State Information Technology. General. The Consolidated Technology Services Agency, also known as Washington Technology Services (WaTech), supports state agencies as a centralized provider and procurer of information technology (IT) services. The director of WaTech is the state Chief Information Officer (CIO). Within WaTech, the Office of the Chief Information Officer (OCIO) has primary duties related to IT for state government, which include establishing statewide enterprise architecture and standards.
Policy and Standard. OCIO policy and standard on securing IT assets require agencies to implement common IT security standards. A component of this policy outlines data security requirements such as data classification. Agencies must classify data based on its sensitivity. Data must be translated to the following classification categories:
Another component of this policy specifies data and program backup requirements such as implementing procedures for periodic tests to restore agency data from backup media, testing recovery procedure for critical systems as specified in the agency IT Security Program, and establishing methods to secure their backup media.
Technology Services Board. The Technology Services Board (TSB) is created within WaTech. Membership is composed of legislators and representatives from state and local government and the private sector. The TSB has specified powers and duties related to information services including to review and approve standards and policies developed by the OCIO and provide oversight of major IT projects.
Public Records Act. Under the Public Records Act (PRA), all state and local agencies must make all public records available for public inspection and copying, unless a specific exemption in the PRA or another statute applies. The PRA must be liberally construed and its exemptions narrowly construed to promote a general public policy favoring disclosure.
The Office of the Chief Information Officer's Responsibilities. The OCIO:
State Agency Responsibilities. Each state agency, excluding institutions of higher education, must ensure all mission critical applications, business essential applications, and other resources containing category 3 or category 4 data have immutable backups.
By September 30, 2023, and biannually thereafter, each state agency must review all of its mission critical applications, business essential applications, and other resources containing category 3 or category 4 data and report to the OCIO the certain data, such as a list of applications, that have and do not have immutable backup.
By March 31, 2024, state agencies must ensure all mission critical applications, business essential applications, and other resources containing category 3 or category 4 data are compliant with the reporting requirement and report to the OCIO whether they are in compliance. If any state agency reasonably anticipates it cannot comply with this requirement, it must submit a plan to the OCIO by March 31, 2024, detailing steps it will take to comply.
Report to the Technology Service Board. By December 31, 2024, and biannually thereafter, the OCIO must provide an oral report to the members of the TSB during an executive session which is closed to the public, the chairs and ranking members of the appropriate fiscal committees of the Legislature, and the appropriate policy staff in the Office of the Governor. The oral report must include certain information regarding mission critical applications, business essential applications, and other resources containing category 3 or category 4 data.
Consolidated Technology Services Revolving Account. In addition to current statutory authority to approve expenditures from the Consolidated Technology Services Revolving Account, the state CIO, with the approval of the TSB, is authorized to expend up to $5,000,000 per fiscal biennium for the TSB to provide funding to state agencies for procuring immutable data backup and disaster recovery services for mission critical application, business essential applications, or other critical IT systems, containing category 3 or category 4 data.
Public Records Act Exemption. The reports produced and information compiled pursuant to this act are confidential and may not be disclosed under the PRA.
PRO: This bill establishes an internal process based on best practices to prevent ransomware attacks that devastate local communities and protect the collection and security of constituent’s data. It creates an area where we can support WaTech and the work it is doing. A recent auditor's report identified gaps in agency compliance with current security policies. We are a data and technology leading state, and we need transparency and funding to address the issues included in the report.
OTHER: The use of backups and their role in disaster recovery are important parts of an IT organization's operating model and provide many benefits and protections to ensure availability of state services in the event of a cybersecurity incident. To meet the deadlines and reporting requirements, WaTech may have to reprioritize some of its statewide program initiatives.