Bill Text: NC S448 | 2013-2014 | Regular Session | Amended

North Carolina Senate Bill 448 (Prior Session Legislation)

Bill Title: Omnibus State IT Governance Changes

Spectrum: Partisan Bill (Republican 2-0)

Status: (Introduced - Dead) 2013-03-27 - Ref To Com On Program Evaluation [S448 Detail]

Download: North_Carolina-2013-S448-Amended.html

GENERAL ASSEMBLY OF NORTH CAROLINA

SESSION 2013

S 1

SENATE BILL 448*

Short Title: Omnibus State IT Governance Changes.		(Public)
Sponsors:	Senators Brock (Primary Sponsor); and Hise.
Referred to:	Program Evaluation.

March 27, 2013

A BILL TO BE ENTITLED

AN ACT making omnibus changes to the laws relating to state information technology governance.

The General Assembly of North Carolina enacts:

SECTION 1. G.S. 143‑135.9(a)(3) is repealed.

SECTION 2. G.S. 147‑33.72C(e) reads as rewritten:

"(e) Performance Contracting. � All contracts between a State agency and a private party for information technology projects shall include provisions for vendor performance review and accountability. The State CIO may require that these contract provisions require a performance bond, include monetary ~~penalties~~ penalties, or require other performance assurance measures for projects that are not completed or performed within the specified time period or that involve costs in excess of those specified in the contract. The State CIO may ~~require contract provisions requiring a vendor to provide a performance bond.~~utilize cost savings realized on government‑vendor partnerships, as defined in G.S. 143‑135.9, as performance incentives for an information technology project vendor."

SECTION 3. G.S. 147‑33.91(a) reads as rewritten:

"(a) With respect to State agencies, the State Chief Information Officer shall exercise general coordinating authority for all telecommunications matters relating to the internal management and operations of those agencies. In discharging that responsibility, the State Chief Information Officer, in cooperation with affected State agency heads, may:

(1) Provide for the establishment, management, and operation, through either State ownership, contract, or commercial leasing, of the following systems and services as they affect the internal management and operation of State agencies:

a. Central telephone systems and telephone networks.

b. Repealed by Session Laws 2004‑129, s. 23, effective July 1, 2004.

c. Repealed by Session Laws 2004‑129, s. 23, effective July 1, 2004.

d. Satellite services.

e. Closed‑circuit TV systems.

f. Two‑way radio systems.

g. Microwave systems.

h. Related systems based on telecommunication technologies.

i. The "State Network", managed by the Office, which means any connectivity designed for the purpose of providing Internet Protocol transport of information to any building.

(2) Coordinate the development of cost‑sharing systems for respective user agencies for their proportionate parts of the cost of maintenance and operation of the systems and services listed in subdivision (1) of this subsection.

(3) Assist in the development of coordinated telecommunications services or systems within and among all State agencies and recommend, where appropriate, cooperative utilization of telecommunication facilities by aggregating users.

(4) Perform traffic analysis and engineering for all telecommunications services and systems listed in subdivision (1) of this subsection.

(5) ~~Pursuant to G.S. 143‑49, establish~~ Establish telecommunications specifications and designs so as to promote and support compatibility of the systems within State agencies.

(6) ~~Pursuant to G.S. 143‑49 and G.S. 143‑50, coordinate~~ Coordinate the review of requests by State agencies for the procurement of telecommunications systems or services.

(7) ~~Pursuant to G.S. 143‑341 and Chapter 146 of the General Statutes, coordinate~~ Coordinate the review of requests by State agencies for State government property acquisition, disposition, or construction for telecommunications systems requirements.

(8) Provide a periodic inventory of telecommunications costs, facilities, systems, and personnel within State agencies.

(9) Promote, coordinate, and assist in the design and engineering of emergency telecommunications systems, including, but not limited to, the 911 emergency telephone number program, Emergency Medical Services, and other emergency telecommunications services.

(10) Perform frequency coordination and management for State agencies and local governments, including all public safety radio service frequencies, in accordance with the rules and regulations of the Federal Communications Commission or any successor federal agency.

(11) Advise all State agencies on telecommunications management planning and related matters and provide through the State Personnel Training Center or the Office of Information Technology Services training to users within State agencies in telecommunications technology and systems.

(12) Assist and coordinate the development of policies and long‑range plans, consistent with the protection of citizens' rights to privacy and access to information, for the acquisition and use of telecommunications systems, and base such policies and plans on current information about State telecommunications activities in relation to the full range of emerging technologies.

~~(13)~~ ~~Work cooperatively with the North Carolina Agency for Public Telecommunications in furthering the purpose of this section.~~"

SECTION 4. G.S. 147‑33.92(b) reads as rewritten:

"(b) The State Chief Information Officer shall establish ~~switched~~ broadband telecommunications services and permit, in addition to State agencies, cities, counties, and other local government entities, the following organizations and entities to share on a not‑for‑profit basis:

(1) Nonprofit educational institutions.

~~(2)~~ ~~MCNC.~~

(3) ~~Research~~ MCNC, and research affiliates of MCNC for use only in connection with research activities sponsored or funded, in whole or in part, by MCNC, if such research activities relate to health care or education in North Carolina.

(4) Agencies of the United States government operating in North Carolina for use only in connection with activities that relate to health care or education in North Carolina.

(5) Hospitals, clinics, and other health care facilities for use only in connection with activities that relate to health care or education in North Carolina.

Provided, however, that sharing of the ~~switched~~ broadband telecommunications services by State agencies with entities or organizations in the categories set forth in this subsection shall not cause the State, the Office of Information Technology Services, or the MCNC to be classified as a public utility as that term is defined in G.S. 62‑3(23) a.6. Nor shall the State, the Office of Information Technology Services, or the MCNC engage in any activities that may cause those entities to be classified as a common carrier as that term is defined in the Communications Act of 1934, 47 U.S.C. § 153(10). Provided further, authority to share the ~~switched~~ broadband telecommunications services with the non‑State agencies set forth in subdivisions (1) through (5) of this subsection shall terminate one year from the effective date of a tariff that makes the broadband services available to any customer."

SECTION 5. G.S. 150B‑2(8a) reads as rewritten:

"§ 150B‑2. Definitions.

As used in this Chapter,

�

(8a) "Rule" means any agency regulation, standard, or statement of general applicability that implements or interprets an enactment of the General Assembly or Congress or a regulation adopted by a federal agency or that describes the procedure or practice requirements of an agency. The term includes the establishment of a fee and the amendment or repeal of a prior rule. The term does not include the following:

a. Statements concerning only the internal management of an agency or group of agencies within the same principal office or department enumerated in G.S. 143A‑11 or 143B‑6, including policies and procedures manuals, if the statement does not directly or substantially affect the procedural or substantive rights or duties of a person not employed by the agency or group of agencies.

b. Budgets and budget policies and procedures issued by the Director of the Budget, by the head of a department, as defined by G.S. 143A‑2 or G.S. 143B‑3, by an occupational licensing board, as defined by G.S. 93B‑1, or by the State Board of Elections.

c. Nonbinding interpretative statements within the delegated authority of an agency that merely define, interpret, or explain the meaning of a statute or rule.

d. A form, the contents or substantive requirements of which are prescribed by rule or statute.

e. Statements of agency policy made in the context of another proceeding, including:

1. Declaratory rulings under G.S. 150B‑4.

2. Orders establishing or fixing rates or tariffs.

f. Requirements, communicated to the public by the use of signs or symbols, concerning the use of public roads, bridges, ferries, buildings, or facilities.

g. Statements that set forth criteria or guidelines to be used by the staff of an agency in performing audits, investigations, or inspections; in settling financial disputes or negotiating financial arrangements; or in the defense, prosecution, or settlement of cases.

h. Scientific, architectural, or engineering standards, forms, or procedures, including design criteria and construction standards used to construct or maintain highways, bridges, or ferries.

i. Job classification standards, job qualifications, and salaries established for positions under the jurisdiction of the State Personnel Commission.

j. Establishment of the interest rate that applies to tax assessments under G.S. 105‑241.21 and the variable component of the excise tax on motor fuel under G.S. 105‑449.80.

k. The State Medical Facilities Plan, if the Plan has been prepared with public notice and hearing as provided in G.S. 131E‑176(25), reviewed by the Commission for compliance with G.S. 131E‑176(25), and approved by the Governor.

l. Standards adopted by the Office of Information Technology Services applied to information technology as defined by G.S. 147‑33.81."

SECTION 6. G.S. 147‑33.72B(b)(1) reads as rewritten:

"(b) The Plan shall include the following elements:

(1) An inventory of current information technology assets and major projects currently in progress. As used in this subdivision, the term "major project" includes projects subject to review and approval under ~~G.S. 147‑33.72C, or that cost more than five hundred thousand dollars ($500,000) to implement.~~G.S. 147‑33.72C."

SECTION 7. G.S. 147‑33.72C reads as rewritten:

"§ 147‑33.72C. Project approval standards.

(a) Project Review and Approval. � The State Chief Information Officer shall:

(1) Review all State agency information technology ~~projects that cost or are expected to cost more than five hundred thousand dollars ($500,000), whether the project is undertaken in a single phase or component or in multiple phases or components.~~ projects. If the State Chief Information Officer determines a project meets the quality assurance requirements established under this Article, the State Chief Information Officer shall approve the project.

~~(2)~~ Establish thresholds for determining which information technology projects costing or expected to cost five hundred thousand dollars ($500,000) or less shall be subject to review and approval under subdivision (a)(1) of this section. When establishing the thresholds, the State Chief Information Officer shall consider factors such as project cost, potential project risk, agency size, and projected budget.

(b) Project Implementation. � No State agency shall proceed with an information technology project that is subject to review and approval under subsection (a) of this section until the State CIO approves the project. If a project is not approved, the State CIO shall specify in writing to the agency the grounds for denying the approval. The State CIO shall provide this information to the agency within five business days of the denial.

(c) Suspension of Approval. � The State Chief Information Officer may suspend the approval of any information technology project that does not continue to meet the applicable quality assurance standards. This authority extends to any information technology project that costs more than five hundred thousand dollars ($500,000) to implement regardless of whether the project was originally subject to review and approval under subsection (a) of this section. If the State CIO suspends approval of a project, the State CIO shall specify in writing to the agency the grounds for suspending the approval. The State CIO shall provide this information to the agency within five business days of the suspension.

The Office of Information Technology Services shall report any suspension immediately to the Office of the State Controller and the Office of State Budget and Management. The Office of State Budget and Management shall not allow any additional expenditure of funds for a project that is no longer approved by the State Chief Information Officer.

~~(d)~~ General Quality Assurance. � Information technology projects that are not subject to review and approval under subsection (a) of this section shall meet all other standards established under this Article.

(e) Performance Contracting. � All contracts between a State agency and a private party for information technology projects shall include provisions for vendor performance review and accountability. The State CIO ~~may~~ must require that these contract provisions include a performance bond and may require that the contract provisions include monetary penalties or other performance assurance measures for projects that are not completed or performed within the specified time period or that involve costs in excess of those specified in the contract. ~~The State CIO may require contract provisions requiring a vendor to provide a performance bond.~~ The State CIO may utilize, as performance incentives, for an information technology projects cost savings realized in government‑vendor partnerships, as defined in G.S. 143‑135.9.

(f) Notwithstanding the provisions of G.S. 114‑2.3, any State agency developing and implementing an information technology project with a total cost of ownership in excess of five million dollars ($5,000,000) shall engage the services of private counsel with the appropriate information technology and intellectual property expertise. The private counsel shall review requests for proposals; review and provide advice and assistance during the evaluation of proposals and selection of any vendors; and review and negotiate contracts associated with the development, implementation, operation, and maintenance of the project. This requirement shall also apply to information technology programs that are separated into individual projects, if the total cost of ownership for the overall program exceeds five million dollars ($5,000,000)."

SECTION 8. G.S. 147‑33.72H reads as rewritten:

"§ 147‑33.72H. Information Technology Fund.

There is established a special revenue fund to be known as the Information Technology Fund, which may receive transfers or other credits as authorized by the General Assembly. Money shall be appropriated from the Information Technology Fund to support the operation and administration of the Office of the State Chief Information Officer. Money may be appropriated from the Information Technology Fund to meet statewide requirements, including planning, project management, security, electronic mail, State portal operations, and the administration of systemwide procurement procedures. Expenditures involving funds appropriated to the Office of Information Technology Services from the Information Technology Fund shall be made by the CIO. By October 1 of each year, the State CIO shall submit to the Joint Legislative Oversight Committee on Information Technology a report on all expenditures involving funds appropriated to the Office of Information Technology Services from the Information Technology Fund for the preceding fiscal year. Interest earnings on the Information Technology Fund balance shall be credited to the Information Technology Fund."

SECTION 9. G.S. 147‑33.76 reads as rewritten:

§ 147‑33.76. Qualification, appointment, and duties of the State Chief Information ~~Officer.~~Officer; role of chief deputy information officer.

(a) The Office of Information Technology Services shall be managed and administered by the State Chief Information Officer ("State CIO"). The State Chief Information Officer shall be ~~qualified by education and experience for the office and shall be appointed by and serve at the pleasure of the Governor.~~appointed by the Governor and confirmed by joint resolution of the General Assembly to serve a five‑year term. The State Chief Information Officer shall be qualified for the office by education and experience.

(b) Repealed by Session Laws 2004‑129, s. 3.

(b1) The State CIO shall be responsible for developing and administering a comprehensive long‑range plan to ensure the proper management of the State's information technology resources. The State CIO shall set technical standards for information technology, review and approve major information technology projects, review and approve State agency information technology budget requests, establish information technology security standards, provide for the procurement of information technology resources, and develop a schedule for the replacement or modification of major systems. The State CIO is authorized to adopt rules to implement this Article.

(c) The salary of the State Chief Information Officer shall be set by the Governor. The State Chief Information Officer is exempt from the State Personnel Act, ~~The State Chief Information Officer~~however, the State CIO shall receive longevity pay on the same basis as is provided to employees of the State who are subject to the State Personnel Act.

(d) The State Chief Information Officer may appoint a chief deputy information officer. The salary of the chief deputy information officer shall be set by the State CIO. The State CIO may appoint all employees, including legal counsel, necessary to carry out the powers and duties of the office. These employees are exempt from the State Personnel Act."

SECTION 10. G.S. 147‑33.77 reads as rewritten:

§ 147‑33.77. Office of Information Technology Services; organization and operation.

~~(a)~~ The State Chief Information Officer may appoint a Chief Deputy Information Officer. The salary of the Chief Deputy Information Officer shall be set by the State Chief Information Officer. The State Chief Information Officer may appoint all employees, including legal counsel, necessary to carry out the powers and duties of the office. These employees shall be subject to the State Personnel Act.

(b) All employees of the office shall be under the supervision, direction, and control of the State Chief Information Officer. Except as otherwise provided by this Article, the State Chief Information Officer may assign any function vested in the State Chief Information Officer or the Office of Information Technology Services to any subordinate officer or employee of the office.

(c) The State Chief Information Officer may, subject to the provisions of G.S. 147‑64.7(b)(2), obtain the services of independent public accountants, qualified management consultants, and other professional persons or experts to carry out powers and duties of the office.

(d) The State Chief Information Officer shall have legal custody of all books, papers, documents, and other records of the office.

(e) The State Chief Information Officer shall be responsible for the preparation of and the presentation of the office budget request, including all funds requested and all receipts expected for all elements of the budget.

(f) The State Chief Information Officer may adopt regulations for the administration of the office, the conduct of employees of the office, the distribution and performance of business, the performance of the functions assigned to the State Chief Information Officer and the Office of Information Technology Services, and the custody, use, and preservation of the records, documents, and property pertaining to the business of the office.

(g) The State Chief Information Officer may require background investigations of any employee or prospective employee, including a criminal history record check, which may include a search of the State and National Repositories of Criminal Histories based on the person's fingerprints. A criminal history record check shall be conducted by the State Bureau of Investigation upon receiving fingerprints and other information provided by the employee or prospective employee. If the employee or prospective employee has been a resident of the State for less than five years, the background report shall include a review of criminal information from both the State and National Repositories of Criminal Histories. The criminal background report shall be provided to the State Chief Information Officer and is not a public record under Chapter 132 of the General Statutes."

SECTION 11. G.S. 147‑33.111 reads as rewritten:

"§ 147‑33.111. State CIO approval of security standards and security assessments.

(a) Notwithstanding G.S. 143‑48.3 or any other provision of law, and except as otherwise provided by this section, all information technology security purchased using State funds, or for use by a State agency or in a State facility, shall be subject to approval by the State Chief Information Officer in accordance with security standards adopted under this Article.

(a1) The State Chief Information Officer shall conduct assessments of information system security, network vulnerability, including network penetration or any similar procedure. The State Chief Information Officer may contract with another party or parties to perform the assessments. Detailed reports of the security issues identified shall be kept confidential as provided in G.S. 132‑6.1(c).

(b) If the legislative branch, the judicial branch, The University of North Carolina and its constituent institutions, local school administrative units as defined by G.S. 115C‑5, or the North Carolina Community Colleges System develop their own security standards, taking into consideration the mission and functions of that entity, that are comparable to or exceed those set by the State Chief Information Officer under this section, then these entities may elect to be governed by their own respective security standards, and approval of the State Chief Information Officer shall not be required before the purchase of information technology security. The State Chief Information Officer shall consult with the legislative branch, the judicial branch, The University of North Carolina and its constituent institutions, local school administrative units, and the North Carolina Community Colleges System in reviewing the security standards adopted by those entities.

(c) Before a State agency may enter into any contract with another party for an assessment of information system security and network vulnerability, the State agency shall notify the State Chief Information Officer and obtain approval of the request. If the State agency enters into a contract with another party for assessment and testing, after approval of the State Chief Information Officer, the State agency shall issue public reports on the general results of the reviews. The contractor shall provide the State agency with detailed reports of the security issues identified that shall not be disclosed as provided in G.S. 132‑6.1(c). The State agency shall provide the State Chief Information Officer with copies of the detailed reports that shall not be disclosed as provided in G.S. 132‑6.1(c).

(d) Nothing in this section shall be construed to preclude the Office of the State Auditor from assessing the security practices of State information technology systems as part of that Office's duties and responsibilities."

SECTION 12. G.S. 147‑33.112 reads as rewritten:

"§ 147‑33.112. Assessment of agency compliance with security standards.

The State Chief Information Officer shall assess periodically the ability of each ~~agency~~ agency, and each agency's contracted vendors, to comply with the current security enterprise‑wide set of standards established pursuant to this section. The assessment shall include, at a minimum, the rate of compliance with the enterprise‑wide security standards ~~in each agency~~ and an assessment of ~~each agency's~~ security organization, security practices, security industry standards, network security architecture, and current expenditures of State funds for information technology security. The assessment of an agency shall also estimate the cost to implement the security measures needed for agencies to fully comply with the standards. Each agency subject to the standards shall submit information required by the State Chief Information Officer for purposes of this assessment. The State Chief Information Officer shall include the information obtained from the assessment in the State Information Technology Plan required under G.S. 147‑33.72B."

SECTION 13. This act is effective when it becomes law.