Passed by the Senate June 27, 2013 YEAS 48   ________________________________________ President of the Senate Passed by the House June 27, 2013 YEAS 90   ________________________________________ Speaker of the House of Representatives | I, Hunter G. Goodman, Secretary of the Senate of the State of Washington, do hereby certify that the attached is ENGROSSED SUBSTITUTE SENATE BILL 5891 as passed by the Senate and the House of Representatives on the dates hereon set forth. ________________________________________ Secretary | |
Approved ________________________________________ Governor of the State of Washington | Secretary of State State of Washington |
State of Washington | 63rd Legislature | 2013 2nd Special Session |
READ FIRST TIME 04/05/13.
AN ACT Relating to state technology expenditures; amending RCW 43.41A.025, 39.26.100, 43.41A.010, 43.88.092, and 42.56.420; adding a new section to chapter 43.41 RCW; adding a new section to chapter 43.41A RCW; and creating new sections.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:
Sec. 1 RCW 43.41A.025 and 2011 1st sp.s. c 43 s 706 are each
amended to read as follows:
(1) The chief information officer shall establish standards and
policies to govern information technology in the state of Washington.
(2) The office shall have the following powers and duties related
to information services:
(a) To develop statewide standards and policies governing the
acquisition and disposition of equipment, software, and personal and
purchased services, licensing of the radio spectrum by or on behalf of
state agencies, and confidentiality of computerized data;
(b) To develop statewide or interagency technical policies,
standards, and procedures;
(c) To review and approve standards and common specifications for
new or expanded telecommunications networks proposed by agencies,
public postsecondary education institutions, educational service
districts, or statewide or regional providers of K-12 information
technology services;
(d) To develop a detailed business plan for any service or activity
to be contracted under RCW 41.06.142(7)(b) by the consolidated
technology services agency;
(e) To provide direction concerning strategic planning goals and
objectives for the state. The office shall seek input from the
legislature and the judiciary; ((and))
(f) To establish policies for the periodic review by the office of
agency performance which may include but are not limited to analysis
of:
(i) Planning, management, control, and use of information services;
(ii) Training and education; and
(iii) Project management;
(g) To coordinate with state agencies with an annual information
technology expenditure that exceeds ten million dollars to implement a
technology business management program to identify opportunities for
savings and efficiencies in information technology expenditures and to
monitor ongoing financial performance of technology investments; and
(h) In conjunction with the consolidated technology services
agency, to develop statewide standards for agency purchases of
technology networking equipment and services.
(3) Statewide technical standards to promote and facilitate
electronic information sharing and access are an essential component of
acceptable and reliable public access service and complement content-related standards designed to meet those goals. The office shall:
(a) Establish technical standards to facilitate electronic access
to government information and interoperability of information systems,
including wireless communications systems; and
(b) Require agencies to include an evaluation of electronic public
access needs when planning new information systems or major upgrades of
systems.
In developing these standards, the office is encouraged to include
the state library, state archives, and appropriate representatives of
state and local government.
(4) The office shall perform other matters and things necessary to
carry out the purposes and provisions of this chapter.
Sec. 2 RCW 39.26.100 and 2012 c 224 s 11 are each amended to read
as follows:
(1) The provisions of this chapter do not apply in any manner to
the operation of the state legislature except as requested by the
legislature.
(2) The provisions of this chapter do not apply to the contracting
for services, equipment, and activities that are necessary to
establish, operate, or manage the state data center, including
architecture, design, engineering, installation, and operation of the
facility, that are approved by the technology services board or the
acquisition of proprietary software, equipment, and information
technology services necessary for or part of the provision of services
offered by the consolidated technology services agency.
(3) Primary authority for the purchase of specialized equipment,
and instructional and research material, for their own use rests with
the institutions of higher education as defined in RCW 28B.10.016.
(4) Universities operating hospitals with approval from the
director, as the agent for state hospitals as defined in RCW 72.23.010,
and for health care programs provided in state correctional
institutions as defined in RCW 72.65.010(3) and veterans' institutions
as defined in RCW 72.36.010 and 72.36.070, may make purchases for
hospital operation by participating in contracts for materials,
supplies, and equipment entered into by nonprofit cooperative hospital
group purchasing organizations if documented to be more cost-effective.
(5) Primary authority for the purchase of materials, supplies, and
equipment, for resale to other than public agencies, rests with the
state agency concerned.
(6) The authority for the purchase of insurance and bonds rests
with the risk manager under RCW 43.19.769, except for institutions of
higher education that choose to exercise independent purchasing
authority under RCW 28B.10.029.
(7) The authority to purchase interpreter services and interpreter
brokerage services on behalf of limited-English speaking or sensory-impaired applicants and recipients of public assistance rests with the
department of social and health services and the health care authority.
(8) The provisions of this chapter do not apply to information
technology purchases by state agencies, other than institutions of
higher education and agencies of the judicial branch, if (a) the
purchase is less than one hundred thousand dollars, (b) the initial
purchase is approved by the chief information officer of the state, and
(c) the agency director and the chief information officer of the state
jointly prepare a public document providing a detailed justification
for the expenditure.
Sec. 3 RCW 43.41A.010 and 2011 1st sp.s. c 43 s 702 are each
amended to read as follows:
(1) The office of the chief information officer is created within
the office of financial management.
(2) Powers, duties, and functions assigned to the department of
information services as specified in this chapter shall be transferred
to the office of chief information officer as provided in this chapter.
(3) The primary duties of the office are:
(a) To prepare and lead the implementation of a strategic direction
and enterprise architecture for information technology for state
government;
(b) To enable the standardization and consolidation of information
technology infrastructure across all state agencies to support
enterprise-based system development and improve and maintain service
delivery;
(c) To establish standards and policies for the consistent and
efficient operation of information technology services throughout state
government;
(d) To establish statewide enterprise architecture that will serve
as the organizing standard for information technology for state
agencies;
(e) (([To])) To educate and inform state managers and policymakers
on technological developments, industry trends and best practices,
industry benchmarks that strengthen decision making and professional
development, and industry understanding for public managers and
decision makers.
(4) In the case of institutions of higher education, the powers of
the office and the provisions of this chapter apply to business and
administrative applications but do not apply to (a) academic and
research applications; and (b) medical, clinical, and health care
applications, including the business and administrative applications
for such operations. However, institutions of higher education must
disclose to the office any proposed academic applications that are
enterprise-wide in nature relative to the needs and interests of other
institutions of higher education. Institutions of higher education
shall provide to the chief information officer sufficient data and
information on proposed expenditures on business and administrative
applications to permit the chief information officer to evaluate the
proposed expenditures pursuant to RCW 43.88.092(3).
(5) The legislature and the judiciary, which are constitutionally
recognized as separate branches of government, are strongly encouraged
to coordinate with the office and participate in shared services
initiatives and the development of enterprise-based strategies, where
appropriate. Legislative and judicial agencies of the state shall
submit to the chief information officer information on proposed
information technology expenditures to allow the chief information
officer to evaluate the proposed expenditures on an advisory basis.
Sec. 4 RCW 43.88.092 and 2011 1st sp.s. c 43 s 733 are each
amended to read as follows:
(1) As part of the biennial budget process, the office of financial
management shall collect from agencies, and agencies shall provide,
information to produce reports, summaries, and budget detail sufficient
to allow review, analysis, and documentation of all current and
proposed expenditures for information technology by state agencies.
Information technology budget detail must be included as part of the
budget submittal documentation required pursuant to RCW 43.88.030.
(2) The office of financial management must collect, and present as
part of the biennial budget documentation, information for all existing
information technology projects as defined by ((information))
technology services board policy. The office of financial management
must work with the office of the chief information officer to maximize
the ability to draw this information from the information technology
portfolio management data collected by the ((department of information
services pursuant to RCW 43.105.170)) consolidated technology services
agency. Connecting project information collected through the portfolio
management process with financial data developed under subsection (1)
of this section provides transparency regarding expenditure data for
existing technology projects.
(3) The chief information officer shall evaluate proposed
information technology expenditures and establish priority ranking
categories of the proposals. No more than one-third of the proposed
expenditures shall be ranked in the highest priority category.
(4) The biennial budget documentation submitted by the office of
financial management pursuant to RCW 43.88.030 must include an
information technology plan and a technology budget for the state
identifying current baseline funding for information technology,
proposed and ongoing major information technology projects, and their
associated costs. This plan and technology budget must be presented
using a method similar to the capital budget, identifying project costs
through stages of the project and across fiscal periods and biennia
from project initiation to implementation. This information must be
submitted electronically, in a format to be determined by the office of
financial management and the legislative evaluation and accountability
program committee.
(((4))) (5) The office of financial management shall also institute
a method of accounting for information technology-related expenditures,
including creating common definitions for what constitutes an
information technology investment.
(((5))) (6) For the purposes of this section, "major information
technology projects" includes projects that have a significant
anticipated cost, complexity, or are of statewide significance, such as
enterprise-level solutions, enterprise resource planning, and shared
services initiatives.
NEW SECTION. Sec. 5 A new section is added to chapter 43.41 RCW
to read as follows:
(1) Subject to funds appropriated for this specific purpose, the
office of financial management may establish an information technology
investment pool and may enter into financial contracts for the
acquisition of information technology projects for state agencies.
Information technology projects funded under this section must meet the
following requirements:
(a) The project begins or continues replacement of information
technology systems with modern and more efficient information
technology systems;
(b) The project improves the ability of an agency to recover from
major disaster; or
(c) The project provides future savings and efficiencies for an
agency through reduced operating costs, improved customer service, or
increased revenue collections.
(2) Preference for project approval under this section must be
given to an agency that has prior project approval from the office of
the chief information officer and an approved business plan, and the
primary hurdle to project funding is the lack of funding capacity.
(3) The office of financial management with assistance from the
office of the chief information officer shall report to the governor
and the fiscal committees of the legislature by November 1st of each
year on the status of distributions and expenditures on information
technology projects and improved statewide or agency performance
results achieved by project funding.
NEW SECTION. Sec. 6 The consolidated technology services agency,
in consultation with the office of the chief information officer, shall
review and assess the current state telecommunications and information
services network model of the executive branch with the objective of
agency network consolidation into consolidated technology services.
The assessment must include a review of cost management, state and
federal regulatory issues, development and feasibility of each option,
and a migration strategy and implementation plan for each option. The
report is due to the office of financial management and the fiscal
committees of the legislature by December 30, 2013.
NEW SECTION. Sec. 7 The office of the chief information officer
must prepare a report that inventories legacy information technology
systems of the executive branch, both enterprise-wide and agency
specific, and develop a prioritized plan for the modernization and
funding of these systems. The report is due to the office of financial
management and the fiscal committees of the legislature by December 1,
2014.
NEW SECTION. Sec. 8 A new section is added to chapter 43.41A RCW
to read as follows:
The office shall establish security standards and policies to
ensure the confidentiality, availability, and integrity of the
information transacted, stored, or processed in the state's information
technology systems and infrastructure. Each state agency, institution
of higher education, the legislature, and the judiciary must develop an
information technology security plan and program.
(1) Each state agency information technology security plan and
program must adhere to the office's security standards and policies.
Each state agency must review and update its plan and program annually
and certify to the office that its plan and program is in compliance
with the office's security standards and policies. The office may
require an agency to obtain an independent compliance audit of its
information technology security plan and program.
(2) In the case of institutions of higher education, the judiciary,
and the legislature, each information technology security plan and
program must be comparable to the intended outcomes of the office's
security standards and policies. Each institution, the legislature,
and the judiciary shall submit their information technology security
plan and program to the office annually for review and comment.
Sec. 9 RCW 42.56.420 and 2009 c 67 s 1 are each amended to read
as follows:
The following information relating to security is exempt from
disclosure under this chapter:
(1) Those portions of records assembled, prepared, or maintained to
prevent, mitigate, or respond to criminal terrorist acts, which are
acts that significantly disrupt the conduct of government or of the
general civilian population of the state or the United States and that
manifest an extreme indifference to human life, the public disclosure
of which would have a substantial likelihood of threatening public
safety, consisting of:
(a) Specific and unique vulnerability assessments or specific and
unique response or deployment plans, including compiled underlying data
collected in preparation of or essential to the assessments, or to the
response or deployment plans; and
(b) Records not subject to public disclosure under federal law that
are shared by federal or international agencies, and information
prepared from national security briefings provided to state or local
government officials related to domestic preparedness for acts of
terrorism;
(2) Those portions of records containing specific and unique
vulnerability assessments or specific and unique emergency and escape
response plans at a city, county, or state adult or juvenile
correctional facility, or secure facility for persons civilly confined
under chapter 71.09 RCW, the public disclosure of which would have a
substantial likelihood of threatening the security of a city, county,
or state adult or juvenile correctional facility, secure facility for
persons civilly confined under chapter 71.09 RCW, or any individual's
safety;
(3) Information compiled by school districts or schools in the
development of their comprehensive safe school plans under RCW
28A.320.125, to the extent that they identify specific vulnerabilities
of school districts and each individual school;
(4) Information regarding the infrastructure and security of
computer and telecommunications networks, consisting of security
passwords, security access codes and programs, access codes for secure
software applications, security and service recovery plans, security
risk assessments, and security test results to the extent that they
identify specific system vulnerabilities, and other such information
the release of which may increase risk to the confidentiality,
integrity, or availability of agency security, information technology
infrastructure, or assets; and
(5) The system security ((section of transportation system safety))
and ((security program plans)) emergency preparedness plan required
under RCW 35.21.228, 35A.21.300, 36.01.210, 36.57.120, 36.57A.170, and
81.112.180.