SENATE BILL REPORT

SB 5455

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As Reported by Senate Committee On:

State Government, February 17, 2017

Title: An act relating to enhancing statewide cybersecurity performance through information assessment.

Brief Description: Concerning statewide cybersecurity performance.

Sponsors: Senators Miloscia, Zeiger and Pearson.

Brief History:

Committee Activity: State Government: 2/01/17, 2/17/17 [DPS-WM, DNP].

Brief Summary of Substitute Bill

  • Requires Washington Technology Solutions (WaTech) to mutually develop procedures with the Legislature for providing cybersecurity information to members of the Legislature and to conduct an excellence assessment every two years.

  • Requires the state Chief Information Officer (CIO) to set one- and five-year performance projections, rather than goals, and update the Legislature on performance annually.

  • Requires inclusion of one-year and five-year projections in the state strategic information technology (IT) plan.

SENATE COMMITTEE ON STATE GOVERNMENT

Majority Report: That Substitute Senate Bill No. 5455 be substituted therefor, and the substitute bill do pass and be referred to Committee on Ways & Means.

Signed by Senators Miloscia, Chair; Zeiger, Vice Chair; Pearson.

Minority Report: Do not pass.

Signed by Senators Hunt, Ranking Minority Member; Kuderer.

Staff: Melissa Van Gorkom (786-7491)

Background: WaTech. The Legislature established the Consolidated Technology Services agency, most commonly referred to as WaTech, and the Office of the Chief Information Officer (OCIO) in 2011. The CIO serves as Director of WaTech.

The CIO sets performance targets and approves plans for achieving measurable and specific goals for the agency, and reports to the Governor on agency performance at least quarterly.

The OCIO prepares a state strategic IT plan that includes a statewide mission, goals, and objectives for the use of IT, including goals for electronic access to government records, information, and services.

Performance Assessments. A 1987 act established a federal program to evaluate management quality of U.S. businesses. Both the Baldrige Performance Excellence Program and the Malcolm Baldrige National Quality Award are administered by the National Institute of Standards and Technology (NIST) within the U.S. Department of Commerce. The program currently publishes performance excellence frameworks used by trained examiners to evaluate management in both for-profit and nonprofit organizations, including government entities. Following an assessment, an examiner scores an organization's management quality.

Summary of Bill (First Substitute): CIO. The CIO must set one- and five-year projections, rather than goals, and update the Legislature on performance annually.

OCIO. The OCIO must include one-year and five-year projections in the state strategic IT plan.

WaTech. WaTech must:

If the agency meets that goal, WaTech must apply for a quality award and need only conduct assessments every four years. WaTech must report assessment results to relevant legislative committees.

Excellence Assessment. An excellence assessment is an assessment of enterprise security operational performance using a framework approved by the NIST, U.S. Department of Commerce.

EFFECT OF CHANGES MADE BY STATE GOVERNMENT COMMITTEE (First Substitute): Requires an excellence assessment, rather than a cybersecurity excellence assessment, of agency operational performance.

Clarifies that the procedures for providing information about the state's cybersecurity infrastructure, performance, and posture to the members of the Legislature will be developed mutually with the Legislature and include enforceable nondisclosure agreements.

Appropriation: None.

Fiscal Note: Available.

Creates Committee/Commission/Task Force that includes Legislative members: No.

Effective Date: Ninety days after adjournment of session in which bill is passed.

Staff Summary of Public Testimony on Original Bill: The committee recommended a different version of the bill than what was heard. PRO: The goal is for Washington to have the best cybersecurity and performance in the nation.

OTHER: Cybersecurity has moved out of the technology realm and into the policy realm, and this bill is a reflection of that. This bill gets the conversation going and we appreciate the intention but want to work through the minutiae of the bill.

Persons Testifying: PRO: Senator Mark Miloscia, Prime Sponsor. OTHER: Rob St. John, Office of the Chief Information Officer.

Persons Signed In To Testify But Not Testifying: No one.