HOUSE BILL REPORT

2SHB 1929

As Passed House:

March 6, 2017

Title: An act relating to building a more robust state information technology security posture by leveraging assets at the military department and other agencies responsible for information technology systems and infrastructure.

Brief Description: Concerning independent security testing of state agencies' information technology systems and infrastructure by the military department.

Sponsors: House Committee on Appropriations (originally sponsored by Representatives Hudgins, Harmsworth and Tarleton).

Brief History:

Committee Activity:

State Government, Elections & Information Technology: 2/14/17, 2/15/17 [DPS];

Appropriations: 2/23/17 [DP2S(w/o sub SEIT)].

Floor Activity:

Passed House: 3/6/17, 98-0.

Majority Report: The substitute bill be substituted therefor and the substitute bill do pass. Signed by 9 members: Representatives Hudgins, Chair; Dolan, Vice Chair; Koster, Ranking Minority Member; Volz, Assistant Ranking Minority Member; Appleton, Gregerson, Irwin, Kraft and Pellicciotti.

Staff: Sean Flynn (786-7124).

Majority Report: The second substitute bill be substituted therefor and the second substitute bill do pass and do not pass the substitute bill by Committee on State Government, Elections & Information Technology. Signed by 32 members: Representatives Ormsby, Chair; Robinson, Vice Chair; Chandler, Ranking Minority Member; MacEwen, Assistant Ranking Minority Member; Stokesbary, Assistant Ranking Minority Member; Bergquist, Buys, Caldier, Cody, Condotta, Fitzgibbon, Haler, Hansen, Harris, Hudgins, Jinkins, Kagi, Lytton, Manweller, Nealey, Pettigrew, Pollet, Sawyer, Schmick, Senn, Springer, Sullivan, Taylor, Tharinger, Vick, Volz and Wilcox.

Staff: James Mackison (786-7104).

Background:

State Cybersecurity Programs.

Consolidated Technology Services. In 2011 the Consolidated Technology Services (CTS) agency was created as part of a reorganization of state government information technology (IT) infrastructure functions and services. The CTS provides information services to public agencies, operates the state data center, and offers IT services, including data security and storage. In 2015 the CTS also assumed IT functions from the Department of Enterprise Services.

In 2015 the Legislature also directed the CTS to establish statewide security standards and policies to protect the information processed in the state IT systems, and appoint a state chief information security officer. All state agencies were directed to develop an IT security program in accordance with the state standards established by the CTS. Each agency must certify its compliance with the state security standards, and must obtain an independent compliance audit every three years.

The Military Department. The Military Department administers the state's comprehensive program of emergency management. The Adjutant General, acting as Director of the Military Department, is responsible for directing and coordinating the state preparation, response, and recovery from emergencies and disasters.

In 2013 Governor Inslee designated the Military Department as the primary agency for external communication with the federal Department of Homeland Security for all cybersecurity matters within state government. The Governor appointed the Adjutant General as the senior official representing Washington for management and coordination of cybersecurity issues within the state and at the federal level.

Summary of Second Substitute Bill:

The CTS is authorized to test the security vulnerability of any state agency's IT systems, without disrupting the agency's business operations. The test results must be shared with the agency and the CTS may assist the agency in addressing any vulnerabilities identified in the test.

The Military Department may conduct independent security testing of any local government or private entity involved in critical infrastructure management, upon the request of the governmental or private entity. Critical infrastructure includes systems or assets vital to the national security, economy, and public health and safety. The Military Department may assist the entity in addressing any vulnerabilities identified in the test. The Military Department, chief information security officer, and the Utilities and Transportation Commission must meet regularly to discuss best practices and trends regarding IT systems security testing.

Appropriation: None.

Fiscal Note: Available.

Effective Date: The bill takes effect 90 days after adjournment of the session in which the bill is passed. However, the bill is null and void unless funded in the budget.

Staff Summary of Public Testimony (State Government, Elections & Information Technology):

(In support) None.

(Opposed) None.

(Other) The Military Department has considerable cybersecurity capabilities that can be used by the private entities that hold significant sensitive information. The Military Department uses memoranda of understanding with private entities to test the vulnerabilities of private systems. The information gathered through IT systems security testing is very sensitive. It is important that the such information is not shared with other entities.

Staff Summary of Public Testimony (Appropriations):

(In support) None.

(Opposed) None.

Persons Testifying (State Government, Elections & Information Technology): Ken Borchers, Washington National Guard; and Dave Arbaugh, Snohomish Public Utility District.

Persons Testifying (Appropriations): None.

Persons Signed In To Testify But Not Testifying (State Government, Elections & Information Technology): None.

Persons Signed In To Testify But Not Testifying (Appropriations): None.