Oklahoma 2022 Regular Session

Oklahoma House Bill HB2331 Compare Versions

Version 1 (Old)

Version 2 (New)

Old	New		Differences
1		-	An Act
2		-	ENROLLED HOUSE
	1	+
	2	+
	3	+	SENATE FLOOR VERSION - HB2331 SFLR Page 1
	4	+	(Bold face denotes Committee Amendments) 1
	5	+	2
	6	+	3
	7	+	4
	8	+	5
	9	+	6
	10	+	7
	11	+	8
	12	+	9
	13	+	10
	14	+	11
	15	+	12
	16	+	13
	17	+	14
	18	+	15
	19	+	16
	20	+	17
	21	+	18
	22	+	19
	23	+	20
	24	+	21
	25	+	22
	26	+	23
	27	+	24
	28	+
	29	+	SENATE FLOOR VERSION
	30	+	March 31, 2021
	31	+
	32	+
	33	+	ENGROSSED HOUSE
3	34		BILL NO. 2331 By: Steagall and Fugate of the
4	35		House
5	36
6	37		and
7	38
8	39		Newhouse of the Senate
9		-
10	40
11	41
12	42
13	43
14	44
15	45		An Act relating to public finance; amending 62 O.S.
16	46		2011, Section 34.32, as last amended by Section 1,
17	47		Chapter 331, O.S.L. 2019 (62 O.S. Supp. 20 20, Section
18	48		34.32), which relates to state agency information
19	49		technology systems; making certain provisions
20	50		inapplicable to the Oklahoma Military Department;
21	51		providing an effective date; and declaring an
22	52		emergency.
23	53
24	54
25	55
26	56
27		-	SUBJECT: Public finance
28		-
29	57		BE IT ENACTED BY THE PEOPLE OF THE STA TE OF OKLAHOMA:
30		-
31	58		SECTION 1. AMENDATORY 62 O.S. 2011, Section 34.32, as
32	59		last amended by Section 1, Chapter 331, O.S.L. 2019 (62 O.S. Supp.
33	60		2020, Section 34.32), is amended to read a s follows:
34		-
35		-	Section 34.32 A. The Information Services Division of the
	61	+	Section 34.32. A. The Information Servi ces Division of the
36	62		Office of Management and Enterprise Services shall create a standard
37	63		security risk assessment for state agency information technology
38	64		systems that complies with the International Organ ization for
39	65		Standardization (ISO) and the Internatio nal Electrotechnical
	66	+
	67	+	SENATE FLOOR VERSION - HB2331 SFLR Page 2
	68	+	(Bold face denotes Committee Amendments) 1
	69	+	2
	70	+	3
	71	+	4
	72	+	5
	73	+	6
	74	+	7
	75	+	8
	76	+	9
	77	+	10
	78	+	11
	79	+	12
	80	+	13
	81	+	14
	82	+	15
	83	+	16
	84	+	17
	85	+	18
	86	+	19
	87	+	20
	88	+	21
	89	+	22
	90	+	23
	91	+	24
	92	+
40	93		Commission (IEC) Information Technology - Code of Practice for
41	94		Security Management (ISO/IEC 27002).
42		-
43	95		B. Each state agency that has an information technology system
44	96		shall obtain an information security risk assessment to identify
45	97		vulnerabilities associated with the information system. The
46		-	Information Services Division of the Office of Management and ~~ENR. H. B. NO. 2331 Page 2~~
	98	+	Information Services Division of the Office of Management and
47	99		Enterprise Services shall approve not less than two firms which
48	100		state agencies may choo se from to conduct the information security
49	101		risk assessment.
50		-
51	102		C. A state agency with an information technology system that is
52	103		not consolidated under the Information Technology Consolidation and
53	104		Coordination Act or that is otherwise retained by the agency s hall
54	105		additionally be required to have an information security audit
55	106		conducted by a firm approved by the Information Services Division
56	107		that is based upon the most current version of the NIST Cyber -
57	108		Security Framework, and shall submit a final report of the
58	109		information security risk assessment and information security audit
59	110		findings to the Information Services Division each year on a
60	111		schedule set by the Information Services Division. Agencies shall
61	112		also submit a list of remedies and a timeline for the repair of any
62	113		deficiencies to the Information Services Divi sion within ten (10)
63	114		days of the completion of the audit. The final information security
64	115		risk assessment report shall identify, prioritize, and document
65	116		information security vulnerabilities for each of t he state agencies
	117	+
	118	+	SENATE FLOOR VERSION - HB2331 SFLR Page 3
	119	+	(Bold face denotes Committee Amendments) 1
	120	+	2
	121	+	3
	122	+	4
	123	+	5
	124	+	6
	125	+	7
	126	+	8
	127	+	9
	128	+	10
	129	+	11
	130	+	12
	131	+	13
	132	+	14
	133	+	15
	134	+	16
	135	+	17
	136	+	18
	137	+	19
	138	+	20
	139	+	21
	140	+	22
	141	+	23
	142	+	24
	143	+
66	144		assessed. The Information Service s Division may assist agencies in
67	145		repairing any vulnerabilities to ensure compliance in a timely
68	146		manner.
69		-
70	147		D. Subject to the provisions of subsection C of Section 34.12
71	148		of this title, the Information Servi ces Division shall report the
72	149		results of the state a gency assessments and information security
73	150		audit findings required pursuant to this section to the Governor,
74	151		the Speaker of the House of Representatives, and the President Pro
75	152		Tempore of the Senate by the first day of January of each year. Any
76	153		state agency with an information technology system that is not
77	154		consolidated under the Information Technology Consolidation and
78	155		Coordination Act that cannot comply with the provisions of this
79	156		section shall consolidat e under the Information Technology
80	157		Consolidation and Coordination Act.
81		-
82	158		E. This act shall not apply to state agencies subject to
83	159		mandatory North American Electric Reliability Corporation (NERC)
84	160		cybersecurity standards and institutions within The Oklahoma S tate
85	161		System of Higher Education, the Oklahoma State Regents for Higher
86	162		Education and the telecommunications network known as OneNet that
87	163		follow the International Organization for Standardization (ISO) , the
88	164		Oklahoma Military Department (OMD), and the International
89	165		Electrotechnical Commission (IEC) -Security techniques-Code of
90	166		Practice for Information Security Controls or National Institute of
91		-	Standards and Technology. ENR. H. B. NO. 2331 Page 3
	167	+	Standards and Technology.
	168	+
	169	+	SENATE FLOOR VERSION - HB2331 SFLR Page 4
	170	+	(Bold face denotes Committee Amendments) 1
	171	+	2
	172	+	3
	173	+	4
	174	+	5
	175	+	6
	176	+	7
	177	+	8
	178	+	9
	179	+	10
	180	+	11
	181	+	12
	182	+	13
	183	+	14
	184	+	15
	185	+	16
	186	+	17
	187	+	18
	188	+	19
	189	+	20
	190	+	21
	191	+	22
	192	+	23
	193	+	24
92	194
93	195		SECTION 2. This act shall become effective July 1, 202 1.
94		-
95	196		SECTION 3. It being immediately necessary for the pre servation
96	197		of the public peace, health or safety, an emergency is hereby
97	198		declared to exist, by reason whereof this act shall take effect and
98	199		be in full force from and after its passage and approval.
99		-	ENR. H. B. NO. 2331 Page 4
100		-	Passed the House of Repres entatives the 1st day of March, 2021.
101		-
102		-
103		-
104		-
105		-	Presiding Officer of the House
106		-	of Representatives
107		-
108		-
109		-	Passed the Senate the 15th day of April, 2021.
110		-
111		-
112		-
113		-
114		-	Presiding Officer of the Senate
115		-
116		-
117		-
118		-	OFFICE OF THE GOVERNOR
119		-	Received by the Office of the Governor this ___ _________________
120		-	day of ___________________, 20_______, at _______ o'clock _______ M.
121		-	By: _________________________________
122		-	Approved by the Governor of the State of Oklahoma this _________
123		-	day of ___________________, 20_______, at _______ o'clock _______ M.
124		-
125		-
126		-	_________________________________
127		-	Governor of the State of Oklahoma
128		-
129		-	OFFICE OF THE SECRETARY OF STATE
130		-	Received by the Office of the Secretary of State this __________
131		-	day of ___________________, 20_______, at _______ o'clock _______ M.
132		-	By: _________________________________
133		-
	200	+	COMMITTEE REPORT BY: COMMITTEE ON GENERAL GOVERNMENT
	201	+	March 31, 2021 - DO PASS