WaTech/OCIO adopted and the Technology Services Board (TSB) approved SEC-01 “Washington State Cybersecurity Program Policy” (State CIO Adopted and TSB Approved: Dec. 10, 2024). The policy explicitly states it replaces IT Policy 141 and replaces specified portions of IT Security Standard 141.10 (sections 1.1 and 2.1–2.5, originally effective Nov. 13, 2017). Compliance teams tracking OCIO Standard 141.10 should update their control mapping and internal governance documentation to reflect that these sections are now governed by SEC-01 (including program documentation review cadence and enterprise cybersecurity program requirements).
Technology Services Board (TSB) Security Subcommittee agenda materials (Aug. 8, 2024) describe SEC-06-01-S Identification and Authentication Security Standard as expanding on and replacing 141.10 sections 6.2 and 6.3, and include an explicit future-dated change: beginning Jan. 1, 2026, password length and expiration requirements increase (minimum 15 characters; maximum 365-day expiration). This is a concrete implementation milestone for agencies’ authentication/password policies derived from the 141.10 successor standards. Because the agenda book is meeting material (not the final adopted standard text), treat the regulatory status as proposed unless separately confirmed as adopted in an official issued standard document.
WaTech issued SEC-11-01-S “Information Security Risk Assessment Standard” (State CIO Adopted and TSB Approved: June 8, 2023) and the document states it replaces IT Security Standard 141.10 section 1.2.1. For 141.10 compliance, this is a substantive governance change: risk assessment obligations previously anchored in 141.10 should be aligned to SEC-11-01-S requirements and triggers. The standard also specifies a sunset review date (June 8, 2026), which compliance programs should track for potential revisions.
An updated Standard No. 141.10 PDF is labeled as updated Feb. 11, 2023 and indicates that parts of the legacy 141.10 standard have been rescinded (i.e., not all provisions in the older monolithic standard remain controlling). The document points readers to replacement artifacts (e.g., references such as 'See the Risk Assessment Standard'), signaling that agencies should not rely solely on the 2017 version for all topic areas and should validate which 141.10 provisions remain in force vs. replaced by SEC-series standards.