Req. No. 8982

STATE OF OKLAHOMA

2nd Session of the 58th Legislature (2022)

HOUSE BILL 3067 By: Manger

AS INTRODUCED

An Act relating to public finance; amending 62 O.S. 2021, Section 34.32, which relates to state agency information technology systems; making certain provisions inapplicable to the Oklahoma State Bureau of Investigation; providing an effective date; and declaring an emergency.

BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:

SECTION 1. AMENDATORY 62 O.S. 2021, Section 34.32, is amended to read as follows:

Section 34.32 A. The Information Services Division of the Office of Management and Enterprise Services shall create a standard security risk assessment for state agency information technology systems that complies with the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) Information Technology - Code of Practice for Security Management (ISO/IEC 27002).

B. Each state agency that has an information technology system shall obtain an information security risk assessment to identify vulnerabilities associated with the information system. The Information Services Division of the Office of Management and Enterprise Services shall approve not less than two firms which state agencies may choose from to conduct the information security risk assessment.

C. A state agency with an information technology system that is not consolidated under the Information Technology Consolidation and Coordination Act or that is otherwise retained by the agency shall additionally be required to have an information security audit conducted by a firm approved by the Information Services Division that is based upon the most current version of the NIST Cyber-Security Framework, and shall submit a final report of the information security risk assessment and information security audit findings to the Information Services Division each year on a schedule set by the Information Services Division. Agencies shall also submit a list of remedies and a timeline for the repair of any deficiencies to the Information Services Division within ten (10) days of the completion of the audit. The final information security risk assessment report shall identify, prioritize, and document information security vulnerabilities for each of the state agencies assessed. The Information Services Division may assist agencies in repairing any vulnerabilities to ensure compliance in a timely manner.

D. Subject to the provisions of subsection C of Section 34.12 of this title, the Information Services Division shall report the results of the state agency assessments and information security audit findings required pursuant to this section to the Governor, the Speaker of the House of Representatives, and the President Pro Tempore of the Senate by the first day of January of each year. Any state agency with an information technology system that is not consolidated under the Information Technology Consolidation and Coordination Act that cannot comply with the provisions of this section shall consolidate under the Information Technology Consolidation and Coordination Act.

E. This act shall not apply to state agencies subject to mandatory North American Electric Reliability Corporation (NERC) cybersecurity standards and institutions within The Oklahoma State System of Higher Education, the Oklahoma State Bureau of Investigation (OSBI), the Oklahoma State Regents for Higher Education and the telecommunications network known as OneNet that follow the International Organization for Standardization (ISO), the Oklahoma Military Department (OMD), and the International Electrotechnical Commission (IEC) -Security techniques-Code of Practice for Information Security Controls or National Institute of Standards and Technology.

SECTION 2. This act shall become effective July 1, 2022.

SECTION 3. It being immediately necessary for the preservation of the public peace, health or safety, an emergency is hereby declared to exist, by reason whereof this act shall take effect and be in full force from and after its passage and approval.

58-2-8982 MJ 12/09/21