Kansas 2025-2026 Regular Session

Kansas House Bill HB2271 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1	Session of 2025
2	2	HOUSE BILL No. 2271
3	3	By Committee on Legislative Modernization
4	4	Requested by Representative Penn
5	5	2-5
6	6	AN ACT concerning cybersecurity; removing the expiration provisions of
7	7	cybersecurity legislation; consolidating cybersecurity services under
8	8	the chief information security officer of each branch; amending K.S.A.
9	9	2024 Supp. 40-110, 75-413, 75-623, 75-710, 75-711, 75-7203, 75-
10	10	7206a, 75-7208a, 75-7245 and 75-7246 and repealing the existing
11	11	sections; also repealing K.S.A. 2023 Supp. 45-229, as amended by
12	12	section 11 of chapter 95 of the 2024 Session Laws of Kansas, 75-7201,
13	13	as amended by section 17 of chapter 95 of the 2024 Session Laws of
14	14	Kansas, 75-7202, as amended by section 19 of chapter 95 of the 2024
15	15	Session Laws of Kansas, 75-7203, as amended by section 21 of chapter
16	16	95 of the 2024 Session Laws of Kansas, 75-7205, as amended by
17	17	section 23 of chapter 95 of the 2024 Session Laws of Kansas, 75-7206,
18	18	as amended by section 25 of chapter 95 of the 2024 Session Laws of
19	19	Kansas, 75-7208, as amended by section 27 of chapter 95 of the 2024
20	20	Session Laws of Kansas, 75-7209, as amended by section 29 of chapter
21	21	95 of the 2024 Session Laws of Kansas, 75-7237, as amended by
22	22	section 31 of chapter 95 of the 2024 Session Laws of Kansas, 75-7238,
23	23	as amended by section 33 of chapter 95 of the 2024 Session Laws of
24	24	Kansas, 75-7239, as amended by section 35 of chapter 95 of the 2024
25	25	Session Laws of Kansas, 75-7240, as amended by section 37 of chapter
26	26	95 of the 2024 Session Laws of Kansas.
27	27	Be it enacted by the Legislature of the State of Kansas:
28	28	Section 1. K.S.A. 2024 Supp. 40-110 is hereby amended to read as
29	29	follows: 40-110. (a) The commissioner of insurance is hereby authorized
30	30	to appoint an assistant commissioner of insurance, actuaries, two special
31	31	attorneys who shall have been regularly admitted to practice, an executive
32	32	secretary, policy examiners, two field representatives, and a secretary to
33	33	the commissioner. Such appointees shall each receive an annual salary to
34	34	be determined by the commissioner of insurance, within the limits of
35	35	available appropriations. The commissioner is also authorized to appoint,
36	36	within the provisions of the civil service law, and available appropriations,
37	37	other employees as necessary to administer the provisions of this act. The
38	38	field representatives authorized by this section may be empowered to
39	39	conduct inquiries, investigations or to receive complaints. Such field
40	40	1
41	41	2
42	42	3
43	43	4
44	44	5
45	45	6
46	46	7
47	47	8
48	48	9
49	49	10
50	50	11
51	51	12
52	52	13
53	53	14
54	54	15
55	55	16
56	56	17
57	57	18
58	58	19
59	59	20
60	60	21
61	61	22
62	62	23
63	63	24
64	64	25
65	65	26
66	66	27
67	67	28
68	68	29
69	69	30
70	70	31
71	71	32
72	72	33
73	73	34
74	74	35 HB 2271 2
75	75	representatives shall not be empowered to make, or direct to be made, an
76	76	examination of the affairs and financial condition of any insurance
77	77	company in the process of organization, or applying for admission or
78	78	doing business in this state.
79	79	(b) The appointees authorized by this section shall take the proper
80	80	official oath and shall be in no way interested, except as policyholders, in
81	81	any insurance company. In the absence of the commissioner of insurance
82	82	the assistant commissioner shall perform the duties of the commissioner of
83	83	insurance, but shall in all cases execute papers in the name of the
84	84	commissioner of insurance, as assistant. The commissioner of insurance
85	85	shall be responsible for all acts of an official nature done and performed by
86	86	the commissioner's assistant or any person employed in such office. All the
87	87	appointees authorized by this section shall hold their office at the will and
88	88	pleasure of the commissioner of insurance.
89	89	(c) (1) The commissioner shall appoint a chief information security
90	90	officer who shall be responsible for establishing security standards and
91	91	policies to protect the department's information technology systems and
92	92	infrastructure. The chief information security officer shall:
93	93	(A)(1) Develop a cybersecurity program for the department that
94	94	complies with the national institute of standards and technology
95	95	cybersecurity framework (CSF) 2.0, as in effect on July 1, 2024. The chief
96	96	information security officer shall ensure that such programs achieve a CSF
97	97	tier of 3.0 prior to July 1, 2028, and a CSF tier of 4.0 prior to July 1, 2030;
98	98	(B)(2) ensure that the commissioner and all employees complete
99	99	cybersecurity awareness training annually and that if an employee does not
100	100	complete the required training, such employee's access to any state-issued
101	101	hardware or the state network is revoked; and
102	102	(C) (i) (a)(3) (A) (i) coordinate with the United States cybersecurity
103	103	and infrastructure security agency to perform annual audits of the
104	104	department for compliance with applicable state and federal laws, rules
105	105	and regulations and department policies and standards; and
106	106	(b)(ii) make an audit request to such agency annually, regardless of
107	107	whether or not such agency has the capacity to perform the requested
108	108	audit.
109	109	(ii)(B) Results of audits conducted pursuant to this paragraph shall be
110	110	confidential and shall not be subject to discovery or disclosure pursuant to
111	111	the open records act, K.S.A. 45-215 et seq., and amendments thereto.
112	112	(2) The provisions of this subsection shall expire on July 1, 2026.
113	113	Sec. 2. K.S.A. 2024 Supp. 75-413 is hereby amended to read as
114	114	follows: 75-413. (a) The secretary of state may appoint such other
115	115	assistants and clerks as may be authorized by law, but the secretary of state
116	116	shall be responsible for the proper discharge of the duties of all assistants
117	117	and clerks, and they shall hold their offices at the will and pleasure of the
118	118	1
119	119	2
120	120	3
121	121	4
122	122	5
123	123	6
124	124	7
125	125	8
126	126	9
127	127	10
128	128	11
129	129	12
130	130	13
131	131	14
132	132	15
133	133	16
134	134	17
135	135	18
136	136	19
137	137	20
138	138	21
139	139	22
140	140	23
141	141	24
142	142	25
143	143	26
144	144	27
145	145	28
146	146	29
147	147	30
148	148	31
149	149	32
150	150	33
151	151	34
152	152	35
153	153	36
154	154	37
155	155	38
156	156	39
157	157	40
158	158	41
159	159	42
160	160	43 HB 2271 3
161	161	secretary and shall do and perform such general duties as the secretary
162	162	may require.
163	163	(b) (1) The secretary of state shall appoint a chief information
164	164	security officer who shall be responsible for establishing security standards
165	165	and policies to protect the office's information technology systems and
166	166	infrastructure. The chief information security officer shall:
167	167	(A)(1) Develop a cybersecurity program for the office that complies
168	168	with the national institute of standards and technology cybersecurity
169	169	framework (CSF) 2.0, as in effect on July 1, 2024. The chief information
170	170	security officer shall ensure that such programs achieve a CSF tier of 3.0
171	171	prior to July 1, 2028, and a CSF tier of 4.0 prior to July 1, 2030;
172	172	(B)(2) ensure that the secretary of state and all employees complete
173	173	cybersecurity awareness training annually and that if an employee does not
174	174	complete the required training, such employee's access to any state-issued
175	175	hardware or the state network is revoked; and
176	176	(C) (i) (a)(3) (A) (i) coordinate with the United States cybersecurity
177	177	and infrastructure security agency to perform annual audits of the office
178	178	for compliance with applicable state and federal laws, rules and
179	179	regulations and office policies and standards; and
180	180	(b)(ii) make an audit request to such agency annually, regardless of
181	181	whether or not such agency has the capacity to perform the requested
182	182	audit.
183	183	(ii)(B) Results of audits conducted pursuant to this paragraph shall be
184	184	confidential and shall not be subject to discovery or disclosure pursuant to
185	185	the open records act, K.S.A. 45-215 et seq., and amendments thereto.
186	186	(2) The provisions of this subsection shall expire on July 1, 2026.
187	187	Sec. 3. K.S.A. 2024 Supp. 75-623 is hereby amended to read as
188	188	follows: 75-623. (a) The treasurer shall appoint such other assistants,
189	189	clerks, bookkeepers, accountants and stenographers as may be authorized
190	190	by law, each of which persons shall take the oath of office required of
191	191	public officers. Such persons shall hold their offices at the will and
192	192	pleasure of the state treasurer.
193	193	(b) (1) The treasurer shall appoint a chief information security officer
194	194	who shall be responsible for establishing security standards and policies to
195	195	protect the office's information technology systems and infrastructure. The
196	196	chief information security officer shall:
197	197	(A)(1) Develop a cybersecurity program for the office that complies
198	198	with the national institute of standards and technology cybersecurity
199	199	framework (CSF) 2.0, as in effect on July 1, 2024. The chief information
200	200	security officer shall ensure that such programs achieve a CSF tier of 3.0
201	201	prior to July 1, 2028, and a CSF tier of 4.0 prior to July 1, 2030;
202	202	(B)(2) ensure that the treasurer and all employees complete
203	203	cybersecurity awareness training annually and that if an employee does not
204	204	1
205	205	2
206	206	3
207	207	4
208	208	5
209	209	6
210	210	7
211	211	8
212	212	9
213	213	10
214	214	11
215	215	12
216	216	13
217	217	14
218	218	15
219	219	16
220	220	17
221	221	18
222	222	19
223	223	20
224	224	21
225	225	22
226	226	23
227	227	24
228	228	25
229	229	26
230	230	27
231	231	28
232	232	29
233	233	30
234	234	31
235	235	32
236	236	33
237	237	34
238	238	35
239	239	36
240	240	37
241	241	38
242	242	39
243	243	40
244	244	41
245	245	42
246	246	43 HB 2271 4
247	247	complete the required training, such employee's access to any state-issued
248	248	hardware or the state network is revoked; and
249	249	(C) (i) (a)(3) (A) (i) coordinate with the United States cybersecurity
250	250	and infrastructure security agency to perform annual audits of the office
251	251	for compliance with applicable state and federal laws, rules and
252	252	regulations and office policies and standards; and
253	253	(b)(ii) make an audit request to such agency annually, regardless of
254	254	whether or not such agency has the capacity to perform the requested
255	255	audit.
256	256	(ii)(B) Results of audits conducted pursuant to this paragraph shall be
257	257	confidential and shall not be subject to discovery or disclosure pursuant to
258	258	the open records act, K.S.A. 45-215 et seq., and amendments thereto.
259	259	(2) The provisions of this subsection shall expire on July 1, 2026.
260	260	Sec. 4. K.S.A. 2024 Supp. 75-710 is hereby amended to read as
261	261	follows: 75-710. (a) The attorney general shall appoint such assistants,
262	262	clerks, and stenographers as shall be authorized by law, and who shall hold
263	263	their office at the will and pleasure of the attorney general. All fees and
264	264	allowances earned by said assistants or any of them, or allowed to them by
265	265	any statute or order of court in any civil or criminal case whatsoever, shall
266	266	be turned into the general revenue fund of the state treasury, and the
267	267	vouchers for their monthly salaries shall not be honored by the director of
268	268	accounts and reports until a verified account of the fees collected by them,
269	269	or either of them, during the preceding month, has been filed in the
270	270	director of accounts and reports' office. Assistants appointed by the
271	271	attorney general shall perform the duties and exercise the powers as
272	272	prescribed by law and shall perform other duties as prescribed by the
273	273	attorney general. Assistants shall act for and exercise the power of the
274	274	attorney general to the extent the attorney general delegates them the
275	275	authority to do so.
276	276	(b) (1) The attorney general shall appoint a chief information security
277	277	officer who shall be responsible for establishing security standards and
278	278	policies to protect the office's information technology systems and
279	279	infrastructure. The chief information security officer shall:
280	280	(A)(1) Develop a cybersecurity program for the office that complies
281	281	with the national institute of standards and technology cybersecurity
282	282	framework (CSF) 2.0, as in effect on July 1, 2024. The chief information
283	283	security officer shall ensure that such programs achieve a CSF tier of 3.0
284	284	prior to July 1, 2028, and a CSF tier of 4.0 prior to July 1, 2030;
285	285	(B)(2) ensure that the attorney general and all employees complete
286	286	cybersecurity awareness training annually and that if an employee does not
287	287	complete the required training, such employee's access to any state-issued
288	288	hardware or the state network is revoked; and
289	289	(C) (i) (a)(3) (A) (i) coordinate with the United States cybersecurity
290	290	1
291	291	2
292	292	3
293	293	4
294	294	5
295	295	6
296	296	7
297	297	8
298	298	9
299	299	10
300	300	11
301	301	12
302	302	13
303	303	14
304	304	15
305	305	16
306	306	17
307	307	18
308	308	19
309	309	20
310	310	21
311	311	22
312	312	23
313	313	24
314	314	25
315	315	26
316	316	27
317	317	28
318	318	29
319	319	30
320	320	31
321	321	32
322	322	33
323	323	34
324	324	35
325	325	36
326	326	37
327	327	38
328	328	39
329	329	40
330	330	41
331	331	42
332	332	43 HB 2271 5
333	333	and infrastructure security agency to perform annual audits of the office
334	334	for compliance with applicable state and federal laws, rules and
335	335	regulations and office policies and standards; and
336	336	(b)(ii) make an audit request to such agency annually, regardless of
337	337	whether or not such agency has the capacity to perform the requested
338	338	audit.
339	339	(ii)(B) Results of audits conducted pursuant to this paragraph shall be
340	340	confidential and shall not be subject to discovery or disclosure pursuant to
341	341	the open records act, K.S.A. 45-215 et seq., and amendments thereto.
342	342	(2) The provisions of this subsection shall expire on July 1, 2026.
343	343	Sec. 5. K.S.A. 2024 Supp. 75-711 is hereby amended to read as
344	344	follows: 75-711. (a) There is hereby established, under the jurisdiction of
345	345	the attorney general, a division to be known as the Kansas bureau of
346	346	investigation. The director of the bureau shall be appointed by the attorney
347	347	general, subject to confirmation by the senate as provided in K.S.A. 75-
348	348	4315b, and amendments thereto, and shall have special training and
349	349	qualifications for such position. Except as provided by K.S.A. 46-2601,
350	350	and amendments thereto, no person appointed as director shall exercise
351	351	any power, duty or function as director until confirmed by the senate. In
352	352	accordance with appropriation acts, the director shall appoint agents who
353	353	shall be trained in the detection and apprehension of criminals. The
354	354	director shall appoint an associate director, and any such assistant directors
355	355	from within the agency as are necessary for the efficient operation of the
356	356	bureau, who shall have the qualifications and employee benefits, including
357	357	longevity, of an agent. The director also may appoint a deputy director
358	358	and, in accordance with appropriation acts, such administrative employees
359	359	as are necessary for the efficient operation of the bureau. No person shall
360	360	be appointed to a position within the Kansas bureau of investigation if the
361	361	person has been convicted of a felony.
362	362	(b) The director, associate director, deputy director, assistant directors
363	363	and any assistant attorneys general assigned to the bureau shall be within
364	364	the unclassified service under the Kansas civil service act. All other agents
365	365	and employees of the bureau shall be in the classified service under the
366	366	Kansas civil service act and their compensation shall be determined as
367	367	provided in the Kansas civil service act and shall receive actual and
368	368	necessary expenses.
369	369	(c) Any person who was a member of the bureau at the time of
370	370	appointment as director, associate director or assistant director, upon the
371	371	expiration of their appointment, shall be returned to an unclassified or
372	372	regular classified position under the Kansas civil service act with
373	373	compensation comparable to and not lower than compensation being
374	374	received at the time of appointment to the unclassified service. If all such
375	375	possible positions are filled at that time, a temporary additional position
376	376	1
377	377	2
378	378	3
379	379	4
380	380	5
381	381	6
382	382	7
383	383	8
384	384	9
385	385	10
386	386	11
387	387	12
388	388	13
389	389	14
390	390	15
391	391	16
392	392	17
393	393	18
394	394	19
395	395	20
396	396	21
397	397	22
398	398	23
399	399	24
400	400	25
401	401	26
402	402	27
403	403	28
404	404	29
405	405	30
406	406	31
407	407	32
408	408	33
409	409	34
410	410	35
411	411	36
412	412	37
413	413	38
414	414	39
415	415	40
416	416	41
417	417	42
418	418	43 HB 2271 6
419	419	shall be created for the person until a vacancy exists in the position. While
420	420	serving in the temporary additional position, the person shall continue to
421	421	be a contributing member of the retirement system for the agents of the
422	422	Kansas bureau of investigation.
423	423	(d) Each agent of the bureau shall subscribe to an oath to faithfully
424	424	discharge the duties of such agent's office, as is required of other public
425	425	officials.
426	426	(e) (1) The director shall appoint a chief information security officer
427	427	who shall be responsible for establishing security standards and policies to
428	428	protect the bureau's information technology systems and infrastructure.
429	429	The chief information security officer shall:
430	430	(A)(1) Develop a cybersecurity program for the bureau that complies
431	431	with the national institute of standards and technology cybersecurity
432	432	framework (CSF) 2.0, as in effect on July 1, 2024. The chief information
433	433	security officer shall ensure that such programs achieve a CSF tier of 3.0
434	434	prior to July 1, 2028, and a CSF tier of 4.0 prior to July 1, 2030;
435	435	(B)(2) ensure that the director and all employees complete
436	436	cybersecurity awareness training annually and that if an employee does not
437	437	complete the required training, such employee's access to any state-issued
438	438	hardware or the state network is revoked; and
439	439	(C) (i) (a)(3) (A) (i) coordinate with the United States cybersecurity
440	440	and infrastructure security agency to perform annual audits of the
441	441	department for compliance with applicable state and federal laws, rules
442	442	and regulations and department policies and standards; and
443	443	(b)(ii) make an audit request to such agency annually, regardless of
444	444	whether or not such agency has the capacity to perform the requested
445	445	audit.
446	446	(ii)(B) Results of audits conducted pursuant to this paragraph shall be
447	447	confidential and shall not be subject to discovery or disclosure pursuant to
448	448	the open records act, K.S.A. 45-215 et seq., and amendments thereto.
449	449	(2) The provisions of this subsection shall expire on July 1, 2026.
450	450	Sec. 6. K.S.A. 75-7203 is hereby amended to read as follows: 75-
451	451	7203. (a) The information technology executive council is hereby
452	452	authorized to adopt such policies and rules and regulations as necessary to
453	453	implement, administer and enforce the provisions of this act.
454	454	(b) The council shall:
455	455	(1) Adopt:
456	456	(A) Information technology resource policies and procedures and
457	457	project management methodologies for all executive branch agencies;
458	458	(B) an information technology architecture, including
459	459	telecommunications systems, networks and equipment, that covers all state
460	460	agencies;
461	461	(C) standards for data management for all executive branch agencies;
462	462	1
463	463	2
464	464	3
465	465	4
466	466	5
467	467	6
468	468	7
469	469	8
470	470	9
471	471	10
472	472	11
473	473	12
474	474	13
475	475	14
476	476	15
477	477	16
478	478	17
479	479	18
480	480	19
481	481	20
482	482	21
483	483	22
484	484	23
485	485	24
486	486	25
487	487	26
488	488	27
489	489	28
490	490	29
491	491	30
492	492	31
493	493	32
494	494	33
495	495	34
496	496	35
497	497	36
498	498	37
499	499	38
500	500	39
501	501	40
502	502	41
503	503	42
504	504	43 HB 2271 7
505	505	and
506	506	(D) a strategic information technology management plan for the
507	507	executive branch;
508	508	(2) provide direction and coordination for the application of the
509	509	executive branch's information technology resources;
510	510	(3) designate the ownership of information resource processes and the
511	511	lead executive branch agency for implementation of new technologies and
512	512	networks shared by multiple agencies within the executive branch of state
513	513	government;
514	514	(4) develop a plan to integrate all information technology services for
515	515	the executive branch into the office of information technology services and
516	516	all cybersecurity services for state educational institutions as defined in
517	517	K.S.A. 76-711, and amendments thereto, into the office of information
518	518	technology services and the Kansas information security office; and
519	519	(5) perform such other functions and duties as necessary to carry out
520	520	the provisions of this act.
521	521	(c) The information technology executive council shall report the
522	522	plan developed under subsection (b)(4) to the senate standing committee
523	523	on ways and means and, the house standing committee on legislative
524	524	modernization or its successor committee and the joint committee on
525	525	information technology prior to January 15, 2026, in accordance with
526	526	K.S.A. 2024 Supp. 75-7245, and amendments thereto.
527	527	Sec. 7. K.S.A. 2024 Supp. 75-7206a is hereby amended to read as
528	528	follows: 75-7206a. (a) There is hereby established the position of judicial
529	529	branch chief information security officer. The judicial chief information
530	530	security officer shall be in the unclassified service under the Kansas civil
531	531	service act, shall be appointed by the judicial administrator, subject to
532	532	approval by the chief justice and shall receive compensation determined
533	533	by the judicial administrator, subject to approval of the chief justice.
534	534	(b) The judicial chief information security officer shall:
535	535	(1) Report to the judicial administrator;
536	536	(2) establish security standards and policies to protect the branch's
537	537	information technology systems and infrastructure in accordance with
538	538	subsection (c);
539	539	(3) ensure the confidentiality, availability and integrity of the
540	540	information transacted, stored or processed in the branch's information
541	541	technology systems and infrastructure;
542	542	(4) develop a centralized cybersecurity protocol for protecting and
543	543	managing judicial branch information technology assets and infrastructure;
544	544	(5) detect and respond to security incidents consistent with
545	545	information security standards and policies;
546	546	(6) be responsible for the cybersecurity of all judicial branch data and
547	547	information resources;
548	548	1
549	549	2
550	550	3
551	551	4
552	552	5
553	553	6
554	554	7
555	555	8
556	556	9
557	557	10
558	558	11
559	559	12
560	560	13
561	561	14
562	562	15
563	563	16
564	564	17
565	565	18
566	566	19
567	567	20
568	568	21
569	569	22
570	570	23
571	571	24
572	572	25
573	573	26
574	574	27
575	575	28
576	576	29
577	577	30
578	578	31
579	579	32
580	580	33
581	581	34
582	582	35
583	583	36
584	584	37
585	585	38
586	586	39
587	587	40
588	588	41
589	589	42
590	590	43 HB 2271 8
591	591	(7) collaborate with the chief information security officers of the
592	592	other branches of state government to respond to cybersecurity incidents;
593	593	(8) ensure that all justices, judges and judicial branch employees
594	594	complete cybersecurity awareness training annually and if an employee
595	595	does not complete the required training, such employee's access to any
596	596	state-issued hardware or the state network is revoked;
597	597	(9) review all contracts related to information technology entered into
598	598	by a person or entity within the judicial branch to make efforts to reduce
599	599	the risk of security vulnerabilities within the supply chain or product and
600	600	ensure each contract contains standard security language; and
601	601	(10) coordinate with the United States cybersecurity and
602	602	infrastructure security agency to perform annual audits of judicial branch
603	603	agencies for compliance with applicable state and federal laws, rules and
604	604	regulations and judicial branch policies and standards. The judicial chief
605	605	information security officer shall make an audit request to such agency
606	606	annually, regardless of whether or not such agency has the capacity to
607	607	perform the requested audit.
608	608	(c) The judicial chief information security officer shall develop a
609	609	cybersecurity program of each judicial agency that complies with the
610	610	national institute of standards and technology cybersecurity framework
611	611	(CSF) 2.0, as in effect on July 1, 2024. The judicial chief information
612	612	security officer shall ensure that such programs achieve a CSF tier of 3.0
613	613	prior to July 1, 2028, and a CSF tier of 4.0 prior to July 1, 2030.
614	614	(d) (1) If an audit conducted pursuant to subsection (b)(10) results in
615	615	a failure, the judicial chief information security officer shall report such
616	616	failure to the speaker and minority leader of the house of representatives
617	617	and the president and minority leader of the senate within 30 days of
618	618	receiving notice of such failure. Such report shall contain a plan to
619	619	mitigate any security risks identified in the audit. The judicial chief
620	620	information security officer shall coordinate for an additional audit after
621	621	the mitigation plan is implemented and report the results of such audit to
622	622	the speaker and minority leader of the house of representatives and the
623	623	president and minority leader of the senate.
624	624	(2) Results of audits conducted pursuant to subsection (b)(10) and the
625	625	reports described in subsection (d)(1) shall be confidential and shall not be
626	626	subject to discovery or disclosure pursuant to the open records act, K.S.A.
627	627	45-215 et seq., and amendments thereto.
628	628	(e) This section shall expire on July 1, 2026.
629	629	Sec. 8. K.S.A. 2024 Supp. 75-7208a is hereby amended to read as
630	630	follows: 75-7208a. (a) There is hereby established the position of
631	631	legislative branch chief information security officer. The legislative chief
632	632	information security officer shall be in the unclassified service under the
633	633	Kansas civil service act, shall be appointed by the legislative coordinating
634	634	1
635	635	2
636	636	3
637	637	4
638	638	5
639	639	6
640	640	7
641	641	8
642	642	9
643	643	10
644	644	11
645	645	12
646	646	13
647	647	14
648	648	15
649	649	16
650	650	17
651	651	18
652	652	19
653	653	20
654	654	21
655	655	22
656	656	23
657	657	24
658	658	25
659	659	26
660	660	27
661	661	28
662	662	29
663	663	30
664	664	31
665	665	32
666	666	33
667	667	34
668	668	35
669	669	36
670	670	37
671	671	38
672	672	39
673	673	40
674	674	41
675	675	42
676	676	43 HB 2271 9
677	677	council and shall receive compensation determined by the legislative
678	678	coordinating council.
679	679	(b) The legislative chief information security officer shall:
680	680	(1) Report to the legislative chief information technology officer;
681	681	(2) establish security standards and policies to protect the branch's
682	682	information technology systems and infrastructure in accordance with
683	683	subsection (c);
684	684	(3) ensure the confidentiality, availability and integrity of the
685	685	information transacted, stored or processed in the branch's information
686	686	technology systems and infrastructure;
687	687	(4) develop a centralized cybersecurity protocol for protecting and
688	688	managing legislative branch information technology assets and
689	689	infrastructure;
690	690	(5) detect and respond to security incidents consistent with
691	691	information security standards and policies;
692	692	(6) be responsible for the cybersecurity of all legislative branch data
693	693	and information resources and obtain approval from the revisor of statutes
694	694	prior to taking any action on any matter that involves a legal issue related
695	695	to the security of information technology;
696	696	(7) collaborate with the chief information security officers of the
697	697	other branches of state government to respond to cybersecurity incidents;
698	698	(8) ensure that all legislators and legislative branch employees
699	699	complete cybersecurity awareness training annually and if an employee
700	700	does not complete the required training, such employee's access to any
701	701	state-issued hardware or the state network is revoked;
702	702	(9) review all contracts related to information technology entered into
703	703	by a person or entity within the legislative branch to make efforts to reduce
704	704	the risk of security vulnerabilities within the supply chain or product and
705	705	ensure each contract contains standard security language; and
706	706	(10) coordinate with the United States cybersecurity and
707	707	infrastructure security agency to perform annual audits of legislative
708	708	branch agencies for compliance with applicable state and federal laws,
709	709	rules and regulations and legislative branch policies and standards. The
710	710	legislative chief information security officer shall make an audit request to
711	711	such agency annually, regardless of whether or not such agency has the
712	712	capacity to perform the requested audit.
713	713	(c) The legislative chief information security officer shall develop a
714	714	cybersecurity program of each legislative agency that complies with the
715	715	national institute of standards and technology cybersecurity framework
716	716	(CSF) 2.0, as in effect on July 1, 2024. The legislative chief information
717	717	security officer shall ensure that such programs achieve a CSF tier of 3.0
718	718	prior to July 1, 2028, and a CSF tier of 4.0 prior to July 1, 2030. The
719	719	agency head of each legislative agency shall coordinate with the legislative
720	720	1
721	721	2
722	722	3
723	723	4
724	724	5
725	725	6
726	726	7
727	727	8
728	728	9
729	729	10
730	730	11
731	731	12
732	732	13
733	733	14
734	734	15
735	735	16
736	736	17
737	737	18
738	738	19
739	739	20
740	740	21
741	741	22
742	742	23
743	743	24
744	744	25
745	745	26
746	746	27
747	747	28
748	748	29
749	749	30
750	750	31
751	751	32
752	752	33
753	753	34
754	754	35
755	755	36
756	756	37
757	757	38
758	758	39
759	759	40
760	760	41
761	761	42
762	762	43 HB 2271 10
763	763	chief information security officer to achieve such standards.
764	764	(d) (1) If an audit conducted pursuant to subsection (b)(10) results in
765	765	a failure, the legislative chief information security officer shall report such
766	766	failure to the speaker and minority leader of the house of representatives
767	767	and the president and minority leader of the senate within 30 days of
768	768	receiving notice of such failure. Such report shall contain a plan to
769	769	mitigate any security risks identified in the audit. The legislative chief
770	770	information security officer shall coordinate for an additional audit after
771	771	the mitigation plan is implemented and report the results of such audit to
772	772	the speaker and minority leader of the house of representatives and the
773	773	president and minority leader of the senate.
774	774	(2) Results of audits conducted pursuant to subsection (b)(10) and the
775	775	reports described in subsection (d)(1) shall be confidential and shall not be
776	776	subject to discovery or disclosure pursuant to the open records act, K.S.A.
777	777	45-215 et seq., and amendments thereto.
778	778	(e) This section shall expire on July 1, 2026.
779	779	Sec. 9. K.S.A. 2024 Supp. 75-7245 is hereby amended to read as
780	780	follows: 75-7245. (a) On and after July 1, 2027, all cybersecurity services
781	781	for each branch of state government shall be administered by the chief
782	782	information technology officer and the chief information security officer of
783	783	such branch. All cybersecurity employees within the legislative and
784	784	executive branches of state government shall work at the direction of the
785	785	chief information technology officer of the branch.
786	786	(b) Prior to January 1, 2026:
787	787	(1) The information technology executive council shall develop a
788	788	plan to integrate all executive branch information technology services into
789	789	the office of information technology services. The council shall consult
790	790	with each agency head when developing such plan.
791	791	(2) The judicial chief information technology officer shall develop an
792	792	estimated project cost to provide information technology to judicial
793	793	agencies and all employees of such agencies, including state and county-
794	794	funded judicial branch district court employees. Such employees shall be
795	795	required to use such state-issued information technology hardware. The
796	796	project cost developed pursuant to this paragraph shall include, in
797	797	consultation with the executive branch information technology officer, a
798	798	plan to allow each piece of information technology hardware that is used
799	799	by a judicial branch employee to access a judicial branch application to
800	800	have access to the KANWIN network and an estimated project cost to
801	801	develop a cybersecurity program for all judicial districts that complies
802	802	with the national institute of standards and technology cybersecurity
803	803	framework (CSF) 2.0, as in effect on July 1, 2024.
804	804	(c) The information technology executive council shall report the
805	805	plan developed pursuant to subsection (b) to the senate standing committee
806	806	1
807	807	2
808	808	3
809	809	4
810	810	5
811	811	6
812	812	7
813	813	8
814	814	9
815	815	10
816	816	11
817	817	12
818	818	13
819	819	14
820	820	15
821	821	16
822	822	17
823	823	18
824	824	19
825	825	20
826	826	21
827	827	22
828	828	23
829	829	24
830	830	25
831	831	26
832	832	27
833	833	28
834	834	29
835	835	30
836	836	31
837	837	32
838	838	33
839	839	34
840	840	35
841	841	36
842	842	37
843	843	38
844	844	39
845	845	40
846	846	41
847	847	42
848	848	43 HB 2271 11
849	849	on ways and means and, the house standing committee on legislative
850	850	modernization or its successor committee and the joint committee on
851	851	information technology, prior to January 15, 2026.
852	852	(d) Prior to February 1, 2025, every website that is maintained by a
853	853	branch of government or state agency shall be moved to a ".gov" domain.
854	854	(e) On July 1, 2025, and each year thereafter, moneys appropriated
855	855	from the state general fund to or any special revenue fund of any state
856	856	agency for information technology and cybersecurity expenditures shall be
857	857	appropriated as a separate line item and shall not be merged with other
858	858	items of appropriation for such state agency to allow for detailed review
859	859	by the senate committee on ways and means and the house of
860	860	representatives committee on appropriations during each regular
861	861	legislative session.
862	862	(f) The provisions of this section do not apply to state educational
863	863	institutions as defined in K.S.A. 76-711, and amendments thereto.
864	864	(g) This section shall expire on July 1, 2026.
865	865	Sec. 10. K.S.A. 2024 Supp. 75-7246 is hereby amended to read as
866	866	follows: 75-7246. (a) On July 1, 2028, and each year thereafter, the
867	867	director of the budget, in consultation with the legislative, executive and
868	868	judicial chief information technology officers as appropriate, shall
869	869	determine if each state agency is in compliance with the provisions of this
870	870	act* for the previous fiscal year. If the director of the budget determines
871	871	that a state agency is not in compliance with the provisions of this act for
872	872	such fiscal year, the director shall certify an amount equal to 5% of the
873	873	amount:
874	874	(1) Appropriated and reappropriated from the state general fund for
875	875	such state agency for such fiscal year; and
876	876	(2) credited to and available in each special revenue fund for such
877	877	state agency in such fiscal year. If during any fiscal year, a special revenue
878	878	fund has no expenditure limitation, then an expenditure limitation shall be
879	879	established for such fiscal year on such special revenue fund by the
880	880	director of the budget in an amount that is 5% less than the amount of
881	881	moneys credited to and available in such special revenue fund for such
882	882	fiscal year.
883	883	(b) The director of the budget shall submit a detailed written report to
884	884	the legislature on or before the first day of the regular session of the
885	885	legislature concerning such compliance determinations, including factors
886	886	considered by the director when making such determination, and the
887	887	amounts certified for each state agency for such fiscal year.
888	888	(c) During the regular session of the legislature, the senate committee
889	889	on ways and means and the house of representatives committee on
890	890	appropriations shall consider such compliance determinations and whether
891	891	to lapse amounts appropriated and reappropriated and decrease the
892	892	1
893	893	2
894	894	3
895	895	4
896	896	5
897	897	6
898	898	7
899	899	8
900	900	9
901	901	10
902	902	11
903	903	12
904	904	13
905	905	14
906	906	15
907	907	16
908	908	17
909	909	18
910	910	19
911	911	20
912	912	21
913	913	22
914	914	23
915	915	24
916	916	25
917	917	26
918	918	27
919	919	28
920	920	29
921	921	30
922	922	31
923	923	32
924	924	33
925	925	34
926	926	35
927	927	36
928	928	37
929	929	38
930	930	39
931	931	40
932	932	41
933	933	42
934	934	43 HB 2271 12
935	935	expenditure limitations of special revenue funds for such state agencies
936	936	during the budget committee hearings for such noncomplying agency.
937	937	(d) This section shall expire on July 1, 2026.
938	938	Sec. 11. K.S.A. 2024 Supp. 40-110, 45-229, as amended by section
939	939	11 of chapter 95 of the 2024 Session Laws of Kansas, 75-413, 75-623, 75-
940	940	710, 75-711, 75-7201, as amended by section 17 of chapter 95 of the 2024
941	941	Session Laws of Kansas, 75-7202, as amended by section 19 of chapter 95
942	942	of the 2024 Session Laws of Kansas, 75-7203, 75-7203, as amended by
943	943	section 21 of chapter 95 of the 2024 Session Laws of Kansas, 75-7205, as
944	944	amended by section 23 of chapter 95 of the 2024 Session Laws of Kansas,
945	945	75-7206, as amended by section 25 of chapter 95 of the 2024 Session
946	946	Laws of Kansas, 75-7206a, 75-7208, as amended by section 27 of chapter
947	947	95 of the 2024 Session Laws of Kansas, 75-7208a, 75-7209, as amended
948	948	by section 29 of chapter 95 of the 2024 Session Laws of Kansas, 75-7237,
949	949	as amended by section 31 of chapter 95 of the 2024 Session Laws of
950	950	Kansas, 75-7238, as amended by section 33 of chapter 95 of the 2024
951	951	Session Laws of Kansas, 75-7239, as amended by section 35 of chapter 95
952	952	of the 2024 Session Laws of Kansas, 75-7240, as amended by section 37
953	953	of chapter 95 of the 2024 Session Laws of Kansas, 75-7245 and 75-7246
954	954	are hereby repealed.
955	955	Sec. 12. This act shall take effect and be in force from and after its
956	956	publication in the statute book.
957	957	1
958	958	2
959	959	3
960	960	4
961	961	5
962	962	6
963	963	7
964	964	8
965	965	9
966	966	10
967	967	11
968	968	12
969	969	13
970	970	14
971	971	15
972	972	16
973	973	17
974	974	18
975	975	19
976	976	20
977	977	21
978	978	22