Old	New	Differences
1	1
2	2
3	3
4	4	Req. No. 511 Page 1 1
5	5	2
6	6	3
7	7	4
8	8	5
9	9	6
10	10	7
11	11	8
12	12	9
13	13	10
14	14	11
15	15	12
16	16	13
17	17	14
18	18	15
19	19	16
20	20	17
21	21	18
22	22	19
23	23	20
24	24	21
25	25	22
26	26	23
27	27	24
28	28	1
29	29	2
30	30	3
31	31	4
32	32	5
33	33	6
34	34	7
35	35	8
36	36	9
37	37	10
38	38	11
39	39	12
40	40	13
41	41	14
42	42	15
43	43	16
44	44	17
45	45	18
46	46	19
47	47	20
48	48	21
49	49	22
50	50	23
51	51	24
52	52
53	53	STATE OF OKLAHOMA
54	54
55	55	1st Session of the 59th Legislature (2023)
56	56
57	57	SENATE BILL 320 By: Bergstrom
58	58
59	59
60	60
61	61
62	62
63	63	AS INTRODUCED
64	64
65	65	An Act relating to state government; defining levels
66	66	of certain incidents; amending 74 O.S. 2021, Section
67	67	63, which relates to the Off ice of Management and
68	68	Enterprise Services; modifying powers and authority
69	69	of the Office of Management and Enterprise Services;
70	70	defining requirements for reporting certain incidents
71	71	to certain state agency; providing for codifica tion;
72	72	and providing an effec tive date.
73	73
74	74
75	75
76	76
77	77	BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:
78	78	SECTION 1. NEW LAW A new section of law to be codified
79	79	in the Oklahoma Statutes as Section 63.7 of Title 74, unless there
80	80	is created a duplication in numb ering, reads as follows:
81	81	The level of severity of a cybersecurity incident shall be
82	82	defined pursuant to the National Cyber Incident Response Plan of the
83	83	United States Department of Homeland Security a s follows:
84	84	1. Level 5 is an emergency -level incident within the specified
85	85	jurisdiction that poses an imminent threat t o wide-scale critical
86	86	infrastructure services; national, state, or municipal security; or
87	87	the lives of the country’s, state’s, or municipality’s residents;
88	88
89	89
90	90	Req. No. 511 Page 2 1
91	91	2
92	92	3
93	93	4
94	94	5
95	95	6
96	96	7
97	97	8
98	98	9
99	99	10
100	100	11
101	101	12
102	102	13
103	103	14
104	104	15
105	105	16
106	106	17
107	107	18
108	108	19
109	109	20
110	110	21
111	111	22
112	112	23
113	113	24
114	114	1
115	115	2
116	116	3
117	117	4
118	118	5
119	119	6
120	120	7
121	121	8
122	122	9
123	123	10
124	124	11
125	125	12
126	126	13
127	127	14
128	128	15
129	129	16
130	130	17
131	131	18
132	132	19
133	133	20
134	134	21
135	135	22
136	136	23
137	137	24
138	138
139	139	2. Level 4 is a severe-level incident that is likely to result
140	140	in a significant impact in the affected jurisdiction t o public
141	141	health or safety; the national, state, or municipal economic or
142	142	physical security; or civil liberties;
143	143	3. Level 3 is a high-level incident that is likely to result in
144	144	a demonstrable impact in the affected jurisdiction to public health
145	145	or safety; national, state, or municipal economic or physical
146	146	security; civil liberties; or public confidence ;
147	147	4. Level 2 is a medium-level incident that may impact public
148	148	health or safety; national, state, or municipal economic or physical
149	149	security; civil liberties; or public c onfidence; and
150	150	5. Level 1 is a low-level incident that is unlikely to impact
151	151	public health or safet y; national, state, or municipal economic or
152	152	physical security; civil liberties; or public confidence.
153	153	SECTION 2. AMENDATORY 74 O.S. 202 1, Section 63, is
154	154	amended to read as follows:
155	155	Section 63. A. The Office of Management and En terprise
156	156	Services shall have power to promulgate rules not inco nsistent with
157	157	the laws of this state.
158	158	B. The Office of Management and Enterprise Services shall hav e
159	159	charge of the construction, repa ir, maintenance, insurance, and
160	160	operation of all buildings owned, used, or occupied by or on behalf
161	161	of the state including buildings owned by the Oklahoma Capitol
162	162	Improvement Authority where s uch services are carried out b y
163	163
164	164
165	165	Req. No. 511 Page 3 1
166	166	2
167	167	3
168	168	4
169	169	5
170	170	6
171	171	7
172	172	8
173	173	9
174	174	10
175	175	11
176	176	12
177	177	13
178	178	14
179	179	15
180	180	16
181	181	17
182	182	18
183	183	19
184	184	20
185	185	21
186	186	22
187	187	23
188	188	24
189	189	1
190	190	2
191	191	3
192	192	4
193	193	5
194	194	6
195	195	7
196	196	8
197	197	9
198	198	10
199	199	11
200	200	12
201	201	13
202	202	14
203	203	15
204	204	16
205	205	17
206	206	18
207	207	19
208	208	20
209	209	21
210	210	22
211	211	23
212	212	24
213	213
214	214	contract with the Authority, exc ept as otherwise provided by law.
215	215	Whenever feasible, the O ffice of Management and Enterprise Services
216	216	may utilize the Construction Division of the Department of
217	217	Corrections for the constructi on and repair of buildings for the
218	218	Department of Corrections.
219	219	C. The Director of the Office of Management and Enterprise
220	220	Services shall have authority to purchase all material and perfo rm
221	221	all other duties necessary in the construction, repair, and
222	222	maintenance of all buildings under it s management or control, shall
223	223	make all necessary contracts by or on behalf of the state for any
224	224	buildings or rooms rented for the use of the state or any o f the
225	225	officers thereof, and shall have charge of t he arrangement and
226	226	allotment of space in such buil dings among the different state
227	227	officers except as otherwise provided by law.
228	228	D. The Office of Management and Enterprise Services shall not
229	229	have any authority or responsibility for buildings, rooms or spac e
230	230	under the management or control of the Universit y Hospitals
231	231	Authority.
232	232	E. The Office of Management and Enterprise Services shall have
233	233	the custody and control of all state property, and all other
234	234	property managed or used by the state, except military sto res and
235	235	such property under the control of the Sta te Banking Department and
236	236	the two houses of the State Legislature, shall procure all necessar y
237	237	insurance thereon against loss and shall allot the use of the
238	238
239	239
240	240	Req. No. 511 Page 4 1
241	241	2
242	242	3
243	243	4
244	244	5
245	245	6
246	246	7
247	247	8
248	248	9
249	249	10
250	250	11
251	251	12
252	252	13
253	253	14
254	254	15
255	255	16
256	256	17
257	257	18
258	258	19
259	259	20
260	260	21
261	261	22
262	262	23
263	263	24
264	264	1
265	265	2
266	266	3
267	267	4
268	268	5
269	269	6
270	270	7
271	271	8
272	272	9
273	273	10
274	274	11
275	275	12
276	276	13
277	277	14
278	278	15
279	279	16
280	280	17
281	281	18
282	282	19
283	283	20
284	284	21
285	285	22
286	286	23
287	287	24
288	288
289	289	property to the several offices of the state, and prescribe where
290	290	the property shall be kept for pu blic use.
291	291	F. The Office of Manage ment and Enterprise Services shall keep
292	292	an accurate account of all property purchased for the state or any
293	293	of the departments or officers thereof, except that purchased for
294	294	and by the two houses of the State Legislature. The two houses
295	295	shall have the exclusive use, care, and custody of their respective
296	296	chambers, committee rooms, furniture, and property, and shall keep
297	297	their respective records of said furniture and property.
298	298	G. The Office of Management and Enterprise Servi ces shall not
299	299	have any authority o r responsibility for property purchased for or
300	300	under the management or control of the University Hospitals
301	301	Authority except as expressly provided by law.
302	302	H. The Office of Management and Enter prise Services shall not
303	303	have any authority or responsibility fo r property purchased for or
304	304	under the management or control of CompSource Oklahoma if CompSource
305	305	Oklahoma is operating pur suant to a pilot program authorized by
306	306	Sections 3316 and 3317 of this title.
307	307	I. The Office of Management and Enterprise Services shall have
308	308	the responsibility to assess and track all levels of cybersecurity
309	309	incidents occurring within state agencies, count ies, municipalities,
310	310	and political subdivisions as defined in Section 1 of this act .
311	311
312	312
313	313	Req. No. 511 Page 5 1
314	314	2
315	315	3
316	316	4
317	317	5
318	318	6
319	319	7
320	320	8
321	321	9
322	322	10
323	323	11
324	324	12
325	325	13
326	326	14
327	327	15
328	328	16
329	329	17
330	330	18
331	331	19
332	332	20
333	333	21
334	334	22
335	335	23
336	336	24
337	337	1
338	338	2
339	339	3
340	340	4
341	341	5
342	342	6
343	343	7
344	344	8
345	345	9
346	346	10
347	347	11
348	348	12
349	349	13
350	350	14
351	351	15
352	352	16
353	353	17
354	354	18
355	355	19
356	356	20
357	357	21
358	358	22
359	359	23
360	360	24
361	361
362	362	SECTION 3. NEW LAW A new section of law to be codified
363	363	in the Oklahoma Stat utes as Section 63.8 of Title 74, unless there
364	364	is created a duplication in numbering, reads as follows:
365	365	The cybersecurity incident reporting process shall specify the
366	366	information that shall be reported by a state agency , county,
367	367	municipality, or political subdivision, to the Office of Management
368	368	and Enterprise Services following a cybersecurity or ransomware
369	369	incident, which, at a minimum, shall include the following:
370	370	1. A summary of the facts surrounding the cybersecurity
371	371	incident or ransomware inciden t;
372	372	2. The date on which the state agency most recently backed up
373	373	its data, the physical location of the backup, if the backup was
374	374	affected, and if the backup was created using cloud computing;
375	375	3. The types of data compromised by the cybersecurity incident
376	376	or ransomware incident;
377	377	4. The estimated fiscal impact of the cybersecuri ty incident or
378	378	ransomware incident; and
379	379	5. In the case of a ransomware incident, the details of the
380	380	ransom demanded.
381	381	SECTION 4. This act shall become effective Novemb er 1, 2023.
382	382
383	383	59-1-511 KR 1/13/2023 8:56:46 AM

Oklahoma 2023 Regular Session

Oklahoma Senate Bill SB320 Compare Versions