
Minutes for HB2077 - Committee on Appropriations

Short Title

Implementing additional reporting requirements for informational technology projects and state agencies and requiring additional information technology security training and status reports.

Minutes Content for Tue, Jan 31, 2023

Chairperson Waymaster opened the hearing on HB2077.

Revisor Natalie Scott provided information about HB2077, implementing additional reporting requirements for information technology projects and state agencies and requiring additional information technology security training and status reports. (Attachment 1)

Revisor Natalie Scott stood for questions relating to how changes in the bill would impact a situation wherein a federal agency provides certain fixes and federal funds for fixes, and whether the state agency would have to get approval first if the project was over the 10 percent threshold. The response was that she wasn't exactly sure of the impact. It would depend on whether the fix was related to an existing information technology upgrade project at the time. If the total project cost changes, then the Chief Information Technology Officer (CITO) would have to report to the Joint Committee on Information Technology (JCIT). If the agency starts an information technology project to deal with an emergency, it will go through the same reporting process as other projects. The committee gets quarterly reports, so depending on how fast the project goes, it could be into development before the committee gets a report. The JCIT chairperson can always get a briefing from the CITO or from the agency head during an emergency situation.

Proponent testimony in person:

Representative Kyle Hoffman, Kansas State House of Representatives, District 116, and Vice Chairperson of the Joint Committee on Information Technology (Attachment 2) This bill is the same bill, (2022) HB2548, that the Appropriations Committee and the House passed last year. The Senate did not take up the bill. Since the bill did not pass, a proviso was added to the budget for some provisions to go into effect. For the last six months, JCIT has received updates. If two people do not agree on the need for a meeting, then it automatically follows the procedure jointly developed with former Secretary Angela Burns-Wallace, to make sure the process was not slowed down more than needed. To add to the topic discussed earlier with the revisor, it is not believed that the process would go into effect because there wasn't a request for proposal, nor would it have affected their ability to make needed upgrades in a timely manner. In nearly every budget, computer system upgrades are needed due to their age. Over the years, there has been little oversight before projects go into effect. Most oversight occurs afterward.

The main part of this bill is JCIT oversight before projects go into effect. Another change is going from a $250,000 threshold to risk assessment, due to a potential change impacting multiple agencies. JCIT will see high-risk changes, not low-risk changes, that are independent of the estimated cost of the project. Cybersecurity and reporting changes are necessary.

Representative Hoffman stood for questions regarding the potential impact this bill would have had if it had been implemented 14 years ago during the timeframe when the Department of Labor started their modernization project. Oversight might have kept the modernization on track, eliminated the entire issue experienced, and eliminated the millions of dollars studying it.

A question was directed toward the RFP process and the response was JCIT cannot stop a request for proposal due to separation of powers between the legislative branch and administration. The legislative branch can say they are not going to fund it. Through oversight, the JCIT can get clarity of projects earlier in the process.

A question was asked about who determines the risk and the response was the Information Technology Executive Council will create policy to determine the risk assessment done by the agency. The agency will follow the procedures to determine whether or not it's at-risk. Risks can be skewed either way, and work is still needed to achieve the desired balance of being fair for agencies and getting good oversight.

Representative Hoffman was asked to talk more about the reporting aspects, given the many outside agencies and entities connected to the state system, which creates vulnerabilities particularly in the cybersecurity area, and given local units of government requesting assistance with cybersecurity. It was acknowledged that the sooner a breach can be mitigated, the less it costs. The response was that mandatory breach notifications for any systems on the state network are not in the bill presently and there might be an amendment coming. There are link-severing protocols in place in order to safeguard the state system.

A question was asked if the bill includes higher education and the response was that it encompasses all public universities. A clarification was made that community colleges and technical colleges are not included, because they are not state agencies as defined under the bill.

There was no opponent testimony.

Neutral testimony in person:

Jeff Maxon, Interim Chief Information Technology Officer for the Executive Branch and also serving as the State Chief Information Security Officer. (Attachment 3) The bill has three parts: changing to a risk-based model and away from the cost threshold, improving the communication and reporting process from the agencies to JCIT, and updates to the Kansas Cybersecurity Act.

Since the Act is being opened up and is based on the audit of the Kansas Information Security Office by Legislative Post Audit, a request was made to include language that allows the Chief Information Security Officer for the state to set cybersecurity policy for executive branch agencies and the authority and ability to audit executive branch agencies, which currently does not exist. The bill is set up so the Chief Information Security Officer is an advisory and consultant position. They would assess and set policy and audit agencies against said policy.

Jeff Maxon stood for questions about the current process for when there is a breach and what other states are doing. He responded that many states have created statutes to require all public entities to report any cybersecurity incident to the state. Multiple states have put such a requirement in place. Kansas has processes in place where entities can report a breach to the state, but there is no requirement for reporting. Some agencies have had to set up agreements with local governments that they notify them because of those connections. There is no single point of notification that would allow the state to defend its network, offer assistance, and avert some costly situations.

Chairperson Waymaster closed the public hearing on HB2077.