Oklahoma 2022 Regular Session

Oklahoma Senate Bill SB570 Compare Versions

Version 1 (Old)

Version 2 (New)

Old	New		Differences
1	1
2	2
3		-	SB570 HFLR Page 1
4		-	BOLD FACE denotes Committee Amendments. 1
	3	+	ENGR. S. B. NO. 570 Page 1 1
5	4		2
6	5		3
7	6		4
8	7		5
9	8		6
10	9		7
11	10		8
12	11		9
13	12		10
14	13		11
15	14		12
16	15		13
17	16		14
18	17		15
19	18		16
20	19		17
21	20		18
22	21		19
23	22		20
24	23		21
25	24		22
26	25		23
27	26		24
28		-
29		-	HOUSE OF REPRESENTATIVES - FLOOR VERSION
30		-
31		-	STATE OF OKLAHOMA
32		-
33		-	1st Session of the 58th Legislature (2021)
34	27
35	28		ENGROSSED SENATE
36	29		BILL NO. 570 By: Newhouse of the Senate
37	30
38	31		and
39	32
40	33		Steagall of the House
41	34
42	35
43	36
44	37
45	38		An Act relating to public finance; amending 62 O.S.
46	39		2011, Section 34.32, as last ame nded by Section 1,
47	40		Chapter 331, O.S.L. 2019 (62 O.S. Supp. 20 20, Section
48	41		34.32), which relates to state agency information
49	42		technology systems; making certain provisions
50	43		inapplicable to the Military Department of the State
51	44		of Oklahoma; providing an effective date; and
52	45		declaring an emergency.
53	46
54	47
55	48
56	49
57	50		BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:
58	51		SECTION 1. AMENDATORY 62 O.S. 2011, Section 34.32, as
59	52		last amended by Section 1, Chapter 331, O.S.L. 2019 (62 O.S. Sup p.
60	53		2020, Section 34.32), is amended to read as follows:
61	54		Section 34.32. A. The Information Services Division of the
62	55		Office of Management and Enterprise Services shall create a standard
63	56		security risk assessment for state agency information technology
64	57		systems that complies with the International Organization for
65	58		Standardization (ISO) and the International Electrotechnical
	59	+	Commission (IEC) Information Technology - Code of Practice for
	60	+	Security Management (ISO/IEC 27002).
	61	+	B. Each state agency that has an info rmation technology system
	62	+	shall obtain an information security risk assessment to identify
66	63
67		-	SB570 HFLR Page 2
68		-	BOLD FACE denotes Committee Amendments. 1
	64	+	ENGR. S. B. NO. 570 Page 2 1
69	65		2
70	66		3
71	67		4
72	68		5
73	69		6
74	70		7
75	71		8
76	72		9
77	73		10
78	74		11
79	75		12
80	76		13
81	77		14
82	78		15
83	79		16
84	80		17
85	81		18
86	82		19
87	83		20
88	84		21
89	85		22
90	86		23
91	87		24
92	88
93		-	Commission (IEC) Information Technology - Code of Practice for
94		-	Security Management (ISO/IEC 27002).
95		-	B. Each state agency that ha s an information technology system
96		-	shall obtain an information security risk assessment to identify
97	89		vulnerabilities associated with the information system. The
98	90		Information Services Division of the Office of Management and
99	91		Enterprise Services shall approve not less than two firms which
100	92		state agencies may choose from to conduct the information security
101	93		risk assessment.
102	94		C. A state agency with an information technology system that is
103	95		not consolidated under the Information Technology Consolidation and
104	96		Coordination Act or that is otherwise retained by the agency shall
105	97		additionally be required to h ave an information security audit
106	98		conducted by a firm approved by the Information Services Division
107	99		that is based upon the most current version of the NIST Cyber -
108	100		Security Framework, and shall submit a final report of the
109	101		information security risk assessmen t and information security audit
110	102		findings to the Information Services Division each year on a
111	103		schedule set by the Information Services Division. Agencies shall
112	104		also submit a list of remedies and a timeline for the repair of any
113	105		deficiencies to the Informa tion Services Division within ten (10)
114	106		days of the completion of the audit. The final information security
115	107		risk assessment report shall identify, prioritize, and document
116	108		information security vulnerabilities for each of the state agencies
	109	+	assessed. The Information Services Division may assist agencies in
	110	+	repairing any vulnerabilities to ensure compliance in a timely
	111	+	manner.
117	112
118		-	SB570 HFLR Page 3
119		-	BOLD FACE denotes Committee Amendments. 1
	113	+	ENGR. S. B. NO. 570 Page 3 1
120	114		2
121	115		3
122	116		4
123	117		5
124	118		6
125	119		7
126	120		8
127	121		9
128	122		10
129	123		11
130	124		12
131	125		13
132	126		14
133	127		15
134	128		16
135	129		17
136	130		18
137	131		19
138	132		20
139	133		21
140	134		22
141	135		23
142	136		24
143	137
144		-	assessed. The Information Services Division may assist agencies in
145		-	repairing any vulnerabilities to ensure compliance in a timely
146		-	manner.
147	138		D. Subject to the provisions of subsection C of Secti on 34.12
148	139		of this title, the Information Services Division shall report the
149	140		results of the state agency assessments and information security
150	141		audit findings required pursuant to this section to the Governor,
151	142		the Speaker of the House of Representatives, and t he President Pro
152	143		Tempore of the Senate by the first day of January of each year . Any
153	144		state agency with an information technology system that is not
154	145		consolidated under the Information Technology Consolidation and
155	146		Coordination Act that cannot comply with th e provisions of this
156	147		section shall consolidate under the Information Technology
157	148		Consolidation and Coordination Act.
158	149		E. This act shall not apply to state agencies subject to
159	150		mandatory North American Electric Reliability Corporation (NERC)
160	151		cybersecurity standards and institutions within The Oklahoma State
161	152		System of Higher Education, t he Oklahoma State Regents for Higher
162	153		Education and the telecommunications network known as OneNet that
163	154		follow the International Organization for Standardization (ISO) , the
164	155		Military Department of the State of Oklahoma (OMD) and the
165	156		International Electrotech nical Commission (IEC)-Security techniques-
166	157		Code of Practice for Information Security Controls or National
167	158		Institute of Standards and Technology.
	159	+	SECTION 2. This act shall become effective July 1, 20 21.
	160	+	SECTION 3. It being immediately necessary for the preservation
	161	+	of the public peace, health or safety, an emergency is hereby
168	162
169		-	SB570 HFLR Page 4
170		-	BOLD FACE denotes Committee Amendments. 1
	163	+	ENGR. S. B. NO. 570 Page 4 1
171	164		2
172	165		3
173	166		4
174	167		5
175	168		6
176	169		7
177	170		8
178	171		9
179	172		10
180	173		11
181	174		12
182	175		13
183	176		14
184	177		15
185	178		16
186	179		17
187	180		18
188	181		19
189	182		20
190	183		21
191	184		22
192	185		23
193	186		24
194	187
195		-	SECTION 2. This act shall become effective July 1, 2021.
196		-	SECTION 3. It being immediately necessary for the preservation
197		-	of the public peace, health or safety, an emergency is hereby
198	188		declared to exist, by reason whereof this act shall take effect and
199	189		be in full force from and after its passage an d approval.
	190	+	Passed the Senate the 9th day of March, 2021.
200	191
201		-	COMMITTEE REPORT BY: COMMITTEE ON GOVERNMENT MODERNIZATION AND
202		-	EFFICIENCY, dated 04/06/2021 - DO PASS.
	192	+
	193	+
	194	+	Presiding Officer of the Senate
	195	+
	196	+
	197	+	Passed the House of Representatives the ____ day of __________,
	198	+	2021.
	199	+
	200	+
	201	+
	202	+	Presiding Officer of the House
	203	+	of Representatives
	204	+