SENATE BILL REPORT

SB 5455

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As of February 1, 2017

Title: An act relating to enhancing statewide cybersecurity performance through information assessment.

Brief Description: Concerning statewide cybersecurity performance.

Sponsors: Senators Miloscia, Zeiger and Pearson.

Brief History:

Committee Activity: State Government: 2/01/17.

Brief Summary of Bill

  • Requires Washington Technology Solutions (WaTech) to develop procedures for providing cybersecurity information to members of the Legislature and to conduct a cybersecurity excellence assessment every two years.

  • Requires the state Chief Information Officer (CIO) to set one- and five-year performance projections, rather than goals, and update the Legislature on performance annually.

  • Requires inclusion of one-year and five-year projections in the state strategic information technology (IT) plan.

SENATE COMMITTEE ON STATE GOVERNMENT

Staff: Melissa Van Gorkom (786-7491)

Background: WaTech. The Legislature established the Consolidated Technology Services agency, most commonly referred to as WaTech, and the Office of the Chief Information Officer (OCIO) in 2011. The CIO serves as Director of WaTech.

The CIO sets performance targets, approves plans for achieving measurable and specific goals for the agency, and reports to the Governor on agency performance at least quarterly.

The OCIO prepares a state strategic IT plan that includes a statewide mission, goals, and objectives for the use of IT, including goals for electronic access to government records, information, and services.

Performance Assessments. A 1987 act established a federal program to evaluate management quality of U.S. businesses. Both the Baldrige Performance Excellence Program and the Malcolm Baldrige National Quality Award are administered by the National Institute of Standards and Technology (NIST) within the U.S. Department of Commerce. The program currently publishes performance excellence frameworks used by trained examiners to evaluate management in both for-profit and nonprofit organizations, including government entities. Following an assessment, an examiner scores an organization's management quality.

Summary of Bill: CIO. The CIO must set one- and five-year projections, rather than goals, and update the Legislature on performance annually.

OCIO. The OCIO must include one-year and five-year projections in the state strategic IT plan.

WaTech. WaTech must:

If the agency meets that goal, WaTech must apply for a quality award and need only conduct assessments every four years. WaTech must report assessment results to relevant legislative committees.

Cybersecurity Excellence Assessment. A cybersecurity excellence assessment is an assessment of enterprise security operational performance using a framework approved by the NIST, U.S. Department of Commerce.

Appropriation: None.

Fiscal Note: Available.

Creates Committee/Commission/Task Force that includes Legislative members: No.

Effective Date: Ninety days after adjournment of session in which bill is passed.

Staff Summary of Public Testimony: PRO: The goal is for Washington to have the best cybersecurity and performance in the nation.

OTHER: Cybersecurity has moved out of the technology realm and into the policy realm, and this bill is a reflection of that. This bill gets the conversation going, and we appreciate the intention but want to work through the minutiae of the bill.

Persons Testifying: PRO: Senator Mark Miloscia, Prime Sponsor. OTHER: Rob St. John, Office of the Chief Information Officer.

Persons Signed In To Testify But Not Testifying: No one.