HB207ENGROSSED
Page 0
HB207
EJJ5D99-2
By Representative Shaw
RFD: State Government
First Read: 06-Feb-25
1
2
3
4
5 HB207 Engrossed
Page 1
First Read: 06-Feb-25
A BILL
TO BE ENTITLED
AN ACT
Relating to the Office of Information Technology; to
amend Sections 41-28-1, 41-28-2, 41-28-4, and 41-28-5, Code of
Alabama 1975, to provide further for definitions; to expand
the services provided by the office to include cybersecurity
and tasks performed by the Division of Data Systems Management
and the Telecommunications Division of the Department of
Finance; to authorize the office, in consultation with the
Governor, to create a technology quality assurance board; to
create a Telecommunications Revolving Fund in the State
Treasury and provide for the deposit of certain fees and
appropriations into the fund and the use of those funds; to
add Sections 41-28-11, 41-28-12, 41-28-13, 41-28-14, 41-28-15,
41-28-16, 41-28-17, and 41-28-18 to the Code of Alabama 1975,
to provide further for the powers of the office, for criminal
history background checks, and exemptions; and to repeal
Article 8 of Chapter 4 of Title 41, Code of Alabama 1975,
consisting of Sections 41-4-220 through 41-4-224, Code of
Alabama 1975, providing for the Division of Data Systems
Management of the Department of Finance; and to repeal Article
9 of Chapter 4 of Title 41, Code of Alabama 1975, consisting
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28 HB207 Engrossed
Page 2
9 of Chapter 4 of Title 41, Code of Alabama 1975, consisting
of Sections 41-4-240 through 41-4-243, Code of Alabama 1975,
providing for the manager of printing and publications for the
Department of Finance; and to repeal Article 11 of Chapter 4
of Title 41, consisting of Sections 41-4-280 through 41-4-293,
Code of Alabama 1975, providing for the Telecommunications
Division of the Department of Finance.
BE IT ENACTED BY THE LEGISLATURE OF ALABAMA:
Section 1. Sections 41-28-1, 41-28-2, 41-28-4, and
41-28-5 of the Code of Alabama 1975, are amended to read as
follows:
"§41-28-1
There is in state government the Office of Information
Technology, which shall be headed by the Secretary of
Information Technology who shall also be known as the Chief
Information Officer of the state ."
"§41-28-2
As used in this chapter, the following terms shall have
the following meanings:
(1) COMMITTEE. The Permanent Legislative Oversight
Committee on Information Technology.
(2) CYBERSECURITY. The protection of critical
infrastructure, data, and digital networks through the
implementation of security measures, risk management
processes, disaster recovery, business continuity, and
incident response protocols to safeguard against cyber
threats.
(3) ELECTROMAGNETIC TRANSMISSION EQUIPMENT. Any
transmission medium, switch, instrument, network node, inside
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56 HB207 Engrossed
Page 3
transmission medium, switch, instrument, network node, inside
wiring system, wireless system, fiber-optic system, or other
facility which is used, in whole or in part, to provide any
transmission, communication, or processing of information.
(2)(4) INFORMATION TECHNOLOGY. Automated All forms of
automated data processing, communications systems , subsystems,
or interconnected systems and services, wide area and local
area networks, the Internet, computer networks, electronic
information systems and related information, databases,
equipment, goods, and services used for gathering, storing,
transmitting, retrieving, manipulating, moving, controlling,
managing, displaying, interchanging, receiving, processing, or
protecting of information .
(3)(5) OFFICE. The Office of Information Technology.
(4)(6) SECRETARY OF INFORMATION TECHNOLOGY. The chief
administrative and executive officer of the Office of
Information Technology who is also known as the Chief
Information Officer of the state .
(5)(7) STATE AGENCIES. All departments, agencies,
offices, boards, commissions, bureaus, and authorities of
state government. The term shall not include counties,
municipalities and their instrumentalities , the Alabama State
Port Authority, the State Department of Education, the
Retirement Systems of Alabama, or institutions of higher
education governed by a separate board of trustees, although
these entities and institutions may enter into cooperative
agreements and contracts related to information technology
efforts with the state information technology system.
(8) TECHNOLOGY CONTRACT. A contract entered into by any
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84 HB207 Engrossed
Page 4
(8) TECHNOLOGY CONTRACT. A contract entered into by any
state agency concerning information technology, cybersecurity,
electromagnetic transmission equipment, or telecommunications
equipment, systems, or related services.
(9) TELECOMMUNICATIONS EQUIPMENT, SYSTEMS, OR RELATED
SERVICES. Includes all of the following:
a. Devices including, but not limited to, telephone
instruments, modulators, headsets, and coders, used to convert
voices, voice information, or digital data into a form
suitable for transmission by electronic, electric current,
electromagnetic wave, or any technological means from one
point to another point.
b. Devices including, but not limited to, telephone
receivers, demodulators, and decoders, used to receive voices,
voice information, or digital data in a form suitable for
converting this information into usable form by an electronic,
electric current, electromagnetic wave, or any technological
means.
c. Wiring, waveguides, optical fibers, wireless, or
other physical means used to convey electric currents or
electromagnetic waves containing voice information or digital
data.
d. Switches, wireless access points, routers, virtual
private networks, network concentrators, firewalls, nodes,
branch exchanges, software, and other devices used to
selectively interconnect devices which use electric current or
electromagnetic waves for the purpose of communicating voice
signals or digital data from one point to another point.
e. Maintenance of the types of devices and means listed
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112 HB207 Engrossed
Page 5
e. Maintenance of the types of devices and means listed
in paragraphs a. through d. and all consulting, designs,
implementation, customization, or management services related
to those devices, their interconnection, and their use. "
"§41-28-4
The secretary shall have all of the following powers
and duties:
(1) Develop a comprehensive four-year strategic plan
for the state's information technology to include acquisition,
management, and use of information technology by state
agencies. The plan shall be developed in conjunction with the
planning and budgeting processes for state agencies and may
include review of state agencies' information technology
plans, capital budgets, and operating budgets as appropriate
to accomplish the goals of reducing redundant expenditures and
maximizing the return on information technology investments.
The plan shall be updated annually and submitted to the
Governor and shall be presented during a public meeting to the
Permanent Legislative Oversight Committee on Information
Technology. The plan shall further be coordinated with the
Boards of Directors of the Alabama Supercomputer Authority.
(2) Collaborate and coordinate with the Division of
Data Systems Management of the Department of Finance as set
forth in Article 8 of Chapter 4 of this title, the Alabama
Supercomputer Authority , or any state authority, board, or
agency of like kind , and promote standards and coordinate
services and infrastructure to ensure that information
technology is and cybersecurity are used to support designated
needs areas, including identifying applications, equipment,
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140 HB207 Engrossed
Page 6
needs areas, including identifying applications, equipment,
and services that may be statewide in scope and assisting
state agencies in avoiding duplication of applications,
equipment, and services.
(3) Serve as a member of the board, or boards, for the
Alabama Supercomputer Authority.
(4) Solicit, receive, and administer funds, goods,
services, and equipment from public and private entities to be
used for the purchase of computers, satellites, hardware,
software, and other information technology and cybersecurity
equipment and services and for staff training in the use of
information technology and cybersecurity development programs.
(5) Establish an inventory of information technology
resources to allow identification of underutilized or idle
resources and all data and data systems in state agencies to
promote improved asset management, information security, and
cybersecurity utilization, intelligence, and data sharing,
with information technology resources to include personnel,
software, hardware goods, and services. The inventory is not
subject to public disclosure.
(6) Manage, plan, and coordinate all telecommunications
and cybersecurity systems under the jurisdiction of the state
through coordination of existing system activities, vendors,
service orders, billing, and recordkeeping functions in
accordance with records retention requirements established by
the State Records Commission and other applicable law;
planning and implementing new systems or services; designing
replacement systems; project management during specification
writing, bid letting, proposal evaluation, and contract
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168 HB207 Engrossed
Page 7
writing, bid letting, proposal evaluation, and contract
negotiations; implementation and supervision of new systems
and ongoing support; implementation of long-term state plans;
and management of telecommunications networks.
(7) Establish and coordinate through either state
ownership or commercial leasing, all telecommunications and
cybersecurity equipment, systems, and related services
affecting the management and operations of the state or any
county office of a state agency.
(8) Act as the centralized approving authority for the
acquisition of all telecommunications, information technology,
and cybersecurity systems or services provided to state
agencies via state procurement means, including pay
telephones, computer services, Internet delivery systems,
radio communications, or any combination thereof, located on
or off premises owned or operated by the state or any of its
agencies.
(9) Charge respective user agencies for their
proportionate cost of the installation, maintenance, and
operation of the telecommunications, information technology,
and cybersecurity equipment, systems, and services, including
the operation of the office.
(10) Develop coordinated telecommunications,
information technology, and cybersecurity equipment, systems,
and related services including, but not limited to, data,
voice, and Internet systems or services within and among all
state agencies both on and off premises and require, where
appropriate, cooperative utilization of telecommunications
equipment, facilities, and services by aggregating users.
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196 HB207 Engrossed
Page 8
equipment, facilities, and services by aggregating users.
(11) Review, coordinate, approve, or disapprove all
requests by state agencies for the procurement, through
purchase or lease, of radio communications and
telecommunications, information technology, and cybersecurity
equipment, systems, and related services, including
telecommunications, data, Internet protocol, maintenance,
implementation, and consultation contracts.
(12) Establish and define telecommunications and
cybersecurity system and service specifications and designs so
as to assure compatibility of telecommunications, information
technology, and cybersecurity equipment, systems, and related
services within state government and any county office of a
state agency.
(13) Provide a continuous, comprehensive analysis and
inventory of telecommunications, information technology, and
cybersecurity costs, facilities, and systems within state
government and any county offices of state agencies.
(14) Advise and provide consultation services to state
agencies with respect to telecommunications, information
technology, and cybersecurity management planning and related
matters, including training within state agencies.
(15) Establish and supervise the administration of data
processing centers deemed necessary to best serve the data
processing needs of all state agencies.
(16) Provide for the centralization, consolidation, and
shared use of equipment and services deemed necessary to
obtain maximum utilization and efficiency in data processing
operations.
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224 HB207 Engrossed
Page 9
operations.
(17) Transfer to any data processing center the data
processing activities of any state agency.
(18) Provide systems design and programming services to
all state agencies.
(19) Select and procure, by purchase or lease, any data
processing systems and associated software deemed necessary to
best serve the data processing needs of the office.
(20) Conduct data processing studies as deemed
necessary and enter into contracts with other state agencies,
organizations, corporations, or individuals to complete those
studies.
(21) Prepare contract specifications for data systems
equipment and services.
(6)(22) Establish and administer a structured system
for review and approval of new information technology and
cybersecurity initiatives and projects, including business
case, cost benefit analysis, and compatibility analysis.
(7)(23) Administer any funds appropriated to the
secretary by the Legislature for the establishment, operation,
and coordination of the office.
(8)(24) Represent state information technology ,
cybersecurity, and related areas with both the private and
public sectors, including the federal government.
(9)(25) Issue annual reports to the Governor, the
Legislature, and the general public concerning the
coordination and operation of the office.
(10) Promulgate(26) Adopt rules, regulations, and
policies and establish procedures and standards for the
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252 HB207 Engrossed
Page 10
policies and establish procedures and standards for the
management and operation of information technology by state
agencies to carry out this chapter, including coordinating
state information technology; providing technical assistance
to state agency administrators on design and management of
state information technology systems; evaluating and approving
the cost, system design, and suitability of information
technology equipment and related services; establishing and
enforcing cybersecurity governance for state agencies,
including supporting operations and technology controls;
establishing standards and policies for program and project
management and project methodologies; and developing a unified
and integrated structure and enterprise architecture for
information technology systems for all state agencies.
(27) In consultation with the Governor, adopt rules to
provide for the creation, operation, and oversight of a
technology quality assurance board that will promote the
responsible and transparent procurement, development, and use
of novel technologies within state agencies through
establishing and enforcing the following measures for these
technologies:
a. Ethical guidelines and frameworks.
b. Security and privacy controls.
c. Ongoing compliance mechanisms.
(11)(28) Plan and coordinate information technology and
cybersecurity activities for state agencies in such a manner
as to promote the most economical and effective use of state
resources."
"§41-28-5
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280 HB207 Engrossed
Page 11
"§41-28-5
(a) No public monies shall be expended by the secretary
for any purpose unless the monies have been appropriated by
the Legislature to the entity from which the funds are
received or to the office. Any monies appropriated shall be
budgeted and allotted pursuant to the Budget Management Act in
accordance with Article 4, commencing with Section 41-4-80, of
Chapter 4 of this title, and only in the amounts provided by
the Legislature in the general appropriations act or other
appropriation acts.
(b) All user fees collected, direct appropriations, and
other funds received relating to the provision of
telecommunications services under this chapter shall be
deposited into a revolving fund in the State Treasury
designated as the Telecommunications Revolving Fund, and the
secretary may make deposits and expenditures from time to time
from the fund to implement this chapter. All balances of
revenue, income, and receipts remaining in the fund at the end
of each fiscal year shall carry over to the next fiscal year
and shall not revert to the State General Fund or any other
fund."
Section 2. Sections 41-28-11, 41-28-12, 41-28-13,
41-28-14, 41-28-15, 41-28-16, 41-28-17, and 41-28-18 are added
to the Code of Alabama 1975, to read as follows:
§41-28-11
No state agency shall rent, lease, lease to purchase,
or in any way own or pay for the operation of any
telecommunications, information technology, or cybersecurity
equipment, system, or related services or computer networks
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308 HB207 Engrossed
Page 12
equipment, system, or related services or computer networks
out of any funds available for that purpose without the
written approval of the office.
§41-28-12
The office, on behalf of any state agency, may enter
into an equipment support contract with a vendor of
telecommunications, information technology, or cybersecurity
equipment for the purchase, lease, or lease to purchase of the
equipment in accordance with state competitive bid laws. Each
contract shall be valid for not more than five fiscal years
and shall include the following annual appropriation
dependence clause: "The continuation of the contract is
contingent upon the appropriation by the Legislature of funds
to fulfill the requirements of the contract. If the
Legislature fails to appropriate sufficient monies to provide
for the continuance of the contract, or if funds from other
sources are not available, the contract shall terminate on the
date of the beginning of the fiscal year for which funds are
not appropriated or available."
§41-28-13
Subject to the approval of the state purchasing agent,
the office may allow the trade-in of telecommunications,
information technology, or cybersecurity equipment, the value
of which may be credited against the cost of replacement
equipment purchased in accordance with state competitive bid
laws.
§41-28-14
The office may enter into contracts for the lease of
telecommunications, information technology, or cybersecurity
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336 HB207 Engrossed
Page 13
telecommunications, information technology, or cybersecurity
equipment, systems, or related services. The contract shall be
valid for not more than five fiscal years and the office may
directly contract for or approve contracts for regulated or
tariffed telecommunications, information technology, or
cybersecurity services upon a determination that the
application of the service is in the best interests of the
state.
§41-28-15
(a) Pursuant to the requirements of Public Law 92-544,
the office may conduct a state and national criminal history
background check on current or prospective state employees and
contractors for the purpose of determining whether those
individuals who have or may have access to the state's
telecommunications, information technology, or cybersecurity
infrastructure or otherwise perform functions that impact the
technical operations of state government have been convicted
of a crime that would warrant denying the employee or
contractor access to information technology services to state
government agencies.
(b) State and national criminal history records checks
shall be requested by the office from the Alabama State Law
Enforcement Agency (ALEA) and shall be applicable to the
individual identified in the request. The office shall arrange
for the fingerprinting of the individual or for conducting any
other method of positive identification required by ALEA. The
request shall also specify whether a national criminal history
records check is requested by the Federal Bureau of
Investigation on the specified individual in addition to a
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364 HB207 Engrossed
Page 14
Investigation on the specified individual in addition to a
state criminal history records check. ALEA shall submit the
verified fingerprints or other positive identifying
information to the Federal Bureau of Investigation for a
national criminal history records check when requested by the
office. The results of the state and national criminal history
records checks shall be returned to the office by ALEA.
(c) Any criminal history reports received by the office
from ALEA shall be marked confidential and shall not be
disclosed or made available for public inspection. All
criminal history reports received pursuant to this section are
specifically excluded from any requirement of public
disclosure as a public record. The Secretary of ALEA shall
limit access to these reports and may only use the information
contained in the reports for the purposes set out in this
section.
(d) The Secretary of ALEA may charge fees to the office
subject to a fee schedule adopted by the Alabama Justice
Information Commission for conducting state and national
criminal history records checks.
(e) In conjunction with making criminal history records
checks, the Secretary of ALEA shall establish a policy for
determining which criminal elements would result in preventing
or removing an employee's or contractor's access to sensitive
or protected information handled by the office.
§41-28-16
This chapter shall not apply to two-way radio
communications equipment, systems, or networks operated by
state agencies for purposes related to public safety, the
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392 HB207 Engrossed
Page 15
state agencies for purposes related to public safety, the
administration of criminal justice, or highway maintenance and
construction operations.
§41-28-17
The provisions of this chapter concerning
telecommunications, information technology, or cybersecurity
equipment, services, and solutioning shall not apply to any
county or city board of education, the education television
commission, entities that originated within the State
Department of Education, the Alabama Community College System,
or any public four-year institution of higher education. Upon
request, the office may provide technical consultation and
procurement services for telecommunications, information
technology, or cybersecurity to any county or city board of
education, the education television commission, the Alabama
Community College System, and any public four-year institution
of higher education. The county and city boards of education,
the education television commission, the Alabama Community
College System, and public four-year institutions of higher
education shall continue to be provided instate and
out-of-state long distance voice service by the office, so
long as funding is provided to the Telephone Revolving Fund
from the Education Trust Fund, and shall not be required to
pay any additional charge for that service; however, any
county or city board of education shall have the option of
utilizing the office for instate and out-of-state long
distance voice service only if reimbursement for actual costs
are remitted to the office.
§41-28-18
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420 HB207 Engrossed
Page 16
§41-28-18
The legislative and judicial branches of government are
exempt from the requirements of this chapter, except under
terms and conditions mutually agreed to in writing between the
office and the branch of government.
Section 3. Article 8 of Chapter 4 of Title 41,
consisting of Sections 41-4-220 through 41-4-224, Code of
Alabama 1975, providing for the Division of Data Systems
Management of the Department of Finance, Article 9 of Chapter
4 of Title 41, Consisting of Sections 41-4-240 through
41-4-243, Code of Alabama 1975, providing for the manager of
printing and publications of the Department of Finance, and
Article 11 of Chapter 4 of Title 41, consisting of Sections
41-4-280 through 41-4-293, Code of Alabama 1975, providing for
the Telecommunications Division of the Department of Finance,
are repealed.
Section 4. This act shall become effective on October
1, 2025.
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437 HB207 Engrossed
Page 17
1, 2025.
House of Representatives
Read for the first time and referred
to the House of Representatives
committee on State Government
................06-Feb-25
Read for the second time and placed
on the calendar:
1 amendment
................27-Feb-25
Read for the third time and passed
as amended
Yeas 103
Nays 0
Abstains 0
................18-Mar-25
John Treadwell
Clerk
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458