HOUSE BILL REPORT

ESSB 6528

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As Reported by House Committee On:

Technology & Economic Development

General Government & Information Technology

Title: An act relating to promoting economic development through protection of information technology resources.

Brief Description: Enacting the cybersecurity jobs act.

Sponsors: Senate Committee on Trade & Economic Development (originally sponsored by Senators Brown, Sheldon, Dammeier, Parlette, Schoesler, Warnick, Honeyford, Braun, Angel, Hewitt, Miloscia, O'Ban, Becker, Rivers and Rolfes).

Brief History:

Committee Activity:

Technology & Economic Development: 2/23/16, 2/26/16 [DPA];

General Government & Information Technology: 2/29/16 [DPA(GGIT w/o TED)].

Brief Summary of Engrossed Substitute Bill

(As Amended by Committee)

  • Requires the Office of the Chief Information Officer (OCIO) to implement a process for detecting and responding to security incidents and to develop plans to ensure continuity of commerce in the event of a security incident.

  • Requires the OCIO to work with stakeholders to develop a strategy that will make Washington a national leader in cybersecurity.

  • Establishes performance metrics and requires the OCIO to report to the Legislature by December 1, 2020, on its achievement of these metrics.

HOUSE COMMITTEE ON TECHNOLOGY & ECONOMIC DEVELOPMENT

Majority Report: Do pass as amended. Signed by 11 members: Representatives Morris, Chair; Tarleton, Vice Chair; Smith, Ranking Minority Member; DeBolt, Assistant Ranking Minority Member; Fey, Hudgins, Magendanz, Nealey, Rossetti, Wylie and Young.

Staff: Jasmine Vasavada (786-7301).

Background:

The Office of the Chief Information Officer.

The Office of the Chief Information Officer (OCIO) sits within the Consolidated Technology Services agency and is responsible for the preparation and implementation of a strategic information technology (IT) plan and enterprise architecture (EA) for the state. Led by the Chief Information Officer (CIO), the OCIO works toward standardization and consolidation of IT infrastructure, establishes standards and policies for EA, educates and informs the state on IT matters, evaluates current IT spending and budget requests, and oversees major IT projects, including procurements.

Consolidated Technology Services Agency.

In 2015 the Legislature consolidated functions of the OCIO, Consolidated Technology Services (CTS), and the enterprise applications division of the Department of Enterprise Services in a new executive branch agency, legally known as the CTS Agency and branded to the public in certain contexts as "WaTech."

–––––––––––––––––––––––––––––––––

Summary of Amended Bill:

Duties of the Office of the Chief Information Officer.

The OCIO must implement a process for detecting and responding to security incidents consistent with information security standards, policies, and guidelines adopted by the CIO. "Security incident" means an accidental or deliberate event that results in unauthorized access, loss, disruption, or destruction of communication and IT resources. "Information security" means the protection of communication and information resources from unauthorized access, use, disclosure, disruption, modification, or destruction in order to prevent improper information modification or destruction, preserve authorized restrictions on information access and disclosure, ensure timely and reliable access to and use of information, and maintain the confidentiality, integrity, and availability of information.

The OCIO must develop plans and procedures to ensure the continuity of operations for IT resources in the event of a security incident. The OCIO must work with the Department of Commerce and other economic development stakeholders to facilitate the development of a strategy that includes key local, state, and federal assets that will make Washington a national leader in cybersecurity. The OCIO must collaborate with community colleges, universities, the National Guard, the Department of Defense, the Department of Energy, and national laboratories to develop the strategy.

Placement of the Office of the Chief Information Officer.

The OCIO is placed within Washington Technology Solutions, rather than within the CTS Agency.

Performance Metrics.

The OCIO must evaluate the state's performance in achieving leadership in cybersecurity, by measuring and reporting to the Legislature by December 1, 2020, on the extent to which the state has achieved the following objectives, as measured by concrete metrics: high levels of compliance with the state's IT security policy and standards; recognition from the federal government; development of future leaders in cybersecurity; and broad participation in cybersecurity training and exercises or outreach.

Title.

The act may be known and cited as the Cybersecurity Jobs Act of 2016.

Amended Bill Compared to Engrossed Substitute Bill:

The amended bill specifies performance metrics by which the OCIO must evaluate the state's achievement of leadership in cybersecurity and requires the OCIO to report on the state's performance to the Legislature by December 1, 2020. The title by which the act may be known and cited is modified from the "Cybersecurity Jobs Act" to the "Cybersecurity Jobs Act of 2016."

–––––––––––––––––––––––––––––––––

Appropriation: None.

Fiscal Note: Available. New fiscal note requested on February 26, 2016.

Effective Date of Amended Bill: The bill takes effect 90 days after adjournment of the session in which the bill is passed.

Staff Summary of Public Testimony:

(In support) News of cyberattacks is increasing and makes citizens nervous about the safety of personal and private information. The state must grow its own leaders in cybersecurity and educate children so that they will want to earn a degree in this field. These jobs are high-paying, some starting at more than $100,000 a year. Washington is a leader. Many regional activities are occurring here, including research and development, private cyber assessments, and workforce development. This bill brings together stakeholders, including the national laboratories, universities, and community colleges. There are clear national standards, best practices, and management controls the state can benchmark its performance against.

(Opposed) None.

Persons Testifying: Senator Brown, prime sponsor; Jim Jesernig and Ann Lesperance, Battelle; and Michael Cockrill and Agnes Kirk, Washington Technology Solutions.

Persons Signed In To Testify But Not Testifying: None.

HOUSE COMMITTEE ON GENERAL GOVERNMENT & INFORMATION TECHNOLOGY

Majority Report: Do pass as amended by Committee on General Government & Information Technology and without amendment by Committee on Technology & Economic Development. Signed by 7 members: Representatives Hudgins, Chair; Kuderer, Vice Chair; MacEwen, Ranking Minority Member; Caldier, Assistant Ranking Minority Member; Johnson, Morris and Senn.

Staff: James Mackison (786-7104).

Summary of Recommendation of Committee On General Government & Information Technology Compared to Recommendation of Committee On Technology & Economic Development:

A reference to Washington Technology Solutions in the definition of "office" was reverted back to the Consolidated Technology Services agency to remain consistent with other statutory references.

Appropriation: None.

Fiscal Note: Available.

Effective Date of Amended Bill: The bill takes effect 90 days after adjournment of the session in which the bill is passed.

Staff Summary of Public Testimony:

(In support) The bill takes what is already being done and puts it into law.  The Chief Information Security Officer is responsible for actions required in the bill.  Requiring metrics, as is done in the amendment, is good public policy.  Input was provided on the definitions within the bill.  The committee and sponsors are commended for focusing on this issue on behalf of citizens and those involved in cybersecurity.

(Opposed) None.

Persons Testifying: Michael Cockrill and Agnes Kirk, Washington Technology Solutions.

Persons Signed In To Testify But Not Testifying: None.