SENATE BILL REPORT
SB 5971
This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.
As of January 27, 2014
Title: An act relating to the continuity of government and operations in the event of an emergency, disaster, or attack.
Brief Description: Concerning the continuity of government and operations in the event of an emergency, disaster, or attack.
Sponsors: Senators Roach, Chase, Bailey, Rivers, Conway, Schoesler, Shin, Hobbs, Darneille, Tom and Benton; by request of Military Department and State Auditor.
Brief History:
Committee Activity: Governmental Operations: 1/27/14.
SENATE COMMITTEE ON GOVERNMENTAL OPERATIONS
Staff: Karen Epps (786-7424)
Background: Washington's Continuity of Government Act provides direction for the continuity of government and operations in the event of an attack taken against the United States in the state of Washington. An attack means any act of warfare taken by an enemy of the United States causing substantial damage or injury to persons or property in the United States and the state of Washington. Under Washington's Continuity of Government Act, during any time period when an enemy attack takes place:
if the Governor and all successors of the Office of the Governor are unavailable, then the powers and duties of the Governor must be exercised and discharged by the Speaker of the House;
the Governor must call the Legislature into session as soon as practicable and in any case within 30 days following the inception of the attack. If the Governor fails to issue the call of the Legislature into session, then the Legislature must convene at a place where the Governor has established office on the 30th day following the date of the inception of the attack;
if the number of legislators available for duty is reduced, then those remaining legislators that are available for duty will constitute the Legislature and will have the power to act by the majority of those present. All quorum requirements are suspended and in instances where an affirmative vote is needed of a specified proportion of members for an approval of a bill then the same proportion of those voting is sufficient;
if, according to the Governor, it becomes impracticable for the Legislature to convene in its usual Olympia location, then the Governor may call the Legislature into emergency session in an alternative location;
if the enemy attack reduces the number of county commissioners of a county, then those remaining commissioners available for duty have full authority to act on all matters of the Board of County Commissioners;
if the executive head of any city or town is unavailable due to the enemy attack to fulfill respective responsibilities, then those available members of the city or town council or commission must vote one of their counterparts to act as executive head of the city or town. If the attack reduces the number of council or commission members, then those remaining members available for duty have the full power to act by majority vote of those present; and
if it becomes impossible to conduct affairs of a political subdivision at its usual location, then the governing body may meet at an alternative location.
The Military Department administers the state's comprehensive program of emergency management. The Adjutant General is responsible for developing a comprehensive, all-hazard emergency plan for the state that includes an analysis of natural, technological, or human-caused hazards, and procedures to coordinate local and state resources in responding to such hazards. Governor Inslee issued Directive 13-02 in March 2013 that requires each individual agency, board, commission, and council to develop a Continuity of Operations Plan (COOP) for their organization. Each agency, board, commission, and council head will conduct a review of and exercise their COOP to ensure that:
employee contact lists are current;
the plan identifies staff who perform essential functions, that those staff members know their responsibilities, and that they have access to phones and other technology to carry out those responsibilities;
procedures exist to determine the status of the organization, i.e. open, closed, or delayed;
procedures exist for updating organizational websites in a timely manner to reflect current organizational status, i.e. open, closed, or delayed;
procedures exist for internal and external communication when normal methods may be disrupted, including information on whether the organization is open or closed; and
performance of the organizational critical functions, including technology systems that support those functions, is possible when disruptions occur due to an emergency or disaster.
The Office of the Chief Information Officer (OCIO) was created within the Office of Financial Management by the Legislature in 2011. OCIO is responsible for the preparation and implementation of a strategic direction and enterprise architecture for information technology for the state. OCIO must work toward standardization and consolidation of information technology infrastructure across state agencies, establish standards and policies to govern information technology in the state, and educate and inform the state on information technology matters. Other OCIO duties include establishing policies for the periodic review of agency performance and establishing technical standards to facilitate electronic access to government information.
Summary of Bill: The bill as referred to committee not considered.
Summary of Bill (Proposed Substitute): OCIO is given the following powers and duties, including to:
develop and assist in the updating of information security procedures, standards, and guidelines for state agencies;
ensure the incorporation of and compliance with information security policies, standards, and guidelines in the information security plans (plans) developed by state agencies;
direct information security audits and assessments in state agencies in order to ensure program compliance and adjustments;
establish and direct a risk management process to identify information security risks in state agencies and deploy risk mitigation strategies, processes, and procedures, including but not limited to an information security breach response plan;
annually review and approve the information security plans of state agencies; and
conduct information security awareness and training programs.
Each state agency must develop a plan and submit the plan to the Chief Information Officer by July 1 of each year. The plan must provide information security for the communication and information resources that support the operations and assets of the state agency, and include the following:
a process for providing adequate information security for the communication and information resources of the state agency;
a schedule for periodic security awareness training to inform the employees and users of the state agency's communication and information resources about information security risks and the responsibility of employees and users to comply with agency policies, standards, and procedures designed to reduce those risks;
a plan for periodic vulnerability assessment testing and evaluation of the effectiveness of information security for the state agency, which must be performed at least once per year; and
plans and procedures to ensure the continuity of operations for information resources that support the operations and assets of the state agency in the event of a security incident.
In the event that a state agency fails to submit a plan to the Chief Information Officer by July 1 of each year, or the plan is not approved by the Chief Information Officer, the Chief Information Officer must notify the Governor and the director of the state agency of noncompliance by the state agency. OCIO must prepare a biennial report to the Governor and the Legislature concerning the implementation of the plans.
The Military Department must provide for the development and exercise of continuity of operations plans by the state. The Adjutant General is responsible to the Governor for developing and implementing a program for interagency coordination of continuity of operations planning by state agencies, boards, and commissions. Each state agency, board, and commission is responsible for developing an organizational continuity of operations plan that is updated and exercised annually in compliance with the program for interagency COOP.
The Continuity of Government Act is clarified to include enemy attacks, whether foreign or domestic.
Appropriation: None.
Fiscal Note: Available. New fiscal note requested on January 23, 2014.
Committee/Commission/Task Force Created: No.
Effective Date: The bill contains several effective dates. Please refer to the bill.
Staff Summary of Public Testimony: CON: There are concerns about the continuity of government portions of this bill. There are concerns about putting cyber security portions into this bill. There should be two bills. The definition of communication and information resources should specify that it applies to state agencies. The continuity of operations planning portions of this bill including emergencies and disasters is a good idea, but this bill only looks at enemy attack. The continuity of government portions of this bill should be removed.
OTHER: This bill puts a focus on cyber security. There are some concerns about this bill because it takes many of the activities that OCIO is currently doing and puts them into statute, but there is a fear of spending valuable resources fighting current issues in cyber security and not being able to evolve as the threats change. Cyber security moves very, very quickly. If specifics around how the state is defending itself are put in statute, the state may not have the flexibility to adjust to the changing landscape. The continuity of operations planning portions of the bill have been widely vetted and are unopposed.
Persons Testifying: CON: Dave Stiles, Oath Keepers of WA State.
OTHER: Nancy Bickford, WA Military Dept.; Matt Miller, State Auditor's Office; Michael Cockrill, OCIO.