SENATE BILL REPORT
SB 5971
This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.
As Reported by Senate Committee On:
Governmental Operations, February 3, 2014
Title: An act relating to the continuity of government and operations in the event of an emergency, disaster, or attack.
Brief Description: Concerning the continuity of government and operations in the event of an emergency, disaster, or attack.
Sponsors: Senators Roach, Chase, Bailey, Rivers, Conway, Schoesler, Shin, Hobbs, Darneille, Tom and Benton; by request of Military Department and State Auditor.
Brief History:
Committee Activity: Governmental Operations: 1/27/14, 2/03/14 [DPS-WM].
SENATE COMMITTEE ON GOVERNMENTAL OPERATIONS
Majority Report: That Substitute Senate Bill No. 5971 be substituted therefor, and the substitute bill do pass and be referred to Committee on Ways & Means.
Signed by Senators Roach, Chair; Conway, Dansel and McCoy.
Staff: Karen Epps (786-7424)
Background: The Office of the Chief Information Officer (OCIO) was created within the Office of Financial Management by the Legislature in 2011. OCIO is responsible for the preparation and implementation of a strategic direction and enterprise architecture for information technology for the state. OCIO must work toward standardization and consolidation of information technology infrastructure across state agencies, establish standards and policies to govern information technology in the state, and educate and inform the state on information technology matters. Other OCIO duties include establishing policies for the periodic review of agency performance and establishing technical standards to facilitate electronic access to government information.
The Military Department administers the state's comprehensive program of emergency management. The Adjutant General is responsible for developing a comprehensive, all-hazard emergency plan for the state that includes an analysis of natural, technological, or human-caused hazards, and procedures to coordinate local and state resources in responding to such hazards. Governor Inslee issued Directive 13-02 in March 2013 that requires each individual agency, board, commission, and council to develop a Continuity of Operations Plan (COOP) for their organization. Each agency, board, commission, and council head will conduct a review of and exercise their COOP to ensure that:
employee contact lists are current;
the plan identifies staff who perform essential functions, that those staff members know their responsibilities, and that they have access to phones and other technology to carry out those responsibilities;
procedures exist to determine the status of the organization, i.e. open, closed, or delayed;
procedures exist for updating organizational websites in a timely manner to reflect current organizational status, i.e. open, closed, or delayed;
procedures exist for internal and external communication when normal methods may be disrupted, including information on whether the organization is open or closed; and
performance of the organizational critical functions, including technology systems that support those functions, is possible when disruptions occur due to an emergency or disaster.
Summary of Bill: The bill as referred to committee not considered.
Summary of Bill (Recommended Substitute): OCIO is given the following powers and duties, including to:
develop and assist in the updating of information security procedures, standards, and guidelines for state agencies;
assist with the development of information technology security programs developed by state agencies;
review information security audits and assessments in state agencies in order to assess risks and recommend adjustments; and
establish and direct a risk management process to identify information security risks in state agencies and deploy risk mitigation strategies, processes, and procedures, including but not limited to an information security breach response plan.
OCIO may require agencies to immediately correct security vulnerabilities that, in the judgment of OCIO, pose an unacceptable risk to the agency or the state. The OCIO may withhold further agency information technology spending authority should the agency fail to remediate the risk in a timely manner.
The Military Department must provide for the development and exercise of COOPs by the state. The Adjutant General is responsible to the Governor for developing and implementing a program for interagency coordination of continuity of operations planning by state agencies, boards, and commissions. Each state agency, board, and commission is responsible for developing an organizational COOP that is updated and exercised annually in compliance with the program for interagency COOP.
EFFECT OF CHANGES MADE BY GOVERNMENTAL OPERATIONS COMMITTEE (Recommended Substitute as Passed Committee):
Changes the title to An act relating to plans and protections in the event of a cyber-attack, emergency, or disaster. The title change reflects the inclusion of the cyber-attacks and the inclusion of the continuity of operations planning pieces from the bill as introduced – the pieces that the Military Department is most interested in.
Provides that OCIO will assist with the development of information technology security programs developed by state agencies that incorporate information security policies, standards, and guidelines.
Establishes that OCIO will require agencies to immediately correct security vulnerabilities that, in the judgment of OCIO, pose an unacceptable risk to the agency or the state. OCIO may withhold further agency information technology spending authority should the agency fail to remediate the risk in a timely manner.
Removes the requirement that each state agency develop an information security plan and submit the plan to the Chief Information Officer by July 1 of each year. State agencies have already established an information technology security program in consultation with OCIO.
Removes the requirement that OCIO prepare a biennial report to the Governor and the Legislature concerning the implementation of information security plans.
Removes the change to the Continuity of Government Act to clarify that enemy attacks include both foreign or domestic enemy attacks.
Appropriation: None.
Fiscal Note: Available. New fiscal note requested on January 23, 2014.
Committee/Commission/Task Force Created: No.
Effective Date: The bill contains several effective dates. Please refer to the bill.
Staff Summary of Public Testimony on Proposed Substitute as Heard in Committee: CON: There are concerns about the continuity of government portions of this bill. There are concerns about putting cyber security portions into this bill. There should be two bills. The definition of communication and information resources should specify that it applies to state agencies. The continuity of operations planning portions of this bill, including emergencies and disasters, are a good idea, but this bill only looks at enemy attack. The continuity of government portions of this bill should be removed.
OTHER: This bill puts a focus on cyber security. There are some concerns about this bill because it takes many of the activities that OCIO is currently doing and puts them into statute, but there is a fear of spending valuable resources fighting current issues in cyber security and not being able to evolve as the threats change. Cyber security moves very, very quickly. If specifics around how the state is defending itself are put in statute, the state may not have the flexibility to adjust to the changing landscape. The continuity of operations planning portions of the bill have been widely vetted and are unopposed.
Persons Testifying: CON: Dave Stiles, Oath Keepers of WA State.
OTHER: Nancy Bickford, WA Military Dept.; Matt Miller, State Auditor's Office; Michael Cockrill, OCIO.