Senate File 307 - Introduced SENATE FILE 307 BY COMMITTEE ON STATE GOVERNMENT (SUCCESSOR TO SSB 1083) A BILL FOR An Act relating to matters under the purview of the department 1 of management, making appropriations, and including 2 applicability provisions. 3 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA: 4 TLSB 1362SV (2) 91 sc/ns
S.F. 307 Section 1. Section 8.23, Code 2025, is amended by adding the 1 following new subsection: 2 NEW SUBSECTION . 3. A transmittal to the department of 3 management pursuant to this section, and any document created 4 based on such transmittal, shall be considered confidential 5 until the governor transmits the budget in accordance with 6 section 8.21. 7 Sec. 2. Section 8.57C, subsections 2, 3, and 4, Code 2025, 8 are amended to read as follows: 9 2. Moneys in the fund in a fiscal year shall be used as 10 appropriated by the general assembly for the acquisition 11 of computer hardware and software, software development, 12 telecommunications equipment, and maintenance and lease 13 agreements associated with technology components and for the 14 purchase of equipment intended to provide an uninterruptible 15 power supply are appropriated to the department of management 16 to provide a stable funding source for implementation costs 17 of state information technology projects that enhance the 18 states technology infrastructure, improve government services, 19 and promote innovation and economic development, including 20 but not limited to new information technology projects 21 and infrastructure replacement efforts of a department or 22 establishment . 23 a. The department shall prioritize proposed projects based 24 on all of the following considerations: 25 (1) Whether the project aligns with the states strategic 26 priorities. 27 (2) Whether the project promotes or introduces new 28 technology or significantly improves an existing system. 29 (3) Whether the project is feasible and whether the 30 department or establishment has established readiness for the 31 project to proceed, including a clear assessment of timelines, 32 budgets, and measurable outcomes. 33 (4) Whether the project includes a clear change management 34 strategy to support user adoption and aligns with lean 35 -1- LSB 1362SV (2) 91 sc/ns 1/ 15
S.F. 307 enterprise principles to maximize value, minimize waste, and 1 ensure continuous improvement. 2 (5) Whether the project provides a positive return on 3 investment, considering both financial returns and nonfinancial 4 benefits such as improved public safety, education, or health 5 care. 6 (6) Whether the project results in infrastructure that is 7 scalable across the state enterprise. 8 (7) Whether the department or establishment has identified 9 how the completed project will be sustained beyond the initial 10 funding period. 11 (8) Whether the project improves access to governmental 12 services, particularly in rural communities. 13 (9) Whether the project involves an infrastructure project 14 as opposed to maintenance or standard upgrades of existing 15 technology. 16 b. The department shall provide a prioritized list of 17 proposed projects for funding to the governor, who shall use 18 the list in developing a budgetary recommendation for the 19 general assembly pursuant to section 8.21. 20 3. a. There is appropriated from the general fund of the 21 state to the technology reinvestment fund for the fiscal year 22 beginning July 1, 2025, and for each subsequent fiscal year 23 thereafter, the sum of seventeen million five hundred thousand 24 dollars. 25 b. There is appropriated from the rebuild Iowa 26 infrastructure fund for the fiscal year beginning July 1, 2023, 27 and ending June 30, 2024, the sum of eighteen million three 28 hundred ninety thousand two hundred ninety dollars to the 29 technology reinvestment fund, notwithstanding section 8.57, 30 subsection 3 , paragraph c . 31 c. There is appropriated from the rebuild Iowa 32 infrastructure fund for the fiscal year beginning July 1, 2024, 33 and ending June 30, 2025, the sum of twenty-one million one 34 hundred thirty-one thousand eight hundred seventy-three dollars 35 -2- LSB 1362SV (2) 91 sc/ns 2/ 15
S.F. 307 to the technology reinvestment fund, notwithstanding section 1 8.57, subsection 3 , paragraph c . 2 b. Notwithstanding section 8.33, moneys in the fund 3 that remain unencumbered or unobligated at the close of a 4 fiscal year shall not revert but shall remain available for 5 expenditure for the purposes designated. Notwithstanding 6 section 12C.7, subsection 2, interest or earnings on moneys in 7 the fund shall be credited to the fund. 8 4. Annually, on On or before January 15 of each year, a 9 state agency that received an appropriation from this fund 10 the department of management shall report to the legislative 11 services agency and the department of management general 12 assembly the status of all projects funded under this section 13 that have been completed since the previous report was 14 submitted or that are in progress. The report shall must 15 include a description of the project, the progress of work 16 completed, the total estimated cost of the project, a list of 17 all revenue sources being used to fund the project, the amount 18 of funds moneys expended, the amount of funds moneys obligated, 19 and the date the project was completed or an estimated 20 completion date of the project, where applicable. 21 Sec. 3. Section 8.78, Code 2025, is amended to read as 22 follows: 23 8.78 Background checks. 24 An applicant for employment with the department, or 25 an applicant for employment with a supported entity for a 26 position as information technology staff, may be subject to a 27 background investigation by the department. The background 28 investigation may include, without limitation, a work history, 29 financial review, request for criminal history data, and 30 national criminal history check through the federal bureau of 31 investigation. In addition, a contractor, vendor, employee, or 32 any other individual performing work for the department, or an 33 individual on the information technology staff of a supported 34 entity, may be subject to a national criminal history check 35 -3- LSB 1362SV (2) 91 sc/ns 3/ 15
S.F. 307 through the federal bureau of investigation at least once 1 every ten five years, including, without limitation, any time 2 the department or supported entity has reason to believe an 3 individual has been convicted of a crime. The department may 4 request the national criminal history check and, if requested, 5 shall provide the individuals fingerprints to the department 6 of public safety for submission through the state criminal 7 history repository to the federal bureau of investigation. 8 The individual shall authorize release of the results of the 9 national criminal history check to the department and the 10 applicable supported entity. The department shall pay the 11 actual cost of the fingerprinting and national criminal history 12 check, if any, unless otherwise agreed as part of a contract 13 between the department or supported entity and a vendor or 14 contractor performing work for the department or supported 15 entity. The results of a criminal history check conducted 16 pursuant to this section shall not be considered a public 17 record under chapter 22 . 18 Sec. 4. NEW SECTION . 8.94 Contracts prohibited terms. 19 Provisions included in a contract entered into pursuant to 20 this subchapter that impose terms or conditions prohibited by 21 this section are void ab initio as contrary to public policy. 22 Such a contract shall be interpreted and enforced as if the 23 contract did not include the prohibited terms or conditions. 24 Prohibited terms and conditions include all of the following: 25 1. A provision requiring the department or a supported 26 entity to defend, indemnify, hold harmless another person, or 27 otherwise assume the debt or liability of another person in 28 violation of Article VII, section 1, of the Constitution of the 29 State of Iowa. 30 2. A provision that seeks to impose a term that is unknown 31 to the department or supported entity at the time of signing 32 the contract or that can be unilaterally changed by an entity 33 other than the department or a supported entity. 34 3. A provision that violates chapter 13 by not allowing 35 -4- LSB 1362SV (2) 91 sc/ns 4/ 15
S.F. 307 the department or a supported entity to participate in its own 1 defense through representation by the attorney general. 2 4. A provision that grants to a person other than the 3 attorney general the authority to convey to a court or litigant 4 the states consent to any settlement of a suit involving the 5 contract when such settlement could impose liability on the 6 state. 7 5. A provision that specifies that the contract is governed 8 by the laws of a foreign state or nation. 9 6. A provision that claims blanket confidentiality of the 10 contracts terms. 11 7. A provision that claims that payment terms, including but 12 not limited to cost proposals or other pricing information, of 13 the contract are confidential. 14 8. A provision that authorizes or requires a venue for 15 litigation other than the district court of Polk county, Iowa, 16 or the United States district court for the southern district 17 of Iowa sitting in Des Moines, Iowa. 18 9. A provision that requires the department or a supported 19 entity to pay attorney fees, court costs, or other litigation 20 expenses in the event of a contractual dispute. 21 10. A provision that imposes on the department or a 22 supported entity binding arbitration or any other binding 23 extrajudicial dispute resolution process in which the final 24 resolution is not determined by the state. 25 11. A provision that waives the departments or a supported 26 entitys right to a jury trial. 27 12. A provision that obligates the department or a supported 28 entity to pay late payment charges not consistent with section 29 8A.514, interest greater than allowed under section 8A.514 or 30 other applicable law, or any cancellation charges, as such 31 charges constitute pledges of the states credit. 32 13. A provision that obligates the department or a supported 33 entity to pay a tax. 34 14. A provision that imposes a prior notice obligation 35 -5- LSB 1362SV (2) 91 sc/ns 5/ 15
S.F. 307 on the department or a supported entity as a condition for 1 the automatic renewal of a software license. The department 2 or a supported entity may provide notice of its intent to 3 terminate a software license at any time before the renewal 4 date established in the contract. 5 15. A provision that obligates the department or a supported 6 entity to accept risk of loss before the receipt of items or 7 goods. 8 16. A provision that obligates the department or a supported 9 entity to have commercial insurance. 10 17. A provision that obligates the department or a supported 11 entity to grant to a nongovernmental entity full or partial 12 ownership of intellectual property developed pursuant to the 13 contract when the intellectual property is developed in whole 14 or in part using federal funding. 15 18. A provision that limits the time in which the department 16 or a supported entity may bring a legal claim under the 17 contract to a period shorter than that provided in Iowa law. 18 19. A boilerplate provision included in transactional 19 documents received by the department or a supported entity that 20 seeks to alter the terms of the contract or to impose new terms 21 in the contract. 22 Sec. 5. NEW SECTION . 8.95 Contracts required terms. 23 All of the following provisions shall be deemed to be 24 included in a contract entered into by the department or a 25 supported entity under this subchapter: 26 1. Governing law. The contract shall be governed by 27 the laws of the state of Iowa, without giving effect to any 28 conflicts of law principles of Iowa law that may require the 29 application of another jurisdictions law. 30 2. Venue. Any litigation commenced in connection with the 31 contract shall be brought and maintained in the district court 32 of Polk county, Iowa, or the United States district court for 33 the southern district of Iowa sitting in Des Moines, Iowa, as 34 appropriate. 35 -6- LSB 1362SV (2) 91 sc/ns 6/ 15
S.F. 307 Sec. 6. NEW SECTION . 8.96 Contracts limitation of 1 liability prohibited terms. 2 Notwithstanding section 8A.311, subsection 22, and rules 3 adopted pursuant to that subsection, the director may include 4 a contractual limitation of vendor liability in information 5 technology goods and services contracts. A contractual 6 limitation of vendor liability must take into consideration the 7 public interest and the mitigation of risks associated with the 8 use of information technology goods or services. Any portion 9 of a contractual limitation of vendor liability that includes 10 a repudiation of all liability for cybersecurity incidents or 11 a limitation on the vendors liability for intentional torts, 12 criminal acts, fraudulent conduct, intentional or willful 13 misconduct, gross negligence, death, bodily injury, damage to 14 real or personal property, intellectual property violations, 15 liquidated damages, compliance with applicable laws, violations 16 of confidential information obligations, or contractual 17 obligations of the vendor pertaining to indemnification shall 18 be void as a matter of law as contrary to public policy. A 19 contractual limit of vendor liability that does not apply 20 equally to the contracted parties or that limits a vendors 21 liability to less than the contract value inclusive of all 22 possible extensions is void as a matter of law as contrary to 23 public policy. 24 Sec. 7. NEW SECTION . 8.97 Confidentiality of communications 25 with chief information security officer. 26 In the interest of facilitating communication between 27 the chief information security officer and other entities 28 concerning security incidents and security breaches, all such 29 communications and any documents generated based in whole or in 30 part on such communications are confidential. Notwithstanding 31 chapter 22 or any other provision of law to the contrary, the 32 department shall not release such communications pursuant to 33 state open records laws, and such communications shall not be 34 received into evidence, subject to discovery, or otherwise 35 -7- LSB 1362SV (2) 91 sc/ns 7/ 15
S.F. 307 used in a trial, hearing, or other proceeding in or before any 1 court, regulatory body, or other authority of the state or a 2 political subdivision of the state, unless the communications 3 are subject to a protective order that prohibits further 4 disclosure of such communications and requires any court 5 filings of such communications to be made under seal. It is 6 the intent of the general assembly that these prohibitions and 7 restrictions also apply to federal courts, regulatory bodies, 8 and other authorities and for purposes of federal open records 9 laws, to the extent allowed by federal law and court rules. 10 The chief information security officer shall not release such 11 communications other than for any of the following purposes: 12 1. Identifying a cybersecurity threat, including the source 13 of the cybersecurity threat, or a security vulnerability, and 14 then only to government officials for purposes of addressing 15 the threat. 16 2. Responding to, or otherwise preventing or mitigating, 17 a specific threat of death, serious bodily harm, or serious 18 economic harm. 19 3. Responding to, investigating, prosecuting, or otherwise 20 preventing or mitigating a serious threat to a minor, including 21 sexual exploitation and threats to physical safety. 22 4. Preventing, investigating, disrupting, or prosecuting an 23 offense under state or federal law. 24 5. Providing a confidential cybersecurity briefing to the 25 governor or a member of the general assembly. 26 Sec. 8. NEW SECTION . 8.98 Criminal justice information. 27 1. The department is authorized to maintain an integrated 28 information system that enables automated data sharing among 29 the executive branch, judicial branch, and local agencies. 30 2. The department is designated as the Iowa statistical 31 analysis center for the purpose of coordinating with data 32 resource agencies to provide data and analytical information 33 to federal, state, and local governments. Notwithstanding any 34 other provision of state law to the contrary, unless prohibited 35 -8- LSB 1362SV (2) 91 sc/ns 8/ 15
S.F. 307 by federal law or regulation, the department shall be granted 1 access, for purposes of research and evaluation, to all of 2 the data listed in this subsection, except that intelligence 3 data and peace officer investigative reports maintained 4 by the department of public safety shall not be considered 5 data for the purposes of this section. The department of 6 management and any record, data, or information obtained by the 7 department under this subsection is subject to the federal and 8 state confidentiality laws and rules, including as described 9 in chapter 22, applicable to the original record, data, or 10 information, and to the original custodian of the record, 11 data, or information. Authorized access under this subsection 12 includes but is not limited to all of the following: 13 a. Juvenile court records and all other information 14 maintained under sections 232.147 through 232.151. 15 b. Child abuse information under sections 235A.15 through 16 235A.19. 17 c. Dependent adult abuse records maintained under chapter 18 235B. 19 d. Criminal history data maintained under chapter 692. 20 e. Sex offender registry information maintained under 21 chapter 692A. 22 f. Presentence investigation reports maintained under 23 section 901.4. 24 g. Corrections records maintained under sections 904.601 and 25 904.602. 26 h. Community-based correctional program records maintained 27 under chapter 904. 28 i. Parole records maintained under chapter 906. 29 j. Deferred judgment, deferred or suspended sentence, and 30 probation records maintained under chapter 907. 31 k. Violation of parole or probation records maintained under 32 chapter 908. 33 l. Fine and victim restitution records maintained under 34 chapters 909 and 910. 35 -9- LSB 1362SV (2) 91 sc/ns 9/ 15
S.F. 307 m. Child welfare records maintained under chapter 235. 1 3. The department is authorized to provide data analysis and 2 reporting on issues that may affect the states correctional 3 population and various subgroups of the population. This 4 reporting may include the review of filed, public legislative 5 bills, joint resolutions, and amendments, and compiling 6 criminal justice data for completion of correctional impact 7 statements under section 2.56, racial impact statements, and an 8 annual prison population forecast. 9 4. The department is authorized to maintain a multiagency 10 information system to track the progress of juveniles and 11 adults who have been charged with a criminal offense in 12 the court system through various state and local agencies 13 and programs. This system must utilize existing databases, 14 including the Iowa court information system, the Iowa 15 corrections offender network, the child welfare information 16 system of the department of health and human services, 17 the federally mandated national adoption and foster care 18 information system, and other state and local databases 19 pertaining to juveniles and to adults who have been charged 20 with a criminal offense in the court system, to the extent 21 practicable. 22 5. The multiagency information system is authorized to 23 count and track decision points for juveniles in the juvenile 24 justice system and minors in the child welfare system, evaluate 25 the experiences of the juveniles and minors, and evaluate 26 the success of the services provided. The system is also 27 authorized to count and track decision points for adults who 28 have been charged with a criminal offense in the court system, 29 including but not limited to dismissed charges, convictions, 30 deferred judgments, and sentence information. 31 6. If the department has insufficient moneys or resources 32 to implement this section, the department is authorized to 33 determine which portion of this section may be implemented, if 34 any, and the remainder of this section shall not apply. 35 -10- LSB 1362SV (2) 91 sc/ns 10/ 15
S.F. 307 Sec. 9. NEW SECTION . 8.99 Confidentiality of data. 1 1. For purposes of chapter 22, the department shall not be 2 deemed to be the lawful custodian of records the department 3 maintains for another department or establishment under this 4 subchapter, to the extent the records in question are held 5 by the department as an automated data processing unit of 6 government or held by the department solely for storage for 7 another department or establishment. Such records include but 8 are not limited to all of the following: 9 a. Electronic messaging system data. 10 b. Mainframe data. 11 c. Storage solutions or other electronic information, such 12 as on-premises server data storage and cloud data storage. 13 2. If the department receives a request pursuant to chapter 14 22 for records over which the department has determined it is 15 not the lawful custodian, the department shall deny the request 16 and inform the requester to seek the information from the 17 lawful custodian as provided in chapter 22. The departments 18 determination that it is not the lawful custodian of records is 19 presumed valid. The presumption may be rebutted by clear and 20 convincing evidence to the contrary. 21 3. The department shall provide assistance to the lawful 22 custodian of records held by the department so that the lawful 23 custodian can comply with the production obligations of chapter 24 22. 25 4. If the department receives a subpoena in an 26 administrative, civil, or criminal case for records for which 27 the department is not the lawful custodian, the department 28 shall notify the lawful custodian and the attorney generals 29 office and cooperate in any efforts to resist the subpoena. 30 Sec. 10. Section 216A.131A, Code 2025, is amended to read 31 as follows: 32 216A.131A Criminal and juvenile justice planning. 33 The department shall fulfill the responsibilities of 34 this subchapter , including the duties specified in sections 35 -11- LSB 1362SV (2) 91 sc/ns 11/ 15
S.F. 307 216A.133, 216A.135 , 216A.136 , 216A.137 , 216A.138 , and 216A.140 . 1 Sec. 11. Section 216A.133, subsection 1, paragraphs d, e, f, 2 l, and t, Code 2025, are amended by striking the paragraphs. 3 Sec. 12. Section 216A.133, subsection 1, paragraph q, 4 subparagraphs (1) and (6), Code 2025, are amended by striking 5 the subparagraphs. 6 Sec. 13. Section 216A.133, subsection 1, paragraph s, Code 7 2025, is amended to read as follows: 8 s. Provide expertise and advice to the legislative 9 services agency, the department of management, the department 10 of corrections, the judicial branch, and others charged 11 with formulating fiscal, correctional, or minority impact 12 statements. 13 Sec. 14. Section 216A.135, subsection 2, paragraph e, Code 14 2025, is amended by striking the paragraph. 15 Sec. 15. Section 232.147, subsection 2, paragraph i, Code 16 2025, is amended to read as follows: 17 i. The statistical analysis center for the purposes stated 18 in section 216A.136 8.98 . 19 Sec. 16. Section 232.147, subsection 3, paragraph n, Code 20 2025, is amended to read as follows: 21 n. The statistical analysis center for the purposes stated 22 in section 216A.136 8.98 . 23 Sec. 17. Section 232.147, subsection 4, paragraph i, Code 24 2025, is amended to read as follows: 25 i. The statistical analysis center for the purposes stated 26 in section 216A.136 8.98 . 27 Sec. 18. Section 232.149, subsection 5, paragraph f, Code 28 2025, is amended to read as follows: 29 f. The statistical analysis center for the purposes stated 30 in section 216A.136 8.98 . 31 Sec. 19. Section 232.149A, subsection 3, paragraph m, Code 32 2025, is amended to read as follows: 33 m. The statistical analysis center for the purposes stated 34 in section 216A.136 8.98 . 35 -12- LSB 1362SV (2) 91 sc/ns 12/ 15
S.F. 307 Sec. 20. REPEAL. Sections 216A.136, 216A.137, and 1 216A.138, Code 2025, are repealed. 2 Sec. 21. APPLICABILITY. The following apply to contracts 3 entered into or renewed on or after the effective date of this 4 Act: 5 1. The section of this Act enacting section 8.94. 6 2. The section of this Act enacting section 8.95. 7 3. The section of this Act enacting section 8.96. 8 EXPLANATION 9 The inclusion of this explanation does not constitute agreement with 10 the explanations substance by the members of the general assembly. 11 This bill relates to matters under the purview of the 12 department of management (DOM). 13 Under current law, the governors budget recommendation is 14 considered confidential by the legislative services agency 15 until it is made public by the governor. The bill states that 16 information transmitted by state entities to DOM for developing 17 the budget as required by law, and documents based on the 18 transmittals, are confidential until the governor transmits the 19 budget to the general assembly. 20 The bill strikes current law providing for the use of moneys 21 in the technology reinvestment fund for certain technology 22 projects and instead appropriates moneys in the fund to DOM for 23 technology projects using factors set forth in the bill. The 24 bill requires DOM to provide a prioritized list of proposed 25 projects to the governor, who must use the list to develop 26 a budgetary recommendation to the general assembly, and to 27 report completed and ongoing projects to the general assembly 28 annually. 29 The bill increases the frequency at which a person 30 performing work for DOM or an individual on the information 31 technology staff of a supported entity may be subject to a 32 national criminal history check through the federal bureau of 33 investigation from at least once every 10 years to every 5 34 years. 35 -13- LSB 1362SV (2) 91 sc/ns 13/ 15
S.F. 307 The bill prohibits the inclusion of certain provisions in 1 information technology contracts and declares those provisions 2 void if present in such contracts. The bill also provides that 3 such contracts are deemed to include provisions requiring the 4 contract to be governed by Iowa law and litigation related to 5 the contract to be brought and maintained in Polk county. The 6 bill authorizes the director of DOM to include limitations of 7 vendor liability in information technology goods and services 8 contracts, but sets forth prohibited terms in such limitations 9 of liability. 10 The bill makes all communication concerning cybersecurity 11 between the chief information security officer and other 12 entities confidential and allows the communications to be 13 released only for specific purposes. 14 Under current law, the department of health and human 15 services serves as the Iowa statistical analysis center and 16 maintains an integrated information system for data sharing 17 among federal, state, and local governments. The bill 18 transfers these powers and duties to DOM and grants DOM access 19 to criminal justice information other than intelligence data 20 and peace officer investigative reports maintained by the 21 department of public safety. DOM is authorized to provide 22 data analysis and reporting on issues that may affect the 23 states correctional population and various subgroups of the 24 population, to maintain a multiagency information system to 25 track the progress of juveniles and adults charged with a 26 criminal offense through state and local agencies and programs, 27 and to count and track decision points for individuals in 28 the juvenile justice system, child welfare system, and 29 court system. If DOM lacks sufficient moneys to perform the 30 authorized tasks of the Iowa statistical analysis center, the 31 bill allows DOM to determine which, if any, to implement. 32 The bill states that DOM is not the lawful custodian under 33 Code chapter 22 (open records) for records DOM maintains in 34 DOMs information technology capacity for other state entities 35 -14- LSB 1362SV (2) 91 sc/ns 14/ 15
S.F. 307 as an automated data processing unit of government or when 1 held by DOM solely for storage for another department or 2 establishment. The bill requires DOM to deny requests for 3 information for which DOM is not the lawful custodian, to 4 provide assistance to the lawful custodian to comply with 5 production obligations, and to cooperate in any efforts to 6 resist associated subpoenas. 7 -15- LSB 1362SV (2) 91 sc/ns 15/ 15