House File 1028 - Introduced HOUSE FILE 1028 BY COMMITTEE ON APPROPRIATIONS (SUCCESSOR TO HF 756) (SUCCESSOR TO HSB 72) A BILL FOR An Act relating to matters under the purview of the department 1 of management, making appropriations, and including 2 applicability provisions. 3 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA: 4 TLSB 1362HZ (3) 91 sc/ns
H.F. 1028 Section 1. Section 8.57C, subsections 2, 3, and 4, Code 1 2025, are amended to read as follows: 2 2. Moneys in the fund in a fiscal year shall be used as 3 appropriated by the general assembly for the acquisition 4 of computer hardware and software, software development, 5 telecommunications equipment, and maintenance and lease 6 agreements associated with technology components and for the 7 purchase of equipment intended to provide an uninterruptible 8 power supply are appropriated to the department of management 9 to provide a stable funding source for implementation costs 10 of state information technology projects that enhance the 11 states technology infrastructure, improve government services, 12 and promote innovation and economic development, including 13 but not limited to new information technology projects 14 and infrastructure replacement efforts of a department or 15 establishment . 16 a. The department shall prioritize proposed projects based 17 on all of the following considerations: 18 (1) Whether the project aligns with the states strategic 19 priorities. 20 (2) Whether the project promotes or introduces new 21 technology or significantly improves an existing system. 22 (3) Whether the project is feasible and whether the 23 department or establishment has established readiness for the 24 project to proceed, including a clear assessment of timelines, 25 budgets, and measurable outcomes. 26 (4) Whether the project includes a clear change management 27 strategy to support user adoption and aligns with lean 28 enterprise principles to maximize value, minimize waste, and 29 ensure continuous improvement. 30 (5) Whether the project provides a positive return on 31 investment, considering both financial returns and nonfinancial 32 benefits such as improved public safety, education, or health 33 care. 34 (6) Whether the project results in infrastructure that is 35 -1- LSB 1362HZ (3) 91 sc/ns 1/ 14
H.F. 1028 scalable across the state enterprise. 1 (7) Whether the department or establishment has identified 2 how the completed project will be sustained beyond the initial 3 funding period. 4 (8) Whether the project improves access to governmental 5 services, particularly in rural communities. 6 (9) Whether the project involves an infrastructure project 7 as opposed to maintenance or standard upgrades of existing 8 technology. 9 b. The department shall provide a prioritized list of 10 proposed projects for funding to the governor, who shall use 11 the list in developing a budgetary recommendation for the 12 general assembly pursuant to section 8.21. 13 3. a. There is appropriated from the general fund of the 14 state to the technology reinvestment fund for the fiscal year 15 beginning July 1, 2025, and for each subsequent fiscal year 16 thereafter, the sum of seventeen million five hundred thousand 17 dollars. 18 b. There is appropriated from the rebuild Iowa 19 infrastructure fund for the fiscal year beginning July 1, 2023, 20 and ending June 30, 2024, the sum of eighteen million three 21 hundred ninety thousand two hundred ninety dollars to the 22 technology reinvestment fund, notwithstanding section 8.57, 23 subsection 3 , paragraph c . 24 c. There is appropriated from the rebuild Iowa 25 infrastructure fund for the fiscal year beginning July 1, 2024, 26 and ending June 30, 2025, the sum of twenty-one million one 27 hundred thirty-one thousand eight hundred seventy-three dollars 28 to the technology reinvestment fund, notwithstanding section 29 8.57, subsection 3 , paragraph c . 30 b. Notwithstanding section 8.33, moneys in the fund 31 that remain unencumbered or unobligated at the close of a 32 fiscal year shall not revert but shall remain available for 33 expenditure for the purposes designated. Notwithstanding 34 section 12C.7, subsection 2, interest or earnings on moneys in 35 -2- LSB 1362HZ (3) 91 sc/ns 2/ 14
H.F. 1028 the fund shall be credited to the fund. 1 4. Annually, on On or before January 15 of each year, a 2 state agency that received an appropriation from this fund 3 the department of management shall report to the legislative 4 services agency and the department of management general 5 assembly the status of all projects funded under this section 6 that have been completed since the previous report was 7 submitted or that are in progress. The report shall must 8 include a description of the project, the progress of work 9 completed, the total estimated cost of the project, a list of 10 all revenue sources being used to fund the project, the amount 11 of funds moneys expended, the amount of funds moneys obligated, 12 and the date the project was completed or an estimated 13 completion date of the project, where applicable. 14 Sec. 2. Section 8.78, Code 2025, is amended to read as 15 follows: 16 8.78 Background checks. 17 An applicant for employment with the department, or 18 an applicant for employment with a supported entity for a 19 position as information technology staff, may be subject to a 20 background investigation by the department. The background 21 investigation may include, without limitation, a work history, 22 financial review, request for criminal history data, and 23 national criminal history check through the federal bureau of 24 investigation. In addition, a contractor, vendor, employee, or 25 any other individual performing work for the department, or an 26 individual on the information technology staff of a supported 27 entity, may be subject to a national criminal history check 28 through the federal bureau of investigation at least once 29 every ten five years, including, without limitation, any time 30 the department or supported entity has reason to believe an 31 individual has been convicted of a crime. The department may 32 request the national criminal history check and, if requested, 33 shall provide the individuals fingerprints to the department 34 of public safety for submission through the state criminal 35 -3- LSB 1362HZ (3) 91 sc/ns 3/ 14
H.F. 1028 history repository to the federal bureau of investigation. 1 The individual shall authorize release of the results of the 2 national criminal history check to the department and the 3 applicable supported entity. The department shall pay the 4 actual cost of the fingerprinting and national criminal history 5 check, if any, unless otherwise agreed as part of a contract 6 between the department or supported entity and a vendor or 7 contractor performing work for the department or supported 8 entity. The results of a criminal history check conducted 9 pursuant to this section shall not be considered a public 10 record under chapter 22 . 11 Sec. 3. NEW SECTION . 8.94 Contracts prohibited terms. 12 Provisions included in a contract entered into pursuant to 13 this subchapter that impose terms or conditions prohibited by 14 this section are void as contrary to public policy. Such a 15 contract shall be interpreted and enforced as if the contract 16 did not include the prohibited terms or conditions. Prohibited 17 terms and conditions include all of the following: 18 1. A provision requiring the department or a supported 19 entity to defend, indemnify, hold harmless another person, or 20 otherwise assume the debt or liability of another person in 21 violation of Article VII, section 1, of the Constitution of the 22 State of Iowa. 23 2. A provision that seeks to impose a term that is unknown 24 to the department or supported entity at the time of signing 25 the contract or that can be unilaterally changed by an entity 26 other than the department or a supported entity. 27 3. A provision that violates chapter 13 by not allowing 28 the department or a supported entity to participate in its own 29 defense through representation by the attorney general. 30 4. A provision that grants to a person other than the 31 attorney general the authority to convey to a court or litigant 32 the states consent to any settlement of a suit involving the 33 contract when such settlement could impose liability on the 34 state. 35 -4- LSB 1362HZ (3) 91 sc/ns 4/ 14
H.F. 1028 5. A provision that specifies that the contract is governed 1 by the laws of a foreign state or nation. 2 6. A provision that claims blanket confidentiality of the 3 contracts terms. 4 7. A provision that claims that payment terms, including but 5 not limited to cost proposals or other pricing information, of 6 the contract are confidential. 7 8. A provision that authorizes or requires a venue for 8 litigation other than an appropriate state or federal court 9 sitting in Iowa. 10 9. A provision that requires the department or a supported 11 entity to pay attorney fees, court costs, or other litigation 12 expenses in the event of a contractual dispute. 13 10. A provision that imposes on the department or a 14 supported entity binding arbitration or any other binding 15 extrajudicial dispute resolution process in which the final 16 resolution is not determined by the state. 17 11. A provision that waives the departments or a supported 18 entitys right to a jury trial. 19 12. A provision that obligates the department or a supported 20 entity to pay late payment charges not consistent with section 21 8A.514, interest greater than allowed under section 8A.514 or 22 other applicable law, or any cancellation charges, as such 23 charges constitute pledges of the states credit. 24 13. A provision that obligates the department or a supported 25 entity to pay a tax. 26 14. A provision that imposes a prior notice obligation 27 on the department or a supported entity as a condition for 28 the automatic renewal of a software license. The department 29 or a supported entity may provide notice of its intent to 30 terminate a software license at any time before the renewal 31 date established in the contract. 32 15. A provision that obligates the department or a supported 33 entity to accept risk of loss before the receipt of items or 34 goods. 35 -5- LSB 1362HZ (3) 91 sc/ns 5/ 14
H.F. 1028 16. A provision that obligates the department or a supported 1 entity to have commercial insurance. 2 17. A provision that obligates the department or a supported 3 entity to grant to a nongovernmental entity full or partial 4 ownership of intellectual property developed pursuant to the 5 contract when the intellectual property is developed in whole 6 or in part using federal funding. 7 18. A provision that limits the time in which the department 8 or a supported entity may bring a legal claim under the 9 contract to a period shorter than that provided in Iowa law. 10 19. A boilerplate provision included in transactional 11 documents received by the department or a supported entity that 12 seeks to alter the terms of the contract or to impose new terms 13 in the contract. 14 Sec. 4. NEW SECTION . 8.95 Contracts required terms. 15 All of the following provisions shall be deemed to be 16 included in a contract entered into by the department or a 17 supported entity under this subchapter: 18 1. Governing law. The contract shall be governed by 19 the laws of the state of Iowa, without giving effect to any 20 conflicts of law principles of Iowa law that may require the 21 application of another jurisdictions law. 22 2. Venue. Any litigation commenced in connection with the 23 contract shall be brought and maintained in an appropriate 24 state or federal court sitting in Iowa. 25 Sec. 5. NEW SECTION . 8.96 Contracts limitation of 26 liability prohibited terms. 27 Notwithstanding section 8A.311, subsection 22, and rules 28 adopted pursuant to that subsection, the director may include 29 a contractual limitation of vendor liability in information 30 technology goods and services contracts. A contractual 31 limitation of vendor liability must take into consideration the 32 public interest and the mitigation of risks associated with the 33 use of information technology goods or services. Any portion 34 of a contractual limitation of vendor liability that includes 35 -6- LSB 1362HZ (3) 91 sc/ns 6/ 14
H.F. 1028 a repudiation of all liability for cybersecurity incidents or 1 a limitation on the vendors liability for intentional torts, 2 criminal acts, fraudulent conduct, intentional or willful 3 misconduct, gross negligence, death, bodily injury, damage to 4 real or personal property, intellectual property violations, 5 liquidated damages, compliance with applicable laws, violations 6 of confidential information obligations, or contractual 7 obligations of the vendor pertaining to indemnification shall 8 be void as a matter of law as contrary to public policy. A 9 contractual limit of vendor liability that does not apply 10 equally to the contracted parties or that limits a vendors 11 liability to less than the contract value inclusive of all 12 possible extensions is void as a matter of law as contrary to 13 public policy. 14 Sec. 6. NEW SECTION . 8.97 Confidentiality of communications 15 with chief information security officer. 16 In the interest of facilitating communication between 17 the chief information security officer and other entities 18 concerning security incidents and security breaches, all such 19 communications and any documents generated based in whole or in 20 part on such communications are confidential. Notwithstanding 21 chapter 22 or any other provision of law to the contrary, the 22 department shall not release such communications pursuant to 23 state open records laws, and such communications shall not be 24 received into evidence, subject to discovery, or otherwise 25 used in a trial, hearing, or other proceeding in or before any 26 court, regulatory body, or other authority of the state or a 27 political subdivision of the state, unless the communications 28 are subject to a protective order that prohibits further 29 disclosure of such communications and requires any court 30 filings of such communications to be made under seal. It is 31 the intent of the general assembly that these prohibitions and 32 restrictions also apply to federal courts, regulatory bodies, 33 and other authorities and for purposes of federal open records 34 laws, to the extent allowed by federal law and court rules. 35 -7- LSB 1362HZ (3) 91 sc/ns 7/ 14
H.F. 1028 The chief information security officer shall not release such 1 communications other than for any of the following purposes: 2 1. Identifying a cybersecurity threat, including the source 3 of the cybersecurity threat, or a security vulnerability, and 4 then only to government officials for purposes of addressing 5 the threat. 6 2. Responding to, or otherwise preventing or mitigating, 7 a specific threat of death, serious bodily harm, or serious 8 economic harm. 9 3. Responding to, investigating, prosecuting, or otherwise 10 preventing or mitigating a serious threat to a minor, including 11 sexual exploitation and threats to physical safety. 12 4. Preventing, investigating, disrupting, or prosecuting an 13 offense under state or federal law. 14 5. Providing a confidential cybersecurity briefing to the 15 governor or a member of the general assembly. 16 Sec. 7. NEW SECTION . 8.98 Criminal justice information. 17 1. The department is authorized to maintain an integrated 18 information system that enables automated data sharing among 19 the executive branch, judicial branch, and local agencies. 20 2. The department is designated as the Iowa statistical 21 analysis center for the purpose of coordinating with data 22 resource agencies to provide data and analytical information 23 to federal, state, and local governments. Notwithstanding any 24 other provision of state law to the contrary, unless prohibited 25 by federal law or regulation, the department shall be granted 26 access, for purposes of research and evaluation, to all of 27 the data listed in this subsection, except that intelligence 28 data and peace officer investigative reports maintained 29 by the department of public safety shall not be considered 30 data for the purposes of this section. The department of 31 management and any record, data, or information obtained by the 32 department under this subsection is subject to the federal and 33 state confidentiality laws and rules, including as described 34 in chapter 22, applicable to the original record, data, or 35 -8- LSB 1362HZ (3) 91 sc/ns 8/ 14
H.F. 1028 information, and to the original custodian of the record, 1 data, or information. Authorized access under this subsection 2 includes but is not limited to all of the following: 3 a. Juvenile court records and all other information 4 maintained under sections 232.147 through 232.151. 5 b. Child abuse information under sections 235A.15 through 6 235A.19. 7 c. Dependent adult abuse records maintained under chapter 8 235B. 9 d. Criminal history data maintained under chapter 692. 10 e. Sex offender registry information maintained under 11 chapter 692A. 12 f. Presentence investigation reports maintained under 13 section 901.4. 14 g. Corrections records maintained under sections 904.601 and 15 904.602. 16 h. Community-based correctional program records maintained 17 under chapter 904. 18 i. Parole records maintained under chapter 906. 19 j. Deferred judgment, deferred or suspended sentence, and 20 probation records maintained under chapter 907. 21 k. Violation of parole or probation records maintained under 22 chapter 908. 23 l. Fine and victim restitution records maintained under 24 chapters 909 and 910. 25 m. Child welfare records maintained under chapter 235. 26 3. The department is authorized to provide data analysis and 27 reporting on issues that may affect the states correctional 28 population and various subgroups of the population. This 29 reporting may include the review of filed, public legislative 30 bills, joint resolutions, and amendments, and compiling 31 criminal justice data for completion of correctional impact 32 statements under section 2.56, racial impact statements, and an 33 annual prison population forecast. 34 4. The department is authorized to maintain a multiagency 35 -9- LSB 1362HZ (3) 91 sc/ns 9/ 14
H.F. 1028 information system to track the progress of juveniles and 1 adults who have been charged with a criminal offense in 2 the court system through various state and local agencies 3 and programs. This system must utilize existing databases, 4 including the Iowa court information system, the Iowa 5 corrections offender network, the child welfare information 6 system of the department of health and human services, 7 the federally mandated national adoption and foster care 8 information system, and other state and local databases 9 pertaining to juveniles and to adults who have been charged 10 with a criminal offense in the court system, to the extent 11 practicable. 12 5. The multiagency information system is authorized to 13 count and track decision points for juveniles in the juvenile 14 justice system and minors in the child welfare system, evaluate 15 the experiences of the juveniles and minors, and evaluate 16 the success of the services provided. The system is also 17 authorized to count and track decision points for adults who 18 have been charged with a criminal offense in the court system, 19 including but not limited to dismissed charges, convictions, 20 deferred judgments, and sentence information. 21 6. If the department has insufficient moneys or resources 22 to implement this section, the department is authorized to 23 determine which portion of this section may be implemented, if 24 any, and the remainder of this section shall not apply. 25 Sec. 8. NEW SECTION . 8.99 Confidentiality of data. 26 1. For purposes of chapter 22, the department shall not be 27 deemed to be the lawful custodian of records the department 28 maintains for another department or establishment under this 29 subchapter, to the extent the records in question are held 30 by the department as an automated data processing unit of 31 government or held by the department solely for storage for 32 another department or establishment. Such records include but 33 are not limited to all of the following: 34 a. Electronic messaging system data. 35 -10- LSB 1362HZ (3) 91 sc/ns 10/ 14
H.F. 1028 b. Mainframe data. 1 c. Storage solutions or other electronic information, such 2 as on-premises server data storage and cloud data storage. 3 2. If the department receives a request pursuant to chapter 4 22 for records over which the department has determined it is 5 not the lawful custodian, the department shall deny the request 6 and inform the requester to seek the information from the 7 lawful custodian as provided in chapter 22. The departments 8 determination that it is not the lawful custodian of records is 9 presumed valid. The presumption may be rebutted by clear and 10 convincing evidence to the contrary. 11 3. The department shall provide assistance to the lawful 12 custodian of records held by the department so that the lawful 13 custodian can comply with the production obligations of chapter 14 22. 15 4. If the department receives a subpoena in an 16 administrative, civil, or criminal case for records for which 17 the department is not the lawful custodian, the department 18 shall notify the lawful custodian and the attorney generals 19 office and cooperate in any efforts to resist the subpoena. 20 Sec. 9. Section 216A.131A, Code 2025, is amended to read as 21 follows: 22 216A.131A Criminal and juvenile justice planning. 23 The department shall fulfill the responsibilities of 24 this subchapter , including the duties specified in sections 25 216A.133, 216A.135 , 216A.136 , 216A.137 , 216A.138 , and 216A.140 . 26 Sec. 10. Section 216A.133, subsection 1, paragraphs d, e, f, 27 l, and t, Code 2025, are amended by striking the paragraphs. 28 Sec. 11. Section 216A.133, subsection 1, paragraph q, 29 subparagraphs (1) and (6), Code 2025, are amended by striking 30 the subparagraphs. 31 Sec. 12. Section 216A.133, subsection 1, paragraph s, Code 32 2025, is amended to read as follows: 33 s. Provide expertise and advice to the legislative 34 services agency, the department of management, the department 35 -11- LSB 1362HZ (3) 91 sc/ns 11/ 14
H.F. 1028 of corrections, the judicial branch, and others charged 1 with formulating fiscal, correctional, or minority impact 2 statements. 3 Sec. 13. Section 216A.135, subsection 2, paragraph e, Code 4 2025, is amended by striking the paragraph. 5 Sec. 14. Section 232.147, subsection 2, paragraph i, Code 6 2025, is amended to read as follows: 7 i. The statistical analysis center for the purposes stated 8 in section 216A.136 8.98 . 9 Sec. 15. Section 232.147, subsection 3, paragraph n, Code 10 2025, is amended to read as follows: 11 n. The statistical analysis center for the purposes stated 12 in section 216A.136 8.98 . 13 Sec. 16. Section 232.147, subsection 4, paragraph i, Code 14 2025, is amended to read as follows: 15 i. The statistical analysis center for the purposes stated 16 in section 216A.136 8.98 . 17 Sec. 17. Section 232.149, subsection 5, paragraph f, Code 18 2025, is amended to read as follows: 19 f. The statistical analysis center for the purposes stated 20 in section 216A.136 8.98 . 21 Sec. 18. Section 232.149A, subsection 3, paragraph m, Code 22 2025, is amended to read as follows: 23 m. The statistical analysis center for the purposes stated 24 in section 216A.136 8.98 . 25 Sec. 19. REPEAL. Sections 216A.136, 216A.137, and 26 216A.138, Code 2025, are repealed. 27 Sec. 20. APPLICABILITY. The following apply to contracts 28 entered into or renewed on or after the effective date of this 29 Act: 30 1. The section of this Act enacting section 8.94. 31 2. The section of this Act enacting section 8.95. 32 3. The section of this Act enacting section 8.96. 33 EXPLANATION 34 The inclusion of this explanation does not constitute agreement with 35 -12- LSB 1362HZ (3) 91 sc/ns 12/ 14
H.F. 1028 the explanations substance by the members of the general assembly. 1 This bill relates to matters under the purview of the 2 department of management (DOM). 3 The bill strikes current law providing for the use of moneys 4 in the technology reinvestment fund for certain technology 5 projects and instead appropriates moneys in the fund to DOM for 6 technology projects using factors set forth in the bill. The 7 bill requires DOM to provide a prioritized list of proposed 8 projects to the governor, who must use the list to develop 9 a budgetary recommendation to the general assembly, and to 10 report completed and ongoing projects to the general assembly 11 annually. 12 The bill increases the frequency at which a person 13 performing work for DOM or an individual on the information 14 technology staff of a supported entity may be subject to a 15 national criminal history check through the federal bureau of 16 investigation from at least once every 10 years to every 5 17 years. 18 The bill prohibits the inclusion of certain provisions in 19 information technology contracts and declares those provisions 20 void if present in such contracts. The bill also provides that 21 such contracts are deemed to include provisions requiring the 22 contract to be governed by Iowa law and litigation related to 23 the contract to be brought and maintained in an appropriate 24 state or federal court sitting in Iowa. The bill authorizes 25 the director of DOM to include limitations of vendor liability 26 in information technology goods and services contracts, but 27 sets forth prohibited terms in such limitations of liability. 28 The bill makes all communication concerning cybersecurity 29 between the chief information security officer and other 30 entities confidential and allows the communications to be 31 released only for specific purposes. 32 Under current law, the department of health and human 33 services serves as the Iowa statistical analysis center and 34 maintains an integrated information system for data sharing 35 -13- LSB 1362HZ (3) 91 sc/ns 13/ 14
H.F. 1028 among federal, state, and local governments. The bill 1 transfers these powers and duties to DOM and grants DOM access 2 to criminal justice information other than intelligence data 3 and peace officer investigative reports maintained by the 4 department of public safety. DOM is authorized to provide 5 data analysis and reporting on issues that may affect the 6 states correctional population and various subgroups of the 7 population, to maintain a multiagency information system to 8 track the progress of juveniles and adults charged with a 9 criminal offense through state and local agencies and programs, 10 and to count and track decision points for individuals in 11 the juvenile justice system, child welfare system, and 12 court system. If DOM lacks sufficient moneys to perform the 13 authorized tasks of the Iowa statistical analysis center, the 14 bill allows DOM to determine which, if any, to implement. 15 The bill states that DOM is not the lawful custodian under 16 Code chapter 22 (open records) for records DOM maintains in 17 DOMs information technology capacity for other state entities 18 as an automated data processing unit of government or when 19 held by DOM solely for storage for another department or 20 establishment. The bill requires DOM to deny requests for 21 information for which DOM is not the lawful custodian, to 22 provide assistance to the lawful custodian to comply with 23 production obligations, and to cooperate in any efforts to 24 resist associated subpoenas. 25 -14- LSB 1362HZ (3) 91 sc/ns 14/ 14