READ FIRST TIME 04/05/13.   

     AN ACT Relating to state technology expenditures; amending RCW 43.41A.025, 39.26.100, 43.41A.010, 43.88.092, and 42.56.420; adding a new section to chapter 43.41 RCW; adding a new section to chapter 43.41A RCW; and creating new sections.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:

Sec. 1   RCW 43.41A.025 and 2011 1st sp.s. c 43 s 706 are each amended to read as follows:
     (1) The chief information officer shall establish standards and policies to govern information technology in the state of Washington.
     (2) The office shall have the following powers and duties related to information services:
     (a) To develop statewide standards and policies governing the acquisition and disposition of equipment, software, and personal and purchased services, licensing of the radio spectrum by or on behalf of state agencies, and confidentiality of computerized data;
     (b) To develop statewide or interagency technical policies, standards, and procedures;
     (c) To review and approve standards and common specifications for new or expanded telecommunications networks proposed by agencies, public postsecondary education institutions, educational service districts, or statewide or regional providers of K-12 information technology services;
     (d) To develop a detailed business plan for any service or activity to be contracted under RCW 41.06.142(7)(b) by the consolidated technology services agency;
     (e) To provide direction concerning strategic planning goals and objectives for the state. The office shall seek input from the legislature and the judiciary; ((and))
     (f) To establish policies for the periodic review by the office of agency performance which may include but are not limited to analysis of:
     (i) Planning, management, control, and use of information services;
     (ii) Training and education; and
     (iii) Project management;
     (g) To coordinate with state agencies with an annual information technology expenditure that exceeds ten million dollars to implement a technology business management program to identify opportunities for savings and efficiencies in information technology expenditures and to monitor ongoing financial performance of technology investments; and
     (h) In conjunction with the consolidated technology services agency, to develop statewide standards for agency purchases of technology networking equipment and services.
     (3) Statewide technical standards to promote and facilitate electronic information sharing and access are an essential component of acceptable and reliable public access service and complement content-related standards designed to meet those goals. The office shall:
     (a) Establish technical standards to facilitate electronic access to government information and interoperability of information systems, including wireless communications systems; and
     (b) Require agencies to include an evaluation of electronic public access needs when planning new information systems or major upgrades of systems.
     In developing these standards, the office is encouraged to include the state library, state archives, and appropriate representatives of state and local government.
     (4) The office shall perform other matters and things necessary to carry out the purposes and provisions of this chapter.

Sec. 2   RCW 39.26.100 and 2012 c 224 s 11 are each amended to read as follows:
     (1) The provisions of this chapter do not apply in any manner to the operation of the state legislature except as requested by the legislature.
     (2) The provisions of this chapter do not apply to the contracting for services, equipment, and activities that are necessary to establish, operate, or manage the state data center, including architecture, design, engineering, installation, and operation of the facility, that are approved by the technology services board or the acquisition of proprietary software, equipment, and information technology services necessary for or part of the provision of services offered by the consolidated technology services agency.
     (3) Primary authority for the purchase of specialized equipment, and instructional and research material, for their own use rests with the institutions of higher education as defined in RCW 28B.10.016.
     (4) Universities operating hospitals with approval from the director, as the agent for state hospitals as defined in RCW 72.23.010, and for health care programs provided in state correctional institutions as defined in RCW 72.65.010(3) and veterans' institutions as defined in RCW 72.36.010 and 72.36.070, may make purchases for hospital operation by participating in contracts for materials, supplies, and equipment entered into by nonprofit cooperative hospital group purchasing organizations if documented to be more cost-effective.
     (5) Primary authority for the purchase of materials, supplies, and equipment, for resale to other than public agencies, rests with the state agency concerned.
     (6) The authority for the purchase of insurance and bonds rests with the risk manager under RCW 43.19.769, except for institutions of higher education that choose to exercise independent purchasing authority under RCW 28B.10.029.
     (7) The authority to purchase interpreter services and interpreter brokerage services on behalf of limited-English speaking or sensory-impaired applicants and recipients of public assistance rests with the department of social and health services and the health care authority.
     (8) The provisions of this chapter do not apply to information technology purchases by state agencies, other than institutions of higher education and agencies of the judicial branch, if (a) the purchase is less than one hundred thousand dollars, (b) the initial purchase is approved by the chief information officer of the state, and (c) the agency director and the chief information officer of the state jointly prepare a public document providing a detailed justification for the expenditure.

Sec. 3   RCW 43.41A.010 and 2011 1st sp.s. c 43 s 702 are each amended to read as follows:
     (1) The office of the chief information officer is created within the office of financial management.
     (2) Powers, duties, and functions assigned to the department of information services as specified in this chapter shall be transferred to the office of chief information officer as provided in this chapter.
     (3) The primary duties of the office are:
     (a) To prepare and lead the implementation of a strategic direction and enterprise architecture for information technology for state government;
     (b) To enable the standardization and consolidation of information technology infrastructure across all state agencies to support enterprise-based system development and improve and maintain service delivery;
     (c) To establish standards and policies for the consistent and efficient operation of information technology services throughout state government;
     (d) To establish statewide enterprise architecture that will serve as the organizing standard for information technology for state agencies;
     (e) (([To])) To educate and inform state managers and policymakers on technological developments, industry trends and best practices, industry benchmarks that strengthen decision making and professional development, and industry understanding for public managers and decision makers.
     (4) In the case of institutions of higher education, the powers of the office and the provisions of this chapter apply to business and administrative applications but do not apply to (a) academic and research applications; and (b) medical, clinical, and health care applications, including the business and administrative applications for such operations. However, institutions of higher education must disclose to the office any proposed academic applications that are enterprise-wide in nature relative to the needs and interests of other institutions of higher education. Institutions of higher education shall provide to the chief information officer sufficient data and information on proposed expenditures on business and administrative applications to permit the chief information officer to evaluate the proposed expenditures pursuant to RCW 43.88.092(3).
     (5) The legislature and the judiciary, which are constitutionally recognized as separate branches of government, are strongly encouraged to coordinate with the office and participate in shared services initiatives and the development of enterprise-based strategies, where appropriate. Legislative and judicial agencies of the state shall submit to the chief information officer information on proposed information technology expenditures to allow the chief information officer to evaluate the proposed expenditures on an advisory basis.

Sec. 4   RCW 43.88.092 and 2011 1st sp.s. c 43 s 733 are each amended to read as follows:
     (1) As part of the biennial budget process, the office of financial management shall collect from agencies, and agencies shall provide, information to produce reports, summaries, and budget detail sufficient to allow review, analysis, and documentation of all current and proposed expenditures for information technology by state agencies. Information technology budget detail must be included as part of the budget submittal documentation required pursuant to RCW 43.88.030.
     (2) The office of financial management must collect, and present as part of the biennial budget documentation, information for all existing information technology projects as defined by ((information)) technology services board policy. The office of financial management must work with the office of the chief information officer to maximize the ability to draw this information from the information technology portfolio management data collected by the ((department of information services pursuant to RCW 43.105.170)) consolidated technology services agency. Connecting project information collected through the portfolio management process with financial data developed under subsection (1) of this section provides transparency regarding expenditure data for existing technology projects.
     (3) The chief information officer shall evaluate proposed information technology expenditures and establish priority ranking categories of the proposals. No more than one-third of the proposed expenditures shall be ranked in the highest priority category.
     (4) The biennial budget documentation submitted by the office of financial management pursuant to RCW 43.88.030 must include an information technology plan and a technology budget for the state identifying current baseline funding for information technology, proposed and ongoing major information technology projects, and their associated costs. This plan and technology budget must be presented using a method similar to the capital budget, identifying project costs through stages of the project and across fiscal periods and biennia from project initiation to implementation. This information must be submitted electronically, in a format to be determined by the office of financial management and the legislative evaluation and accountability program committee.
     (((4))) (5) The office of financial management shall also institute a method of accounting for information technology-related expenditures, including creating common definitions for what constitutes an information technology investment.
     (((5))) (6) For the purposes of this section, "major information technology projects" includes projects that have a significant anticipated cost, complexity, or are of statewide significance, such as enterprise-level solutions, enterprise resource planning, and shared services initiatives.

NEW SECTION.  Sec. 5   A new section is added to chapter 43.41 RCW to read as follows:
     (1) Subject to funds appropriated for this specific purpose, the office of financial management may establish an information technology investment pool and may enter into financial contracts for the acquisition of information technology projects for state agencies. Information technology projects funded under this section must meet the following requirements:
     (a) The project begins or continues replacement of information technology systems with modern and more efficient information technology systems;
     (b) The project improves the ability of an agency to recover from major disaster; or
     (c) The project provides future savings and efficiencies for an agency through reduced operating costs, improved customer service, or increased revenue collections.
     (2) Preference for project approval under this section must be given to an agency that has prior project approval from the office of the chief information officer and an approved business plan, and the primary hurdle to project funding is the lack of funding capacity.
     (3) The office of financial management with assistance from the office of the chief information officer shall report to the governor and the fiscal committees of the legislature by November 1st of each year on the status of distributions and expenditures on information technology projects and improved statewide or agency performance results achieved by project funding.

NEW SECTION.  Sec. 6   The consolidated technology services agency, in consultation with the office of the chief information officer, shall review and assess the current state telecommunications and information services network model of the executive branch with the objective of agency network consolidation into consolidated technology services. The assessment must include a review of cost management, state and federal regulatory issues, development and feasibility of each option, and a migration strategy and implementation plan for each option. The report is due to the office of financial management and the fiscal committees of the legislature by December 30, 2013.

NEW SECTION.  Sec. 7   The office of the chief information officer must prepare a report that inventories legacy information technology systems of the executive branch, both enterprise-wide and agency specific, and develop a prioritized plan for the modernization and funding of these systems. The report is due to the office of financial management and the fiscal committees of the legislature by December 1, 2014.

NEW SECTION.  Sec. 8   A new section is added to chapter 43.41A RCW to read as follows:
     The office shall establish security standards and policies to ensure the confidentiality, availability, and integrity of the information transacted, stored, or processed in the state's information technology systems and infrastructure. Each state agency, institution of higher education, the legislature, and the judiciary must develop an information technology security plan and program.
     (1) Each state agency information technology security plan and program must adhere to the office's security standards and policies. Each state agency must review and update its plan and program annually and certify to the office that its plan and program is in compliance with the office's security standards and policies. The office may require an agency to obtain an independent compliance audit of its information technology security plan and program.
     (2) In the case of institutions of higher education, the judiciary, and the legislature, each information technology security plan and program must be comparable to the intended outcomes of the office's security standards and policies. Each institution, the legislature, and the judiciary shall submit their information technology security plan and program to the office annually for review and comment.

Sec. 9   RCW 42.56.420 and 2009 c 67 s 1 are each amended to read as follows:
     The following information relating to security is exempt from disclosure under this chapter:
     (1) Those portions of records assembled, prepared, or maintained to prevent, mitigate, or respond to criminal terrorist acts, which are acts that significantly disrupt the conduct of government or of the general civilian population of the state or the United States and that manifest an extreme indifference to human life, the public disclosure of which would have a substantial likelihood of threatening public safety, consisting of:
     (a) Specific and unique vulnerability assessments or specific and unique response or deployment plans, including compiled underlying data collected in preparation of or essential to the assessments, or to the response or deployment plans; and
     (b) Records not subject to public disclosure under federal law that are shared by federal or international agencies, and information prepared from national security briefings provided to state or local government officials related to domestic preparedness for acts of terrorism;
     (2) Those portions of records containing specific and unique vulnerability assessments or specific and unique emergency and escape response plans at a city, county, or state adult or juvenile correctional facility, or secure facility for persons civilly confined under chapter 71.09 RCW, the public disclosure of which would have a substantial likelihood of threatening the security of a city, county, or state adult or juvenile correctional facility, secure facility for persons civilly confined under chapter 71.09 RCW, or any individual's safety;
     (3) Information compiled by school districts or schools in the development of their comprehensive safe school plans under RCW 28A.320.125, to the extent that they identify specific vulnerabilities of school districts and each individual school;
     (4) Information regarding the infrastructure and security of computer and telecommunications networks, consisting of security passwords, security access codes and programs, access codes for secure software applications, security and service recovery plans, security risk assessments, and security test results to the extent that they identify specific system vulnerabilities, and other such information the release of which may increase risk to the confidentiality, integrity, or availability of agency security, information technology infrastructure, or assets; and
     (5) The system security ((section of transportation system safety)) and ((security program plans)) emergency preparedness plan required under RCW 35.21.228, 35A.21.300, 36.01.210, 36.57.120, 36.57A.170, and 81.112.180.