HOUSE BILL REPORT
ESSB 5432
As Reported by House Committee On:
State Government & Tribal Relations
Appropriations
Title: An act relating to cybersecurity in state government.
Brief Description: Concerning cybersecurity and data sharing in Washington state government.
Sponsors: Senate Committee on Environment, Energy & Technology (originally sponsored by Senators Carlyle, Nguyen, Conway, Das, Dhingra, Keiser, Liias, Nobles and Randall; by request of Office of the Governor).
Brief History:
Committee Activity:
State Government & Tribal Relations: 3/10/21, 3/17/21 [DPA];
Appropriations: 3/22/21, 3/25/21 [DPA(SGOV)].
Brief Summary of Engrossed Substitute Bill
(As Amended By Committee)
  • Creates the Office of Cybersecurity (OCS) within the Office of the Chief Information Officer (OCIO) and transfers the OCIO's responsibilities relating to state information technology (IT) security programs to the OCS.
  • Requires the OCS to collaborate with state agencies to develop a catalog of cybersecurity services and functions for the OCS to perform.
  • Requires the OCS to contract for an independent security assessment of state agency information technology program audits.
  • Sets standards for data sharing and major cybersecurity incident reporting.
HOUSE COMMITTEE ON STATE GOVERNMENT & TRIBAL RELATIONS
Majority Report: Do pass as amended.Signed by 4 members:Representatives Valdez, Chair; Lekanoff, Vice Chair; Dolan and Gregerson.
Minority Report: Without recommendation.Signed by 3 members:Representatives Volz, Ranking Minority Member; Walsh, Assistant Ranking Minority Member; Graham.
Staff: Desiree Omli (786-7105).
Background:

The Consolidated Technology Services Agency.
General.  The Consolidated Technology Services agency, also known as the Washington Technology Solutions (WaTech), supports state agencies as a centralized provider and procurer of certain information technology (IT) services.  The Director of WaTech is the state Chief Information Officer (CIO).
 
Office of the Chief Information Officer.   The Office of the Chief Information Officer (OCIO) is statutorily established within WaTech and has certain primary duties related to state government IT, which include establishing statewide enterprise architecture for IT and standards for consistent and efficient operation of IT services throughout state government.  The OCIO also establishes security standards and policies to ensure the confidentiality and integrity of information transacted, stored, or processed in the state's IT systems and infrastructure.
 
Under OCIO-issued policy, agencies must classify data into categories based on the sensitivity of the data as follows:

  • Category 1:  Public information.
  • Category 2:  Sensitive information.
  • Category 3:  Confidential information.
  • Category 4:  Confidential information requiring special handling.

 

Examples of confidential information included under Category 3 is information that is specifically protected from disclosure by law; "personal information" as defined under statute such as a person's first name or initial and last name in combination with a Social Security number, driver's license number, security code, or similar data; data pertaining to public employment such as test questions, scoring keys, and applications for employment; information in personnel records held by a public agency; and data concerning the infrastructure and security of computer and telecommunication networks.

 

Office of Cybersecurity.  The Office of Cybersecurity (OCS) is housed within WaTech but is not statutorily created.  The OCIO is, however, statutorily required to appoint a state Chief Information Security Officer (CISO).  The CISO leads the existing OCS, which provides strategic direction for cybersecurity and protects the state government network from growing cyber threats.  The OCS also detects, blocks, and responds to cyberattacks on state networks, and helps prevent and mitigate threats.
 
Office of Privacy and Data Protection.  The Office of Privacy and Data Protection (OPDP) is statutorily created within the OCIO and serves as a central point of contact for state agencies on policy matters involving data privacy and data protection.  The primary duties of the OPDP with respect to state agencies include conducting privacy reviews and training, coordinating data protection, articulating privacy principles and best policies, and working with the CIO in the review of major state agency projects involving personally identifiable information.
 
State Information Technology Security Programs.
Each state agency, institution of higher education, the Legislature, and the judiciary must develop an IT security program.  The IT security programs developed by institutions of higher education, the Legislature, and the judiciary, must be comparable to the intended outcomes of the OCIO's security standards and policies.
 
State agencies are subject to additional statutory requirements.  Each state agency must annually review and update its IT security program and certify to the OCIO that its program is compliant with the OCIO's security standards and policies.  The OCIO must require state agencies to obtain an independent compliance audit of its IT security program and controls once every three years.  The purpose of the audit is to determine whether the agency's IT security program is compliant with the standards and policies established by the agency, and that security controls are operating efficiently.
 
Public Records Act.
The Public Records Act (PRA) requires state and local agencies to make all public records available for public inspection and copying unless a record falls within an exemption under the PRA or another statute that exempts or prohibits disclosure of specific information or records.  The PRA is liberally construed, and its exemptions interpreted narrowly.  To the extent necessary to prevent an unreasonable invasion of personal privacy, an agency must delete identifying details from the records sought when it makes a record available.  A person's right to privacy is violated only if disclosure would be highly offensive to a reasonable person and is not of legitimate concern to the public.  Exemptions under the PRA are permissive, meaning that an agency, although not required to disclose, has the discretion to provide an exempt record.
 
Certain information relating to security is exempt from disclosure under the PRA.  For example, information regarding the public and private infrastructure and security of computer and telecommunications networks are exempt.  Public and private infrastructure and security of computer and telecommunications networks includes:  security passwords; security access codes and programs; security risk assessments; security test results to the extent that they identify specific system vulnerabilities; and any other information which, if released, may increase the risk to the confidentiality, integrity, or availability or security of IT infrastructure or assets.
 
Federal Cybersecurity Framework.
Federal Executive Order 13636 directed the National Institute of Standards and Technology (NIST) to develop a voluntary framework for reducing cyber risks to critical infrastructure.  The cybersecurity framework developed by the NIST is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk.

Summary of Amended Bill:

Office of Cybersecurity.
Creation and Principle Responsibilities.  The OCS is statutorily created within the OCIO.  The CIO appoints the CISO who will act as the director of the OCS.  The CISO or his or her designee serves as the state's point of contact for all major cybersecurity incidents.
 
The OCS's responsibilities include:

  • establishing standards and policies to protect the state's information technology systems and infrastructure;
  • developing a centralized cybersecurity protocol for protecting and managing state IT assets and infrastructure, and providing formal guidance to agencies on practices and standards to ensure a whole government approach to cybersecurity;
  • detecting and responding to security incidents;
  • creating a model incident response plan for agencies to adopt for certain incidents;
  • ensuring the continuity of state business in the event of a security incident;
  • defining core services that are required to be managed by agency IT security programs; and
  • developing a process for reviewing and evaluating agency proposals for additional cybersecurity services to ensure alignment with enterprise IT security strategy.

 
In carrying out these duties, the OCS must use or rely on industry standards and widely adopted cybersecurity standards with a preference for United States federal standards.
 
Catalog of Services.  The OCS must collaborate with state agencies to develop a catalog of cybersecurity services and functions for the OCS to perform.  By July 1, 2022, the OCS must report to the Legislature and the Governor on cybersecurity services and functions that should be performed by the OCS, core capabilities of the OCS, security functions which should remain within agency IT security programs, a model for accountability of agency security programs, and services and functions required to protect confidential information that is specifically protected from disclosure by state or federal law.  The OCS must update and publish its catalog of services and performance metrics on a biennial basis.
 
State Information Technology Security Programs.
Transfer of OCIO Responsibilities.  With respect to state IT security programs, the OCIO's oversight and statutory responsibilities are transferred to the new OCS.  Information technology security program standards and policies are now set by the OCS, and any IT security program required to be developed must be comparable to the intended outcomes of the OCS's standards and policies, or, in the case of state agencies, compliant with the OCS's standards and policies.  An additional requirement is imposed on state agencies to provide the OCS with a list of business needs and agency program metrics.
 
Reporting of Agency Review and Audit Findings.  In the event that an agency review or audit identifies any failure to comply with the standards and policies of the OCS or identifies any material cybersecurity risk, the OCS must require the agency to develop and implement a plan to resolve the failure or risk.  The OCS must report annually to the Governor and appropriate committees of the Legislature on any identified risk or failure to comply with established standards and policies.  On a quarterly basis, the OCS must review any identified risks that are not mitigated by an agency with the Governor and the chairs and ranking members of the appropriate committees of the Legislature.  The reports and related information compiled for the reports are confidential and may not be disclosed under the PRA.

Independent Security Evaluation Audit.  The OCS must contract for an independent security assessment of all state agency information technology security program audits that have been conducted since July 1, 2015.  The assessment must:

  • evaluate the content of any audit findings relative to industry standards at the time of the audit;
  • evaluate the state's performance in implementing recommendations from the audit;
  • evaluate the policies and standards established by the OCS and provide recommendations for improvement; and
  • provide recommendations for both short-term and long-term programs and strategies designed to implement audit findings.

 
The OCS must use a Department of Enterprise Services (DES) master contract or the competitive solicitation process required by law when contracting for the independent security assessment.  If the OCS uses the competitive solicitation process, it must work with the DES, the Office of Minority and Women's Business Enterprises (OMWBE), and the Washington State Department of Veterans Affairs (WDVA) to engage in outreach to veteran-owned businesses, small businesses, and minority and women-owned businesses, to encourage these entities to submit a bid.

 

A report summarizing findings and recommendations from the assessment must be submitted to the Governor and appropriate committees of the Legislature by August 31, 2022.  The report and information compiled in relation to the report is confidential and may not be disclosed under the PRA.
 
Major Cybersecurity Incident Response.
Agencies must report any major cybersecurity incident, as defined by the OCS, to the OCS within 24 hours of discovering the incident.  The OCS must then investigate the incident and facilitate any necessary incident response measures.
 
Report on Best Practices.
The OCS must collaborate with the OPDP and the Office of the Attorney General to research and examine best practices for data governance, data protection, sharing data relating to cybersecurity, and protection of state and local government IT systems and infrastructure.  The research must include an examination of model terms for data sharing contracts and adherence to privacy principles.  The OCS must report on its findings and specific recommendations to the Governor and Legislature by December 1, 2021.
 
Data Sharing Agreements.
Before sharing Category 3 data or higher with a contractor, an agency must have a written data sharing agreement in place that conforms to statutory requirements on policies for data sharing.
 
A public agency that requests Category 3 data or higher from another public agency must provide a written agreement between the agencies that conforms to the policies of the OCS.

Amended Bill Compared to Engrossed Substitute Bill:

The requirement that the Office of Financial Management (OFM) contract for an independent security audit of state agency information technology is removed, and instead requires the OCS to contract for an independent security assessment of the state agency IT security program audits that have been conducted since July 1, 2015.  The elements which the assessment must evaluate are specified.  In contracting for the assessment, the OCS must use a DES master contract or the competitive solicitation process.  If the OCS engages in the competitive solicitation process, it must work with the DES, the OMWBE, and the WDVA to engage in outreach to veteran-owned businesses, small businesses, and minority and women-owned businesses, to encourage these entities to submit a bid.  A report summarizing findings and recommendations from the assessment of state agency IT security program audits must be submitted to the Governor and appropriate committees of the Legislature by August 31, 2022.  The assessment report and information compiled pertaining to the assessment are confidential and may not be disclosed under the PRA.
 
In addition to the reports pertaining to the state agency IT security program reviews and audits, information compiled in relation to the reports and reviews are confidential.  The reports and related information may not be disclosed under the PRA.
 
In addition to the Governor, the OCS is required to provide its report and briefing pertaining to the state agency IT security program reviews and audits to appropriate committees of the Legislature.
 
A "major cybersecurity incident" is defined by OCS policy.

Appropriation: None.
Fiscal Note: Preliminary fiscal note available.  New fiscal note requested on March 17, 2021.
Effective Date of Amended Bill: The bill takes effect 90 days after adjournment of the session in which the bill is passed.
Staff Summary of Public Testimony:

(In support) Cyber threats are real and cyber attacks are on the rise both in frequency and sophistication.  In the past year, the state has experienced multiple serious cybersecurity incidences and was also the target of national breaches.  Because the state is named Washington, the state has become a special target to those who think it is Washington D.C.  In addition, the state is home to premier global brand companies that capture a lot of attention.  With the pandemic, agencies have had to move its services, operations, and employees to a remote environment, exposing vulnerabilities and highlighting areas of improvement for the state's cybersecurity posture.  The state's cybersecurity standards and oversight do not meet global best practices and standards.  Certain aspects are decentralized, which is not the best practice for cybersecurity protection.

 

This bill acknowledges the key role that state agencies play in cybersecurity response.  It addresses a variety of issues around governance, procedure, oversight, accountability, and the management of data by providing for a much-needed enterprise-wide strategic program that allows the type of accountability that the public deserves.  Elevating the OCS to be a statutory office would provide clear responsibilities for enterprise security and strategy, as well as ensuring a higher degree of accountability and confidence that the resources allocated to cybersecurity protection is used strategically.

 

The provisions requiring the OFM to contract for an independent statewide audit need to be worked out.  The provisions require a statewide audit, which may be costly and duplicative of the agency audits.

 

(Opposed) None.

Persons Testifying: Senator Carlyle, prime sponsor; Sheri Sawyer, Office of the Governor; and Mark Quimby, Washington Technology Solutions.
Persons Signed In To Testify But Not Testifying: None.
HOUSE COMMITTEE ON APPROPRIATIONS
Majority Report: Do pass as amended by Committee on State Government & Tribal Relations.Signed by 21 members:Representatives Ormsby, Chair; Bergquist, Vice Chair; Gregerson, Vice Chair; Macri, Vice Chair; Stokesbary, Ranking Minority Member; MacEwen, Assistant Ranking Minority Member; Chopp, Cody, Dolan, Fitzgibbon, Frame, Hansen, Johnson, J., Lekanoff, Pollet, Ryu, Senn, Springer, Stonier, Sullivan and Tharinger.
Minority Report: Do not pass.Signed by 4 members:Representatives Hoff, Rude, Schmick and Steele.
Minority Report: Without recommendation.Signed by 8 members:Representatives Chambers, Assistant Ranking Minority Member; Corry, Assistant Ranking Minority Member; Boehnke, Caldier, Chandler, Dye, Harris and Jacobsen.
Staff: Jessica Van Horne (786-7288).
Summary of Recommendation of Committee On Appropriations Compared to Recommendation of Committee On State Government & Tribal Relations:

No new changes were recommended.

Appropriation: None.
Fiscal Note: Preliminary fiscal note available.
Effective Date of Amended Bill: The bill takes effect 90 days after adjournment of the session in which the bill is passed.
Staff Summary of Public Testimony:

(In support) None.

 

(Opposed) None.

Persons Testifying: None.
Persons Signed In To Testify But Not Testifying: None.