AN ACT Relating to cloud computing solutions; amending RCW 43.105.020; adding new sections to chapter 43.105 RCW; creating a new section; and repealing RCW 43.105.375.

NEW SECTION. Sec. 1. (1) The legislature finds that the advent of the COVID-19 pandemic has increased the needs of the people of Washington for state services. From unemployment benefits to information on the incidence of disease in the state, Washingtonians have increasingly turned to state government for vital services and information.

(2) The legislature further finds that the state's information technology infrastructure is outdated and with insufficient capacity to handle the increased demand and has, in many cases, not been adequate to enable the state to provide the needed services effectively and efficiently.

(3) Therefore, the legislature intends to migrate the state's information technology toward modern cloud services, offered by third-party cloud providers operating at hyper scale, which will deliver the capacity, security, resiliency, disaster recovery capability, and data analytics necessary to allow the state to provide Washingtonians the services they require during this pandemic and in the future.

(3) "Cloud computing" has the same meaning as provided by the special publication 800-145 issued by the national institute of standards and technology of the United States department of commerce as of September 2011 or its successor publications.

(4) "Customer agencies" means all entities that purchase or use information technology resources, telecommunications, or services from the consolidated technology services agency.

(((5)))(6) "Enterprise architecture" means an ongoing activity for translating business vision and strategy into effective enterprise change. It is a continuous activity. Enterprise architecture creates, communicates, and improves the key principles and models that describe the enterprise's future state and enable its evolution.

(((6)))(7) "Equipment" means the machines, devices, and transmission facilities used in information processing, including but not limited to computers, terminals, telephones, wireless communications system facilities, cables, and any physical facility necessary for the operation of such equipment.

(((8)))(9) "Information security" means the protection of communication and information resources from unauthorized access, use, disclosure, disruption, modification, or destruction in order to:

(((9)))(10) "Information technology" includes, but is not limited to, all electronic technology systems and services, automated information handling, system design and analysis, conversion of data, computer programming, information storage and retrieval, telecommunications, requisite system controls, simulation, electronic commerce, radio technologies, and all related interactions between people and machines.

(((10)))(11) "Information technology portfolio" or "portfolio" means a strategic management process documenting relationships between agency missions and information technology and telecommunications investments.

(((12)))(13) "Local governments" includes all municipal and quasi-municipal corporations and political subdivisions, and all agencies of such corporations and subdivisions authorized to contract separately.

(((14)))(15) "Oversight" means a process of comprehensive risk analysis and management designed to ensure optimum use of information technology resources and telecommunications.

(((16)))(17) "Public agency" means any agency of this state or another state; any political subdivision or unit of local government of this state or another state including, but not limited to, municipal corporations, quasi-municipal corporations, special purpose districts, and local service districts; any public benefit nonprofit corporation; any agency of the United States; and any Indian tribe recognized as such by the federal government.

(((17)))(18) "Public benefit nonprofit corporation" means a public benefit nonprofit corporation as defined in RCW 24.03.005 that is receiving local, state, or federal funds either directly or through a public agency other than an Indian tribe or political subdivision of another state.

(((18)))(19) "Public record" has the definitions in RCW 42.56.010 and chapter 40.14 RCW and includes legislative records and court records that are available for public inspection.

(((20)))(21) "Security incident" means an accidental or deliberative event that results in or constitutes an imminent threat of the unauthorized access, loss, disclosure, modification, disruption, or destruction of communication and information resources.

(((21)))(22) "State agency" means every state office, department, division, bureau, board, commission, or other state agency, including offices headed by a statewide elected official.

(((22)))(23) "Telecommunications" includes, but is not limited to, wireless or wired systems for transport of voice, video, and data communications, network systems, requisite facilities, equipment, system controls, simulation, electronic commerce, and all related interactions between people and machines.

(((23)))(24) "Utility-based infrastructure services" includes personal computer and portable device support, servers and server administration, security administration, network administration, telephony, email, and other information technology services commonly used by state agencies.

(1) State agencies must adopt third-party, commercial cloud computing services for any new information technology or telecommunications investments except as provided in subsection (2) of this section. The office shall develop standards and guidelines for adoption of commercial cloud computing services. Prior to selecting and implementing a cloud computing service, state agencies must evaluate:

(a) The ability of the cloud computing service to meet security and compliance requirements for all workload types including low, moderate, and high impact data, leveraging defined federal authorization or accreditation programs to the fullest extent possible; and

(2) State agencies must receive a waiver from the office if there is a service requirement that prohibits the adoption of a cloud computing service, as required in subsection (1) of this section.

(a) Waivers must be based on written justification from the requesting state agency citing specific services or performance requirements for not utilizing a cloud computing service.

(b) Information on waiver applications, requested and granted, must be submitted by the office to the appropriate committees of the legislature by December 30th each calendar year.

(3) The agency must oversee and provide technical specifications to the department of enterprise services who must conduct competitive procurement processes that include the evaluation of services offered by several cloud providers per procurement. All procurements must be reopened and contracts must be renegotiated at a minimum every five years.

(5) Subject to the availability of amounts appropriated for this specific purpose, starting December 1, 2021, state agency directors of human resources must report annually to the office and the employment security department on impacts to staffing related to state employees who could not be reassigned to other duties within the state agency as a result of the cloud migration.

(6) Subject to the availability of amounts appropriated for this specific purpose, there is created a training program for employees who could not be reassigned to other duties within the state agency as a result of the cloud migration. The state human resources department of the office of financial management, in coordination with the office and the employment security department, must oversee requests for training and allocation of moneys. By January 1, 2022, the employment security department, in coordination with the office of financial management, must develop a program to support employees and dislocated workers identified in this subsection and affected by the policies created in this section.

(1) State agencies must migrate their existing on-premises applications to third-party, commercial cloud computing solutions by June 30, 2025, except as provided in subsection (2) of this section. The office will report to relevant legislative committees the status of existing agency on-premises application migration by January 1, 2024. State agencies shall accelerate cloud migration, modernization, and end-of-life migration activities in alignment with industry and existing state standards and guidelines.

(2) The office shall implement a program to facilitate the secure and timely migration to cloud services, while preserving department operational autonomy, and establish related standards.

(3) State agencies must receive a waiver from the office if an application cannot migrate to the cloud by the deadline in subsection (1) of this section.

(a) Waivers must be based on written justification from the requesting state agency citing specific service or performance requirements for not utilizing a cloud computing solution.

(b) Information on waiver applications, requested and granted, must be submitted by the office to the appropriate committees of the legislature by December 30th each calendar year, beginning in 2023.

NEW SECTION. Sec. 5. RCW 43.105.375 (Use of state data center—Business plan and migration schedule for state agencies—Exceptions) and 2015 3rd sp.s. c 1 s 219 & 2011 1st sp.s. c 43 s 735 are each repealed.