By Senator Wilson, L.
"NEW SECTION. Sec. 7. (1) The office of financial management shall contract for an independent security evaluation audit of state agency information technology in the state of Washington. The independent third party must audit the security and protection of digital assets for the state of Washington to test and assess the overall security posture including, but not limited to, cybersecurity.
(2) The audit must, at a minimum:
(a) Define threats, and include recommendations to mitigate the threats to include real-time security assessments of applications, systems, and networks to identify and assess risks and determine if they could be exploited by bad actors;
(b) Review security protocols and identify flaws in both physical and digital systems, to include data transfers;
(c) Assess the current security performance of existing security structures, to include penetration testing;
(d) Prioritize and complete risk scoring of identified threats and risks; and
(e) Formulate security solutions with estimated costs, to include what can be achieved in the short term, or less than 12 months, and what can be achieved in the mid to long term.
(3) The independent audit team must include the chair and ranking member of the senate environment, energy, and technology committee and two members of the house of representatives in executive briefings throughout the audit, and the four members must be updated, at least monthly, on the progress of the audit.
(4) The security evaluation audit report must be submitted to the fiscal committees of the legislature by August 31, 2022.
(5) Reports shared and submitted by the independent audit team, the office of financial management, and the office of cybersecurity to the members identified in subsections (3) and (4) of this section are exempt from disclosure under chapter 42.56 RCW.
NEW SECTION. Sec. 8. A new section is added to chapter 42.56 RCW to read as follows:
Reports shared and submitted by the independent audit team, the office of financial management, and the office of cybersecurity to the members identified in section 7 (3) and (4) of this act in accordance with the requirements in section 7 of this act are exempt from disclosure under this chapter."