Senate Engrossed
information technology; security; office
State of Arizona, Senate, Fifty-fifth Legislature, Second Regular Session, 2022
SENATE BILL 1598
An Act
amending section 18-104, Arizona Revised Statutes; repealing section 18-105, Arizona Revised Statutes; amending sections 18-121, 41-4252, 41-4253, 41-4254 and 41-4255, Arizona Revised Statutes; repealing sections 41-4256 and 41-4257, Arizona Revised Statutes; amending section 41-4258, Arizona Revised Statutes; amending title 41, chapter 41, Arizona Revised Statutes, by adding article 3; relating to information technology.
Be it enacted by the Legislature of the State of Arizona:
Section 1. Section 18-104, Arizona Revised Statutes, is amended to read:
18-104. Powers and duties of the department; violation; classification
A. The department shall:
1. Develop, implement and maintain a coordinated statewide plan for information technology. This includes:
(a) Adopting statewide technical, and coordination and security standards for information technology.
(b) Serving as statewide coordinator for information technology resources.
(c) Developing a statewide disaster recovery plan, identifying risks in each budget unit and directing agencies to adopt risk mitigation strategies, methods and procedures to minimize the risks.
(d) Developing a list of approved department projects by priority category.
(e) Developing a detailed list of information technology assets that are owned, leased or employed by this state.
(f) Evaluating and either approving or disapproving budget unit information technology plans. Budget units shall submit information technology plans that include quality assurance plans and disaster recovery plans to the department each year on or before May 15. The legislative and judicial departments of state government shall submit information technology plans on or before September 1 for information purposes.
(g) Evaluating specific information technology projects relating to the approved budget unit and statewide information technology plans in consultation with the statewide information security and privacy office in the Arizona department of homeland security. The department shall approve or reject projects with total costs of at least $25,000 but not more than $1,000,000 and may establish conditional approval criteria, including procurement purchase authority. If the total project costs exceed $1,000,000, the department shall evaluate the project and make recommendations to the information technology authorization committee. If the total project costs exceed $5,000,000, the department shall require the budget unit to contract with an independent third party to review and guide the technology approach, scope, estimated cost, timeline for completion and overall feasibility of the project before making recommendations to the information technology authorization committee. On or before the thirtieth day following the last day of each calendar quarter, the budget unit shall submit a report from the independent third party to the information technology authorization committee and the joint legislative budget committee regarding the progress of each ongoing project. As part of a budget request for an information technology project that has total costs of at least $25,000, a budget unit shall indicate the status of review by the department. Projects shall not be artificially divided to avoid review by the department.
2. Require that budget units incorporate a life-cycle analysis into the information technology planning, budgeting and procurement processes.
3. Require that budget units demonstrate expertise to carry out information technology plans, either by employing staff or contracting for outside services.
4. Monitor information technology projects that the department considers to be major or critical, including expenditure and activity reports and periodic review.
5. Temporarily suspend the expenditure of monies if the department determines that the information technology project is at risk of failing to achieve its intended results or does not comply with the requirements of this section.
6. Continuously study emergent technology and evaluate its impact on this state's system.
7. Advise each budget unit as necessary and report to the committee on an annual basis.
8. Provide to budget units information technology consulting services it deems necessary, either directly or by procuring outside consulting services.
9. Maintain all otherwise confidential information received from a budget unit pursuant to this section as confidential.
10. Provide staff support to the committee.
11. Subject to section 35-149, accept, spend and account for grants, monies and direct payments from public or private sources and other grants of monies or property to conduct programs that it deems consistent with the government information technology purposes and objectives of the department.
12. Adopt rules it deems necessary or desirable to further the government information technology objectives and programs of the department.
13. Formulate policies, plans and programs to effectuate the government information technology purposes of the department.
14. Advise and make recommendations to the governor and the legislature on all matters concerning its objectives.
15. Contract and enter into interagency and intergovernmental agreements pursuant to title 11, chapter 7, article 3 with any public or private party.
16. Have an official seal that shall be judicially noticed.
17. Establish an interactive online directory of codes, rules, ordinances, if available electronically, and statutes to assist individuals and businesses with regulatory requirements and obligations. As provided in this paragraph, counties, municipalities and budget units shall submit information in a manner and format prescribed by the agency.
18. Manage enterprise-level information technology infrastructure, except that the information security and privacy office in the Arizona department of homeland security shall manage the information security aspects of the infrastructure.
19. Develop strategies to protect the information technology infrastructure of this state and the data that is stored on or transmitted by the infrastructure.
20. Temporarily suspend access to information technology infrastructure when directed by the Arizona department of homeland security and consult with the Arizona department of homeland security regarding security policies, standards and procedures.
B. The department shall advise the judicial and legislative branches of state government concerning information technology.
C. The department may examine all books, papers, records and documents in the office of any budget unit and may require any state officer of the budget unit to furnish information or statements necessary to carry out this chapter.
D. The director, any member of the director's staff or any employee who knowingly divulges or makes known in any manner not permitted by law any particulars of any confidential record, document or information is guilty of a class 5 felony.
Sec. 2. Repeal
Section 18-105, Arizona Revised Statutes, is repealed.
Sec. 3. Section 18-121, Arizona Revised Statutes, is amended to read:
18-121. Information technology authorization committee; members; terms; duties; compensation; definition
A. The information technology authorization committee is established consisting of the following members:
1. One member of the house of representatives who is appointed by the speaker of the house of representatives and who shall serve as an advisory member.
2. One member of the senate who is appointed by the president of the senate and who shall serve as an advisory member.
3. Four members from private industry who are appointed by the governor pursuant to section 38-211, or their designees, and who are knowledgeable in information technology.
4. One local government member and one federal government member who are appointed by the governor and who shall serve as advisory members.
5. Two members who are directors of state agencies and who are appointed by the governor, or their designees.
6. The administrative director of the courts or the director's designee.
7. The director of the department of administration or the director's designee, who shall be the chairperson of the committee but for all other purposes shall serve as an advisory member.
8. Two members from either private industry or state government who are appointed by the governor, or their designees.
9. The staff director of the joint legislative budget committee, or the staff director's designee, who shall serve as an advisory member.
10. The statewide chief information security officer or the officer's designee.
B. Committee members who are from private industry serve two-year terms. The other members serve at the pleasure of their appointing officers.
C. For all budget units and the legislative and judicial branches of state government, the committee shall:
1. Review established statewide information technology standards and the statewide information technology plan.
2. Review the minimum qualifications established by the director for each position authorized for the department for information technology.
3. Approve or disapprove all proposed information technology projects, including project changes and contract amendments, that exceed a total cost of one million dollars $1,000,000, excluding public monies from county, municipal and other political subdivision sources that are not deposited in a state fund. The committee shall also approve or disapprove any proposed information technology project involving more than one budget unit if the collective total development cost of the project is expected to be more than one million dollars $1,000,000. As part of a budget request for an information technology project that has total costs of more than one million dollars $1,000,000, a budget unit and the legislative and judicial branches of state government shall indicate the status of review by the committee. Projects shall not be artificially divided to avoid review by the committee.
4. Develop a report format that incorporates the life-cycle analysis for use in submitting project requests to the committee.
5. Require expenditure and activity reports from a budget unit or the legislative or judicial branch of state government on implementing information technology projects approved by the committee.
6. Conduct periodic reviews on the progress of implementing information technology projects approved by the committee.
7. Monitor information technology projects that the committee considers to be major or critical.
8. Temporarily suspend the expenditure of monies if the committee determines that the information technology project is at risk of failing to achieve its intended results or does not comply with the requirements of this chapter.
9. Hear and decide appeals made by budget units regarding the department's rejection of their proposed information technology plans or projects.
10. Report to the governor, the speaker of the house of representatives, the president of the senate and the secretary of state at least annually on all matters concerning its objectives. This includes:
(a) Its review of the statewide information technology plan developed by the department.
(b) The findings and conclusions of its periodic reviews.
(c) Its recommendations on desirable legislation relating to information technology.
11. Adopt rules it deems necessary or desirable to further the objectives and programs of the committee.
D. The committee shall meet at the call of the chairperson.
E. Members of the committee are not eligible to receive compensation but are eligible to receive reimbursement for expenses pursuant to title 38, chapter 4, article 2.
F. For the purposes of this section, "advisory member" means a member who gives advice to the other members of the committee at committee meetings but who is not eligible to vote and is not a member for purposes of determining whether a quorum is present.
Sec. 4. Section 41-4252, Arizona Revised Statutes, is amended to read:
41-4252. Arizona department of homeland security; director; deputy director; assistant directors; divisions
A. The Arizona department of homeland security is established. The direction, operation and control of the department are the responsibility of the director.
B. The governor shall appoint the director pursuant to section 38-211. The director shall administer the department and serve at the pleasure of the governor. The director is entitled to receive compensation as determined under section 38-611. The director shall appoint a deputy director and a statewide chief information security officer and, subject to legislative appropriation, may appoint additional deputy directors and those assistant directors as the director deems appropriate. The positions of director, statewide chief information security officer and deputy director are exempt from chapter 4, articles 5 and 6 of this title relating to the state service.
C. To be eligible for appointment as director a person must have a background or experience in one or more of the following areas:
1. Public administration.
2. Disaster response.
3. Law enforcement.
4. Business administration.
5. Cybersecurity.
D. The director may organize the department into divisions the director deems appropriate.
Sec. 5. Section 41-4253, Arizona Revised Statutes, is amended to read:
41-4253. Department employees
Subject to chapter 4, article 4 and, as applicable, articles 5 and 6 of this title, the director shall employ, determine the conditions of employment of and specify the duties of administrative, secretarial and clerical employees the director deems necessary.
Sec. 6. Section 41-4254, Arizona Revised Statutes, is amended to read:
41-4254. Department duties
The department shall:
1. Formulate policies, plans and programs to enhance the ability of this state to prevent and respond to acts of terrorism, cybersecurity threats and other critical hazards.
2. Develop a statewide homeland security strategy.
2. Adhere to all federal grant terms and conditions.
3. Request appropriations or grants of monies for homeland security purposes.
4. Provide to the senior advisory committee members a summary of the amount of federal homeland security monies requested by this state for each grant program.
5. 4. Receive all awards granted to this state by the federal government for homeland security purposes and provide to the senior advisory committee members a list of the allocations of federal homeland security grants to this state along with the project title and the amount of each subgrantee award.
6. 5. Distribute monies to local jurisdictions and other organizations eligible under federal regulations based on criteria in the statewide homeland security strategy and federal grant guidelines.
7. Coordinate with other state and federal agencies to publish a guide for grantees that receive homeland security monies. The guide shall ensure that monies distributed by the department:
(a) Are coordinated across all levels of government.
(b) Avoid duplication of grant awards.
(c) Eliminate security gaps in every level of government.
8. Conduct preparedness training exercises to put state disaster plans into practice and identify shortcomings in the plans.
9. Assist in the development of regional response plans, including collaborative efforts with other states.
10. Partner with and involve the private sector in preparedness efforts.
Sec. 7. Section 41-4255, Arizona Revised Statutes, is amended to read:
41-4255. Annual report
A. On or before September 1 of each year, the Arizona department of homeland security shall submit a homeland security allocation and expenditure report to the governor, the president of the senate, the speaker of the house of representatives, the chairperson of the senate appropriations committee, the chairperson of the house appropriations committee, and the staff and cochairpersons of the joint legislative budget committee and the members of the joint legislative committee on border and homeland security.
B. The director shall provide a copy of the report to the secretary of state. The department may redact sensitive information contained in the report if necessary.
C. The report shall include:
1. Each local and state project that was awarded funding for the current year.
2. Expenditures for each local and state project that was awarded funding for the current year.
3. Expenditures from federal appropriations and grants that were used by the department for administrative and state agency purposes.
4. A narrative description detailing each state project awarded funding, including the goals and objectives of each state project.
5. The progress made on each project since the last report.
6. Project awards and expenditures from prior years beginning with fiscal year 2001-2002 for open grant projects by June 30 of each year.
7. A detailed plan on how homeland security efforts will be continued in the event of decreased federal funding.
Sec. 8. Repeal
Sections 41-4256 and 41-4257, Arizona Revised Statutes, are repealed.
Sec. 9. Section 41-4258, Arizona Revised Statutes, is amended to read:
41-4258. Arizona department of homeland security regional advisory councils; appointment; terms; duties
A. The Arizona department of homeland security regional advisory councils are established.
B. The department shall ensure reasonable distribution of area representation. A total of five councils are established as follows:
1. The north region is composed of the jurisdictions contained in the Coconino, Navajo and Apache county boundaries. No more than four members of the council may be from any one county.
2. The east region is composed of the jurisdictions contained in the Graham, Greenlee, Gila and Pinal county boundaries. No more than three members of the council may be from any one county.
3. The south region is composed of the jurisdictions contained in the Pima, Santa Cruz, Cochise and Yuma county boundaries. No more than three members of the council may be from any one county.
4. The west region is composed of the jurisdictions contained in the Mohave, La Paz and Yavapai county boundaries. No more than four members of the council may be from any one county.
5. The central region is composed of the jurisdictions contained in the Maricopa county boundaries.
C. Each regional advisory council consists of fourteen twelve members who serve for a term of three years. Members shall reside or work in the region they represent, except for the representative from the department of public safety. For the purposes of limiting the membership in a county, the representative from the department of public safety and the tribal representative do not count toward the membership limit from a county.
D. The governor shall appoint each member of a regional advisory council. The membership of the councils consists of:
1. A representative of a fire service from an urban or suburban area in the region.
2. A representative of a fire service from a rural area in the region.
3. A police chief.
4. A county sheriff or the sheriff's proxy.
5. A tribal representative.
6. An emergency manager.
7. A mayor or the mayor's proxy.
8. A county supervisor or the supervisor's proxy.
9. 7. Four at-large members.
10. 8. A representative from the department of public safety.
11. 9. A public health representative.
E. A member must have a background in or experience with disaster response or law enforcement issues.
F. Subject to approval by the director, only those members listed in subsection D, paragraphs 4, 7 and 8 may be represented on the council by a person designated by that member to serve as that member's proxy or deputy director, within a reasonable time frame before the meeting, members may be represented on the council by a person designated by that member to serve as the member's proxy. The proxy must have a background in or experience with disaster response or law enforcement issues. On or before July 1 of each year, the member shall submit a biographical sketch of the proxy's experience and qualifications for service on the council to the Arizona department of homeland security.
G. At the first meeting held after July 1 of each year, each regional advisory council shall elect a chairperson and vice-chairperson vice chairperson.
H. Each regional advisory council shall meet on the call of the chairperson but at least four times annually an as needed basis to conduct business. No actions may be taken without a quorum present.
I. It is the duty of each regional advisory council member to maintain communication with and represent other offices and organizations within the members' professional discipline in the region.
J. In coordination with the department, the regional advisory council shall:
1. Develop, implement and maintain regional homeland security strategies.
2. 1. Support and assist in implementation of implementing Arizona's comprehensive statewide risk assessment.
3. 2. Support and assist an integrated regional approach to homeland security in this state.
4. 3. Establish encourage baseline prevention and response capabilities through anchor cities throughout the region consistent with state and regional plans.
5. Collaborate with other regional councils and organizations to ensure successful integration of homeland security programs and initiatives.
6. 4. Develop a list of recommendations for state homeland security grant program monies and forward these recommendations to the director.
7. 5. Recommend allocation of state homeland security grant program monies to eligible jurisdictions and other organizations based on regional, state and federal criteria.
K. Members are not eligible to receive compensation but are eligible for reimbursement of expenses pursuant to title 38, chapter 4, article 2.
L. Elected officials shall serve on the council in their capacity as elected officials. If an elected official is no longer in office that position on the regional advisory council shall be considered vacant and a new appointment shall be made.
Sec. 10. Title 41, chapter 41, Arizona Revised Statutes, is amended by adding article 3, to read:
ARTICLE 3. STATEWIDE INFORMATION SECURITY AND PRIVACY OFFICE
41-4281. Definitions
In this article, unless the context otherwise requires:
1. "Breach" or "security system breach" has the same meaning prescribed in section 18-551.
2. "Budget unit" has the same meaning prescribed in section 18-101.
3. "Information technology" has the same meaning prescribed in section 18-101.
4. "Security incident" has the same meaning prescribed in section 18-551.
41-4282. Statewide information security and privacy office; duties; suspension of budget unit's information infrastructure
A. The statewide information security and privacy office is established in the Arizona department of homeland security. The statewide information security and privacy office shall serve as the strategic planning, facilitation and coordination office for information security in this state. Individual budget units shall continue to maintain operational responsibility for information security.
B. The director shall serve as or appoint the statewide chief information security officer to manage the statewide information security and privacy office. If other than the director, the statewide chief information security officer shall report to the director pursuant to section 41-4252.
C. The statewide information security and privacy office shall:
1. Develop, implement, maintain and ensure compliance for each budget unit with statewide information security policies and a coordinated statewide assurance plan for information security and privacy.
2. Direct information security and privacy protection compliance reviews for each budget unit to ensure compliance with policies, standards and effectiveness of information security assurance plans as necessary.
3. Identify information security and privacy protection risks in each budget unit and direct agencies to adopt risk mitigation strategies, methods and procedures to minimize the risks.
4. Monitor and report compliance of each budget unit with state information security and privacy protection policies, standards and procedures.
5. Coordinate statewide information security and privacy protection awareness and training programs.
6. Establish a state Security Operations Center for central detection, reporting and response efforts for security incidents and breaches across the state.
7. Develop other strategies as necessary to protect this state's information technology infrastructure and the data that is stored on or transmitted by the infrastructure.
8. Consult with the department of administration for a full review of the security aspects for information technology projects prescribed in section 18-104.
9. Operate the information security aspects of the enterprise-level infrastructure managed by the department of administration.
D. The statewide information security and privacy office may temporarily suspend operation of information infrastructure that is owned, leased, outsourced or shared to isolate the source of, or stop the spread of, an information security system breach or other similar incident. A budget unit and the department of administration, as applicable, shall comply with directives to temporarily discontinue or suspend operations of information infrastructure.
E. Each budget unit and its contractors shall identify and report security incidents to the statewide information security and privacy office immediately on discovery and deploy mitigation strategies as directed.
F. The Arizona department of homeland security may examine all books, papers, records and documents in the office of any budget unit and may require any state officer of the budget unit to provide the information or statements necessary to carry out this section.
G. Budget units shall demonstrate expertise to carry out security assurance plans, either by employing staff or contracting for outside services.
H. A budget unit may enter into an agreement with the department of administration or the Arizona department of homeland security to meet the requirements of this section.
Sec. 11. Retention of members
Notwithstanding section 41-4258, Arizona Revised Statutes, as amended by this act, all persons serving as members of the Arizona department of homeland security regional advisory councils on the effective date of this act may continue to serve until the expiration of their normal terms.