BILL REQ. #: S-4066.1
State of Washington | 63rd Legislature | 2014 Regular Session
READ FIRST TIME 02/04/14.
AN ACT Relating to plans and protections in the event of a cyber attack, emergency, or disaster; amending RCW 43.41A.006, 43.41A.025, 38.52.010, 38.52.020, and 38.52.030; and creating a new section.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:
NEW SECTION. Sec. 1 The legislature finds that:
(1) Communication and information resources in the various state
agencies are strategic and vital assets belonging to the people of
Washington. Coordinated efforts and a sense of urgency are necessary
to protect these assets against unauthorized access, disclosure, use,
and modification or destruction, whether accidental or deliberate, as
well as to assure the confidentiality, integrity, and availability of
information.
(2) State government has a duty to its citizens to ensure that the
information entrusted to state agencies is safe, secure, and protected
from unauthorized access, unauthorized use, or destruction.
(3) Securing the state's communication and information resources is
a statewide imperative requiring a coordinated and shared effort from
all departments, agencies, and political subdivisions of the state.
(4) Risks to communication and information resources must be
managed, and the integrity of data and the source, destination, and
processes applied to data must be assured.
(5) Information security standards, policies, and guidelines must
be promulgated and implemented throughout state agencies to ensure the
development and maintenance of minimum information security controls to
protect communication and information resources that support the
operations and assets of those agencies.
Sec. 2 RCW 43.41A.006 and 2011 1st sp.s. c 43 s 705 are each
amended to read as follows:
The definitions in this section apply throughout this chapter
unless the context clearly requires otherwise.
(1) "Backbone network" means the shared high-density portions of
the state's telecommunications transmission facilities. It includes
specially conditioned high-speed communications carrier lines,
multiplexors, switches associated with such communications lines, and
any equipment and software components necessary for management and
control of the backbone network.
(2) "Board" means the technology services board.
(3) "Committee" means the state interoperability executive
committee.
(4) "Educational sectors" means those institutions of higher
education, school districts, and educational service districts that use
the network for distance education, data transmission, and other uses
permitted by the board.
(5) "Enterprise architecture" means an ongoing program for
translating business vision and strategy into effective enterprise
change. It is a continuous activity. Enterprise architecture creates,
communicates, and improves the key principles and models that describe
the enterprise's future state and enable its evolution.
(6) "Equipment" means the machines, devices, and transmission
facilities used in information processing, including but not limited to
computers, terminals, telephones, wireless communications system
facilities, cables, and any physical facility necessary for the
operation of such equipment.
(7) "Information" includes, but is not limited to, data, text,
voice, and video.
(8) "Information technology" includes, but is not limited to, all
electronic technology systems and services, automated information
handling, system design and analysis, conversion of data, computer
programming, information storage and retrieval, telecommunications,
requisite system controls, simulation, electronic commerce, and all
related interactions between people and machines.
(9) "Information technology portfolio" or "portfolio" means a
strategic management process documenting relationships between agency
missions and information technology and telecommunications investments.
(10) "K-20 network" means the network established in RCW
43.41A.085.
(11) "Local governments" includes all municipal and quasi-municipal
corporations and political subdivisions, and all agencies of such
corporations and subdivisions authorized to contract separately.
(12) "Office" means the office of the chief information officer.
(13) "Oversight" means a process of comprehensive risk analysis and
management designed to ensure optimum use of information technology
resources and telecommunications.
(14) "Proprietary software" means that software offered for sale or
license.
(15) "State agency" or "agency" means every state office,
department, division, bureau, board, commission, or other state agency,
including offices headed by a statewide elected official.
(16) "Telecommunications" includes, but is not limited to, wireless
or wired systems for transport of voice, video, and data
communications, network systems, requisite facilities, equipment,
system controls, simulation, electronic commerce, and all related
interactions between people and machines. "Telecommunications" does
not include public safety communications.
(17) "Communication and information resources" includes, but is not
limited to, procedures, equipment, and software that are designed,
built, operated, and maintained to collect, record, process, store,
retrieve, display, and transmit information.
(18) "Information security" means the protection of communication
and information resources from unauthorized access, use, disclosure,
disruption, modification, or destruction in order to:
(a) Prevent improper information modification or destruction;
(b) Preserve authorized restrictions on information access and
disclosure;
(c) Ensure timely and reliable access to and use of information;
and
(d) Maintain the confidentiality, integrity, and availability of
information.
(19) "Information technology security program" means the program
developed by a state agency in accordance with the information security
policies, standards, and guidelines developed by the office.
Sec. 3 RCW 43.41A.025 and 2013 2nd sp.s. c 33 s 1 are each
amended to read as follows:
(1) The chief information officer shall establish standards and
policies to govern information technology in the state of Washington.
(2) The office shall have the following powers and duties related
to information services:
(a) To develop statewide standards and policies governing the
acquisition and disposition of equipment, software, and personal and
purchased services, licensing of the radio spectrum by or on behalf of
state agencies, and confidentiality of computerized data;
(b) To develop statewide or interagency technical policies,
standards, and procedures;
(c) To review and approve standards and common specifications for
new or expanded telecommunications networks proposed by agencies,
public postsecondary education institutions, educational service
districts, or statewide or regional providers of K-12 information
technology services;
(d) To develop a detailed business plan for any service or activity
to be contracted under RCW 41.06.142(7)(b) by the consolidated
technology services agency;
(e) To provide direction concerning strategic planning goals and
objectives for the state. The office shall seek input from the
legislature and the judiciary;
(f) To establish policies for the periodic review by the office of
agency performance which may include but are not limited to analysis
of:
(i) Planning, management, control, and use of information services;
(ii) Training and education; and
(iii) Project management;
(g) To coordinate with state agencies with an annual information
technology expenditure that exceeds ten million dollars to implement a
technology business management program to identify opportunities for
savings and efficiencies in information technology expenditures and to
monitor ongoing financial performance of technology investments; and
(h) In conjunction with the consolidated technology services
agency, to develop statewide standards for agency purchases of
technology networking equipment and services.
(3) The office has the following powers and duties related to
information security:
(a) To develop and assist in the updating of information security
procedures, standards, and guidelines for state agencies;
(b) To assist with the development of information technology
security programs developed by state agencies that incorporate the
information security policies, standards, and guidelines;
(c) To review information security audits and assessments in state
agencies in order to assess risks and recommend adjustments;
(d) To establish and direct a risk management process to identify
information security risks in state agencies and deploy risk mitigation
strategies, processes, and procedures, including but not limited to an
information security breach response plan; and
(e) To require agencies to immediately correct security
vulnerabilities that, in the judgment of the office, pose an
unacceptable risk to the agency or the state. The office may withhold
further agency information technology spending authority if the agency
fails to remediate the risk in a timely manner.
(4) Statewide technical standards to promote and facilitate
electronic information sharing and access are an essential component of
acceptable and reliable public access service and complement content-related standards designed to meet those goals. The office shall:
(a) Establish technical standards to facilitate electronic access
to government information and interoperability of information systems,
including wireless communications systems; and
(b) Require agencies to include an evaluation of electronic public
access needs when planning new information systems or major upgrades of
systems.
In developing these standards, the office is encouraged to include
the state library, state archives, and appropriate representatives of
state and local government.
(((4))) (5) The office shall perform other matters and things
necessary to carry out the purposes and provisions of this chapter.
Sec. 4 RCW 38.52.010 and 2007 c 292 s 1 are each amended to read
as follows:
As used in this chapter:
(1) "Emergency management" or "comprehensive emergency management"
means the preparation for and the carrying out of all emergency
functions, other than functions for which the military forces are
primarily responsible, to mitigate, prepare for, respond to, and
recover from emergencies and disasters, and to aid victims suffering
from injury or damage, resulting from disasters caused by all hazards,
whether natural, technological, or human caused, and to provide support
for search and rescue operations for persons and property in distress.
However, "emergency management" or "comprehensive emergency management"
does not mean preparation for emergency evacuation or relocation of
residents in anticipation of nuclear attack.
(2) "Local organization for emergency services or management" means
an organization created in accordance with the provisions of this
chapter by state or local authority to perform local emergency
management functions.
(3) "Political subdivision" means any county, city or town.
(4) "Emergency worker" means any person who is registered with a
local emergency management organization or the department and holds an
identification card issued by the local emergency management director
or the department for the purpose of engaging in authorized emergency
management activities or is an employee of the state of Washington or
any political subdivision thereof who is called upon to perform
emergency management activities.
(5) "Injury" as used in this chapter shall mean and include
accidental injuries and/or occupational diseases arising out of
emergency management activities.
(6)(a) "Emergency or disaster" as used in all sections of this
chapter except RCW 38.52.430 shall mean an event or set of
circumstances which: (i) Demands immediate action to preserve public
health, protect life, protect public property, or to provide relief to
any stricken community overtaken by such occurrences, or (ii) reaches
such a dimension or degree of destructiveness as to warrant the
governor declaring a state of emergency pursuant to RCW 43.06.010.
(b) "Emergency" as used in RCW 38.52.430 means an incident that
requires a normal police, coroner, fire, rescue, emergency medical
services, or utility response as a result of a violation of one of the
statutes enumerated in RCW 38.52.430.
(7) "Search and rescue" means the acts of searching for, rescuing,
or recovering by means of ground, marine, or air activity any person
who becomes lost, injured, or is killed while outdoors or as a result
of a natural, technological, or human caused disaster, including
instances involving searches for downed aircraft when ground personnel
are used. Nothing in this section shall affect appropriate activity by
the department of transportation under chapter 47.68 RCW.
(8) "Executive head" and "executive heads" means the county
executive in those charter counties with an elective office of county
executive, however designated, and, in the case of other counties, the
county legislative authority. In the case of cities and towns, it
means the mayor in those cities and towns with mayor-council or
commission forms of government, where the mayor is directly elected,
and it means the city manager in those cities and towns with council
manager forms of government. Cities and towns may also designate an
executive head for the purposes of this chapter by ordinance.
(9) "Director" means the adjutant general.
(10) "Local director" means the director of a local organization of
emergency management or emergency services.
(11) "Department" means the state military department.
(12) "Emergency response" as used in RCW 38.52.430 means a public
agency's use of emergency services during an emergency or disaster as
defined in subsection (6)(b) of this section.
(13) "Expense of an emergency response" as used in RCW 38.52.430
means reasonable costs incurred by a public agency in reasonably making
an appropriate emergency response to the incident, but shall only
include those costs directly arising from the response to the
particular incident. Reasonable costs shall include the costs of
providing police, coroner, firefighting, rescue, emergency medical
services, or utility response at the scene of the incident, as well as
the salaries of the personnel responding to the incident.
(14) "Public agency" means the state, and a city, county, municipal
corporation, district, town, or public authority located, in whole or
in part, within this state which provides or may provide firefighting,
police, ambulance, medical, or other emergency services.
(15) "Incident command system" means: (a) An all-hazards, on-scene
functional management system that establishes common standards in
organization, terminology, and procedures; provides a means (unified
command) for the establishment of a common set of incident objectives
and strategies during multiagency/multijurisdiction operations while
maintaining individual agency/jurisdiction authority, responsibility,
and accountability; and is a component of the national interagency
incident management system; or (b) an equivalent and compatible all-hazards, on-scene functional management system.
(16) "Radio communications service company" has the meaning
ascribed to it in RCW 82.14B.020.
(17) "Continuity of operations planning" means the internal effort
of an organization to assure that the capability exists to continue
essential functions and services in response to a comprehensive array
of potential emergencies or disasters.
Sec. 5 RCW 38.52.020 and 1986 c 266 s 24 are each amended to read
as follows:
(1) Because of the existing and increasing possibility of the
occurrence of disasters of unprecedented size and destructiveness as
defined in RCW 38.52.010(6), and in order to insure that preparations
of this state will be adequate to deal with such disasters, to insure
the administration of state and federal programs providing disaster
relief to individuals, and further to insure adequate support for
search and rescue operations, and generally to protect the public
peace, health, and safety, and to preserve the lives and property of
the people of the state, it is hereby found and declared to be
necessary:
(a) To provide for emergency management by the state, and to
authorize the creation of local organizations for emergency management
in the political subdivisions of the state;
(b) To confer upon the governor and upon the executive heads of the
political subdivisions of the state the emergency powers provided
herein;
(c) To provide for the rendering of mutual aid among the political
subdivisions of the state and with other states and to cooperate with
the federal government with respect to the carrying out of emergency
management functions;
(d) To provide a means of compensating emergency management workers
who may suffer any injury, as herein defined, or death; who suffer
economic harm including personal property damage or loss; or who incur
expenses for transportation, telephone or other methods of
communication, and the use of personal supplies as a result of
participation in emergency management activities; ((and))
(e) To provide programs, with intergovernmental cooperation, to
educate and train the public to be prepared for emergencies; and
(f) To provide for the development and exercise of continuity of
operations plans by the state.
(2) It is further declared to be the purpose of this chapter and
the policy of the state that all emergency management functions of this
state and its political subdivisions be coordinated to the maximum
extent with the comparable functions of the federal government
including its various departments and agencies of other states and
localities, and of private agencies of every type, to the end that the
most effective preparation and use may be made of the nation's
manpower, resources, and facilities for dealing with any disaster that
may occur.
Sec. 6 RCW 38.52.030 and 1997 c 49 s 2 are each amended to read
as follows:
(1) The director may employ such personnel and may make such
expenditures within the appropriation therefor, or from other funds
made available for purposes of emergency management, as may be
necessary to carry out the purposes of this chapter.
(2) The director, subject to the direction and control of the
governor, shall be responsible to the governor for carrying out the
program for emergency management of this state. The director shall
coordinate the activities of all organizations for emergency management
within the state, and shall maintain liaison with and cooperate with
emergency management agencies and organizations of other states and of
the federal government, and shall have such additional authority,
duties, and responsibilities authorized by this chapter, as may be
prescribed by the governor.
(3) The director shall develop and maintain a comprehensive, all-hazard emergency plan for the state which shall include an analysis of
the natural, technological, or human caused hazards which could affect
the state of Washington, and shall include the procedures to be used
during emergencies for coordinating local resources, as necessary, and
the resources of all state agencies, departments, commissions, and
boards. The comprehensive emergency management plan shall direct the
department in times of state emergency to administer and manage the
state's emergency operations center. This will include representation
from all appropriate state agencies and be available as a single point
of contact for the authorizing of state resources or actions, including
emergency permits. The comprehensive emergency management plan must
specify the use of the incident command system for
multiagency/multijurisdiction operations. The comprehensive, all-hazard emergency plan authorized under this subsection may not include
preparation for emergency evacuation or relocation of residents in
anticipation of nuclear attack. This plan shall be known as the
comprehensive emergency management plan.
(4) In accordance with the comprehensive emergency management plans
and the programs for the emergency management of this state, the
director shall procure supplies and equipment, institute training
programs and public information programs, and shall take all other
preparatory steps, including the partial or full mobilization of
emergency management organizations in advance of actual disaster, to
insure the furnishing of adequately trained and equipped forces of
emergency management personnel in time of need.
(5) The director shall make such studies and surveys of the
industries, resources, and facilities in this state as may be necessary
to ascertain the capabilities of the state for emergency management,
and shall plan for the most efficient emergency use thereof.
(6) The emergency management council shall advise the director on
all aspects of the communications and warning systems and facilities
operated or controlled under the provisions of this chapter.
(7) The director, through the state enhanced 911 coordinator, shall
coordinate and facilitate implementation and operation of a statewide
enhanced 911 emergency communications network.
(8) The director shall appoint a state coordinator of search and
rescue operations to coordinate those state resources, services and
facilities (other than those for which the state director of
aeronautics is directly responsible) requested by political
subdivisions in support of search and rescue operations, and on request
to maintain liaison with and coordinate the resources, services, and
facilities of political subdivisions when more than one political
subdivision is engaged in joint search and rescue operations.
(9) The director, subject to the direction and control of the
governor, shall prepare and administer a state program for emergency
assistance to individuals within the state who are victims of a
natural, technological, or human caused disaster, as defined by RCW
38.52.010(6). Such program may be integrated into and coordinated with
disaster assistance plans and programs of the federal government which
provide to the state, or through the state to any political subdivision
thereof, services, equipment, supplies, materials, or funds by way of
gift, grant, or loan for purposes of assistance to individuals affected
by a disaster. Further, such program may include, but shall not be
limited to, grants, loans, or gifts of services, equipment, supplies,
materials, or funds of the state, or any political subdivision thereof,
to individuals who, as a result of a disaster, are in need of
assistance and who meet standards of eligibility for disaster
assistance established by the department of social and health services:
PROVIDED, HOWEVER, That nothing herein shall be construed in any manner
inconsistent with the provisions of Article VIII, section 5 or section
7 of the Washington state Constitution.
(10) The director shall appoint a state coordinator for radioactive
and hazardous waste emergency response programs. The coordinator shall
consult with the state radiation control officer in matters relating to
radioactive materials. The duties of the state coordinator for
radioactive and hazardous waste emergency response programs shall
include:
(a) Assessing the current needs and capabilities of state and local
radioactive and hazardous waste emergency response teams on an ongoing
basis;
(b) Coordinating training programs for state and local officials
for the purpose of updating skills relating to emergency mitigation,
preparedness, response, and recovery;
(c) Utilizing appropriate training programs such as those offered
by the federal emergency management agency, the department of
transportation and the environmental protection agency; and
(d) Undertaking other duties in this area that are deemed
appropriate by the director.
(11) The director is responsible to the governor for developing and
implementing a program for interagency coordination of continuity of
operations planning by state agencies, boards, and commissions. Each
state agency, board, and commission is responsible for developing an
organizational continuity of operations plan that is updated and
exercised annually in compliance with the program for interagency
coordination of continuity of operations planning.