A review of WaTech’s official SEC-01 landing page and the currently posted SEC-01 policy PDF did not reveal any verified updates within the last 30 days indicating that the SEC-01 Washington State Cybersecurity Program Policy was amended or superseded, or that its implementation/enforcement timeline changed. This is a monitoring/status finding for compliance teams: continue operating against the currently posted SEC-01 requirements (agency cybersecurity program, annual review, annual attestation to WaTech, vendor contract security alignment) until WaTech publishes a revised policy version or board approval materials indicating changes.
Washington State Senate Bill 6281 (bill text located) proposes amending RCW 43.105.375 to require an assessment prior to purchasing third-party commercial cloud computing services. The assessment would include evaluating cybersecurity and regulatory compliance using the data categories referenced in the document titled “Washington state cybersecurity program policy” (SEC-01) as it exists on the effective date of the section and any subsequent amendments. If enacted, this would operationalize SEC-01 as an explicit statutory reference point for cloud procurement due diligence and could increase internal documentation and review expectations tied to SEC-01 compliance.
A review of the official WaTech SEC-01 policy PDF and related WaTech board/website materials did not identify any new amendment, emergency revision, newly issued SEC-01 guidance, or changed compliance deadline within the research period. The controlling artifact located remains the SEC-01 Washington State Cybersecurity Program Policy adopted and approved on 2024-12-10 (with sunset review 2027-12-10), which continues to require agencies to maintain an agency cybersecurity program (with at least annual review) and provide annual certification/attestation to WaTech. Compliance teams should treat the current SEC-01 as the baseline and monitor WaTech/TSB channels for future revisions.
Washington State SB 6281 (2025–26 biennium) includes proposed language that would require an assessment prior to purchase of third-party commercial cloud computing services, including evaluation of cybersecurity and regulatory compliance criteria tied to the 'Washington state cybersecurity program policy' (SEC-01) and any subsequent amendments. This is not an amendment to SEC-01 itself, but it would elevate SEC-01 as a statutory reference point for procurement/compliance assessments if enacted.
WaTech’s SEC-01 Washington State Cybersecurity Program Policy was adopted by the State CIO and approved by the Technology Services Board on 2024-12-10. The policy establishes enterprise cybersecurity program requirements for covered Washington State agencies (and entities using WaTech services for the services provided), including maintaining an agency cybersecurity program, annual review and updates after significant change, annual certification/attestation by agency leadership to WaTech regarding implementation and compliance with enterprise security policies/standards, and alignment of vendor/partner contract language with security requirements. The policy states it replaces prior IT Policy 141 and IT Standard 141.10 (as indicated in the policy metadata). The document also lists a sunset review date of 2027-12-10 (not a compliance deadline).
WaTech issued the SEC-01-01-G Security Principles Guideline as a companion guidance document tied to the SEC-01 Washington State Cybersecurity Program Policy. Compliance teams should review this guideline for implementation expectations and security principles that support SEC-01 program requirements (e.g., how agencies interpret and operationalize security program controls and practices).
WaTech published the SEC-01-01-G Security Principles Guideline, a companion guidance document associated with the SEC-01 Washington State Cybersecurity Program Policy. The guideline sets out security principles intended to inform security programs/policies/standards and security-related decision-making across covered organizations. The document metadata shows it was adopted by the State CIO and approved by the Technology Services Board on 2024-12-10, with a sunset review date of 2027-12-10.
WaTech has issued SEC-01 (Washington State Cybersecurity Program Policy) as the statewide policy establishing enterprise cybersecurity program requirements for Washington State agencies (e.g., maintaining an agency cybersecurity program aligned to WaTech security policies/standards and related governance expectations). The policy is shown on WaTech’s official policy landing page with an official PDF. For compliance teams, this signals SEC-01 is the governing cybersecurity program policy for Washington State agencies and should be used as the baseline policy reference for agency cybersecurity program structure and oversight expectations.
Washington Technology Solutions (WaTech) published the SEC-01 Washington State Cybersecurity Program Policy, adopted by the State CIO and approved by the Technology Services Board on Dec. 10, 2024. The policy replaces legacy statewide security artifacts (IT Policy 141 and specified sections of IT Standard 141.10) and establishes core agency obligations including maintaining an agency cybersecurity program with at least annual review and providing annual agency head/CIO attestation of compliance to WaTech, plus requirements to align vendor/partner contract language with state and agency security requirements.