The Massachusetts Department of Environmental Protection (MassDEP) Drinking Water Program has developed a cybersecurity strategy to keep sensitive information secure, in accordance with the state’s public records law. The law allows agencies to protect information that may compromise security or expose vulnerabilities if released.
Following the strategy’s best practices, MassDEP will treat cybersecurity assessment details, system configurations, and related materials from public water systems with heightened confidentiality. Cybersecurity-related documents are stored and shared only to the extent necessary for regulatory review and technical assistance.
During sanitary surveys, cybersecurity assessments are reviewed in person or remotely through secure screen sharing. MassDEP issues a Cybersecurity Corrective Action Plan based on this review, which includes only high-level, nonsensitive information.
This approach helps ensure that information regarding critical infrastructure remains outside the scope of public records requests and reduces the risk of misuse.
