Bill Text: NC S448 | 2013-2014 | Regular Session | Amended
Bill Title: Omnibus State IT Governance Changes
Spectrum: Partisan Bill (Republican 2-0)
Status: (Introduced - Dead) 2013-03-27 - Ref To Com On Program Evaluation
GENERAL ASSEMBLY OF NORTH CAROLINA
SESSION 2013
S 1
SENATE BILL 448*
Short Title: Omnibus State IT Governance Changes. (Public)
Sponsors: Senators Brock (Primary Sponsor); and Hise.
Referred to: Program Evaluation.
March 27, 2013
A BILL TO BE ENTITLED
AN ACT making omnibus changes to the laws relating to state information technology governance.
The General Assembly of North Carolina enacts:
SECTION 1. G.S. 143‑135.9(a)(3) is repealed.
SECTION 2. G.S. 147‑33.72C(e) reads as rewritten:
"(e) Performance Contracting. All contracts
between a State agency and a private party for information technology projects
shall include provisions for vendor performance review and accountability. The
State CIO may require that these contract provisions require a performance
bond, include monetary penalties penalties, or require other
performance assurance measures for projects that are not completed or
performed within the specified time period or that involve costs in excess
of those specified in the contract. The State CIO may require contract
provisions requiring a vendor to provide a performance bond. utilize cost
savings realized on government‑vendor partnerships, as defined in G.S. 143‑135.9,
as performance incentives for an information technology project vendor."
SECTION 3. G.S. 147‑33.91(a) reads as rewritten:
"(a) With respect to State agencies, the State Chief Information Officer shall exercise general coordinating authority for all telecommunications matters relating to the internal management and operations of those agencies. In discharging that responsibility, the State Chief Information Officer, in cooperation with affected State agency heads, may:
(1) Provide for the establishment, management, and operation, through either State ownership, contract, or commercial leasing, of the following systems and services as they affect the internal management and operation of State agencies:
a. Central telephone systems and telephone networks.
b. Repealed by Session Laws 2004‑129, s. 23, effective July 1, 2004.
c. Repealed by Session Laws 2004‑129, s. 23, effective July 1, 2004.
d. Satellite services.
e. Closed‑circuit TV systems.
f. Two‑way radio systems.
g. Microwave systems.
h. Related systems based on telecommunication technologies.
i. The "State Network", managed by the Office, which means any connectivity designed for the purpose of providing Internet Protocol transport of information to any building.
(2) Coordinate the development of cost‑sharing systems for respective user agencies for their proportionate parts of the cost of maintenance and operation of the systems and services listed in subdivision (1) of this subsection.
(3) Assist in the development of coordinated telecommunications services or systems within and among all State agencies and recommend, where appropriate, cooperative utilization of telecommunication facilities by aggregating users.
(4) Perform traffic analysis and engineering for all telecommunications services and systems listed in subdivision (1) of this subsection.
(5) Pursuant to G.S. 143‑49, establish Establish
telecommunications specifications and designs so as to promote and support
compatibility of the systems within State agencies.
(6) Pursuant to G.S. 143‑49 and G.S. 143‑50,
coordinate Coordinate the review of requests by State agencies for
the procurement of telecommunications systems or services.
(7) Pursuant to G.S. 143‑341 and Chapter
146 of the General Statutes, coordinate Coordinate the review of
requests by State agencies for State government property acquisition,
disposition, or construction for telecommunications systems requirements.
(8) Provide a periodic inventory of telecommunications costs, facilities, systems, and personnel within State agencies.
(9) Promote, coordinate, and assist in the design and engineering of emergency telecommunications systems, including, but not limited to, the 911 emergency telephone number program, Emergency Medical Services, and other emergency telecommunications services.
(10) Perform frequency coordination and management for State agencies and local governments, including all public safety radio service frequencies, in accordance with the rules and regulations of the Federal Communications Commission or any successor federal agency.
(11) Advise all State agencies on telecommunications management planning and related matters and provide through the State Personnel Training Center or the Office of Information Technology Services training to users within State agencies in telecommunications technology and systems.
(12) Assist and coordinate the development of policies and long‑range plans, consistent with the protection of citizens' rights to privacy and access to information, for the acquisition and use of telecommunications systems, and base such policies and plans on current information about State telecommunications activities in relation to the full range of emerging technologies.
(13) Work cooperatively with the North Carolina
Agency for Public Telecommunications in furthering the purpose of this section."
SECTION 4. G.S. 147‑33.92(b) reads as rewritten:
"(b) The State Chief Information Officer shall
establish switched broadband telecommunications services and permit, in
addition to State agencies, cities, counties, and other local government
entities, the following organizations and entities to share on a not‑for‑profit
basis:
(1) Nonprofit educational institutions.
(2) MCNC.
(3) Research MCNC, and research affiliates
of MCNC for use only in connection with research activities sponsored or
funded, in whole or in part, by MCNC, if such research activities relate to
health care or education in North Carolina.
(4) Agencies of the United States government operating in North Carolina for use only in connection with activities that relate to health care or education in North Carolina.
(5) Hospitals, clinics, and other health care facilities for use only in connection with activities that relate to health care or education in North Carolina.
Provided, however, that sharing of the switched broadband
telecommunications services by State agencies with entities or organizations in
the categories set forth in this subsection shall not cause the State, the
Office of Information Technology Services, or the MCNC to be classified as a
public utility as that term is defined in G.S. 62‑3(23) a.6. Nor
shall the State, the Office of Information Technology Services, or the MCNC
engage in any activities that may cause those entities to be classified as a
common carrier as that term is defined in the Communications Act of 1934, 47
U.S.C. § 153(10). Provided further, authority to share the switched broadband
telecommunications services with the non‑State agencies set forth in
subdivisions (1) through (5) of this subsection shall terminate one year from
the effective date of a tariff that makes the broadband services available to
any customer."
SECTION 5. G.S. 150B‑2(8a) reads as rewritten:
"§ 150B‑2. Definitions.
As used in this Chapter,
(8a) "Rule" means any agency regulation, standard, or statement of general applicability that implements or interprets an enactment of the General Assembly or Congress or a regulation adopted by a federal agency or that describes the procedure or practice requirements of an agency. The term includes the establishment of a fee and the amendment or repeal of a prior rule. The term does not include the following:
a. Statements concerning only the internal management of an agency or group of agencies within the same principal office or department enumerated in G.S. 143A‑11 or 143B‑6, including policies and procedures manuals, if the statement does not directly or substantially affect the procedural or substantive rights or duties of a person not employed by the agency or group of agencies.
b. Budgets and budget policies and procedures issued by the Director of the Budget, by the head of a department, as defined by G.S. 143A‑2 or G.S. 143B‑3, by an occupational licensing board, as defined by G.S. 93B‑1, or by the State Board of Elections.
c. Nonbinding interpretative statements within the delegated authority of an agency that merely define, interpret, or explain the meaning of a statute or rule.
d. A form, the contents or substantive requirements of which are prescribed by rule or statute.
e. Statements of agency policy made in the context of another proceeding, including:
1. Declaratory rulings under G.S. 150B‑4.
2. Orders establishing or fixing rates or tariffs.
f. Requirements, communicated to the public by the use of signs or symbols, concerning the use of public roads, bridges, ferries, buildings, or facilities.
g. Statements that set forth criteria or guidelines to be used by the staff of an agency in performing audits, investigations, or inspections; in settling financial disputes or negotiating financial arrangements; or in the defense, prosecution, or settlement of cases.
h. Scientific, architectural, or engineering standards, forms, or procedures, including design criteria and construction standards used to construct or maintain highways, bridges, or ferries.
i. Job classification standards, job qualifications, and salaries established for positions under the jurisdiction of the State Personnel Commission.
j. Establishment of the interest rate that applies to tax assessments under G.S. 105‑241.21 and the variable component of the excise tax on motor fuel under G.S. 105‑449.80.
k. The State Medical Facilities Plan, if the Plan has been prepared with public notice and hearing as provided in G.S. 131E‑176(25), reviewed by the Commission for compliance with G.S. 131E‑176(25), and approved by the Governor.
l. Standards adopted by the Office of Information Technology Services applied to information technology as defined by G.S. 147‑33.81."
SECTION 6. G.S. 147‑33.72B(b)(1) reads as rewritten:
"(b) The Plan shall include the following elements:
(1) An inventory of current information technology
assets and major projects currently in progress. As used in this subdivision,
the term "major project" includes projects subject to review and
approval under G.S. 147‑33.72C, or that cost more than five
hundred thousand dollars ($500,000) to implement. G.S. 147‑33.72C."
SECTION 7. G.S. 147‑33.72C reads as rewritten:
"§ 147‑33.72C. Project approval standards.
(a) Project Review and Approval. The State Chief Information Officer shall:
(1) Review all State agency information technology projects
that cost or are expected to cost more than five hundred thousand dollars
($500,000), whether the project is undertaken in a single phase or component or
in multiple phases or components. projects. If the State Chief
Information Officer determines a project meets the quality assurance
requirements established under this Article, the State Chief Information
Officer shall approve the project.
(2) Establish thresholds for determining
which information technology projects costing or expected to cost five hundred
thousand dollars ($500,000) or less shall be subject to review and approval
under subdivision (a)(1) of this section. When establishing the thresholds, the
State Chief Information Officer shall consider factors such as project cost,
potential project risk, agency size, and projected budget.
(b) Project Implementation. No State agency shall proceed with an information technology project that is subject to review and approval under subsection (a) of this section until the State CIO approves the project. If a project is not approved, the State CIO shall specify in writing to the agency the grounds for denying the approval. The State CIO shall provide this information to the agency within five business days of the denial.
(c) Suspension of Approval. The State Chief
Information Officer may suspend the approval of any information technology
project that does not continue to meet the applicable quality assurance
standards. This authority extends to any information technology project that
costs more than five hundred thousand dollars ($500,000) to implement
regardless of whether the project was originally subject to review and approval
under subsection (a) of this section. If the State CIO suspends approval of
a project, the State CIO shall specify in writing to the agency the grounds for
suspending the approval. The State CIO shall provide this information to the
agency within five business days of the suspension.
The Office of Information Technology Services shall report any suspension immediately to the Office of the State Controller and the Office of State Budget and Management. The Office of State Budget and Management shall not allow any additional expenditure of funds for a project that is no longer approved by the State Chief Information Officer.
(d) General Quality Assurance. Information
technology projects that are not subject to review and approval under
subsection (a) of this section shall meet all other standards established under
this Article.
(e) Performance Contracting. All contracts between a
State agency and a private party for information technology projects shall
include provisions for vendor performance review and accountability. The State
CIO may must require that these contract provisions include a
performance bond and may require that the contract provisions include
monetary penalties or other performance assurance measures for projects
that are not completed or performed within the specified time period or
that involve costs in excess of those specified in the contract. The State
CIO may require contract provisions requiring a vendor to provide a performance
bond. The State CIO may utilize, as performance incentives, for an information
technology projects cost savings realized in government‑vendor partnerships,
as defined in G.S. 143‑135.9.
(f) Notwithstanding the provisions of G.S. 114‑2.3, any State agency developing and implementing an information technology project with a total cost of ownership in excess of five million dollars ($5,000,000) shall engage the services of private counsel with the appropriate information technology and intellectual property expertise. The private counsel shall review requests for proposals; review and provide advice and assistance during the evaluation of proposals and selection of any vendors; and review and negotiate contracts associated with the development, implementation, operation, and maintenance of the project. This requirement shall also apply to information technology programs that are separated into individual projects, if the total cost of ownership for the overall program exceeds five million dollars ($5,000,000)."
SECTION 8. G.S. 147‑33.72H reads as rewritten:
"§ 147‑33.72H. Information Technology Fund.
There is established a special revenue fund to be known as the Information Technology Fund, which may receive transfers or other credits as authorized by the General Assembly. Money shall be appropriated from the Information Technology Fund to support the operation and administration of the Office of the State Chief Information Officer. Money may be appropriated from the Information Technology Fund to meet statewide requirements, including planning, project management, security, electronic mail, State portal operations, and the administration of systemwide procurement procedures. Expenditures involving funds appropriated to the Office of Information Technology Services from the Information Technology Fund shall be made by the CIO. By October 1 of each year, the State CIO shall submit to the Joint Legislative Oversight Committee on Information Technology a report on all expenditures involving funds appropriated to the Office of Information Technology Services from the Information Technology Fund for the preceding fiscal year. Interest earnings on the Information Technology Fund balance shall be credited to the Information Technology Fund."
SECTION 9. G.S. 147‑33.76 reads as rewritten:
"§ 147‑33.76. Qualification, appointment, and duties of
the State Chief Information Officer. Officer; role of chief deputy
information officer.
(a) The Office of Information Technology Services
shall be managed and administered by the State Chief Information Officer ("State
CIO"). The State Chief Information Officer shall be qualified by
education and experience for the office and shall be appointed by and serve at
the pleasure of the Governor. appointed by the Governor and confirmed by joint
resolution of the General Assembly to serve a five‑year term. The State
Chief Information Officer shall be qualified for the office by education and
experience.
(b) Repealed by Session Laws 2004‑129, s. 3.
(b1) The State CIO shall be responsible for developing and administering a comprehensive long‑range plan to ensure the proper management of the State's information technology resources. The State CIO shall set technical standards for information technology, review and approve major information technology projects, review and approve State agency information technology budget requests, establish information technology security standards, provide for the procurement of information technology resources, and develop a schedule for the replacement or modification of major systems. The State CIO is authorized to adopt rules to implement this Article.
(c) The salary of the State Chief Information Officer
shall be set by the Governor. The State Chief Information Officer is exempt
from the State Personnel Act, The State Chief Information Officer however,
the State CIO shall receive longevity pay on the same basis as is provided
to employees of the State who are subject to the State Personnel Act.
(d) The State Chief Information Officer may appoint a chief deputy information officer. The salary of the chief deputy information officer shall be set by the State CIO. The State CIO may appoint all employees, including legal counsel, necessary to carry out the powers and duties of the office. These employees are exempt from the State Personnel Act."
SECTION 10. G.S. 147‑33.77 reads as rewritten:
"§ 147‑33.77. Office of Information Technology Services; organization and operation.
(a) The State Chief Information Officer may
appoint a Chief Deputy Information Officer. The salary of the Chief Deputy
Information Officer shall be set by the State Chief Information Officer. The
State Chief Information Officer may appoint all employees, including legal
counsel, necessary to carry out the powers and duties of the office. These
employees shall be subject to the State Personnel Act.
(b) All employees of the office shall be under the supervision, direction, and control of the State Chief Information Officer. Except as otherwise provided by this Article, the State Chief Information Officer may assign any function vested in the State Chief Information Officer or the Office of Information Technology Services to any subordinate officer or employee of the office.
(c) The State Chief Information Officer may, subject to the provisions of G.S. 147‑64.7(b)(2), obtain the services of independent public accountants, qualified management consultants, and other professional persons or experts to carry out powers and duties of the office.
(d) The State Chief Information Officer shall have legal custody of all books, papers, documents, and other records of the office.
(e) The State Chief Information Officer shall be responsible for the preparation of and the presentation of the office budget request, including all funds requested and all receipts expected for all elements of the budget.
(f) The State Chief Information Officer may adopt regulations for the administration of the office, the conduct of employees of the office, the distribution and performance of business, the performance of the functions assigned to the State Chief Information Officer and the Office of Information Technology Services, and the custody, use, and preservation of the records, documents, and property pertaining to the business of the office.
(g) The State Chief Information Officer may require background investigations of any employee or prospective employee, including a criminal history record check, which may include a search of the State and National Repositories of Criminal Histories based on the person's fingerprints. A criminal history record check shall be conducted by the State Bureau of Investigation upon receiving fingerprints and other information provided by the employee or prospective employee. If the employee or prospective employee has been a resident of the State for less than five years, the background report shall include a review of criminal information from both the State and National Repositories of Criminal Histories. The criminal background report shall be provided to the State Chief Information Officer and is not a public record under Chapter 132 of the General Statutes."
SECTION 11. G.S. 147‑33.111 reads as rewritten:
"§ 147‑33.111. State CIO approval of security standards and security assessments.
(a) Notwithstanding G.S. 143‑48.3 or any other provision of law, and except as otherwise provided by this section, all information technology security purchased using State funds, or for use by a State agency or in a State facility, shall be subject to approval by the State Chief Information Officer in accordance with security standards adopted under this Article.
(a1) The State Chief Information Officer shall conduct assessments of information system security, network vulnerability, including network penetration or any similar procedure. The State Chief Information Officer may contract with another party or parties to perform the assessments. Detailed reports of the security issues identified shall be kept confidential as provided in G.S. 132‑6.1(c).
(b) If the legislative branch, the judicial branch, The University of North Carolina and its constituent institutions, local school administrative units as defined by G.S. 115C‑5, or the North Carolina Community Colleges System develop their own security standards, taking into consideration the mission and functions of that entity, that are comparable to or exceed those set by the State Chief Information Officer under this section, then these entities may elect to be governed by their own respective security standards, and approval of the State Chief Information Officer shall not be required before the purchase of information technology security. The State Chief Information Officer shall consult with the legislative branch, the judicial branch, The University of North Carolina and its constituent institutions, local school administrative units, and the North Carolina Community Colleges System in reviewing the security standards adopted by those entities.
(c) Before a State agency may enter into any contract with another party for an assessment of information system security and network vulnerability, the State agency shall notify the State Chief Information Officer and obtain approval of the request. If the State agency enters into a contract with another party for assessment and testing, after approval of the State Chief Information Officer, the State agency shall issue public reports on the general results of the reviews. The contractor shall provide the State agency with detailed reports of the security issues identified that shall not be disclosed as provided in G.S. 132‑6.1(c). The State agency shall provide the State Chief Information Officer with copies of the detailed reports that shall not be disclosed as provided in G.S. 132‑6.1(c).
(d) Nothing in this section shall be construed to preclude the Office of the State Auditor from assessing the security practices of State information technology systems as part of that Office's duties and responsibilities."
SECTION 12. G.S. 147‑33.112 reads as rewritten:
"§ 147‑33.112. Assessment of agency compliance with security standards.
The State Chief Information Officer shall assess periodically
the ability of each agency agency, and each agency's contracted
vendors, to comply with the current security enterprise‑wide set of
standards established pursuant to this section. The assessment shall include,
at a minimum, the rate of compliance with the enterprise‑wide security
standards in each agency and an assessment of each agency's security
organization, security practices, security industry standards, network
security architecture, and current expenditures of State funds for
information technology security. The assessment of an agency shall also
estimate the cost to implement the security measures needed for agencies to
fully comply with the standards. Each agency subject to the standards shall
submit information required by the State Chief Information Officer for purposes
of this assessment. The State Chief Information Officer shall include the
information obtained from the assessment in the State Information Technology
Plan required under G.S. 147‑33.72B."
SECTION 13. This act is effective when it becomes law.