WaTech/OCIO issued the SEC-01 Washington State Cybersecurity Program Policy, which explicitly replaces specified portions of OCIO Standard 141.10 (Securing Information Technology Assets), namely sections 1.1 and 2.1–2.5 (previously dated November 13, 2017 per the SEC-01 replacement statement). For compliance teams, this is a governance/control-framework change requiring re-mapping internal policies, control libraries, and audit criteria from the referenced 141.10 sections to SEC-01 requirements and any linked standards/waiver processes referenced by SEC-01.
WaTech/OCIO adopted and the Technology Services Board (TSB) approved SEC-01 “Washington State Cybersecurity Program Policy” (State CIO Adopted and TSB Approved: Dec. 10, 2024). The policy explicitly states it replaces IT Policy 141 and replaces specified portions of IT Security Standard 141.10 (sections 1.1 and 2.1–2.5, originally effective Nov. 13, 2017). Compliance teams tracking OCIO Standard 141.10 should update their control mapping and internal governance documentation to reflect that these sections are now governed by SEC-01 (including program documentation review cadence and enterprise cybersecurity program requirements).
Technology Services Board (TSB) meeting minutes for the Sept. 12, 2024 quarterly full board meeting state that approvals of newer security policies/standards “mark the completion to replace the previous Standard 141.10 Securing Information Technology Assets.” For compliance teams, this is a governance signal that 141.10 should be treated as a legacy framework and that control mappings, audit criteria, and contract/security requirement references should be updated to the applicable WaTech SEC-series policies/standards that supersede the relevant 141.10 sections.
Technology Services Board (TSB) Security Subcommittee agenda materials (Aug. 8, 2024) describe SEC-06-01-S Identification and Authentication Security Standard as expanding on and replacing 141.10 sections 6.2 and 6.3, and include an explicit future-dated change: beginning Jan. 1, 2026, password length and expiration requirements increase (minimum 15 characters; maximum 365-day expiration). This is a concrete implementation milestone for agencies’ authentication/password policies derived from the 141.10 successor standards. Because the agenda book is meeting material (not the final adopted standard text), treat the regulatory status as proposed unless separately confirmed as adopted in an official issued standard document.
Washington State’s Office of Administrative Hearings (OAH) Information Technology Services Roadmap (July 1, 2024–June 30, 2026) includes planning language indicating anticipated adoption of changes to Washington State security standards based on NIST and mentions an audit effort to be compliant with the “WaTech rewrite of state security standard 141.10.” This is not an officially issued amendment to OCIO Standard 141.10, but it is an official-state planning signal that agencies may need to prepare for revisions/rewrites affecting 141.10-aligned controls and audit expectations.
WaTech published and adopted the SEC-04-05-S Network Security Standard (State CIO adopted May 28, 2024; Technology Services Board approved June 24, 2024). The standard explicitly states it replaces specified network-security requirements formerly contained in OCIO IT Security Standard 141.10 (sections 5.1–5.4 and related subsections). Compliance teams who previously managed network-security obligations under 141.10 should update their control mappings, internal procedures, and audit/assessment criteria to align with SEC-04-05-S going forward, since it is the successor/authoritative network-security control document for the impacted 141.10 content.
WaTech adopted and TSB approved the SEC-02 Security Assessment and Authorization Policy, explicitly replacing portions of IT Security Standard 141.10 (sections 1.2.1 and 1.5). This codifies the statewide security assessment/authorization lifecycle expectations for agency IT systems and updates how agencies document and maintain authorization and risk treatment activities relative to the legacy 141.10 framework. Compliance teams should update internal control mappings and governance artifacts to reflect SEC-02 as the governing authority for these replaced requirements.
WaTech adopted and TSB approved USER-02 Acceptable Use Policy, explicitly replacing IT Security Standard 141.10 section 2.10 (December 11, 2017). This establishes updated acceptable-use requirements for state IT assets and user conduct controls that were previously governed under the 141.10 standard. Compliance teams should treat USER-02 as the controlling document for acceptable use and adjust agency training, user acknowledgements, and policy references previously pointing to 141.10 (2.10).
WaTech adopted and the Technology Services Board (TSB) approved the SEC-04 Asset Management Policy, explicitly replacing IT Security Standard 141.10 section 8.2 (December 11, 2017). This formalizes updated statewide requirements for maintaining and managing inventories of IT infrastructure and applications, including periodic review and controls relevant to systems handling higher-sensitivity data. Compliance teams should map legacy 141.10 asset-management obligations to SEC-04 and ensure agency policies/procedures and audit criteria reflect the replacement document and its review cycle.
WaTech issued SEC-11-01-S “Information Security Risk Assessment Standard” (State CIO Adopted and TSB Approved: June 8, 2023) and the document states it replaces IT Security Standard 141.10 section 1.2.1. For 141.10 compliance, this is a substantive governance change: risk assessment obligations previously anchored in 141.10 should be aligned to SEC-11-01-S requirements and triggers. The standard also specifies a sunset review date (June 8, 2026), which compliance programs should track for potential revisions.
An updated Standard No. 141.10 PDF is labeled as updated Feb. 11, 2023 and indicates that parts of the legacy 141.10 standard have been rescinded (i.e., not all provisions in the older monolithic standard remain controlling). The document points readers to replacement artifacts (e.g., references such as 'See the Risk Assessment Standard'), signaling that agencies should not rely solely on the 2017 version for all topic areas and should validate which 141.10 provisions remain in force vs. replaced by SEC-series standards.
The posted Standard No. 141.10 'Securing Information Technology Assets' document reflects the standard’s metadata as 'Updated: February 11, 2023' and indicates that parts have been rescinded. For compliance teams, this serves as authoritative evidence of the last update date for the remaining 141.10 content and supports gap/mapping work to newer WaTech SEC/USER policies that have replaced specific 141.10 sections.
An official WaTech-hosted version of OCIO Standard No. 141.10 (Securing Information Technology Assets) indicates the standard’s Effective Date (2017-11-13) and that the most recent update reflected in the document is 2023-02-11, with parts rescinded. This is not a newly-announced change within the last ~30 days, but it is the most recent authoritative accessible copy located in the research set and serves as baseline compliance evidence for teams relying on 141.10 requirements (e.g., annual verification, periodic assessments/audits) while portions are being replaced by SEC-series artifacts.