Substitute House Bill 2044 as Recommended by State Government & Tribal Relations

Source

Section 1

Washington state branches of government, agencies, boards, and commissions manage and protect highly sensitive data in order to best serve constituents. The data managed by public entities is a high value target for domestic and international perpetrators of for-profit ransomware and other malicious cyber activities. Breaches in data security prevent state agencies from protecting confidential and sensitive information stored in technology systems. In the absence of immutable data backup capabilities and reliable disaster recovery practices, state agency information technology systems are vulnerable to such breaches in security. The legislature finds that enterprise technology programs, standards, and policies have been developed for data backup and recovery practices that agencies must implement to protect confidential and sensitive information contained in enterprise and individual agencies' information technology systems. The legislature further finds that the availability of an enterprise identity management solution, the active promotion of cybersecurity awareness practices, readiness of state resources for incident management, and the availability of immutable data backups of critical, sensitive, and confidential data are the best protection that the state can offer to combat ransomware and other malicious cyber activities. The legislature recognizes that action must be taken at each state agency to ensure data backup and disaster recovery practices are consistent with enterprise technology standards and is aware that additional investments in technology, training, and personnel will be needed.

Section 2

This section adds a new section to an existing chapter 43.105. Here is the modified chapter for context.

  1. The office shall design, develop, and implement enterprise technology standards specific to malware and ransomware protection, backup, and recovery, as well as prevention education for state employees and constituents using state technology services.

  2. [Empty]

    1. The office shall establish a ransomware education and outreach program dedicated to educating public agencies on prevention, response, and remediation of ransomware.

    2. The office shall document, publish, and distribute ransomware response educational materials specifically for chief executive officers, chief financial officers, chief information officers, and chief information security officers, or their equivalents, to each state agency, board, and commission, which outlines specific steps to take in the event of a malware attack. Distribution of materials must be determined at the discretion of the office.

  3. Each state agency must ensure that all mission critical applications, business essential applications, and other resources containing data that requires special handling, as defined in enterprise technology standards developed pursuant to RCW 43.105.054, must be protected.

  4. [Empty]

    1. Each state agency must perform an assessment of all their applications and resources containing data and report to the office the sizing of managed data to include identifying mission critical applications, business essential applications, and categorizing all data attributes, as defined in enterprise technology standards developed pursuant to RCW 43.105.054, and develop a list of prioritized applications based on mission criticality and impact to constituents in the event of system failure or data loss and submit the list to the office.

    2. Each state agency must submit the sizing of managed data and the list required in (a) of this subsection to the office by September 30, 2022.

  5. [Empty]

    1. The office must analyze and aggregate data reported pursuant to subsection (4) of this section.

    2. By October 31, 2023, the office must submit a report to the governor and the appropriate committees of the legislature on the following:

      1. The total number of mission critical applications, the total amount of data associated with each mission critical application, the percentage of mission critical applications with immutable backups, the estimated annual data change and growth rates for each mission critical application, the percentage of mission critical applications that undergo annual continuity of operations exercises, and the percentage that meet enterprise technology standards;

      2. The total number of business essential applications, the total amount of data associated with each business essential application, the estimated annual data change and growth rates for each business essential application, the percentage of business essential applications with immutable backups, the percentage of business essential applications that undergo annual continuity of operations exercises, and the percentage that meet backup and recovery standards of the office;

      3. The percentage of applications with catalogued and categorized data;

      4. Each state agency that received waivers pursuant to subsection (4) of this section;

    3. Prioritized applications identified by each state agency as required in subsection (4)(a) of this section; and

    1. Recommendations for further legislation, rules, and policy that will increase protections against ransomware.
  6. Agencies must ensure that all mission critical applications, business essential applications, and other resources containing category 3 and category 4 data are protected in accordance with enterprise technology standards developed under RCW 43.105.054.

  7. The office of financial management, department of enterprise services, and consolidated technology services agency must ensure that all mission critical and business essential information technology systems, in accordance with enterprise technology standards developed under RCW 43.105.054, are compliant with the provisions of this act and are supported by immutable backups by December 31, 2025.

  8. The office shall provide ongoing assistance to the legislature by identifying mission critical systems, as defined in enterprise technology standards, that do not maintain backup and recovery capabilities and may require further investment to do so. The office shall modify existing portfolio reporting mechanisms already in place to support the collection of relevant data necessary to baseline and monitor risk associated with malware and ransomware protections as prescribed by this act. The agency-reported data must be analyzed for risk and used to provide the legislature with a prioritized list of mission critical systems that require additional protections to maintain continuity of operations in the event of malicious cyber activity.

  9. The reports produced and information compiled pursuant to subsection (5) of this section are confidential and may not be disclosed under chapter 42.56 RCW.

  10. This section does not apply to institutions of higher education.

Section 3

This section adds a new section to an existing chapter 43.105. Here is the modified chapter for context.

  1. The information technology security account is created in the custody of the state treasurer. All receipts from legislative appropriations to the account must be deposited in the account. Expenditures from the account may only be used for the purposes specified in subsection (2) of this section. Only the director of the consolidated technology services agency or the director's designee may authorize expenditures from the account. The account is subject to allotment procedures under chapter 43.88 RCW, but an appropriation is not required for expenditures.

  2. State agencies may apply to the consolidated technology services agency to receive a disbursement from the account for the purposes of procuring immutable data backup and disaster recovery services for mission critical and business essential applications or other critical information technology systems. When selecting agencies to receive disbursements from the account, the consolidated technology services agency must consider the agency's prioritized application list created under section 2 of this act, in order to ensure that funding is allocated to protecting the most vulnerable systems containing the most sensitive public information.

  3. Moneys in the account must supplement, and may supplant, existing funding to the consolidated technology services agency or the office of the state chief information officer.

Section 4

This section adds a new section to an existing chapter 42.56. Here is the modified chapter for context.

The reports and information compiled pursuant to section 2 (4) and (5)(b) of this act are confidential and may not be disclosed under this chapter.

Section 6

This section modifies existing section 43.105.054. Here is the modified chapter for context.

  1. The director shall establish standards and policies to govern information technology in the state of Washington.

  2. The office shall have the following powers and duties related to information services:

    1. To develop statewide standards and policies governing the:

      1. Acquisition of equipment, software, and technology-related services;

      2. Disposition of equipment;

      3. Licensing of the radio spectrum by or on behalf of state agencies; and

      4. Confidentiality of computerized data;

    2. To develop statewide and interagency technical policies, standards, and procedures;

    3. To review and approve standards and common specifications for new or expanded telecommunications networks proposed by agencies, public postsecondary education institutions, educational service districts, or statewide or regional providers of K-12 information technology services;

    4. With input from the legislature and the judiciary, to provide direction concerning strategic planning goals and objectives for the state;

    5. To establish policies for the periodic review by the director of state agency performance which may include but are not limited to analysis of:

      1. Planning, management, control, and use of information services;

      2. Training and education;

      3. Project management; and

      4. Cybersecurity, in coordination with the office of cybersecurity;

    6. To coordinate with state agencies with an annual information technology expenditure that exceeds ten million dollars to implement a technology business management program to identify opportunities for savings and efficiencies in information technology expenditures and to monitor ongoing financial performance of technology investments;

    7. In conjunction with the consolidated technology services agency, to develop statewide standards for agency purchases of technology networking equipment and services;

    8. To implement a process for detecting, reporting, and responding to security incidents consistent with the information security standards, policies, and guidelines adopted by the director;

    9. To develop plans and procedures to ensure the continuity of commerce for information resources that support the operations and assets of state agencies in the event of a security incident;

    10. To design, develop, and implement enterprise technology standards specific to malware and ransomware protection, backup, and recovery; and

    11. To work with the office of cybersecurity, department of commerce, and other economic development stakeholders to facilitate the development of a strategy that includes key local, state, and federal assets that will create Washington as a national leader in cybersecurity. The office shall collaborate with, including but not limited to, community colleges, universities, the national guard, the department of defense, the department of energy, and national laboratories to develop the strategy.

  3. Statewide technical standards to promote and facilitate electronic information sharing and access are an essential component of acceptable and reliable public access service and complement content-related standards designed to meet those goals. The office shall:

    1. Establish technical standards to facilitate electronic access to government information and interoperability of information systems, including wireless communications systems; and

    2. Require agencies to include an evaluation of electronic public access needs when planning new information systems or major upgrades of systems.

In developing these standards, the office is encouraged to include the state library, state archives, and appropriate representatives of state and local government.

Section 7

This section modifies existing section 43.105.220. Here is the modified chapter for context.

  1. [Empty]

    1. The office shall prepare a state strategic information technology plan which shall establish a statewide mission, goals, and objectives for the use of information technology, including goals for electronic access to government records, information, and services. The plan shall be developed in accordance with the standards and policies established by the office. The office shall seek the advice of the board in the development of this plan.

    2. The plan shall be updated as necessary and submitted to the governor and the legislature.

  2. [Empty]

    1. The office shall prepare a biennial state performance report on information technology based on state agency performance reports required under RCW 43.105.235 and other information deemed appropriate by the office. The report shall include, but not be limited to:

      1. An analysis, based upon agency portfolios, of the state's information technology infrastructure, including its value, condition, and capacity;

      2. An evaluation of performance relating to information technology;

      3. An assessment of progress made toward implementing the state strategic information technology plan, including progress toward electronic access to public information and enabling citizens to have two-way access to public records, information, and services; and

      4. An analysis of the success or failure, feasibility, progress, costs, and timeliness of implementation of major information technology projects under RCW 43.105.245. At a minimum, the portion of the report regarding major technology projects must include:

(A) The total cost data for the entire life-cycle of the project, including capital and operational costs, broken down by staffing costs, contracted service, hardware purchase or lease, software purchase or lease, travel, and training. The original budget must also be shown for comparison;

(B) The original proposed project schedule and the final actual project schedule;

(C) Data regarding progress towards meeting the original goals and performance measures of the project;

(D) Discussion of lessons learned on the project, performance of any contractors used, and reasons for project delays or cost increases; and

(E) Identification of benefits generated by major information technology projects developed under RCW 43.105.245.

b. Copies of the report shall be distributed biennially to the governor and the legislature. The major technology section of the report must examine major information technology projects completed in the previous biennium.
  1. [Empty]

    1. By December 31, 2024, the office shall initiate a biannual report to the legislature, governor, and technology services board sharing information garnered from the agency reports that includes:

      1. The number of mission critical applications;

      2. The number of mission critical applications with immutable backups;

      3. The number of business essential applications;

      4. The number of business essential applications with backups meeting enterprise technology standards;

    2. The number of applications containing either category 3 data or category 4 data, or both;

    1. The number of applications containing either category 3 data or category 4 data, or both, with immutable backups;

    2. The breadth of threat landscape;

    3. A prioritized list of systems within the enterprise requiring immutable backups;

     ix. **The cost of implementing immutable backups for each prioritized application;**
    
    1. The number of full-time equivalents required to manage malware prevention and response policies and agency incident response assistance;
    1. Progress toward protection compared with the last submitted report; and

    2. Recommendations for further work to protect critical state systems.

    1. These additional reporting requirements are not subject to public disclosure under chapter 42.56 RCW.

Section 8

This section adds a new section to an existing chapter 43.105. Here is the modified chapter for context.

The office must apply for any federal grant or other financial assistance program, excluding loans, that meets the purposes of this act. Any federal revenues received from these grants or programs that may be used to provide security and protection to critical state agency information technology systems must be deposited into the information technology security account created in section 3 of this act.

Section 9

The sum of $5,000,000, or as much thereof as may be necessary, is appropriated for the fiscal year ending June 30, 2023, from the general fund to the information technology security account created in section 3 of this act for the purposes of this act.

Section 10

This act may be known and cited as the Washington state ransomware protection act.


Created by @tannewt. Contribute on GitHub.