Washington State

House of Representatives

Office of Program Research

BILL ANALYSIS

State Government, Elections & Information Technology Committee

HB 1929

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

Brief Description: Concerning independent security testing of state agencies' information technology systems and infrastructure by the military department.

Sponsors: Representatives Hudgins, Harmsworth and Tarleton.

Brief Summary of Bill

  • Directs the Consolidated Technology Services agency to test the security vulnerabilities of state agency information technology systems.

  • Authorizes the Military Department to test, upon request of any local government or private entity, the security of the entity's critical infrastructure.

Hearing Date: 2/14/17

Staff: Sean Flynn (786-7124).

Background:

State Cybersecurity Programs.

Consolidated Technology Services. In 2011 the Consolidated Technology Services (CTS) agency was created as part of a reorganization of state government information technology (IT) infrastructure functions and services. The CTS provides information services to public agencies, operates the state data center, and offers IT services, including data security and storage. In 2015 the CTS also assumed IT functions from the Department of Enterprise Services.

In 2015 the Legislature also directed the CTS to establish statewide security standards and policies to protect the information processed in the state IT systems, and appoint a state chief information security officer. All state agencies were directed to develop an IT security program in accordance with the state standards established by the CTS. Each agency must certify its compliance with the state security standards, and must obtain an independent compliance audit every three years.

The Military Department. The Military Department administers the state's comprehensive program of emergency management. The Adjutant General, acting as Director of the Military Department, is responsible for directing and coordinating the state's preparation for, response to, and recovery from emergencies and disasters.

In 2013 Governor Inslee designated the Military Department as the primary agency for external communication with the federal Department of Homeland Security for all cybersecurity matters within state government. The Governor appointed the Adjutant General as the senior official representing Washington for management and coordination of cybersecurity issues within the state and at the federal level.

Summary of Bill:

The CTS is authorized to test the security vulnerability of any state agency's IT systems, without disrupting the agency's business operations. The test results must be shared with the agency and the CTS may assist the agency in addressing any vulnerabilities identified in the test.

The Military Department may conduct independent security testing of any local government or private entity involved in critical infrastructure management, upon the request of the governmental or private entity. Critical infrastructure includes systems or assets vital to the national security, economy, and public health and safety. The Military Department may assist the entity in addressing any vulnerabilities identified in the test.

Appropriation: None.

Fiscal Note: Requested on February 13, 2017.

Effective Date: The bill takes effect 90 days after adjournment of the session in which the bill is passed.