Kansas 2023-2024 Regular Session

Kansas House Bill HB2077 Compare Versions

The same version is selected twice. Please select two different versions to compare.

Version 1 (Old)

Version 2 (New)

Old	New	Differences
1	1	Session of 2023
2	2	HOUSE BILL No. 2077
3	3	By Joint Committee on Information Technology
4	4	1-18
5	5	AN ACT concerning information technology; relating to information
6	6	technology projects and reporting requirements; information
7	7	technology security training and cybersecurity reports; requiring certain
8	8	information to be provided to the joint committee on information
9	9	technology; amending K.S.A. 46-2102, 75-7201, 75-7205, 75-7206,
10	10	75-7208, 75-7209, 75-7210, 75-7211, 75-7237, 75-7239, 75-7240 and
11	11	75-7242 and repealing the existing sections.
12	12	Be it enacted by the Legislature of the State of Kansas:
13	13	Section 1. K.S.A. 46-2102 is hereby amended to read as follows: 46-
14	14	2102. In addition to other powers and duties authorized or prescribed by
15	15	law or by the legislative coordinating council, the joint committee on
16	16	information technology shall:
17	17	(a) Study the use by state agencies and institutions of computers,
18	18	telecommunications and other information technologies;
19	19	(b) review new governmental computer hardware and software
20	20	acquisition, information storage, transmission, processing and
21	21	telecommunications technologies proposed by state agencies and
22	22	institutions, and the implementation plans therefor, including all
23	23	information technology project budget estimates and three-year strategic
24	24	information technology plans that are submitted to the joint committee
25	25	pursuant to K.S.A. 2000 Supp. 75-7210, and amendments thereto;
26	26	(c) advise and consult on all state agency information technology
27	27	projects, as defined in K.S.A. 75-7201, and amendments thereto, that pose
28	28	a significant business risk as determined by the information technology
29	29	executive council's policies and in accordance with K.S.A. 75-7209, and
30	30	amendments thereto;
31	31	(d) make recommendations on all such implementation plans, budget
32	32	estimates, requests for proposals for information technology projects and
33	33	three-year plans to the ways and means committee of the senate and the
34	34	committee on appropriations of the house of representatives;
35	35	(d)(e) study the progress and results of all newly implemented
36	36	governmental computer hardware and software, information storage,
37	37	transmission, processing and telecommunications technologies of state
38	38	agencies and institutions including all information technology projects for
39	39	state agencies which have been authorized or for which appropriations
40	40	1
41	41	2
42	42	3
43	43	4
44	44	5
45	45	6
46	46	7
47	47	8
48	48	9
49	49	10
50	50	11
51	51	12
52	52	13
53	53	14
54	54	15
55	55	16
56	56	17
57	57	18
58	58	19
59	59	20
60	60	21
61	61	22
62	62	23
63	63	24
64	64	25
65	65	26
66	66	27
67	67	28
68	68	29
69	69	30
70	70	31
71	71	32
72	72	33
73	73	34
74	74	35
75	75	36 HB 2077 2
76	76	have been approved by the legislature; and
77	77	(e)(f) make an annual report to the legislative coordinating council as
78	78	provided in K.S.A. 46-1207, and amendments thereto, and such special
79	79	reports to committees of the house of representatives and senate as are
80	80	deemed appropriate by the joint committee.
81	81	Sec. 2. K.S.A. 75-7201 is hereby amended to read as follows: 75-
82	82	7201. As used in K.S.A. 75-7201 through 75-7212, and amendments
83	83	thereto:
84	84	(a) "Business risk" means the overall level of risk determined by a
85	85	business risk assessment that includes, but is not limited to, cost,
86	86	information security and other elements as determined by the information
87	87	technology executive council's policies.
88	88	(b) "Cumulative cost" means the total expenditures, from all sources,
89	89	for any information technology project by one or more state agencies to
90	90	meet project objectives from project start to project completion or the date
91	91	and time the project is terminated if it is not completed.
92	92	(b)(c) "Executive agency" means any state agency in the executive
93	93	branch of government.
94	94	(c)(d) "Information technology project" means a project for a major
95	95	computer, telecommunications or other information technology
96	96	improvement with an estimated cumulative cost of $250,000 or more and
97	97	includes any such project that has proposed expenditures for: (1) New or
98	98	replacement equipment or software; (2) upgrade improvements to existing
99	99	equipment and any computer systems, programs or software upgrades
100	100	therefor; or (3) data or consulting or other professional services for such a
101	101	project an information technology effort by a state agency of defined and
102	102	limited duration that implements, effects a change in or presents a risk to
103	103	processes, services, security, systems, records, data, human resources or
104	104	architecture.
105	105	(d)(e) "Information technology project change or overrun" means any
106	106	of the following any change in:
107	107	(1) Any change in Planned expenditures for an information
108	108	technology project that would result in the total authorized cost of the
109	109	project being increased above the currently authorized cost of such project
110	110	by more than either $1,000,000 or 10% of such currently authorized cost
111	111	of such project, whichever is lower or an established threshold within the
112	112	information technology executive council's policies;
113	113	(2) any change in the scope or project timeline of an information
114	114	technology project, as such scope or timeline was presented to and
115	115	reviewed by the joint committee or the chief information technology
116	116	officer to whom the project was submitted pursuant to K.S.A. 75-7209,
117	117	and amendments thereto, that is a change of more than 10% or a change
118	118	that is significant as determined by the information technology executive
119	119	1
120	120	2
121	121	3
122	122	4
123	123	5
124	124	6
125	125	7
126	126	8
127	127	9
128	128	10
129	129	11
130	130	12
131	131	13
132	132	14
133	133	15
134	134	16
135	135	17
136	136	18
137	137	19
138	138	20
139	139	21
140	140	22
141	141	23
142	142	24
143	143	25
144	144	26
145	145	27
146	146	28
147	147	29
148	148	30
149	149	31
150	150	32
151	151	33
152	152	34
153	153	35
154	154	36
155	155	37
156	156	38
157	157	39
158	158	40
159	159	41
160	160	42
161	161	43 HB 2077 3
162	162	council's policies; or
163	163	(3) any change in the proposed use of any new or replacement
164	164	information technology equipment or in the use of any existing
165	165	information technology equipment that has been significantly upgraded.
166	166	(e)(f) "Joint committee" means the joint committee on information
167	167	technology.
168	168	(f)(g) "Judicial agency" means any state agency in the judicial branch
169	169	of government.
170	170	(g)(h) "Legislative agency" means any state agency in the legislative
171	171	branch of government.
172	172	(h)(i) "Project" means a planned series of events or activities that is
173	173	intended to accomplish a specified outcome in a specified time period,
174	174	under consistent management direction within a state agency or shared
175	175	among two or more state agencies, and that has an identifiable budget for
176	176	anticipated expenses.
177	177	(i)(j) "Project completion" means the date and time when the head of
178	178	a state agency having primary responsibility for an information technology
179	179	project certifies that the improvement being produced or altered under the
180	180	project is ready for operational use.
181	181	(j)(k) "Project start" means the date and time when a state agency
182	182	begins a formal study of a business process or technology concept to
183	183	assess the needs of the state agency, determines project feasibility or
184	184	prepares an information technology project budget estimate under K.S.A.
185	185	75-7209, and amendments thereto.
186	186	(k)(l) "State agency" means any state office or officer, department,
187	187	board, commission, institution or bureau, or any agency, division or unit
188	188	thereof.
189	189	Sec. 3. K.S.A. 75-7205 is hereby amended to read as follows: 75-
190	190	7205. (a) There is hereby established within and as a part of the office of
191	191	information technology services the position of executive chief
192	192	information technology officer. The executive chief information
193	193	technology officer shall be in the unclassified service under the Kansas
194	194	civil service act, shall be appointed by the governor, and shall receive
195	195	compensation in an amount fixed by the governor. The executive chief
196	196	information technology officer shall maintain a presence in any cabinet
197	197	established by the governor and shall report to the governor.
198	198	(b) The executive chief information technology officer shall:
199	199	(1) Review and consult with each executive agency regarding
200	200	information technology plans, deviations from the state information
201	201	technology architecture, information technology project estimates and
202	202	information technology project changes and overruns submitted by such
203	203	agency pursuant to K.S.A. 75-7209, and amendments thereto, to determine
204	204	whether the agency has complied with:
205	205	1
206	206	2
207	207	3
208	208	4
209	209	5
210	210	6
211	211	7
212	212	8
213	213	9
214	214	10
215	215	11
216	216	12
217	217	13
218	218	14
219	219	15
220	220	16
221	221	17
222	222	18
223	223	19
224	224	20
225	225	21
226	226	22
227	227	23
228	228	24
229	229	25
230	230	26
231	231	27
232	232	28
233	233	29
234	234	30
235	235	31
236	236	32
237	237	33
238	238	34
239	239	35
240	240	36
241	241	37
242	242	38
243	243	39
244	244	40
245	245	41
246	246	42
247	247	43 HB 2077 4
248	248	(A) The information technology resource policies and procedures and
249	249	project management methodologies adopted by the information technology
250	250	executive council;
251	251	(B) the information technology architecture adopted by the
252	252	information technology executive council;
253	253	(C) the standards for data management adopted by the information
254	254	technology executive council; and
255	255	(D) the strategic information technology management plan adopted
256	256	by the information technology executive council;
257	257	(2) report to the chief information technology architect all deviations
258	258	from the state information architecture that are reported to the executive
259	259	information technology officer by executive agencies;
260	260	(3) submit recommendations to the division of the budget as to the
261	261	technical and management merit of information technology project
262	262	estimates projects and information technology project changes and
263	263	overruns submitted by executive agencies that are reportable pursuant to
264	264	K.S.A. 75-7209, and amendments thereto, based on the determinations
265	265	made pursuant to subsection (b)(1);
266	266	(4) monitor executive agencies' compliance with:
267	267	(A) The information technology resource policies and procedures and
268	268	project management methodologies adopted by the information technology
269	269	executive council;
270	270	(B) the information technology architecture adopted by the
271	271	information technology executive council;
272	272	(C) the standards for data management adopted by the information
273	273	technology executive council; and
274	274	(D) the strategic information technology management plan adopted
275	275	by the information technology executive council;
276	276	(5) coordinate implementation of new information technology among
277	277	executive agencies and with the judicial and legislative chief information
278	278	technology officers;
279	279	(6) designate the ownership of information resource processes and the
280	280	lead agency for implementation of new technologies and networks shared
281	281	by multiple agencies within the executive branch of state government; and
282	282	(7) perform such other functions and duties as provided by law or as
283	283	directed by the governor.
284	284	Sec. 4. K.S.A. 75-7206 is hereby amended to read as follows: 75-
285	285	7206. (a) There is hereby established within and as a part of the office of
286	286	the state judicial administrator the position of judicial chief information
287	287	technology officer. The judicial chief information technology officer shall
288	288	be appointed by the judicial administrator, subject to approval of the chief
289	289	justice, and shall receive compensation determined by the judicial
290	290	administrator, subject to approval of the chief justice.
291	291	1
292	292	2
293	293	3
294	294	4
295	295	5
296	296	6
297	297	7
298	298	8
299	299	9
300	300	10
301	301	11
302	302	12
303	303	13
304	304	14
305	305	15
306	306	16
307	307	17
308	308	18
309	309	19
310	310	20
311	311	21
312	312	22
313	313	23
314	314	24
315	315	25
316	316	26
317	317	27
318	318	28
319	319	29
320	320	30
321	321	31
322	322	32
323	323	33
324	324	34
325	325	35
326	326	36
327	327	37
328	328	38
329	329	39
330	330	40
331	331	41
332	332	42
333	333	43 HB 2077 5
334	334	(b) The judicial chief information technology officer shall:
335	335	(1) Review and consult with each judicial agency regarding
336	336	information technology plans, deviations from the state information
337	337	technology architecture, information technology project estimates and
338	338	information technology project changes and overruns submitted by such
339	339	agency pursuant to K.S.A. 75-7209, and amendments thereto, to determine
340	340	whether the agency has complied with:
341	341	(A) The information technology resource policies and procedures and
342	342	project management methodologies adopted by the information technology
343	343	executive council;
344	344	(B) the information technology architecture adopted by the
345	345	information technology executive council;
346	346	(C) the standards for data management adopted by the information
347	347	technology executive council; and
348	348	(D) the strategic information technology management plan adopted
349	349	by the information technology executive council;
350	350	(2) report to the chief information technology architect all deviations
351	351	from the state information architecture that are reported to the judicial
352	352	information technology officer by judicial agencies;
353	353	(3) submit recommendations to the judicial administrator as to the
354	354	technical and management merit of information technology project
355	355	estimates projects and information technology project changes and
356	356	overruns submitted by judicial agencies that are reportable pursuant to
357	357	K.S.A. 75-7209, and amendments thereto, based on the determinations
358	358	pursuant to subsection (b)(1);
359	359	(4) monitor judicial agencies' compliance with:
360	360	(A) The information technology resource policies and procedures and
361	361	project management methodologies adopted by the information technology
362	362	executive council;
363	363	(B) the information technology architecture adopted by the
364	364	information technology executive council;
365	365	(C) the standards for data management adopted by the information
366	366	technology executive council; and
367	367	(D) the strategic information technology management plan adopted
368	368	by the information technology executive council;
369	369	(5) coordinate implementation of new information technology among
370	370	judicial agencies and with the executive and legislative chief information
371	371	technology officers;
372	372	(6) designate the ownership of information resource processes and the
373	373	lead agency for implementation of new technologies and networks shared
374	374	by multiple agencies within the judicial branch of state government; and
375	375	(7) perform such other functions and duties as provided by law or as
376	376	directed by the judicial administrator.
377	377	1
378	378	2
379	379	3
380	380	4
381	381	5
382	382	6
383	383	7
384	384	8
385	385	9
386	386	10
387	387	11
388	388	12
389	389	13
390	390	14
391	391	15
392	392	16
393	393	17
394	394	18
395	395	19
396	396	20
397	397	21
398	398	22
399	399	23
400	400	24
401	401	25
402	402	26
403	403	27
404	404	28
405	405	29
406	406	30
407	407	31
408	408	32
409	409	33
410	410	34
411	411	35
412	412	36
413	413	37
414	414	38
415	415	39
416	416	40
417	417	41
418	418	42
419	419	43 HB 2077 6
420	420	Sec. 5. K.S.A. 75-7208 is hereby amended to read as follows: 75-
421	421	7208. The legislative chief information technology officer shall:
422	422	(a) Review and consult with each legislative agency regarding
423	423	information technology plans, deviations from the state information
424	424	technology architecture, information technology project estimates and
425	425	information technology project changes and overruns submitted by such
426	426	agency pursuant to K.S.A. 75-7209, and amendments thereto, to determine
427	427	whether the agency has complied with the:
428	428	(1)The Information technology resource policies and procedures and
429	429	project management methodologies adopted by the information technology
430	430	executive council;
431	431	(2)the information technology architecture adopted by the
432	432	information technology executive council;
433	433	(3)the standards for data management adopted by the information
434	434	technology executive council; and
435	435	(4)the strategic information technology management plan adopted by
436	436	the information technology executive council;
437	437	(b) report to the chief information technology architect all deviations
438	438	from the state information architecture that are reported to the legislative
439	439	information technology officer by legislative agencies;
440	440	(c) submit recommendations to the legislative coordinating council as
441	441	to the technical and management merit of information technology project
442	442	estimates projects and information technology project changes and
443	443	overruns submitted by legislative agencies that are reportable pursuant to
444	444	K.S.A. 75-7209, and amendments thereto, based on the determinations
445	445	pursuant to subsection (a);
446	446	(d) monitor legislative agencies' compliance with the:
447	447	(1) The Information technology resource policies and procedures and
448	448	project management methodologies adopted by the information technology
449	449	executive council;
450	450	(2) the information technology architecture adopted by the
451	451	information technology executive council;
452	452	(3) the standards for data management adopted by the information
453	453	technology executive council; and
454	454	(4) the strategic information technology management plan adopted by
455	455	the information technology executive council;
456	456	(e) coordinate implementation of new information technology among
457	457	legislative agencies and with the executive and judicial chief information
458	458	technology officers;
459	459	(f) designate the ownership of information resource processes and the
460	460	lead agency for implementation of new technologies and networks shared
461	461	by multiple agencies within the legislative branch of state government;
462	462	(g) serve as staff of the joint committee; and
463	463	1
464	464	2
465	465	3
466	466	4
467	467	5
468	468	6
469	469	7
470	470	8
471	471	9
472	472	10
473	473	11
474	474	12
475	475	13
476	476	14
477	477	15
478	478	16
479	479	17
480	480	18
481	481	19
482	482	20
483	483	21
484	484	22
485	485	23
486	486	24
487	487	25
488	488	26
489	489	27
490	490	28
491	491	29
492	492	30
493	493	31
494	494	32
495	495	33
496	496	34
497	497	35
498	498	36
499	499	37
500	500	38
501	501	39
502	502	40
503	503	41
504	504	42
505	505	43 HB 2077 7
506	506	(h) perform such other functions and duties as provided by law or as
507	507	directed by the legislative coordinating council or the joint committee.
508	508	Sec. 6. K.S.A. 75-7209 is hereby amended to read as follows: 75-
509	509	7209. (a) (1) Whenever an agency proposes an information technology
510	510	project, such agency shall prepare and submit information technology
511	511	project documentation to the chief information technology officer of the
512	512	branch of state government of which the agency is a part of a project
513	513	budget estimate therefor, and for each amendment or revision thereof, in
514	514	accordance with this section. Each information technology project budget
515	515	estimate shall be in such form as required by the director of the budget, in
516	516	consultation with the chief information technology architect, and by this
517	517	section. In each case, the agency shall prepare and include as a part of such
518	518	project budget estimate a plan consisting of a written program statement
519	519	describing the project. The program statement shall:
520	520	(1) Include a detailed description of and justification for the project,
521	521	including: (A) An analysis of the programs, activities and other needs and
522	522	intended uses for the additional or improved information technology; (B) a
523	523	statement of project scope including identification of the organizations and
524	524	individuals to be affected by the project and a definition of the
525	525	functionality to result from the project; and (C) an analysis of the
526	526	alternative means by which such information technology needs and uses
527	527	could be satisfied;
528	528	(2) describe the tasks and schedule for the project and for each phase
529	529	of the project, if the project is to be completed in more than one phase;
530	530	(3) include a financial plan showing: (A) The proposed source of
531	531	funding and categorized expenditures for each phase of the project; and
532	532	(B) cost estimates for any needs analyses or other investigations,
533	533	consulting or other professional services, computer programs, data,
534	534	equipment, buildings or major repairs or improvements to buildings and
535	535	other items or services necessary for the project; and
536	536	(4) include a cost-benefit statement based on an analysis of
537	537	qualitative as well as financial benefits. Such information technology
538	538	project documentation shall:
539	539	(A) Include a financial plan showing the proposed source of funding
540	540	and categorized expenditures for each phase of the project and cost
541	541	estimates for any needs analyses or other investigations, consulting or
542	542	other professional services, computer programs, data, equipment,
543	543	buildings or major repairs or improvements to buildings and other items
544	544	or services necessary for the project; and
545	545	(B) be consistent with:
546	546	(i) Information technology resource policies and procedures and
547	547	project management methodologies for all state agencies;
548	548	(ii) an information technology architecture, including
549	549	1
550	550	2
551	551	3
552	552	4
553	553	5
554	554	6
555	555	7
556	556	8
557	557	9
558	558	10
559	559	11
560	560	12
561	561	13
562	562	14
563	563	15
564	564	16
565	565	17
566	566	18
567	567	19
568	568	20
569	569	21
570	570	22
571	571	23
572	572	24
573	573	25
574	574	26
575	575	27
576	576	28
577	577	29
578	578	30
579	579	31
580	580	32
581	581	33
582	582	34
583	583	35
584	584	36
585	585	37
586	586	38
587	587	39
588	588	40
589	589	41
590	590	42
591	591	43 HB 2077 8
592	592	telecommunications systems, networks and equipment, that covers all state
593	593	agencies;
594	594	(iii) standards for data management for all state agencies; and
595	595	(iv) a strategic information technology management plan for the
596	596	state.
597	597	(2) Any information technology project with significant business risk,
598	598	as determined pursuant to the information technology executive council's
599	599	policies, shall be presented to the joint committee on information
600	600	technology by such branch chief information technology officer.
601	601	(b) (1) Before one or more state agencies proposing an information
602	602	technology project begin implementation of the project, the project plan,
603	603	including the architecture and the cost-benefit analysis, shall be approved
604	604	by the head of each state agency proposing the project and by the chief
605	605	information technology officer of each branch of state government of
606	606	which the agency or agencies are a part. Approval of those projects that
607	607	involve telecommunications services shall also be subject to the provisions
608	608	of K.S.A. 75-4709, 75-4710 and 75-4712, and amendments thereto.
609	609	(2) All specifications for bids or proposals related to an approved
610	610	information technology project of one or more state agencies shall be
611	611	reviewed by the chief information technology officer of each branch of
612	612	state government of which the agency or agencies are a part Prior to the
613	613	release of any request for proposal for an information technology project
614	614	with significant business risk:
615	615	(A) Specifications for bids or proposals for such project shall be
616	616	submitted to the chief information technology officer of the branch of state
617	617	government of which the agency or agencies are a part. Information
618	618	technology projects requiring chief information technology officer
619	619	approval shall also require the chief information technology officer's
620	620	written approval on specifications for bids or proposals; and
621	621	(B) (i) The chief information technology officer of the appropriate
622	622	branch over the state agency or agencies that are involved in such project
623	623	shall submit the project, the project plan, including the architecture, and
624	624	the cost-benefit analysis to the joint committee on information technology
625	625	to advise and consult on the project. Such chief information technology
626	626	officer shall submit such information to each member of the joint
627	627	committee and to the director of the legislative research department. Each
628	628	such project plan summary shall include a notice specifying the date the
629	629	summary was mailed or emailed. After receiving any such project plan
630	630	summary, each member shall review the information and may submit
631	631	questions, requests for additional information or request a presentation
632	632	and review of the proposed project at a meeting of the joint committee. If
633	633	two or more members of the joint committee contact the director of the
634	634	legislative research department within seven business days of the date
635	635	1
636	636	2
637	637	3
638	638	4
639	639	5
640	640	6
641	641	7
642	642	8
643	643	9
644	644	10
645	645	11
646	646	12
647	647	13
648	648	14
649	649	15
650	650	16
651	651	17
652	652	18
653	653	19
654	654	20
655	655	21
656	656	22
657	657	23
658	658	24
659	659	25
660	660	26
661	661	27
662	662	28
663	663	29
664	664	30
665	665	31
666	666	32
667	667	33
668	668	34
669	669	35
670	670	36
671	671	37
672	672	38
673	673	39
674	674	40
675	675	41
676	676	42
677	677	43 HB 2077 9
678	678	specified in the summary description and request that the joint committee
679	679	schedule a meeting for such presentation and review, then the director of
680	680	the legislative research department shall notify the chief information
681	681	technology officer of the appropriate branch, the head of such agency and
682	682	the chairperson of the joint committee that a meeting has been requested
683	683	for such presentation and review on the next business day following the
684	684	members' contact with the director of the legislative research department.
685	685	Upon receiving such notification, the chairperson shall call a meeting of
686	686	the joint committee as soon as practicable for the purpose of such
687	687	presentation and review and shall furnish the chief information technology
688	688	officer of the appropriate branch and the head of such agency with notice
689	689	of the time, date and place of the meeting. Except as provided in
690	690	subsection (b)(1)(B)(ii), the state agency shall not authorize or approve
691	691	the release of any request for proposal or other bid event for an
692	692	information technology project without having first advised and consulted
693	693	with the joint committee at a meeting.
694	694	(ii) The state agency or agencies shall be deemed to have advised
695	695	and consulted with the joint committee about such proposed release of any
696	696	request for proposal or other bid event for an information technology
697	697	project and may authorize or approve such proposed release of any
698	698	request for proposal or other bid event for an information technology
699	699	project if:
700	700	(a) Fewer than two members of the joint committee contact the
701	701	director of the legislative research department within seven business days
702	702	of the date the project plan summary was mailed and request a committee
703	703	meeting for a presentation and review of any such proposed request for
704	704	proposal or other bid event for an information technology project; or
705	705	(b) a committee meeting is requested by at least two members of the
706	706	joint committee pursuant to this paragraph, but such meeting does not
707	707	occur within two calendar weeks of the chairperson receiving the
708	708	notification from the director of the legislative research department of a
709	709	request for such meeting.
710	710	(3)(2) (A) Agencies are prohibited from contracting with a vendor to
711	711	implement the project if that vendor prepared or assisted in the preparation
712	712	of the program statement required under subsection (a), the project
713	713	planning documents required under subsection (b)(1), or any other project
714	714	plans prepared prior to the project being approved by the chief information
715	715	technology officer as required under subsection (b)(1) by this section.
716	716	(B) Information technology projects with an estimated cumulative
717	717	cost of less than $5,000,000 are exempted from the provisions of
718	718	subparagraph (A).
719	719	(C) The provisions of subparagraph (A) may be waived with prior
720	720	written permission from the chief information technology officer.
721	721	1
722	722	2
723	723	3
724	724	4
725	725	5
726	726	6
727	727	7
728	728	8
729	729	9
730	730	10
731	731	11
732	732	12
733	733	13
734	734	14
735	735	15
736	736	16
737	737	17
738	738	18
739	739	19
740	740	20
741	741	21
742	742	22
743	743	23
744	744	24
745	745	25
746	746	26
747	747	27
748	748	28
749	749	29
750	750	30
751	751	31
752	752	32
753	753	33
754	754	34
755	755	35
756	756	36
757	757	37
758	758	38
759	759	39
760	760	40
761	761	41
762	762	42
763	763	43 HB 2077 10
764	764	(c) Annually at the time specified by the chief information technology
765	765	officer of the branch of state government of which the agency is a part,
766	766	each agency shall submit to such officer:
767	767	(1) A copy of a three-year strategic information technology plan that
768	768	sets forth the agency's current and future information technology needs
769	769	and utilization plans for the next three ensuing fiscal years, in such form
770	770	and containing such additional information as prescribed by the chief
771	771	information technology officer; and
772	772	(2) any deviations from the state information technology architecture
773	773	adopted by the information technology executive council.
774	774	(d) The provisions of this section shall not apply to the information
775	775	network of Kansas (INK).
776	776	Sec. 7. K.S.A. 75-7210 is hereby amended to read as follows: 75-
777	777	7210. (a) Not later than October November 1 of each year, the executive,
778	778	judicial and legislative chief information technology officers shall submit
779	779	to the joint committee and to the legislative research department all
780	780	information technology project budget estimates and amendments and
781	781	revisions thereto, all three-year plans and all deviations from the state
782	782	information technology architecture submitted to such officers pursuant to
783	783	K.S.A. 75-7209, and amendments thereto. The legislative chief
784	784	information technology officer joint committee shall review all such
785	785	estimates and amendments and revisions thereto, plans and deviations and
786	786	shall make recommendations to the joint committee house standing
787	787	committee on appropriations and the senate standing committee on ways
788	788	and means regarding the merit thereof and appropriations therefor.
789	789	(b) The executive and judicial chief information technology officers
790	790	shall report to the legislative chief information technology officer, at times
791	791	agreed upon by the three officers:
792	792	(1) Progress regarding implementation of information technology
793	793	projects of state agencies within the executive and judicial branches of
794	794	state government; and
795	795	(2) all proposed expenditures for such projects, including all revisions
796	796	to such proposed expenditures, for the current fiscal year and for ensuing
797	797	fiscal years.
798	798	Sec. 8. K.S.A. 75-7211 is hereby amended to read as follows: 75-
799	799	7211. (a) The legislative chief information technology officer, under the
800	800	direction of the joint committee, shall monitor state agency execution of
801	801	reported information technology projects and, at times agreed upon by.
802	802	The joint committee shall require the three chief information technology
803	803	officers, shall to report progress regarding the implementation of such
804	804	projects and all proposed expenditures therefor, including all revisions to
805	805	such proposed expenditures for the current fiscal year and for ensuing
806	806	fiscal years.
807	807	1
808	808	2
809	809	3
810	810	4
811	811	5
812	812	6
813	813	7
814	814	8
815	815	9
816	816	10
817	817	11
818	818	12
819	819	13
820	820	14
821	821	15
822	822	16
823	823	17
824	824	18
825	825	19
826	826	20
827	827	21
828	828	22
829	829	23
830	830	24
831	831	25
832	832	26
833	833	27
834	834	28
835	835	29
836	836	30
837	837	31
838	838	32
839	839	33
840	840	34
841	841	35
842	842	36
843	843	37
844	844	38
845	845	39
846	846	40
847	847	41
848	848	42
849	849	43 HB 2077 11
850	850	(b) For information technology projects, the joint committee may:
851	851	(1) Require the head of a any state agency with primary responsibility
852	852	for an information technology project may authorize or approve, without
853	853	prior consultation with the joint committee, any change in planned
854	854	expenditures for an information technology project that would result in the
855	855	total cost of the project being increased above the currently authorized cost
856	856	of such project but that increases the total cost of such project by less than
857	857	the lower of either $1,000,000 or 10% of the currently authorized cost, and
858	858	any change in planned expenditures for an information technology project
859	859	involving a cost reduction, other than a change in the proposed use of any
860	860	new or replacement information technology equipment or in the use of any
861	861	existing information technology equipment that has been significantly
862	862	upgraded to advise and consult on the status and progress of such
863	863	information technology project, including revisions to expenditures for the
864	864	current fiscal year and ensuing fiscal years; and
865	865	(2) report on the status and progress of such information technology
866	866	projects to the senate standing committee on ways and means, the house of
867	867	representatives standing committee on appropriations and the legislative
868	868	budget committee.
869	869	(c) Prior to authorizing or approving any information technology
870	870	project change or overrun, the head of a state agency with primary
871	871	responsibility for an such information technology project shall not
872	872	authorize or approve, without first advising and consulting with the joint
873	873	committee any information technology project change or overrun report
874	874	all such information technology project changes or overruns to the joint
875	875	committee through the chief information technology officer of the branch
876	876	of state government of which the agency is a part pursuant to the
877	877	information technology executive council's policy. The joint committee
878	878	shall report all such changes and overruns to the senate standing
879	879	committee on ways and means and, the house of representatives standing
880	880	committee on appropriations and the legislative budget committee.
881	881	Sec. 9. K.S.A. 75-7237 is hereby amended to read as follows: 75-
882	882	7237. As used in K.S.A. 75-7236 through 75-7243, and amendments
883	883	thereto:
884	884	(a) "Act" means the Kansas cybersecurity act.
885	885	(b) "Breach" or "breach of security" means unauthorized access of
886	886	data in electronic form containing personal information. Good faith access
887	887	of personal information by an employee or agent of an executive branch
888	888	agency does not constitute a breach of security, provided that the
889	889	information is not used for a purpose unrelated to the business or subject to
890	890	further unauthorized use.
891	891	(c) "CISO" means the executive branch chief information security
892	892	officer.
893	893	1
894	894	2
895	895	3
896	896	4
897	897	5
898	898	6
899	899	7
900	900	8
901	901	9
902	902	10
903	903	11
904	904	12
905	905	13
906	906	14
907	907	15
908	908	16
909	909	17
910	910	18
911	911	19
912	912	20
913	913	21
914	914	22
915	915	23
916	916	24
917	917	25
918	918	26
919	919	27
920	920	28
921	921	29
922	922	30
923	923	31
924	924	32
925	925	33
926	926	34
927	927	35
928	928	36
929	929	37
930	930	38
931	931	39
932	932	40
933	933	41
934	934	42
935	935	43 HB 2077 12
936	936	(d) "Cybersecurity" is the body of information technologies,
937	937	processes and practices designed to protect networks, computers, programs
938	938	and data from attack, damage or unauthorized access.
939	939	(e) "Cybersecurity positions" do not include information technology
940	940	positions within executive branch agencies.
941	941	(f) "Data in electronic form" means any data stored electronically or
942	942	digitally on any computer system or other database and includes
943	943	recordable tapes and other mass storage devices.
944	944	(g) "Executive branch agency" means any agency in the executive
945	945	branch of the state of Kansas, but does not include elected office agencies,
946	946	the adjutant general's department, the Kansas public employees retirement
947	947	system, regents' institutions, or the board of regents.
948	948	(h) "KISO" means the Kansas information security office.
949	949	(i) (1) "Personal information" means:
950	950	(A) An individual's first name or first initial and last name, in
951	951	combination with at least one of the following data elements for that
952	952	individual:
953	953	(i) Social security number;
954	954	(ii) driver's license or identification card number, passport number,
955	955	military identification number or other similar number issued on a
956	956	government document used to verify identity;
957	957	(iii) financial account number or credit or debit card number, in
958	958	combination with any security code, access code or password that is
959	959	necessary to permit access to an individual's financial account;
960	960	(iv) any information regarding an individual's medical history, mental
961	961	or physical condition or medical treatment or diagnosis by a healthcare
962	962	professional; or
963	963	(v) an individual's health insurance policy number or subscriber
964	964	identification number and any unique identifier used by a health insurer to
965	965	identify the individual; or
966	966	(B) a user name or email address, in combination with a password or
967	967	security question and answer that would permit access to an online
968	968	account.
969	969	(2) "Personal information" does not include information:
970	970	(A) About an individual that has been made publicly available by a
971	971	federal agency, state agency or municipality; or
972	972	(B) that is encrypted, secured or modified by any other method or
973	973	technology that removes elements that personally identify an individual or
974	974	that otherwise renders the information unusable.
975	975	(j) "State agency" means the same as defined in K.S.A. 75-7201, and
976	976	amendments thereto.
977	977	Sec. 10. K.S.A. 75-7239 is hereby amended to read as follows: 75-
978	978	7239. (a) There is hereby established within and as a part of the office of
979	979	1
980	980	2
981	981	3
982	982	4
983	983	5
984	984	6
985	985	7
986	986	8
987	987	9
988	988	10
989	989	11
990	990	12
991	991	13
992	992	14
993	993	15
994	994	16
995	995	17
996	996	18
997	997	19
998	998	20
999	999	21
1000	1000	22
1001	1001	23
1002	1002	24
1003	1003	25
1004	1004	26
1005	1005	27
1006	1006	28
1007	1007	29
1008	1008	30
1009	1009	31
1010	1010	32
1011	1011	33
1012	1012	34
1013	1013	35
1014	1014	36
1015	1015	37
1016	1016	38
1017	1017	39
1018	1018	40
1019	1019	41
1020	1020	42
1021	1021	43 HB 2077 13
1022	1022	information technology services the Kansas information security office.
1023	1023	The Kansas information security office shall be administered by the CISO
1024	1024	and be staffed appropriately to effect the provisions of the Kansas
1025	1025	cybersecurity act.
1026	1026	(b) For the purpose of preparing the governor's budget report and
1027	1027	related legislative measures submitted to the legislature, the Kansas
1028	1028	information security office, established in this section, shall be considered
1029	1029	a separate state agency and shall be titled for such purpose as the "Kansas
1030	1030	information security office." The budget estimates and requests of such
1031	1031	office shall be presented as from a state agency separate from the
1032	1032	department of administration office of information technology services,
1033	1033	and such separation shall be maintained in the budget documents and
1034	1034	reports prepared by the director of the budget and the governor, or either of
1035	1035	them, including all related legislative reports and measures submitted to
1036	1036	the legislature.
1037	1037	(c) Under direction of the CISO, the KISO shall:
1038	1038	(1) Administer the Kansas cybersecurity act;
1039	1039	(2) assist the executive branch in developing, implementing and
1040	1040	monitoring strategic and comprehensive information security risk-
1041	1041	management programs;
1042	1042	(3) facilitate executive branch information security governance,
1043	1043	including the consistent application of information security programs,
1044	1044	plans and procedures;
1045	1045	(4) using standards adopted by the information technology executive
1046	1046	council, create and manage a unified and flexible control framework to
1047	1047	integrate and normalize requirements resulting from applicable state and
1048	1048	federal laws, and rules and regulations;
1049	1049	(5) facilitate a metrics, logging and reporting framework to measure
1050	1050	the efficiency and effectiveness of state information security programs;
1051	1051	(6) provide the executive branch strategic risk guidance for
1052	1052	information technology projects, including the evaluation and
1053	1053	recommendation of technical controls;
1054	1054	(7) assist in the development of executive branch agency
1055	1055	cybersecurity programs that are in to ensure compliance with applicable
1056	1056	state and federal laws and rules and regulations and standards adopted by
1057	1057	the information technology executive council;
1058	1058	(8) coordinate the use of external resources involved in information
1059	1059	security programs, including, but not limited to, interviewing and
1060	1060	negotiating contracts and fees;
1061	1061	(9) liaise with external agencies, such as law enforcement and other
1062	1062	advisory bodies as necessary, to ensure a strong security posture;
1063	1063	(10) assist in the development of plans and procedures to manage and
1064	1064	recover business-critical services in the event of a cyberattack or other
1065	1065	1
1066	1066	2
1067	1067	3
1068	1068	4
1069	1069	5
1070	1070	6
1071	1071	7
1072	1072	8
1073	1073	9
1074	1074	10
1075	1075	11
1076	1076	12
1077	1077	13
1078	1078	14
1079	1079	15
1080	1080	16
1081	1081	17
1082	1082	18
1083	1083	19
1084	1084	20
1085	1085	21
1086	1086	22
1087	1087	23
1088	1088	24
1089	1089	25
1090	1090	26
1091	1091	27
1092	1092	28
1093	1093	29
1094	1094	30
1095	1095	31
1096	1096	32
1097	1097	33
1098	1098	34
1099	1099	35
1100	1100	36
1101	1101	37
1102	1102	38
1103	1103	39
1104	1104	40
1105	1105	41
1106	1106	42
1107	1107	43 HB 2077 14
1108	1108	disaster;
1109	1109	(11) assist executive branch agencies to create a framework for roles
1110	1110	and responsibilities relating to information ownership, classification,
1111	1111	accountability and protection;
1112	1112	(12) ensure a cybersecurity training program is provided to executive
1113	1113	branch agencies at no cost to the agencies awareness training program is
1114	1114	made available to all branches of state government; and
1115	1115	(13) provide cybersecurity threat briefings to the information
1116	1116	technology executive council;
1117	1117	(14) provide an annual status report of executive branch cybersecurity
1118	1118	programs of executive branch agencies to the joint committee on
1119	1119	information technology and the house committee on government,
1120	1120	technology and security; and
1121	1121	(15) perform such other functions and duties as provided by law and
1122	1122	as directed by the CISO.
1123	1123	Sec. 11. K.S.A. 75-7240 is hereby amended to read as follows: 75-
1124	1124	7240. (a) The executive branch agency heads shall:
1125	1125	(a)(1) Be solely responsible for security of all data and information
1126	1126	technology resources under such agency's purview, irrespective of the
1127	1127	location of the data or resources. Locations of data may include:
1128	1128	(1)(A) Agency sites;
1129	1129	(2)(B) agency real property;
1130	1130	(3)(C) infrastructure in state data centers;
1131	1131	(4)(D) third-party locations; and
1132	1132	(5)(E) in transit between locations;
1133	1133	(b)(2) ensure that an agency-wide information security program is in
1134	1134	place;
1135	1135	(c)(3) designate an information security officer to administer the
1136	1136	agency's information security program that reports directly to executive
1137	1137	leadership;
1138	1138	(d)(4) participate in CISO-sponsored statewide cybersecurity program
1139	1139	initiatives and services;
1140	1140	(e)(5) implement policies and standards to ensure that all the agency's
1141	1141	data and information technology resources are maintained in compliance
1142	1142	with applicable state and federal laws and rules and regulations;
1143	1143	(f)(6) implement appropriate cost-effective safeguards to reduce,
1144	1144	eliminate or recover from identified threats to data and information
1145	1145	technology resources;
1146	1146	(g)(7) include all appropriate cybersecurity requirements in the
1147	1147	agency's request for proposal specifications for procuring data and
1148	1148	information technology systems and services;
1149	1149	(h) (1)(8) (A) submit a cybersecurity assessment self-assessment
1150	1150	report to the CISO by October 16 of each even-numbered year, including
1151	1151	1
1152	1152	2
1153	1153	3
1154	1154	4
1155	1155	5
1156	1156	6
1157	1157	7
1158	1158	8
1159	1159	9
1160	1160	10
1161	1161	11
1162	1162	12
1163	1163	13
1164	1164	14
1165	1165	15
1166	1166	16
1167	1167	17
1168	1168	18
1169	1169	19
1170	1170	20
1171	1171	21
1172	1172	22
1173	1173	23
1174	1174	24
1175	1175	25
1176	1176	26
1177	1177	27
1178	1178	28
1179	1179	29
1180	1180	30
1181	1181	31
1182	1182	32
1183	1183	33
1184	1184	34
1185	1185	35
1186	1186	36
1187	1187	37
1188	1188	38
1189	1189	39
1190	1190	40
1191	1191	41
1192	1192	42
1193	1193	43 HB 2077 15
1194	1194	an executive summary of the findings, that assesses the extent to which a
1195	1195	computer, a computer program, a computer network, a computer system, a
1196	1196	printer, an interface to a computer system, including mobile and peripheral
1197	1197	devices, computer software, or the data processing of the agency or of a
1198	1198	contractor of the agency is vulnerable to unauthorized access or harm,
1199	1199	including the extent to which the agency's or contractor's electronically
1200	1200	stored information is vulnerable to alteration, damage, erasure or
1201	1201	inappropriate use;
1202	1202	(2)(B) ensure that the agency conducts annual internal assessments of
1203	1203	its security program. Internal assessment results shall be considered
1204	1204	confidential and shall not be subject to discovery by or release to any
1205	1205	person or agency, outside of the KISO or CISO, without authorization
1206	1206	from the executive branch agency director or head. This provision
1207	1207	regarding confidentiality shall expire on July 1, 2023, unless the
1208	1208	legislature reviews and reenacts such provision pursuant to K.S.A. 45-229,
1209	1209	and amendments thereto, prior to July 1, 2023; and
1210	1210	(3)(C) prepare or have prepared a summary financial summary
1211	1211	identifying cybersecurity expenditures addressing the findings of the
1212	1212	cybersecurity assessment self-assessment report required in paragraph (1)
1213	1213	(8)(A), excluding information that might put the data or information
1214	1214	resources of the agency or its contractors at risk and submit such report to
1215	1215	the house of representatives committee on government, technology and
1216	1216	security or its successor committee appropriations and the senate
1217	1217	committee on ways and means;
1218	1218	(i) participate in annual agency leadership training to ensure
1219	1219	understanding of: (1) The information and information systems that
1220	1220	support the operations and assets of the agency; (2) The potential impact of
1221	1221	common types of cyberattacks and data breaches on the agency's
1222	1222	operations and assets; (3) how cyberattacks and data breaches on the
1223	1223	agency's operations and assets could impact the operations and assets of
1224	1224	other governmental entities on the state enterprise network; (4) how
1225	1225	cyberattacks and data breaches occur; (5) steps to be undertaken by the
1226	1226	executive director or agency head and agency employees to protect their
1227	1227	information and information systems; and (6) the annual reporting
1228	1228	requirements required of the executive director or agency head; and
1229	1229	(j)(9) ensure that if an agency owns, licenses or maintains
1230	1230	computerized data that includes personal information, confidential
1231	1231	information or information, the disclosure of which is regulated by law,
1232	1232	such agency shall, in the event of a breach or suspected breach of system
1233	1233	security or an unauthorized exposure of that information:
1234	1234	(1)(A) Comply with the notification requirements set out in K.S.A.
1235	1235	2022 Supp. 50-7a01 et seq., and amendments thereto, and applicable
1236	1236	federal laws and rules and regulations, to the same extent as a person who
1237	1237	1
1238	1238	2
1239	1239	3
1240	1240	4
1241	1241	5
1242	1242	6
1243	1243	7
1244	1244	8
1245	1245	9
1246	1246	10
1247	1247	11
1248	1248	12
1249	1249	13
1250	1250	14
1251	1251	15
1252	1252	16
1253	1253	17
1254	1254	18
1255	1255	19
1256	1256	20
1257	1257	21
1258	1258	22
1259	1259	23
1260	1260	24
1261	1261	25
1262	1262	26
1263	1263	27
1264	1264	28
1265	1265	29
1266	1266	30
1267	1267	31
1268	1268	32
1269	1269	33
1270	1270	34
1271	1271	35
1272	1272	36
1273	1273	37
1274	1274	38
1275	1275	39
1276	1276	40
1277	1277	41
1278	1278	42
1279	1279	43 HB 2077 16
1280	1280	conducts business in this state; and
1281	1281	(2)(B) not later than 48 hours after the discovery of the breach,
1282	1282	suspected breach or unauthorized exposure, notify: (A)(i) The CISO; and
1283	1283	(B)(ii) if the breach, suspected breach or unauthorized exposure involves
1284	1284	election data, the secretary of state.
1285	1285	(b) The director or head of each state agency shall:
1286	1286	(1) Participate in annual agency leadership training to ensure
1287	1287	understanding of:
1288	1288	(A) The potential impact of common types of cyberattacks and data
1289	1289	breaches on the agency's operations and assets;
1290	1290	(B) how cyberattacks and data breaches on the agency's operations
1291	1291	and assets may impact the operations and assets of other governmental
1292	1292	entities on the state enterprise network;
1293	1293	(C) how cyberattacks and data breaches occur; and
1294	1294	(D) steps to be undertaken by the executive director or agency head
1295	1295	and agency employees to protect their information and information
1296	1296	systems;
1297	1297	(2) ensure that all information technology login credentials are
1298	1298	disabled the same day that any employee ends their employment with the
1299	1299	state; and
1300	1300	(3) require that all employees with access to information technology
1301	1301	receive a minimum of one hour of information technology security training
1302	1302	per year.
1303	1303	(c) (1) The CISO, with input from the joint committee on information
1304	1304	technology and the joint committee on Kansas security, shall develop a
1305	1305	self-assessment report template for use under subsection (a)(8)(A). The
1306	1306	most recent version of such template shall be made available to state
1307	1307	agencies prior to July 1 of each even-numbered year. The CISO shall
1308	1308	aggregate data from the self-assessments received under subsection (a)(8)
1309	1309	(A) and provide a summary of such data to the joint committee on
1310	1310	information technology and the joint committee on Kansas security.
1311	1311	(2) Self-assessment reports made to the CISO pursuant to subsection
1312	1312	(a)(8)(A) shall be confidential and shall not be subject to the provisions of
1313	1313	the Kansas open records act, K.S.A. 45-215 et seq., and amendments
1314	1314	thereto. The provisions of this paragraph shall expire on July 1, 2028,
1315	1315	unless the legislature reviews and reenacts this provision pursuant to
1316	1316	K.S.A. 45-229, and amendments thereto, prior to July 1, 2028.
1317	1317	Sec. 12. K.S.A. 75-7242 is hereby amended to read as follows: 75-
1318	1318	7242. Information collected to effectuate this act shall be considered
1319	1319	confidential by the executive branch agency and KISO all state and local
1320	1320	governmental organizations unless all data elements or information that
1321	1321	specifically identifies a target, vulnerability or weakness that would place
1322	1322	the organization at risk have been redacted, including: (a) System
1323	1323	1
1324	1324	2
1325	1325	3
1326	1326	4
1327	1327	5
1328	1328	6
1329	1329	7
1330	1330	8
1331	1331	9
1332	1332	10
1333	1333	11
1334	1334	12
1335	1335	13
1336	1336	14
1337	1337	15
1338	1338	16
1339	1339	17
1340	1340	18
1341	1341	19
1342	1342	20
1343	1343	21
1344	1344	22
1345	1345	23
1346	1346	24
1347	1347	25
1348	1348	26
1349	1349	27
1350	1350	28
1351	1351	29
1352	1352	30
1353	1353	31
1354	1354	32
1355	1355	33
1356	1356	34
1357	1357	35
1358	1358	36
1359	1359	37
1360	1360	38
1361	1361	39
1362	1362	40
1363	1363	41
1364	1364	42
1365	1365	43 HB 2077 17
1366	1366	information logs; (b) vulnerability reports; (c) risk assessment reports; (d)
1367	1367	system security plans; (e) detailed system design plans; (f) network or
1368	1368	system diagrams; and (g) audit reports. The provisions of this section shall
1369	1369	expire on July 1, 2023, unless the legislature reviews and reenacts this
1370	1370	provision pursuant to K.S.A. 45-229, and amendments thereto, prior to
1371	1371	July 1, 2023.
1372	1372	Sec. 13. K.S.A. 46-2102, 75-7201, 75-7205, 75-7206, 75-7208, 75-
1373	1373	7209, 75-7210, 75-7211, 75-7237, 75-7239, 75-7240 and 75-7242 are
1374	1374	hereby repealed.
1375	1375	Sec. 14. This act shall take effect and be in force from and after its
1376	1376	publication in the statute book.
1377	1377	1
1378	1378	2
1379	1379	3
1380	1380	4
1381	1381	5
1382	1382	6
1383	1383	7
1384	1384	8
1385	1385	9
1386	1386	10
1387	1387	11