As Amended by Senate Committee
{As Amended by House Committee of the Whole}
Session of 2023
Substitute for HOUSE BILL No. 2077
By Committee on Appropriations
2-9
AN ACT concerning information technology; requiring reporting of
significant cybersecurity incidents; changing membership, terms and
quorum requirements for the information technology executive council;
relating to information technology projects and reporting requirements;
information technology security training and cybersecurity reports;
duties of the chief information security officer; requiring certain
information to be provided to the joint committee on information
technology; amending K.S.A. 46-2102, {74-5704,} 75-7201, 75-7202,
75-7205, 75-7206, 75-7208, 75-7209, 75-7210, 75-7211, 75-7237, 75-
7238, 75-7239, 75-7240 and 75-7242 and repealing the existing
sections.
Be it enacted by the Legislature of the State of Kansas:
New Section 1. (a) {Except as provided in subsection (b),} any
entity that transmits, receives, processes or stores personal information that
is provided by the state of Kansas or supports information systems
operated by the state of Kansas or any governmental entity that accesses
information systems operated by the state of Kansas that has a significant
cybersecurity incident shall, not later than 12 48 hours after the discovery
of the significant cybersecurity incident, notify the Kansas information
security office and, if the significant cybersecurity incident involves
election data, the secretary of state.
(b) (1){ Any entity that is connected to the Kansas criminal justice
information system shall report any cybersecurity incident in
accordance with rules and regulations adopted by the Kansas criminal
justice information system committee pursuant to K.S.A. 74-5704, and
amendments thereto.}
{(2) An entity that is connected to the Kansas criminal justice
information system and is not connected to any other state of Kansas
information system shall not be required to make the report required
in subsection (a).}
{(3) The Kansas bureau of investigation shall notify the Kansas
information security office of any significant cybersecurity incident
report it receives in accordance with rules and regulations adopted
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34 Sub HB 2077—Am. by SC 2
pursuant to K.S.A. 74-5704, and amendments thereto, not later than
12 48 hours after receipt of such report.}
{(c)(1)} The information provided pursuant to subsection (a) {this
section} shall only be shared with individuals who need to know such
information for response and defensive activities to preserve the integrity
of state information systems and networks or to provide assistance if
requested.
(2) Such information shall be confidential and shall not be subject to
disclosure pursuant to the open records act, K.S.A. 45-215 et seq., and
amendments thereto. This paragraph shall expire on July 1, 2028, unless
the legislature reviews and acts to continue such provision pursuant to
K.S.A. 45-229, and amendments thereto, prior to July 1, 2028.
(3) The Kansas information security office shall only report the
information provided pursuant to subsection (a) {this section} as
aggregate data.
(c){(d)} For the purposes of this section, "significant cybersecurity
incident" means a cybersecurity event, incident, breach, suspected breach
or unauthorized disclsosure {disclosure} that requires the entity to initiate
a response or recovery.
Sec. 2. K.S.A. 46-2102 is hereby amended to read as follows: 46-
2102. In addition to other powers and duties authorized or prescribed by
law or by the legislative coordinating council, the joint committee on
information technology shall:
(a) Study the use by state agencies and institutions of computers,
telecommunications and other information technologies;
(b) review new governmental computer hardware and software
acquisition, information storage, transmission, processing and
telecommunications technologies proposed by state agencies and
institutions, and the implementation plans therefor, including all
information technology project budget estimates and three-year strategic
information technology plans that are submitted to the joint committee
pursuant to K.S.A. 75-7210, and amendments thereto;
(c) advise and consult on all state agency information technology
projects, as defined in K.S.A. 75-7201, and amendments thereto, that pose
a significant business risk as determined by the information technology
executive council's policies and in accordance with K.S.A. 75-7209, and
amendments thereto;
(d) make recommendations on all such implementation plans, budget
estimates, requests for proposals for information technology projects and
three-year plans to the ways and means committee of the senate and the
committee on appropriations of the house of representatives;
(d)(e) study the progress and results of all newly implemented
governmental computer hardware and software, information storage,
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43 Sub HB 2077—Am. by SC 3
transmission, processing and telecommunications technologies of state
agencies and institutions including all information technology projects for
state agencies which have been authorized or for which appropriations
have been approved by the legislature; and
(e)(f) make an annual report to the legislative coordinating council as
provided in K.S.A. 46-1207, and amendments thereto, and such special
reports to committees of the house of representatives and senate as are
deemed appropriate by the joint committee.
{Sec. 3. K.S.A. 74-5704 is hereby amended to read as follows: 74-
5704. The committee shall:
(a) Adopt and enforce such rules, regulations and policies as that
are necessary for the establishment, maintenance, upgrading and
operation of the statewide criminal justice information system; and
(b) adopt rules and regulations that require entities connected to the
Kansas criminal justice information system to report any cybersecurity
incident to the Kansas bureau of investigation not later than 12 48 hours
after the discovery of such cybersecurity incident.}
Sec. 3. {4.} K.S.A. 75-7201 is hereby amended to read as follows: 75-
7201. As used in K.S.A. 75-7201 through 75-7212, and amendments
thereto:
(a) "Business risk" means the overall level of risk determined by a
business risk assessment that includes, but is not limited to, cost,
information security and other elements as determined by the information
technology executive council's policies.
(b) "Cumulative cost" means the total expenditures, from all sources,
for any information technology project by one or more state agencies to
meet project objectives from project start to project completion or the date
and time the project is terminated if it is not completed.
(b)(c) "Executive agency" means any state agency in the executive
branch of government.
(c)(d) "Information technology project" means a project for a major
computer, telecommunications or other information technology
improvement with an estimated cumulative cost of $250,000 or more and
includes any such project that has proposed expenditures for: (1) New or
replacement equipment or software; (2) upgrade improvements to existing
equipment and any computer systems, programs or software upgrades
therefor; or (3) data or consulting or other professional services for such a
project an information technology effort by a state agency of defined and
limited duration that implements, effects a change in or presents a risk to
processes, services, security, systems, records, data, human resources or
architecture.
(d)(e) "Information technology project change or overrun" means any
of the following any change in:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43 Sub HB 2077—Am. by SC 4
(1) Any change in Planned expenditures for an information
technology project that would result in the total authorized cost of the
project being increased above the currently authorized cost of such project
by more than either $1,000,000 or 10% of such currently authorized cost
of such project, whichever is lower or an established threshold within the
information technology executive council's policies;
(2) any change in the scope or project timeline of an information
technology project, as such scope or timeline was presented to and
reviewed by the joint committee or the chief information technology
officer to whom the project was submitted pursuant to K.S.A. 75-7209,
and amendments thereto, that is a change of more than 10% or a change
that is significant as determined by the information technology executive
council's policies; or
(3) any change in the proposed use of any new or replacement
information technology equipment or in the use of any existing
information technology equipment that has been significantly upgraded.
(e)(f) "Joint committee" means the joint committee on information
technology.
(f)(g) "Judicial agency" means any state agency in the judicial branch
of government.
(g)(h) "Legislative agency" means any state agency in the legislative
branch of government.
(h)(i) "Project" means a planned series of events or activities that is
intended to accomplish a specified outcome in a specified time period,
under consistent management direction within a state agency or shared
among two or more state agencies, and that has an identifiable budget for
anticipated expenses.
(i)(j) "Project completion" means the date and time when the head of
a state agency having primary responsibility for an information technology
project certifies that the improvement being produced or altered under the
project is ready for operational use.
(j)(k) "Project start" means the date and time when a state agency
begins a formal study of a business process or technology concept to
assess the needs of the state agency, determines project feasibility or
prepares an information technology project budget estimate under K.S.A.
75-7209, and amendments thereto.
(k)(l) "State agency" means any state office or officer, department,
board, commission, institution or bureau, or any agency, division or unit
thereof.
Sec. 4. {5.} K.S.A. 75-7202 is hereby amended to read as follows: 75-
7202. (a) There is hereby established the information technology executive
council which shall be attached to the office of information technology
services for purposes of administrative functions.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43 Sub HB 2077—Am. by SC 5
(b) (1) The council shall be composed of 17 voting members as
follows:
(A) Two cabinet agency heads or such persons' designees;
(B) two noncabinet agency heads or such persons' designees;
(C) the executive chief information technology officer;
(D) the legislative chief information technology officer;
(E) the judicial chief information technology officer;
(F) the chief executive officer of the state board of regents or such
person's designee;
(G) one representative of cities;
(H) one representative of counties; the network manager of the
information network of Kansas (INK);
(I) one representative with background and knowledge in technology
and cybersecurity from the private sector, however, except that such
representative or such representative's employer shall not be an
information technology or cybersecurity vendor that does business with
the state of Kansas;
(J) one representative appointed by the Kansas criminal justice
information system committee;
(K) one member of the senate ways and means committee appointed
by the president of the senate or such member's designee;
(L) one member of the senate ways and means committee appointed
by the minority leader of the senate or such member's designee;
(M) one member of the house government, technology and security
committee or its successor committee of representatives appointed by the
speaker of the house of representatives or such member's designee; and
(N) one member of the house government, technology and security
committee or its successor committee of representatives appointed by the
minority leader of the house of representatives or such member's designee.
(2) The chief information technology architect shall be a nonvoting
member of the council.
(3) The cabinet agency heads, the noncabinet agency heads, the
representative of cities, the representative of counties and the
representative from the private sector shall be appointed by the governor
for a term not to exceed 18 months. Upon expiration of an appointed
member's term, the member shall continue to hold office until the
appointment of a successor. Legislative members shall remain members of
the legislature in order to retain membership on the council and shall
serve until replaced pursuant to this section. Vacancies of members during
a term shall be filled in the same manner as the original appointment only
for the unexpired part of the term. The appointing authority for a member
may remove the member, reappoint the member or substitute another
appointee for the member at any time. Nonappointed members shall serve
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43 Sub HB 2077—Am. by SC 6
ex officio.
(c) The chairperson of the council shall be drawn from the chief
information technology officers, with each chief information technology
officer serving a one-year term. The term of chairperson shall rotate
among the chief information technology officers on an annual basis.
(d) The council shall hold quarterly meetings and hearings in the city
of Topeka or at such other places as the council designates, on call of the
executive chief information technology officer or on request of four or
more members. A quorum of the council shall be nine. All actions of the
council shall be taken by a majority of all of the members of the council.
(e) Except for members specified as a designee in subsection (b),
members of the council may not appoint an individual to represent them
on the council and only members of the council may vote.
(f) Members of the council shall receive mileage, tolls and parking as
provided in K.S.A. 75-3223, and amendments thereto, for attendance at
any meeting of the council or any subcommittee meeting authorized by the
council.
Sec. 5. {6.} K.S.A. 75-7205 is hereby amended to read as follows: 75-
7205. (a) There is hereby established within and as a part of the office of
information technology services the position of executive chief
information technology officer. The executive chief information
technology officer shall be in the unclassified service under the Kansas
civil service act, shall be appointed by the governor, and shall receive
compensation in an amount fixed by the governor. The executive chief
information technology officer shall maintain a presence in any cabinet
established by the governor and shall report to the governor.
(b) The executive chief information technology officer shall:
(1) Review and consult with each executive agency regarding
information technology plans, deviations from the state information
technology architecture, information technology project estimates and
information technology project changes and overruns submitted by such
agency pursuant to K.S.A. 75-7209, and amendments thereto, to determine
whether the agency has complied with:
(A) The information technology resource policies and procedures and
project management methodologies adopted by the information technology
executive council;
(B) the information technology architecture adopted by the
information technology executive council;
(C) the standards for data management adopted by the information
technology executive council; and
(D) the strategic information technology management plan adopted
by the information technology executive council;
(2) report to the chief information technology architect all deviations
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43 Sub HB 2077—Am. by SC 7
from the state information architecture that are reported to the executive
information technology officer by executive agencies;
(3) submit recommendations to the division of the budget as to the
technical and management merit of information technology project
estimates projects and information technology project changes and
overruns submitted by executive agencies that are reportable pursuant to
K.S.A. 75-7209, and amendments thereto, based on the determinations
made pursuant to subsection (b)(1);
(4) monitor executive agencies' compliance with:
(A) The information technology resource policies and procedures and
project management methodologies adopted by the information technology
executive council;
(B) the information technology architecture adopted by the
information technology executive council;
(C) the standards for data management adopted by the information
technology executive council; and
(D) the strategic information technology management plan adopted
by the information technology executive council;
(5) coordinate implementation of new information technology among
executive agencies and with the judicial and legislative chief information
technology officers;
(6) designate the ownership of information resource processes and the
lead agency for implementation of new technologies and networks shared
by multiple agencies within the executive branch of state government; and
(7) perform such other functions and duties as provided by law or as
directed by the governor.
Sec. 6. {7.} K.S.A. 75-7206 is hereby amended to read as follows: 75-
7206. (a) There is hereby established within and as a part of the office of
the state judicial administrator the position of judicial chief information
technology officer. The judicial chief information technology officer shall
be appointed by the judicial administrator, subject to approval of the chief
justice, and shall receive compensation determined by the judicial
administrator, subject to approval of the chief justice.
(b) The judicial chief information technology officer shall:
(1) Review and consult with each judicial agency regarding
information technology plans, deviations from the state information
technology architecture, information technology project estimates and
information technology project changes and overruns submitted by such
agency pursuant to K.S.A. 75-7209, and amendments thereto, to determine
whether the agency has complied with:
(A) The information technology resource policies and procedures and
project management methodologies adopted by the information technology
executive council;
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43 Sub HB 2077—Am. by SC 8
(B) the information technology architecture adopted by the
information technology executive council;
(C) the standards for data management adopted by the information
technology executive council; and
(D) the strategic information technology management plan adopted
by the information technology executive council;
(2) report to the chief information technology architect all deviations
from the state information architecture that are reported to the judicial
information technology officer by judicial agencies;
(3) submit recommendations to the judicial administrator as to the
technical and management merit of information technology project
estimates projects and information technology project changes and
overruns submitted by judicial agencies that are reportable pursuant to
K.S.A. 75-7209, and amendments thereto, based on the determinations
pursuant to subsection (b)(1);
(4) monitor judicial agencies' compliance with:
(A) The information technology resource policies and procedures and
project management methodologies adopted by the information technology
executive council;
(B) the information technology architecture adopted by the
information technology executive council;
(C) the standards for data management adopted by the information
technology executive council; and
(D) the strategic information technology management plan adopted
by the information technology executive council;
(5) coordinate implementation of new information technology among
judicial agencies and with the executive and legislative chief information
technology officers;
(6) designate the ownership of information resource processes and the
lead agency for implementation of new technologies and networks shared
by multiple agencies within the judicial branch of state government; and
(7) perform such other functions and duties as provided by law or as
directed by the judicial administrator.
Sec. 7. {8.} K.S.A. 75-7208 is hereby amended to read as follows: 75-
7208. The legislative chief information technology officer shall:
(a) Review and consult with each legislative agency regarding
information technology plans, deviations from the state information
technology architecture, information technology project estimates and
information technology project changes and overruns submitted by such
agency pursuant to K.S.A. 75-7209, and amendments thereto, to determine
whether the agency has complied with the:
(1)The Information technology resource policies and procedures and
project management methodologies adopted by the information technology
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43 Sub HB 2077—Am. by SC 9
executive council;
(2)the information technology architecture adopted by the
information technology executive council;
(3)the standards for data management adopted by the information
technology executive council; and
(4)the strategic information technology management plan adopted by
the information technology executive council;
(b) report to the chief information technology architect all deviations
from the state information architecture that are reported to the legislative
information technology officer by legislative agencies;
(c) submit recommendations to the legislative coordinating council as
to the technical and management merit of information technology project
estimates projects and information technology project changes and
overruns submitted by legislative agencies that are reportable pursuant to
K.S.A. 75-7209, and amendments thereto, based on the determinations
pursuant to subsection (a);
(d) monitor legislative agencies' compliance with the:
(1) The Information technology resource policies and procedures and
project management methodologies adopted by the information technology
executive council;
(2) the information technology architecture adopted by the
information technology executive council;
(3) the standards for data management adopted by the information
technology executive council; and
(4) the strategic information technology management plan adopted by
the information technology executive council;
(e) coordinate implementation of new information technology among
legislative agencies and with the executive and judicial chief information
technology officers;
(f) designate the ownership of information resource processes and the
lead agency for implementation of new technologies and networks shared
by multiple agencies within the legislative branch of state government;
(g) serve as staff of the joint committee; and
(h) perform such other functions and duties as provided by law or as
directed by the legislative coordinating council or the joint committee.
Sec. 8. {9.} K.S.A. 75-7209 is hereby amended to read as follows: 75-
7209. (a) (1) Whenever an agency proposes an information technology
project, such agency shall prepare and submit information technology
project documentation to the chief information technology officer of the
branch of state government of which the agency is a part of a project
budget estimate therefor, and for each amendment or revision thereof, in
accordance with this section. Each information technology project budget
estimate shall be in such form as required by the director of the budget, in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43 Sub HB 2077—Am. by SC 10
consultation with the chief information technology architect, and by this
section. In each case, the agency shall prepare and include as a part of such
project budget estimate a plan consisting of a written program statement
describing the project. The program statement shall:
(1) Include a detailed description of and justification for the project,
including: (A) An analysis of the programs, activities and other needs and
intended uses for the additional or improved information technology; (B) a
statement of project scope including identification of the organizations and
individuals to be affected by the project and a definition of the
functionality to result from the project; and (C) an analysis of the
alternative means by which such information technology needs and uses
could be satisfied;
(2) describe the tasks and schedule for the project and for each phase
of the project, if the project is to be completed in more than one phase;
(3) include a financial plan showing: (A) The proposed source of
funding and categorized expenditures for each phase of the project; and
(B) cost estimates for any needs analyses or other investigations,
consulting or other professional services, computer programs, data,
equipment, buildings or major repairs or improvements to buildings and
other items or services necessary for the project; and
(4) include a cost-benefit statement based on an analysis of
qualitative as well as financial benefits. Such information technology
project documentation shall:
(A) Include a financial plan showing the proposed source of funding
and categorized expenditures for each phase of the project and cost
estimates for any needs analyses or other investigations, consulting or
other professional services, computer programs, data, equipment,
buildings or major repairs or improvements to buildings and other items
or services necessary for the project; and
(B) be consistent with:
(i) Information technology resource policies and procedures and
project management methodologies for all state agencies;
(ii) an information technology architecture, including
telecommunications systems, networks and equipment, that covers all state
agencies;
(iii) standards for data management for all state agencies; and
(iv) a strategic information technology management plan for the
state.
(2) Any information technology project with significant business risk,
as determined pursuant to the information technology executive council's
policies, shall be presented to the joint committee on information
technology by such branch chief information technology officer.
(b) (1) Before one or more state agencies proposing an information
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43 Sub HB 2077—Am. by SC 11
technology project begin implementation of the project, the project plan,
including the architecture and the cost-benefit analysis, shall be approved
by the head of each state agency proposing the project and by the chief
information technology officer of each branch of state government of
which the agency or agencies are a part. Approval of those projects that
involve telecommunications services shall also be subject to the provisions
of K.S.A. 75-4709, 75-4710 and 75-4712, and amendments thereto.
(2) All specifications for bids or proposals related to an approved
information technology project of one or more state agencies shall be
reviewed by the chief information technology officer of each branch of
state government of which the agency or agencies are a part Prior to the
release of any request for proposal for an information technology project
with significant business risk:
(A) Specifications for bids or proposals for such project shall be
submitted to the chief information technology officer of the branch of state
government of which the agency or agencies are a part. Information
technology projects requiring chief information technology officer
approval shall also require the chief information technology officer's
written approval on specifications for bids or proposals; and
(B) (i) The chief information technology officer of the appropriate
branch over the state agency or agencies that are involved in such project
shall submit the project, the project plan, including the architecture, and
the cost-benefit analysis to the joint committee on information technology
to advise and consult on the project. Such chief information technology
officer shall submit such information to each member of the joint
committee and to the director of the legislative research department. Each
such project plan summary shall include a notice specifying the date the
summary was mailed or emailed. After receiving any such project plan
summary, each member shall review the information and may submit
questions, requests for additional information or request a presentation
and review of the proposed project at a meeting of the joint committee. If
two or more members of the joint committee contact the director of the
legislative research department within seven business days of the date
specified in the summary description and request that the joint committee
schedule a meeting for such presentation and review, then the director of
the legislative research department shall notify the chief information
technology officer of the appropriate branch, the head of such agency and
the chairperson of the joint committee that a meeting has been requested
for such presentation and review on the next business day following the
members' contact with the director of the legislative research department.
Upon receiving such notification, the chairperson shall call a meeting of
the joint committee as soon as practicable for the purpose of such
presentation and review and shall furnish the chief information technology
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43 Sub HB 2077—Am. by SC 12
officer of the appropriate branch and the head of such agency with notice
of the time, date and place of the meeting. Except as provided in
subsection (b)(1)(B)(ii), the state agency shall not authorize or approve
the release of any request for proposal or other bid event for an
information technology project without having first advised and consulted
with the joint committee at a meeting.
(ii) The state agency or agencies shall be deemed to have advised
and consulted with the joint committee about such proposed release of any
request for proposal or other bid event for an information technology
project and may authorize or approve such proposed release of any
request for proposal or other bid event for an information technology
project if:
(a) Fewer than two members of the joint committee contact the
director of the legislative research department within seven business days
of the date the project plan summary was mailed and request a committee
meeting for a presentation and review of any such proposed request for
proposal or other bid event for an information technology project; or
(b) a committee meeting is requested by at least two members of the
joint committee pursuant to this paragraph, but such meeting does not
occur within two calendar weeks of the chairperson receiving the
notification from the director of the legislative research department of a
request for such meeting.
(3)(2) (A) Agencies are prohibited from contracting with a vendor to
implement the project if that vendor prepared or assisted in the preparation
of the program statement required under subsection (a), the project
planning documents required under subsection (b)(1), or any other project
plans prepared prior to the project being approved by the chief information
technology officer as required under subsection (b)(1) by this section.
(B) Information technology projects with an estimated cumulative
cost of less than $5,000,000 are exempted from the provisions of
subparagraph (A).
(C) The provisions of subparagraph (A) may be waived with prior
written permission from the chief information technology officer.
(c) Annually at the time specified by the chief information technology
officer of the branch of state government of which the agency is a part,
each agency shall submit to such officer:
(1) A copy of a three-year strategic information technology plan that
sets forth the agency's current and future information technology needs
and utilization plans for the next three ensuing fiscal years, in such form
and containing such additional information as prescribed by the chief
information technology officer; and
(2) any deviations from the state information technology architecture
adopted by the information technology executive council.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43 Sub HB 2077—Am. by SC 13
(d) The provisions of this section shall not apply to the information
network of Kansas (INK).
Sec. 9. {10.} K.S.A. 75-7210 is hereby amended to read as follows:
75-7210. (a) Not later than October November 1 of each year, the
executive, judicial and legislative chief information technology officers
shall submit to the joint committee and to the legislative research
department all information technology project budget estimates and
amendments and revisions thereto, all three-year plans and all deviations
from the state information technology architecture submitted to such
officers pursuant to K.S.A. 75-7209, and amendments thereto. The
legislative chief information technology officer joint committee shall
review all such estimates and amendments and revisions thereto, plans and
deviations and shall make recommendations to the joint committee house
standing committee on appropriations and the senate standing committee
on ways and means regarding the merit thereof and appropriations
therefor.
(b) The executive and judicial chief information technology officers
shall report to the legislative chief information technology officer, at times
agreed upon by the three officers:
(1) Progress regarding implementation of information technology
projects of state agencies within the executive and judicial branches of
state government; and
(2) all proposed expenditures for such projects, including all revisions
to such proposed expenditures, for the current fiscal year and for ensuing
fiscal years.
Sec. 10. {11.} K.S.A. 75-7211 is hereby amended to read as follows:
75-7211. (a) The legislative chief information technology officer, under the
direction of the joint committee, shall monitor state agency execution of
reported information technology projects and, at times agreed upon by.
The joint committee shall require the three chief information technology
officers, shall to report progress regarding the implementation of such
projects and all proposed expenditures therefor, including all revisions to
such proposed expenditures for the current fiscal year and for ensuing
fiscal years.
(b) For information technology projects, the joint committee may:
(1) Require the head of a any state agency with primary responsibility
for an information technology project may authorize or approve, without
prior consultation with the joint committee, any change in planned
expenditures for an information technology project that would result in the
total cost of the project being increased above the currently authorized cost
of such project but that increases the total cost of such project by less than
the lower of either $1,000,000 or 10% of the currently authorized cost, and
any change in planned expenditures for an information technology project
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43 Sub HB 2077—Am. by SC 14
involving a cost reduction, other than a change in the proposed use of any
new or replacement information technology equipment or in the use of any
existing information technology equipment that has been significantly
upgraded to advise and consult on the status and progress of such
information technology project, including revisions to expenditures for the
current fiscal year and ensuing fiscal years; and
(2) report on the status and progress of such information technology
projects to the senate standing committee on ways and means, the house of
representatives standing committee on appropriations and the legislative
budget committee.
(c) Prior to authorizing or approving any information technology
project change or overrun, the head of a state agency with primary
responsibility for an such information technology project shall not
authorize or approve, without first advising and consulting with the joint
committee any information technology project change or overrun report
all such information technology project changes or overruns to the joint
committee through the chief information technology officer of the branch
of state government of which the agency is a part pursuant to the
information technology executive council's policy. The joint committee
shall report all such changes and overruns to the senate standing
committee on ways and means and, the house of representatives standing
committee on appropriations and the legislative budget committee.
Sec. 11. {12.} K.S.A. 75-7237 is hereby amended to read as follows:
75-7237. As used in K.S.A. 75-7236 through 75-7243, and amendments
thereto:
(a) "Act" means the Kansas cybersecurity act.
(b) "Breach" or "breach of security" means unauthorized access of
data in electronic form containing personal information. Good faith access
of personal information by an employee or agent of an executive branch
agency does not constitute a breach of security, provided that the
information is not used for a purpose unrelated to the business or subject to
further unauthorized use.
(c) "CISO" means the executive branch chief information security
officer.
(d) "Cybersecurity" is the body of information technologies,
processes and practices designed to protect networks, computers, programs
and data from attack, damage or unauthorized access.
(e) "Cybersecurity positions" do not include information technology
positions within executive branch agencies.
(f) "Data in electronic form" means any data stored electronically or
digitally on any computer system or other database and includes
recordable tapes and other mass storage devices.
(g) "Executive branch agency" means any agency in the executive
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43 Sub HB 2077—Am. by SC 15
branch of the state of Kansas, but does not include elected office agencies,
the adjutant general's department, the Kansas public employees retirement
system, regents' institutions, or the board of regents.
(h) "KISO" means the Kansas information security office.
(i) (1) "Personal information" means:
(A) An individual's first name or first initial and last name, in
combination with at least one of the following data elements for that
individual:
(i) Social security number;
(ii) driver's license or identification card number, passport number,
military identification number or other similar number issued on a
government document used to verify identity;
(iii) financial account number or credit or debit card number, in
combination with any security code, access code or password that is
necessary to permit access to an individual's financial account;
(iv) any information regarding an individual's medical history, mental
or physical condition or medical treatment or diagnosis by a healthcare
professional; or
(v) an individual's health insurance policy number or subscriber
identification number and any unique identifier used by a health insurer to
identify the individual; or
(B) a user name or email address, in combination with a password or
security question and answer that would permit access to an online
account.
(2) "Personal information" does not include information:
(A) About an individual that has been made publicly available by a
federal agency, state agency or municipality; or
(B) that is encrypted, secured or modified by any other method or
technology that removes elements that personally identify an individual or
that otherwise renders the information unusable.
(j) "State agency" means the same as defined in K.S.A. 75-7201, and
amendments thereto.
Sec. 12. {13.} K.S.A. 75-7238 is hereby amended to read as follows:
75-7238. (a) There is hereby established the position of executive branch
chief information security officer. The CISO shall be in the unclassified
service under the Kansas civil service act, shall be appointed by the
governor and shall receive compensation in an amount fixed by the
governor.
(b) The CISO shall:
(1) Report to the executive branch chief information technology
officer;
(2) serve as the state's CISO;
(3) serve as the executive branch chief cybersecurity strategist and
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43 Sub HB 2077—Am. by SC 16
authority on policies, compliance, procedures, guidance and technologies
impacting executive branch cybersecurity programs;
(4) ensure Kansas information security office resources assigned or
provided to executive branch agencies are in compliance with applicable
laws and rules and regulations;
(5) coordinate cybersecurity efforts between executive branch
agencies;
(6) provide guidance to executive branch agencies when compromise
of personal information or computer resources has occurred or is likely to
occur as the result of an identified high-risk vulnerability or threat; and
(7) set cybersecurity policy and standards for executive branch
agencies; and
(8) perform such other functions and duties as provided by law and as
directed by the executive chief information technology officer.
Sec. 13. {14.} K.S.A. 75-7239 is hereby amended to read as follows:
75-7239. (a) There is hereby established within and as a part of the office
of information technology services the Kansas information security office.
The Kansas information security office shall be administered by the CISO
and be staffed appropriately to effect the provisions of the Kansas
cybersecurity act.
(b) For the purpose of preparing the governor's budget report and
related legislative measures submitted to the legislature, the Kansas
information security office, established in this section, shall be considered
a separate state agency and shall be titled for such purpose as the "Kansas
information security office." The budget estimates and requests of such
office shall be presented as from a state agency separate from the
department of administration office of information technology services,
and such separation shall be maintained in the budget documents and
reports prepared by the director of the budget and the governor, or either of
them, including all related legislative reports and measures submitted to
the legislature.
(c) Under direction of the CISO, the KISO shall:
(1) Administer the Kansas cybersecurity act;
(2) assist the executive branch in developing, implementing and
monitoring strategic and comprehensive information security risk-
management programs;
(3) facilitate executive branch information security governance,
including the consistent application of information security programs,
plans and procedures;
(4) using standards adopted by the information technology executive
council, create and manage a unified and flexible control framework to
integrate and normalize requirements resulting from applicable state and
federal laws, and rules and regulations;
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43 Sub HB 2077—Am. by SC 17
(5) facilitate a metrics, logging and reporting framework to measure
the efficiency and effectiveness of state information security programs;
(6) provide the executive branch strategic risk guidance for
information technology projects, including the evaluation and
recommendation of technical controls;
(7) assist in the development of executive branch agency
cybersecurity programs that are in to ensure compliance with applicable
state and federal laws and, rules and regulations, executive branch policies
and standards and policies and standards adopted by the information
technology executive council;
(8) perform audits of executive branch agencies for compliance with
applicable state and federal laws, rules and regulations, executive branch
policies and standards and policies and standards adopted by the
information technology executive council;
(9) coordinate the use of external resources involved in information
security programs, including, but not limited to, interviewing and
negotiating contracts and fees;
(9)(10) liaise with external agencies, such as law enforcement and
other advisory bodies as necessary, to ensure a strong security posture;
(10)(11) assist in the development of plans and procedures to manage
and recover business-critical services in the event of a cyberattack or other
disaster;
(11)(12) assist executive branch agencies to create a framework for
roles and responsibilities relating to information ownership, classification,
accountability and protection;
(12)(13) ensure a cybersecurity training program is provided to
executive branch agencies at no cost to the agencies awareness training
program is made available to all branches of state government;
(13) provide cybersecurity threat briefings to the information
technology executive council;
(14) provide an annual status report of executive branch cybersecurity
programs of executive branch agencies to the joint committee on
information technology and the house committee on government,
technology and security; and
(15)(14) perform such other functions and duties as provided by law
and as directed by the CISO.
(d) Results of audits conducted pursuant to subsection (c)(8) shall be
confidential and shall not be subject to discovery or disclosure pursuant to
the open records act, K.S.A. 45-215 et seq., and amendments thereto. The
provisions of this subsection shall expire on July 1, 2028, unless the
legislature reviews and acts to continue such provision pursuant to K.S.A.
45-229, and amendments thereto, prior to July 1, 2028.
Sec. 14. {15.} K.S.A. 75-7240 is hereby amended to read as follows:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43 Sub HB 2077—Am. by SC 18
75-7240. (a) The executive branch agency heads shall:
(a)(1) Be solely responsible for security of all data and information
technology resources under such agency's purview, irrespective of the
location of the data or resources. Locations of data may include:
(1)(A) Agency sites;
(2)(B) agency real property;
(3)(C) infrastructure in state data centers;
(4)(D) third-party locations; and
(5)(E) in transit between locations;
(b)(2) ensure that an agency-wide information security program is in
place;
(c)(3) designate an information security officer to administer the
agency's information security program that reports directly to executive
leadership;
(d)(4) participate in CISO-sponsored statewide cybersecurity program
initiatives and services;
(e)(5) implement policies and standards to ensure that all the agency's
data and information technology resources are maintained in compliance
with applicable state and federal laws and rules and regulations;
(f)(6) implement appropriate cost-effective safeguards to reduce,
eliminate or recover from identified threats to data and information
technology resources;
(g)(7) include all appropriate cybersecurity requirements in the
agency's request for proposal specifications for procuring data and
information technology systems and services;
(h) (1)(8) (A) submit a cybersecurity assessment self-assessment
report to the CISO by October 16 of each even-numbered year, including
an executive summary of the findings, that assesses the extent to which a
computer, a computer program, a computer network, a computer system, a
printer, an interface to a computer system, including mobile and peripheral
devices, computer software, or the data processing of the agency or of a
contractor of the agency is vulnerable to unauthorized access or harm,
including the extent to which the agency's or contractor's electronically
stored information is vulnerable to alteration, damage, erasure or
inappropriate use;
(2)(B) ensure that the agency conducts annual internal assessments of
its security program. Internal assessment results shall be considered
confidential and shall not be subject to discovery by or release to any
person or agency, outside of the KISO or CISO, without authorization
from the executive branch agency director or head. This provision
regarding confidentiality shall expire on July 1, 2023, unless the
legislature reviews and reenacts such provision pursuant to K.S.A. 45-229,
and amendments thereto, prior to July 1, 2023; and
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43 Sub HB 2077—Am. by SC 19
(3)(C) prepare or have prepared a summary financial summary
identifying cybersecurity expenditures addressing the findings of the
cybersecurity assessment self-assessment report required in paragraph (1)
subparagraph (A), excluding information that might put the data or
information resources of the agency or its contractors at risk and submit
such report to the house of representatives committee on government,
technology and security or its successor committee appropriations and the
senate committee on ways and means;
(i) participate in annual agency leadership training to ensure
understanding of: (1) The information and information systems that
support the operations and assets of the agency; (2) The potential impact of
common types of cyberattacks and data breaches on the agency's
operations and assets; (3) how cyberattacks and data breaches on the
agency's operations and assets could impact the operations and assets of
other governmental entities on the state enterprise network; (4) how
cyberattacks and data breaches occur; (5) steps to be undertaken by the
executive director or agency head and agency employees to protect their
information and information systems; and (6) the annual reporting
requirements required of the executive director or agency head; and
(j)(9) ensure that if an agency owns, licenses or maintains
computerized data that includes personal information, confidential
information or information, the disclosure of which is regulated by law,
such agency shall, in the event of a breach or suspected breach of system
security or an unauthorized exposure of that information:
(1)(A) Comply with the notification requirements set out in K.S.A.
2022 Supp. 50-7a01 et seq., and amendments thereto, and applicable
federal laws and rules and regulations, to the same extent as a person who
conducts business in this state; and
(2)(B) not later than 48 hours after the discovery of the breach,
suspected breach or unauthorized exposure, notify: (A)(i) The CISO; and
(B)(ii) if the breach, suspected breach or unauthorized exposure involves
election data, the secretary of state.
(b) The director or head of each state agency shall:
(1) Participate in annual agency leadership training to ensure
understanding of:
(A) The potential impact of common types of cyberattacks and data
breaches on the agency's operations and assets;
(B) how cyberattacks and data breaches on the agency's operations
and assets may impact the operations and assets of other governmental
entities on the state enterprise network;
(C) how cyberattacks and data breaches occur; and
(D) steps to be undertaken by the executive director or agency head
and agency employees to protect their information and information
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43 Sub HB 2077—Am. by SC 20
systems;
(2) ensure that all information technology login credentials are
disabled the same day that any employee ends their employment with the
state; and
(3) require that all employees with access to information technology
receive a minimum of one hour of information technology security training
per year.
(c) (1) The CISO, with input from the joint committee on information
technology and the joint committee on Kansas security, shall develop a
self-assessment report template for use under subsection (a)(8)(A). The
most recent version of such template shall be made available to state
agencies prior to July 1 of each even-numbered year. The CISO shall
aggregate data from the self-assessments received under subsection (a)(8)
(A) and provide a summary of such data to the joint committee on
information technology and the joint committee on Kansas security.
(2) Self-assessment reports made to the CISO pursuant to subsection
(a)(8)(A) shall be confidential and shall not be subject to the provisions of
the Kansas open records act, K.S.A. 45-215 et seq., and amendments
thereto. The provisions of this paragraph shall expire on July 1, 2028,
unless the legislature reviews and reenacts this provision pursuant to
K.S.A. 45-229, and amendments thereto, prior to July 1, 2028.
Sec. 15. {16.} K.S.A. 75-7242 is hereby amended to read as follows:
75-7242. Information collected to effectuate this act shall be considered
confidential by the executive branch agency and KISO all state and local
governmental organizations unless all data elements or information that
specifically identifies a target, vulnerability or weakness that would place
the organization at risk have been redacted, including: (a) System
information logs; (b) vulnerability reports; (c) risk assessment reports; (d)
system security plans; (e) detailed system design plans; (f) network or
system diagrams; and (g) audit reports. The provisions of this section shall
expire on July 1, 2023, unless the legislature reviews and reenacts this
provision pursuant to K.S.A. 45-229, and amendments thereto, prior to
July 1, 2023.
Sec. 16. {17.} K.S.A. 46-2102, {74-5704,} 75-7201, 75-7202, 75-
7205, 75-7206, 75-7208, 75-7209, 75-7210, 75-7211, 75-7237, 75-7238,
75-7239, 75-7240 and 75-7242 are hereby repealed.
Sec. 17. {18.} This act shall take effect and be in force from and after
its publication in the statute book.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38