month. That bill would have created a gubernatorially appointed position meant to serve as the chief policy advisor to the Governor on statewide information technology and cybersecurity issues.