Bill Text: MS HB958 | 2025 | Regular Session | Engrossed

Bill Title: Department of Information Technology Services; revise certain provisions relating to acquisition of technology services.

Spectrum: Partisan Bill (Republican 1-0)

Status: (Engrossed) 2025-02-17 - Referred To Accountability, Efficiency, Transparency


2025 Regular Session

To: State Affairs

By: Representative Zuber

House Bill 958

(As Passed the House)



     SECTION 1.  Section 25-53-1, Mississippi Code of 1972, is amended as follows:

     25-53-1.  The Legislature recognizes that in order for the State of Mississippi to receive the maximum use and benefit from information technology and services now in operation or which will in the future be placed in operation, there should be full cooperation and cohesive planning and effort by and between the several state agencies and that it is the responsibility of the Legislature to provide statutory authority therefor.  The Legislature, therefore, declares and determines that for these and other related purposes there is hereby established an agency of state government to be known as the Mississippi Department of Information Technology Services (MDITS).  The Legislature further declares that the Mississippi Department of Information Technology Services (MDITS) shall provide statewide services that facilitate cost-effective information processing and telecommunication solutions.  State agencies shall work in full cooperation with the board of MDITS to identify opportunities to minimize duplication, reduce costs and improve the efficiency of providing common technology services across agency boundaries.  The * * *provisions of this chapter shall not apply to the Department of Human Services for a period of three (3) years beginning July 1, 2017.  The provisions of this chapter shall not apply to the Department of Child Protection Services for a period of three (3) years beginning July 1, 2017.  Through June 30, 2024, the provisions of this chapter shall not apply to the Department of Health and the Department of Revenue for the purposes of implementing, administering and enforcing the provisions of the Mississippi Medical Cannabis Act, for acquisitions made before June 30, 2024.

     SECTION 2.  Section 25-53-3, Mississippi Code of 1972, is amended as follows:

     25-53-3.  (1)  Whenever the term "Central Data Processing Authority" or the term "authority," when referring to the Central Data Processing Authority, is used in any law, rule, regulation, document or elsewhere, it shall be construed to mean the Mississippi Department of Information Technology Services.

     (2)  For the purposes of this chapter the following terms shall have the meanings ascribed in this section unless the context otherwise requires:

          (a)  "Central Data Processing Authority" and "CDPA" mean "Mississippi Department of Information Technology Services ( * * *MDITS ITS)" and the term "authority" means "board of the * * *MDITS ITS."

          (b)  "Bureau of Systems Policy and Planning," "Bureau of Telecommunications," "Bureau of Central Data Processing" and "bureau" mean " * * *Mississippi Department of Information Technology Services ITS."

          (c)  * * *"Computer equipment or services" means any information technology, computer or computer related telecommunications equipment, electronic word processing and office systems, or services utilized in connection therewith, including, but not limited to, all phases of computer software and consulting services, and insurance on all state‑owned computer equipment.

          (d)  "Acquisition" of * * *computer or telecommunications equipment or services information technology means the purchase, lease, rental, or acquisition in any other manner of any such * * *computer or telecommunications equipment or services information technology.

          ( * * *ed)  "Agency" means and includes all the various state agencies, officers, departments, boards, commissions, offices and institutions of the state.

          ( * * *fe)  "Governing authority" means boards of supervisors, governing boards of all school districts, all boards of directors of public water supply districts, boards of directors of master public water supply districts, municipal public utility commissions, governing authorities of all municipalities, port authorities, commissioners and boards of trustees of any public hospitals and any political subdivision of the state supported, wholly or in part, by public funds of the state or political subdivisions thereof.

          ( * * *gf)  "Bid" means any of the valid source selection techniques and competitive procurement methods appropriate to information technology procurement in the public sector, including, but not limited to, competitive sealed bidding, competitive sealed proposals, simplified small purchase procedures, sole source procurements, and emergency procurements.

          ( * * *hg)  "Telecommunications transmission facility" means any transmission medium, switch, instrument, inside wiring system or other facility which is used, in whole or in part, to provide any transmission.

          ( * * *ih)  "Equipment support contract" means a contract which covers a single, specific class or classes of telecommunications equipment or service and all features associated with that class, through which state agencies may purchase or lease the item of equipment or service specified by issuing a purchase order under the terms of the contract without the necessity of further competitive bidding.

          ( * * *ji)  "Inside wiring system" means any wiring which:

              (i)  Directly or indirectly, interconnects any terminal equipment with any other terminal equipment or with any regulated facility or common carrier services; and

              (ii)  Is located at the premises of the customer and is not inside any terminal equipment.

          ( * * *kj)  "Procurement" means the selling, buying, purchasing, renting, leasing or otherwise obtaining * * *telecommunications equipment, system or related services information technology, as well as activities engaged in, resulting in or expected to result in selling, buying, purchasing, renting, leasing or otherwise obtaining * * *telecommunications equipment information technology.

          ( * * *lk)  "Telecommunications equipment, systems, related services" are limited to the equipment and means to provide:

              (i)  Telecommunications transmission facilities.

              (ii)  Telephone systems, including voice processing systems.

              (iii)  Facsimile systems.

              (iv)  Radio paging services.

              (v)  Mobile telephone services, including cellular mobile telephone service.

              (vi)  Intercom and paging systems.

              (vii)  Video teleconferencing systems.

              (viii)  Personal communications networks and services.

              (ix)  Any and all systems based on emerging and future telecommunications technologies relative to (i) through (viii) above.

          ( * * *ml)  "Telecommunications system lease contract" means a contract between a supplier of telecommunications systems, including equipment and related services, and the Mississippi Department of Information Technology Services * * * through which telecommunications systems, including equipment and related services, may be leased for a term which shall not exceed sixty (60) months for a system lease valued less than One Million Dollars ($1,000,000.00) and shall not exceed one hundred twenty (120) months for a system lease valued One Million Dollars ($1,000,000.00) or more.

          ( * * *nm)  "Tariffed or regulated service" means telecommunications service offered by common carriers and subject to control by the Mississippi Public Service Commission or the Federal Communications Commission.

          ( * * *on)  "State Data Center" means one or more facilities operated by the * * *Mississippi Department of Information Technology Services ITS to provide information technology resources requiring enterprise computing resources or any other * * *centrally ITS managed information resources.

          (o)  "Information technology" means any technology as defined by the ITS, including, but not limited to, computer and/or telecommunications equipment, systems or related services.

     SECTION 3.  Section 25-53-5, Mississippi Code of 1972, is amended as follows:

     25-53-5.  The authority shall have the following powers, duties, and responsibilities:

          (a)  * * *(i)  The authority shall provide for the development of plans for the efficient acquisition and utilization of * * *computer equipment and services information technology by all agencies of state government, and provide for their implementation.  In so doing, the authority may use the * * *MDITS ITS' staff, at the discretion of the executive director of the authority, or the authority may contract for the services of qualified consulting firms in the field of information technology and utilize the service of such consultants as may be necessary for such purposes.  * * *  Pursuant to Section 25‑53‑1, the provisions of this section shall not apply to the Department of Human Services for a period of three (3) years beginning on July 1, 2017.  Pursuant to Section 25‑53‑1, the provisions of this section shall not apply to the Department of Child Protection Services for a period of three (3) years beginning July 1, 2017.

              (ii)  [Repealed]

          (b)  The authority shall immediately institute procedures for carrying out the purposes of this chapter and supervise the efficient execution of the powers and duties of the * * *office of executive director of the * * *authority ITS.  In the execution of its functions under this chapter, the authority shall maintain as a paramount consideration the successful internal organization and operation of the several agencies so that efficiency existing therein shall not be adversely affected or impaired.  In executing its functions in relation to the institutions of higher learning and junior colleges in the state, the authority shall take into consideration the special needs of such institutions in relation to the fields of teaching and scientific research.

          (c)  * * *Title of whatever nature of all computer equipment now vested in any agency of the State of Mississippi is hereby vested in the authority, and no such equipment shall be disposed of in any manner except in accordance with the direction of the authority or under the provisions of such rules and regulations as may hereafter be adopted by the authority in relation thereto.

          (d)  The authority shall adopt rules, regulations, and procedures governing the acquisition of * * *computer and telecommunications equipment and services information technology which shall, to the fullest extent practicable, ensure the maximum of competition between all manufacturers of supplies or equipment or services.  In the writing of specifications, in the making of contracts relating to the acquisition of such * * *equipment and services information technology, and in the performance of its other duties the authority shall provide for the maximum compatibility of all information systems hereafter installed or utilized by all state agencies and may require the use of common computer languages where necessary to accomplish the purposes of this chapter.  The authority may establish by regulation and charge reasonable fees on a nondiscriminatory basis for the furnishing to bidders of copies of bid specifications and other documents issued by the authority.

          ( * * *ed)  The authority shall adopt rules and regulations governing the sharing with, or the sale or lease of information technology services to any nonstate agency or person.  Such regulations shall provide that any such sharing, sale or lease shall be restricted in that same shall be accomplished only where such services are not readily available otherwise within the state, and then only at a charge to the user not less than the prevailing rate of charge for similar services by private enterprise within this state.

          ( * * *fe)  The authority may, in its discretion, establish a special technical advisory committee or committees to study and make recommendations on * * *technology matters within the competence of the authority as the authority may see fit.  Persons serving on * * *the Information Resource Council, its task forces, or any such * * *technical advisory committees shall be entitled to receive their actual and necessary expenses actually incurred in the performance of such duties, together with mileage as provided by law for state employees, provided the same has been authorized by a resolution duly adopted by the authority and entered on its minutes prior to the performance of such duties.  For the purposes of this paragraph, such committee meetings are exempt from the requirements of Sections 25-41-1 through 25-41-17.

          ( * * *gf)  The authority may provide for the development and require the adoption of standardized computer programs and may provide for the dissemination of information to and the establishment of training programs for the personnel of the various information technology centers of state agencies and personnel of the agencies utilizing the services thereof.

          ( * * *hg)  The authority shall adopt reasonable rules and regulations requiring the reporting to the authority through the office of executive director of such information as may be required for carrying out the purposes of this chapter and may also establish such reasonable procedures to be followed in the presentation of bills for payment under the terms of all contracts for the acquisition of * * *computer equipment and services information technology now or hereafter in force as may be required by the authority or by the executive director in the execution of their powers and duties.

          ( * * *ih)  The authority shall require such adequate documentation of information technology procedures utilized by the various state agencies and may require the establishment of such organizational structures within state agencies relating to information technology operations as may be necessary to effectuate the purposes of this chapter.

          ( * * *ji)  The authority may adopt such further reasonable rules and regulations as may be necessary to fully implement the purposes of this chapter.  All rules and regulations adopted by the authority shall be published * * *and disseminated in readily accessible form to all affected state agencies, and to all current suppliers of computer equipment and services to the state, and to all prospective suppliers requesting the same.  Such rules and regulations shall be kept current, be periodically revised, and copies thereof shall be available at all times for inspection by the public at reasonable hours in the offices of the authority.  Whenever possible no rule, regulation or any proposed amendment to such rules and regulations shall be finally adopted or enforced until copies of the proposed rules and regulations have been * * *furnished to all interested parties for their comment and suggestions published.

          ( * * *kj)  The authority shall establish rules and regulations which shall provide for the submission of all contracts proposed to be executed by the executive director for * * *computer equipment and/or telecommunications or services information technology, including cloud computing, to the authority for approval before final execution, and the authority may provide that such contracts involving the expenditure of less than such specified amount as may be established by the authority may be finally executed by the executive director without first obtaining such approval by the authority.

          ( * * *lk)  The authority is authorized to consider new technologies, such as cloud computing, to purchase, lease, or rent * * *computer equipment or services information technology and to operate that * * *equipment and use those services in providing services to one or more state agencies information technology when in its opinion such operation will provide maximum efficiency and economy in the functions of any such agency or agencies.

          ( * * *ml)  Upon the request of the governing body of a political subdivision or instrumentality, the authority shall assist the political subdivision or instrumentality in its development of plans for the efficient acquisition and utilization of * * *computer equipment and services information technology.  An appropriate fee shall be charged the political subdivision by the authority for such assistance.

          ( * * *nm)  The authority shall adopt rules and regulations governing the protest procedures to be followed by any actual or prospective bidder, offerer or contractor who is aggrieved in connection with the solicitation or award of a contract for the acquisition of * * *computer equipment or services information technology.  Such rules and regulations shall prescribe the manner, time and procedure for making protests and may provide that a protest not timely filed shall be summarily denied.  The authority may require the protesting party, at the time of filing the protest, to post a bond, payable to the state, in an amount that the authority determines sufficient to cover any expense or loss incurred by the state * * *, the authority or any state agency as a result of the protest if the protest subsequently is determined by a court of competent jurisdiction to have been filed without any substantial basis or reasonable expectation to believe that the protest was meritorious; however, in no event may the amount of the bond required exceed a reasonable estimate of the total project cost.  The authority, in its discretion, also may prohibit any prospective bidder, offerer or contractor who is a party to any protest or litigation involving any such contract with the state, the authority or any agency of the state to participate in any other such bid, offer or contract, or to be awarded any such contract, during the pendency of the protest or litigation.

          ( * * *on)  The authority shall make a report in writing to the Legislature each year in the month of January.  Such report shall contain a full and detailed account of the work of the authority for the preceding year as specified in Section 25-53-29(3).

     All acquisitions of * * *computer equipment and services information technology involving the expenditure of funds in excess of the dollar amount established in Section 31-7-13(c), or rentals or leases in excess of the dollar amount established in Section 31-7-13(c) for the term of the contract, shall be based upon * * *competitive and open specifications, and contracts therefor shall be entered into only after advertisements for bids are published in one or more daily newspapers having a general circulation in the state not less than fourteen (14) days prior to receiving sealed bids therefor bid.  The authority may reserve the right to reject any or all bids, and if all bids are rejected, the authority may negotiate a contract within the limitations of the specifications so long as the terms of any such negotiated contract are equal to or better than * * *the comparable terms submitted by the lowest * * *and best bidder, and so long as the total cost to the State of Mississippi does not exceed the lowest bid.  If the authority accepts one (1) of such bids, it shall be that which is the lowest and best.  * * *Through June 30, 2024, The provisions of this paragraph shall not apply to acquisitions of information technology equipment and services made by the Mississippi Department of Health and the Mississippi Department of Revenue for the purposes of implementing, administering and enforcing the provisions of the Mississippi Medical Cannabis Act by June 30, 2024.

          ( * * *po)  When applicable, the authority may procure * * *equipment, systems and related services information technology in accordance with the law or regulations, or both, which govern the Bureau of Purchasing of the Office of General Services or which govern the Mississippi Department of Information Technology Services procurement of * * *telecommunications equipment, software and services information technology.

          ( * * *qp)  The authority is authorized to purchase, lease, or rent information technology * * *and services for the purpose of establishing pilot projects to investigate emerging technologies.  These acquisitions shall be limited to new technologies and shall be limited to an amount set by annual appropriation of the Legislature.  These acquisitions shall be exempt from the advertising and bidding requirement.

          ( * * *rq)  To promote the maximum use and benefit from technology and services now in operation or which will in the future be placed in operation and to identify opportunities, minimize duplication, reduce costs and improve the efficiency of providing common technology services the authority is authorized to:

              (i)  Enter into master agreements for * * *computer or telecommunications equipment or services information technology, including cloud computing, available for shared use by state agencies, * * *institutes institutions of higher learning and governing authorities; and

              (ii)  Enter into contracts for the acquisition of * * *computer or telecommunications equipment or services information technology, including cloud computing, that have been acquired by other entities, located within or outside of the State of Mississippi, so long as it is determined by the authority to be in the best interest of the state.  The acquisitions provided in this paragraph ( * * *rq) shall be exempt from the advertising and bidding requirements of Sections 25-53-1 et seq. and 31-7-1 et seq.

          ( * * *sr)  All fees collected by the Mississippi Department of Information Technology Services shall be deposited into the Mississippi Department of Information Technology Services Revolving Fund unless otherwise specified by the Legislature.

          ( * * *ts)  The authority shall work closely with the council to bring about effective coordination of policies, standards and procedures relating to procurement of remote sensing and geographic information systems (GIS) resources. * * *  In addition, the authority is responsible for development, operation and maintenance of a delivery system infrastructure for geographic information systems data.  The authority shall provide a warehouse for Mississippi's geographic information systems data.

          ( * * *ut)  The authority shall manage one or more State Data Centers to provide information technology services on a cost-sharing basis.  In determining the appropriate services to be provided through the State Data Center, the authority should consider those services that:

              (i)  Result in savings to the state as a whole;

              (ii)  Improve and enhance the security and reliability of the state's information and business systems; and

              (iii)  Optimize the efficient use of the state's information technology assets, including, but not limited to, promoting partnerships with the state institutions of higher learning and community colleges to capitalize on advanced information technology resources.

          ( * * *vu)  The authority shall increase federal participation in the cost of the State Data Center to the extent provided by law and its shared technology infrastructure through providing such shared services to agencies that receive federal funds.  With regard to state institutions of higher learning and community colleges, the authority may provide shared services when mutually agreeable, following a determination by both the authority and the Board of Trustees of State Institutions of Higher Learning or the Mississippi Community College Board, as the case may be, that the sharing of services is mutually beneficial.

          ( * * *wv)  The authority, in its discretion, may require new or replacement agency business applications to be hosted at the State Data Center.  With regard to state institutions of higher learning and community colleges, the authority and the Board of Trustees of State Institutions of Higher Learning or the Mississippi Community College Board, as the case may be, may agree that institutions of higher learning or community colleges may utilize business applications that are hosted at the State Data Center, following a determination by both the authority and the applicable board that the hosting of those applications is mutually beneficial.  In addition, the authority may establish partnerships to capitalize on the advanced technology resources of the Board of Trustees of State Institutions of Higher Learning or the Mississippi Community College Board, following a determination by both the authority and the applicable board that such a partnership is mutually beneficial.

          ( * * *xw)  The authority shall provide a periodic update regarding reform-based information technology initiatives to the Chairmen of the House and Senate Accountability, Efficiency and Transparency Committees.

     From and after July 1, 2018, the expenses of this agency shall be defrayed by appropriation from the State General Fund.  In addition, in order to receive the maximum use and benefit from information technology and services, expenses for the provision of statewide shared services that facilitate cost-effective information * * *processing and telecommunication solutions technology shall be defrayed by pass-through funding and shall be deposited into the Mississippi Department of Information Technology Services Revolving Fund unless otherwise specified by the Legislature.  These funds shall only be utilized to pay the actual costs incurred by the Mississippi Department of Information Technology Services for providing these shared services to state agencies.  Furthermore, state agencies shall work in full cooperation with the Board of the Mississippi Department of Information Technology Services to identify * * *computer equipment or services information technology to minimize duplication, reduce costs, and improve the efficiency of providing common technology services across agency boundaries.

     SECTION 4.  Section 25-53-21, Mississippi Code of 1972, is amended as follows:

     25-53-21.  The executive director shall have the following duties, responsibilities and authority:

          (a)  He shall conduct continuing studies of all information technology activities carried out by all agencies of the state and shall develop a long-range plan for the efficient and economical performance of such activities in state government.  Such plan shall be submitted to the authority for its approval and, having been approved by the authority, shall be implemented by the executive director and all state agencies.  Such plan shall be continuously reviewed and modifications thereof shall be proposed to the authority by the executive director as developments in information technology techniques and changes in the structure, activities, and functions of state government may require.

          (b)  He shall review the purchasing practices of all state agencies in the area of the purchasing of supplies for information technology and make recommendations to the authority * * *and to the Public Procurement Review Board for the institution of purchasing procedures which will ensure the most economical procurement of such supplies commensurate with the efficient operation of all departments and agencies of state government.

          (c)  He shall see that all reports required of all agencies are promptly and accurately made in accordance with the rules and regulations adopted by the authority.  Either in person or through his authorized agents, he shall make such inspections of information technology operations being conducted by any of the agencies of the state as may be necessary for the performance of his duties.

          (d)  He shall suggest and cause to be brought about cooperation between the several state agencies in order to provide efficiency in information technology operation.  He shall, together with the heads of the agencies involved, reduce to writing and execute cooperative plans for the acquisition and operation of information technology equipment, and any such plan so adopted shall be carried out in accordance with the provisions of such plan unless the same shall be amended by the joint action of the executive director and the heads of agencies involved.  The executive director shall report to the authority the details of any plan so adopted and all amendments or modifications thereof, and shall otherwise report to the authority * * *and to the Public Procurement Review Board any failure on the part of any agency to carry out the provisions of such plan.  In the event the head of any agency involved or the executive director shall propose amendments to a plan so adopted and such amendment is disapproved by the head of another agency involved or the executive director, an appeal may be taken to the authority which may, after full consideration thereof, order the adoption of the proposed amendment or any modification thereof.  The executive director shall make decisions on all questions of the division of the cost of information technology operations among the several agencies, but his findings shall be subject to the approval or modification by the authority on appeal to it.

          (e)  He shall review all contracts for acquisition of * * *computer and/or telecommunications equipment or services information technology now or hereafter in force and may require the renegotiation, termination, amendment or execution of any such contracts in proper form and in accordance with the policies and rules and regulations and subject to the direction of the authority.  A contract that expires by its terms may be renewed if it is the intent of all parties to renew the contract within a reasonable timeframe.  In the negotiation and execution of such contracts, the executive director may negotiate a limitation on the liability to the state of prospective contractors provided such limitation affords the state reasonable protection and the limitation is approved by the state entity for whom the acquisition is being made.  For purposes of this section, reasonable protection does not include limitations on intentional torts, negligence, death, bodily injury, bad faith, breach of state data, infringement issues and damage to tangible state property.

          (f)  He shall act as the purchasing and contracting agent for the State of Mississippi in the negotiation and execution of all contracts for the acquisition of * * *computer equipment or services information technology.  He shall receive, review, and promptly approve or disapprove all requests of agencies of the state for the acquisition of * * *computer equipment or services information technology, which are submitted in accordance with rules and regulations of the authority.  In the event that any such request is disapproved, he shall immediately notify the requesting agency and the members of the authority in writing of such disapproval, stating his reasons therefor.  The disapproval of any request by the executive director of the authority may be appealed to the authority * * *or to the Public Procurement Review Board, respectively, in such manner as may be authorized by such reasonable rules and regulations hereby authorized to be adopted by the authority * * * and by the Public Procurement Review Board to govern the same.  The executive director shall report the approval of all such requests to the authority in such manner as may be directed by the authority, and shall execute any such contracts only after complying with rules and regulations which may be adopted by the authority in relation thereto.  Any contracts for personal or professional services entered into by the executive director shall be exempted from the requirements of Section 25-9-120(3) relating to submission of such contract to the State Personal Service Contract Review Board.

          (g)  He shall suggest and cause to be brought about cooperation between the several state agencies, departments and institutions in order that work may be done by one agency for another agency, and equipment in one agency may be made available to another agency, and suggest and cause to be brought about such improvements as may be necessary in joint or cooperative information technology operations.

          (h)  He shall be designated as the "Chief Information Confidentiality Officer" after being duly sworn to the oath of this office by the chairman of the authority and shall be responsible for administering the oath to other qualified officers he may designate.

          (i)  He shall appoint employees of the Mississippi Department of Information Technology Services, or at his discretion, employees of other state agencies and institutions that are responsible for handling or processing data for any agency or institution other than that for which they are employed, to a position of information custodial care that shall be known as "Information Confidentiality Officer."  The selection and swearing of all officers shall be reported to the authority at the next regular meeting and names, affirmation dates and employment dates shall be recorded in the permanent minutes of the authority.

     SECTION 5.  Section 25-53-25, Mississippi Code of 1972, is amended as follows:

     25-53-25.  (1)  * * *Nothing Except as otherwise provided in Section 25-53-5, 25-53-25(5) or any other provision of law, nothing in this chapter shall be construed to imply exemption from the public purchases law, being Section 31-7-1 et seq.

     (2)  The authority may establish policies and procedures for the purpose of delegating the * * *bidding acquisition and contracting responsibilities related to the procurement of * * *computer equipment or services information technology to the purchasing agency.  Such policies and procedures must address the following issues:

          (a)  Establish categories of equipment or services affected;

          (b)  Establish maximum unit and/or ceiling prices of such procurements;

          (c)  Establish reporting, monitoring and control of such procurements; and

          (d)  Establish other such rules and regulations as necessary to fully implement the purposes of this section.  Nothing in this subsection shall be construed to imply exemption from the public purchases law, being Section 31-7-1 et seq.

     (3)  Acquisitions of * * *computer equipment and services information technology by institutions of higher learning or junior colleges wholly with federal funds and not with state general funds shall be exempt from the provisions of this chapter; however, nothing in this subsection shall be construed to imply an exemption of such acquisitions from the public purchases law, being Section 31-7-1 et seq.

     (4)  [Repealed]

     (5)  Acquisitions of information technology made by agencies while exempt from the public purchasing requirements of this chapter and/or as specified in the authority's regulations shall remain exempt until a new acquisition is required, as determined by ITS.

     SECTION 6.  Section 25-53-29, Mississippi Code of 1972, is amended as follows:

     25-53-29.  (1)  For the purposes of this section the term "bureau" shall mean the "Mississippi Department of Information Technology Services."  The authority shall have the following powers and responsibilities to carry out the establishment of policy and provide for long-range planning and consulting:

          (a)  Provide a high level of technical expertise for agencies, institutions, political subdivisions and other governmental entities as follows:  planning; consulting; project management; systems and performance review; system definition; design; application programming; training; development and documentation; implementation; maintenance; and other tasks as may be required, within the resources available to the bureau.

          (b)  Publish written planning guides, policies and procedures for use by agencies and institutions in planning future * * *electronic information service systems information technology.  The bureau may require agencies and institutions to submit data, including periodic electronic equipment inventory listings, information on agency staffing, systems under study, planned applications for the future, and other information needed for the purposes of preparing the state master plan.  The bureau may require agencies and institutions to submit any additional data required for purposes of preparing the state master plan.

          (c)  Inspect agency facilities and equipment, interview agency employees and review records at any time deemed necessary by the bureau for the purpose of identifying cost-effective applications of electronic information technology.  Upon conclusion of any inspection, the bureau shall issue a management letter containing cost estimates and recommendations to the agency head and governing board concerning applications identified that would result in staff reductions, other monetary savings and improved delivery of public services.

          (d)  Conduct classroom and on-site training for end users for applications and systems developed by the bureau.

          (e)  Provide consulting services to agencies and institutions or Mississippi governmental subdivisions requesting technical assistance in * * *electronic information services technology applications and systems information technology.  The bureau may submit proposals and enter into contracts to provide services to agencies and institutions or governmental subdivisions for such purposes.

     (2)  The bureau shall annually issue a three-year master plan in writing to the Governor, available on request to any member of the Legislature, including recommended statewide strategies and goals for the effective and efficient use of information technology * * * and services in state government.  The report shall also include recommended information policy actions and other recommendations for consideration by the Governor and members of the Legislature.

     (3)  The bureau shall make an annual report in writing to the Governor, available on request to any member of the Legislature, to include a full and detailed account of the work of the authority for the preceding year.  The report shall contain recommendations to agencies and institutions resulting from inspections or consulting contracts.  The report shall also contain a summary of the master plan, progress made, and legislative and policy recommendations for consideration by the Governor and members of the Legislature.

     (4)  The bureau may charge fees to agencies and institutions for services rendered to them.  The bureau may charge fees to vendors to recover the cost of providing procurement services and the delivery of procurement awards to public bodies.  The amounts of such fees shall be set by the authority upon recommendation of the Executive Director of the * * *MDITS ITS, and all such fees collected shall be paid into the fund established for carrying out the purposes of this section.

     (5)  * * *It is the intention of the Legislature that the employees of the bureau performing services defined by this section be staffed by highly qualified persons possessing technical, consulting and programming expertise.  Such employees shall be considered nonstate service employees as defined in Section 25‑9‑107(c)(x) and may be compensated at a rate comparable to the prevailing rate of individuals in qualified professional consulting firms in the private sector.  Such compensation rates shall be determined by the State Personnel Director.  The number of such positions shall be set by annual appropriation of the Legislature.  Qualifications and compensation of the bureau employees shall be set by the State Personnel Board upon recommendation of the Executive Director of the MDITS.  The total number of positions and classification of positions may be increased or decreased during a fiscal year depending upon work load and availability of funds.

(6)  The bureau may, from time to time, at the discretion of the Executive Director of * * *the MDITS ITS, contract with firms or qualified individuals to be used to augment the bureau's professional staff in order to assure timely completion and implementation of assigned tasks, provided that funds are available in the fund established for carrying out the purposes of this section.  Such individuals may be employees of any agency, bureau or institution provided that these individuals or firms meet the requirements of other individuals or firms doing business with the state through the * * *Mississippi Department of Information Technology Services ITS.  Individuals who are employees of an agency or institution may contract with the * * *Mississippi Department of Information Technology Services ITS only with the concurrence of the agency or institution for whom they are employed.

     From and after July 1, 2018, the expenses of this agency shall be defrayed by appropriation from the State General Fund.  In addition, in order to receive the maximum use and benefit from information technology * * * and services, expenses for the provision of statewide shared services that facilitate cost-effective information processing and telecommunication solutions shall be defrayed by pass-through funding and shall be deposited into the Mississippi Department of Information Technology Services Revolving Fund unless otherwise specified by the Legislature.  These funds shall only be utilized to pay the actual costs incurred by the * * *Mississippi Department of Information Technology Services ITS for providing these shared services to state agencies.  Furthermore, state agencies shall work in full cooperation with the * * *Board of the Mississippi Department of Information Technology Services (MDITS) ITS to identify * * *computer equipment or services information technology to minimize duplication, reduce costs, and improve the efficiency of providing common technology services across agency boundaries.

     SECTION 7.  Section 25-53-121, Mississippi Code of 1972, is amended as follows:

     25-53-121.  (1)  The types of contracts permitted in the procurement of telecommunications equipment, systems and related services are defined herein, and the provisions in Sections 25-53-101 through 25-53-125 and 25-53-5 supplement the provisions of Chapter 7, Title 31, Mississippi Code of 1972.

     (2)  The Mississippi Department of Information Technology Services may, on behalf of any state agency, enter into an equipment support contract with a vendor of telecommunications equipment or services for the purchase or lease of such equipment or services in accordance with the following provisions:

          (a)  Specifications for equipment support contracts shall be developed in advance and shall conform to the following requirements:

              (i)  Specifications for equipment support contracts shall cover a specific class or classes of equipment and service and may include all features associated with that class or classes.

              (ii)  Specifications in the * * *request for proposals bid for equipment support contracts shall be developed by the Mississippi Department of Information Technology Services.

              (iii)  Specifications shall be based on the projected needs of user agencies.

              (iv)  Specifications for equipment support contracts for purchase or lease of telecommunications equipment may include specifications for the maintenance of the equipment desired.

          (b)  The initial procurement of an equipment support contract, and procurement of equipment and services to be utilized by agencies under an equipment support contract, shall be as follows:

              (i)  Equipment support contracts shall be awarded * * *by competitive sealed bidding in accordance with Section 25-53-5.

              (ii)  A using agency may procure required telecommunications equipment and service available under an equipment support contract through release of a purchase order for the required equipment and service to the vendor holding an equipment support contract.  However, such procurement by purchase order shall be accomplished in accordance with the procedures and regulations prescribed by the Mississippi Department of Information Technology Services, and shall be subject to all other statutory requirements including approval by the bureau.

          (c)  The final authority for entering into equipment support contracts shall rest with the bureau, and such contracts shall be executed by the Mississippi Department of Information Technology Services in accordance with the procedures and regulations defined by said authority.

          (d)  * * *Equipment support contracts shall include the following terms and conditions:

   (i)  Equipment support contracts shall be valid for not more than one (1) fiscal year with the Mississippi Department of Information Technology Services having an option to renew for two (2) additional fiscal years.  The vendor may vary lease or purchase prices for the optional renewal period(s) by an amount equal to the lesser of the lease or purchase price permitted by that vendor's contract with the General Services Administration of the United States government for such equipment and services, or any variance in that vendor's published list prices for such equipment and services during that fiscal year, provided that any increase may not exceed five percent (5%) and the variance must have been authorized by the initial equipment and service order contract.

   (ii)  The prices stated in such contract shall not change for the period of the contract.

   (iii)  Individual items of telecommunications equipment and service which may be included under an equipment support contract may not have a purchase price greater than Fifty Thousand Dollars ($50,000.00) or a monthly lease price greater than Three Thousand Dollars ($3,000.00).  Such price shall not include costs of maintenance, taxes or transportation.

   (iv)  Equipment support contracts shall include the following annual appropriation dependency clause:

     "The continuation of this contract is contingent upon the appropriation of funds to fulfill the requirements of the contract by the Legislature.  If the Legislature fails to appropriate sufficient monies to provide for the continuance of the contract, the contract shall terminate on the date of the beginning of the first fiscal year for which funds are not appropriated."

     (3)  The Mississippi Department of Information Technology Services may on behalf of any state agency enter into contracts for the lease or purchase of telecommunications equipment systems or services in accordance with the following provisions:

          (a)  The bureau may directly contract for or approve contracts for regulated or tariffed telecommunications services upon determination by the bureau that the application of such service is in the best interests of the State of Mississippi.

          (b)  All other contracts of this type shall be entered into through * * *request for proposals a bid as defined in * * *Sections 25‑53‑101 through 25‑53‑125 Section 25-53-3.

          (c)  The justification of such contracts must be presented to the bureau * * * prior to issuance of a request for proposals.  Such justification shall identify and consider all cost factors relevant to that contract.

          (d)  * * *The term of a lease contract shall not exceed sixty (60) months for a system lease valued less than One Million Dollars ($1,000,000.00) and shall not exceed one hundred twenty (120) months for a system lease valued One Million Dollars ($1,000,000.00) or more. [Deleted]

          (e)  All lease contracts must contain the following annual appropriation dependency clause:

     "The continuation of this contract is contingent upon the appropriation of funds to fulfill the requirements of the contract by the Legislature.  If the Legislature fails to appropriate sufficient monies to provide for the continuation of a contract, the contract shall terminate on the date of the beginning of the first fiscal year for which funds are not appropriated."

          (f)  The Mississippi Department of Information Technology Services shall maintain a list of all such contracts.  This list shall show as a minimum the name of the vendor, the annual cost of each contract and the term of the contract or the purchase cost.

 * * *  (g)  Upon the advance written approval of the bureau, state agencies may extend contracts for the lease of telecommunications equipment, systems and related services on a month‑to‑month basis for a period not to extend more than one (1) calendar year for the stated lease prices.

     SECTION 8.  Section 25-53-123, Mississippi Code of 1972, is amended as follows:

     25-53-123.  (1)  The only method of procurement permitted for the acquisition of nonregulated telecommunications systems, including equipment and related services, shall be in conformity with * * *the following requirements:  All acquisitions of telecommunications equipment, systems and related services involving the expenditures of funds in excess of the dollar amount established in Section 31‑7‑13(c), or rentals or leases in excess of the dollar amount established in Section 31‑7‑13(c), for the term of the contract, shall be based upon competitive and open specifications, and contracts therefor shall be entered into only after advertisements for bids are published in one or more daily newspapers having a general circulation in the state not less than fourteen (14) days prior to receiving sealed bids therefor.  The authority may reserve the right to reject any or all bids, and if all bids are rejected, the authority may negotiate a contract within the limitations of the specifications so long as the terms of any such negotiated contract are equal to or better than the comparable terms submitted by the lowest and best bidder, and so long as the total cost to the State of Mississippi does not exceed the lowest bid.  If the authority accepts one (1) of such bids, it shall be that which is the lowest and best.  

(2)  When applicable, the bureau may procure equipment, systems and related services in accordance with the law or regulations, or both, which govern the Bureau of Purchasing of the Governor's Office of General Services or which govern the Mississippi Department of Information Technology Services procurement of computer equipment, software and services Section 25-53-5.  

     SECTION 9.  Section 25-53-201, Mississippi Code of 1972, is amended as follows:

     25-53-201.  (1)  There is hereby established the Enterprise Security Program which shall provide for the coordinated oversight of the cybersecurity efforts across all state agencies, including cybersecurity systems, services and the development of policies, standards and guidelines.

     (2)  The Mississippi Department of Information Technology Services (MDITS), in conjunction with all state agencies, shall provide centralized management and coordination of state policies for the security of data and information technology resources, which such information shall be compiled by MDITS and distributed to each participating state agency.  MDITS shall:

          (a)  Serve as sole authority, within the constraints of this statute, for defining the specific enterprise cybersecurity systems and services to which this statute is applicable;

          (b)  Acquire and operate enterprise technology solutions to provide services to state agencies when it is determined that such operation will improve the cybersecurity posture in the function of any agency, institution or function of state government as a whole;

          (c)  Provide oversight of enterprise security policies for state data and information technology (IT) resources including, the following:

              (i)  Establishing and maintaining the security standards and policies for all state data and IT resources state agencies shall implement to the extent that they apply; and

              (ii)  Including the defined enterprise security requirements as minimum requirements in the specifications for solicitation of state contracts for procuring data and information technology systems and services;

          (d)  Adhere to all policies, standards and guidelines in the management of technology infrastructure supporting the state data centers, telecommunications networks and backup facilities;

          (e)  Coordinate and promote efficiency and security with all applicable laws and regulations in the acquisition, operation and maintenance of state data, cybersecurity systems and services used by agencies of the state;

          (f)  Manage, plan and coordinate all enterprise cybersecurity systems under the jurisdiction of the state;

          (g)  Develop, in conjunction with agencies of the state, coordinated enterprise cybersecurity systems and services for all state agencies;

          (h)  Provide ongoing analysis of enterprise cybersecurity systems and services costs, facilities and systems within state government;

          (i)  Develop policies, procedures and long-range plans for the use of enterprise cybersecurity systems and services;

          (j)  Form an advisory council of information security officers from each state agency to plan, develop and implement cybersecurity initiatives;

          (k)  Coordinate the activities of the advisory council to provide education and awareness, identify cybersecurity-related issues, set future direction for cybersecurity plans and policy, and provide a forum for interagency communications regarding cybersecurity;

          (l)  Charge respective user agencies on a reimbursement basis for their proportionate cost of the installation, maintenance and operation of the cybersecurity systems and services; and

          (m)  Require cooperative utilization of cybersecurity systems and services by aggregating users.

     (3)  Each state agency's executive director or agency head shall:

          (a)  Be solely responsible for the security of all data and IT resources under its purview, irrespective of the location of the data or resources.  Locations include data residing:

              (i)  At agency sites;

              (ii)  On agency real property and tangible and intangible assets;

              (iii)  On infrastructure in the State Data Centers;

              (iv)  At a third-party location;

              (v)  In transit between locations;

          (b)  Ensure that an agency-wide security program is in place;

          (c)  Designate an information security officer to administer the agency's security program;

          (d)  Ensure the agency adheres to the requirements established by the Enterprise Security Program, to the extent that they apply;

          (e)  Participate in all Enterprise Security Program initiatives and services in lieu of deploying duplicate services specific to the agency;

          (f)  Develop, implement and maintain written agency policies and procedures to ensure the security of data and IT resources.  The agency policies and procedures are confidential information and exempt from public inspection, except that the information must be available to the Office of the State Auditor in performing auditing duties;

          (g)  Implement policies and standards to ensure that all of the agency's data and IT resources are maintained in compliance with state and federal laws and regulations, to the extent that they apply;

          (h)  Implement appropriate cost-effective safeguards to reduce, eliminate or recover from identified threats to data and IT resources;

          (i)  Ensure that internal assessments of the security program are conducted.  The results of the internal assessments are confidential and exempt from public inspection, except that the information must be available to the Office of the State Auditor in performing auditing duties;

          (j)  Include all appropriate cybersecurity requirements in the specifications for the agency's solicitation of state contracts for procuring data and information technology systems and services;

          (k)  Include a general description of the security program and future plans for ensuring security of data in the agency long-range information technology plan;

          (l)  Participate in annual information security training designed specifically for the executive director or agency head to ensure that such individual has an understanding of:

              (i)  The information and information systems that support the operations and assets of the agency;

              (ii)  The potential impact of common types of cyber-attacks and data breaches on the agency's operations and assets;

              (iii)  How cyber-attacks and data breaches on the agency's operations and assets could impact the operations and assets of other state agencies on the Enterprise State Network;

              (iv)  How cyber-attacks and data breaches occur;

              (v)  Steps to be undertaken by the executive director or agency head and agency employees to protect their information and information systems; and

              (vi)  The annual reporting requirements required of the executive director or agency head.

     (4)  The Mississippi Department of Information Technology Services shall evaluate the Enterprise Security Program.  Such evaluation shall include the following factors:

          (a)  Whether the Enterprise Security Program incorporates nationwide best practices;

          (b)  Whether opportunities exist to centralize and coordinate oversight of cybersecurity efforts across all state agencies;

          (c)  A review of the minimum enterprise security requirements that must be incorporated in solicitations for state contracts for procuring data and information technology systems and services; and

          (d)  Whether opportunities exist to expand the Enterprise Security Program, including providing oversight of cybersecurity efforts of those governing authorities as defined in Section 25-53-3( * * *fe).

     In performing such evaluation, the Mississippi Department of Information Technology Services may retain experts.  This evaluation shall be completed by November 1, 2023.  All records in connection with this evaluation shall be exempt from the Mississippi Public Records Act of 1983, pursuant to Section 25-61-11.2(f) and (k).

     (5)  For the purpose of this subsection, the following words shall have the meanings ascribed herein, unless the context clearly indicates otherwise:

          (a)  "Cyberattack" shall mean any attempt to gain illegal access, including any data breach, to a computer, computer system or computer network for purposes of causing damage, disruption or harm.

          (b)  "Ransomware" shall mean a computer contaminant or lock placed or introduced without authorization into a computer, computer system or computer network that restricts access by an authorized person to the computer, computer system, computer network or any data therein under circumstances in which the person responsible for the placement or introduction of the ransomware demands payment of money or other consideration to remove the computer contaminant, restore access to the computer, computer system, computer network or data, or otherwise remediate the impact of the computer contaminant or lock.

          (c)  From and after July 1, 2023, all state agencies shall notify the Mississippi Department of Information Technology Services of any cyberattack or demand for payment as a result of ransomware no later than the close of the next business day following the discovery of such cyberattack or demand.  The Mississippi Department of Information Technology Services shall develop a reporting format to be utilized by state agencies to provide such notification.  The Mississippi Department of Information Technology Services shall periodically analyze all such reports and attempt to identify any patterns or weaknesses in the state's cybersecurity efforts.  Such reports shall be exempt from the Mississippi Public Records Act of 1983, pursuant to Section 25-61-11.2(j).

     SECTION 10.  This act shall take effect and be in force from and after July 1, 2025.
