SB 5518 - Ransomware/state

Section 1

The legislature finds that Washington state branches of government, agencies, boards, and commissions manage and protect highly sensitive data to best serve constituents. The data managed by public entities is a high value target for domestic and international perpetrators of for-profit ransomware and other malicious cyber activities. Breaches in data security prevent state agencies from protecting confidential and sensitive information stored in technology systems.

In the absence of immutable data protection capabilities and reliable disaster recovery practices, the legislature finds that a breach of state agency information technology systems may result in the reduction of critical constituent services and increased risk of financial harm related to identity theft.

The legislature finds that state agencies have implemented enterprise technology programs, standards, and policies for data backup and recovery practices to protect confidential and sensitive information contained in enterprise and individual state agencies' information technology systems. The legislature further finds that combining these data protection practices with preventative practices, such as an enterprise identity management solution, the active promotion of cybersecurity awareness practices, and maintaining the readiness of state resources for incident management is the best protection that the state can offer to combat the effects of ransomware and other malicious cyber activities.

The legislature recognizes that action must be taken at each state agency to ensure data protection and disaster recovery practices are consistent with enterprise technology standards and is aware that additional investments in technology, training, and personnel will be needed. The legislature further recognizes that adequate funding must be provided to support agency efforts to protect confidential and sensitive data stored in technology systems.

Section 2

The definitions in this section apply throughout this chapter unless the context clearly requires otherwise.

Section 3

  1. The office shall design, develop, and implement enterprise technology standards specific to malware and ransomware protection, backup, and recovery, as well as prevention education for state employees and constituents who use state technology services. The office shall refer to the national institute of standards and technology (NIST) ransomware profile contained in the NIST ransomware Risk Management: A Cybersecurity Framework Profile published February 2022, or its successor publication, as guidance to support the prevention of, response to, and recovery from, ransomware events.

  2. [Empty]

    1. The office shall establish a ransomware education and outreach program dedicated to educating public agencies on the prevention, response, and remediation of malware and ransomware.

    2. The office shall document, publish, and distribute malware and ransomware response educational materials specifically for chief executive officers, chief financial officers, chief information officers, and chief information security officers, or their equivalents, to each state agency, which outlines specific steps to take in the event of a malware attack that destroys, encrypts, exfiltrates, obfuscates, or otherwise prevents the owning organization from accessing their data.

  3. Each state agency must ensure that all mission critical applications, business essential applications, and other resources containing category 3 or category 4 data as defined in enterprise technology standards developed pursuant to RCW 43.105.054, have immutable backups.

  4. By September 30, 2023, and biannually thereafter, each state agency shall review all of its mission critical applications, business essential applications, and other resources containing category 3 or category 4 data, as described in the enterprise technology standards developed pursuant to RCW 43.105.054, and report to the office:

    1. The total size of managed data;

    2. A list of mission critical applications and business essential applications, containing category 3 or category 4 data, as described in the enterprise technology standards developed pursuant to RCW 43.105.054;

    3. A list of the applications described in (b) of this subsection that do not have immutable backup; and

    4. A list of prioritized applications based on mission criticality and impact to constituents in the event of system failure or data loss.

  5. [Empty]

    1. By March 31, 2024, except as provided in (b) of this subsection, state agencies shall:

      1. Ensure that all mission critical applications, business essential applications, and other resources containing category 3 or category 4 data, as described in enterprise technology standards developed under RCW 43.105.054, are compliant with subsection (3) of this section; and

      2. Report to the office whether they are in compliance with this subsection (5)(a).

    2. If any state agency reasonably anticipates that it cannot comply with (a) of this subsection by March 31, 2024, it shall submit a plan by March 31, 2024, to the office detailing steps it will take to comply with the requirement in (a) of this subsection.

  6. The reports produced and information compiled pursuant to this section are confidential, and may not be disclosed under chapter 42.56 RCW.

  7. This section does not apply to institutions of higher education.

Section 4

  1. [Empty]

    1. The office shall prepare a state strategic information technology plan which shall establish a statewide mission, goals, and objectives for the use of information technology, including goals for electronic access to government records, information, and services. The plan shall be developed in accordance with the standards and policies established by the office. The office shall seek the advice of the board in the development of this plan.

    2. The plan shall be updated as necessary and submitted to the governor and the legislature.

  2. [Empty]

    1. The office shall prepare a biennial state performance report on information technology based on state agency performance reports required under RCW 43.105.235 and other information deemed appropriate by the office. The report shall include, but not be limited to:

      1. An analysis, based upon agency portfolios, of the state's information technology infrastructure, including its value, condition, and capacity;

      2. An evaluation of performance relating to information technology;

      3. An assessment of progress made toward implementing the state strategic information technology plan, including progress toward electronic access to public information and enabling citizens to have two-way access to public records, information, and services; and

      4. An analysis of the success or failure, feasibility, progress, costs, and timeliness of implementation of major information technology projects under RCW 43.105.245. At a minimum, the portion of the report regarding major technology projects must include:

        (A) The total cost data for the entire life-cycle of the project, including capital and operational costs, broken down by staffing costs, contracted service, hardware purchase or lease, software purchase or lease, travel, and training. The original budget must also be shown for comparison;

        (B) The original proposed project schedule and the final actual project schedule;

        (C) Data regarding progress towards meeting the original goals and performance measures of the project;

        (D) Discussion of lessons learned on the project, performance of any contractors used, and reasons for project delays or cost increases; and

        (E) Identification of benefits generated by major information technology projects developed under RCW 43.105.245.

    2. Copies of the report shall be distributed biennially to the governor and the legislature. The major technology section of the report must examine major information technology projects completed in the previous biennium.

  3. [Empty]

    1. By December 31, 2024, and biannually thereafter, the office shall provide an oral report to the members of the technology services board during an executive session which is closed to the public, the chairs and ranking members of the appropriate fiscal committees of the senate and house of representatives, and the appropriate policy staff in the office of the governor which must include the following information based on the data reported by state agencies pursuant to section 3(4) of this act:

      1. The total number of mission critical applications within state agencies;

      2. The total number of mission critical applications within state agencies with immutable backups;

      3. The total number of business essential applications within state agencies;

      4. The total number of business essential applications held by state agencies with immutable backups;

      5. The total number of applications held by state agencies containing either category 3 data or category 4 data, or both;

      6. The total number of applications held by state agencies containing either category 3 data or category 4 data, or both, with immutable backups;

      7. The breadth of threat landscape;

      8. A prioritized list of applications within each state agency requiring immutable backups;

      9. The cost of implementing immutable backups for each prioritized application;

      10. The number of full-time equivalents required to manage malware prevention and response policies and state agency incident response assistance;

      11. Progress toward protection compared with the last submitted report; and

      12. Recommendations for further work to protect critical state systems.

    2. The oral report provided under (a) of this subsection may not be recorded. The information described in (a) of this subsection is confidential and may not be disclosed under chapter 42.56 RCW.

Section 5

The reports and information compiled pursuant to section 3 of this act and RCW 43.105.220(3) are confidential, and may not be disclosed under this chapter.

Section 6

  1. The consolidated technology services revolving account is created in the custody of the state treasurer. All receipts from agency fees and charges for services collected from public agencies must be deposited into the account. The account must be used for the:

    1. Acquisition of equipment, software, supplies, and services; and

    2. Payment of salaries, wages, and other costs incidental to the acquisition, development, maintenance, operation, and administration of: (i) Information services; (ii) telecommunications; (iii) systems; (iv) software; (v) supplies; and (vi) equipment, including the payment of principal and interest on debt by the agency and other users as determined by the office of financial management.

  2. The director or the director's designee, with the approval of the technology services board, is authorized to expend:

    1. Up to $1,000,000 per fiscal biennium for the technology services board to conduct independent technical and financial analysis of proposed information technology projects; and

    2. Up to $5,000,000 per fiscal biennium for the board to provide funding to state agencies for the purposes of procuring immutable data backup and disaster recovery services for mission critical applications, business essential applications, or other critical information technology systems, containing category 3 or category 4 data as described in enterprise technology standards developed under RCW 43.105.054. When selecting state agencies to receive funding under this subsection, the board must consider the agency's prioritized application list under section 3 of this act, in order to ensure that funding is allocated to protecting the most vulnerable systems containing the most sensitive public information.

  3. Only the director or the director's designee may authorize expenditures from the account. The account is subject to allotment procedures under chapter 43.88 RCW, but no appropriation is required for expenditures except as provided in subsection (4) of this section.

  4. Expenditures for the strategic planning and policy component of the agency are subject to appropriation.

Section 7

This act may be known and cited as the Washington state ransomware protection act.
