Req. No. 511

STATE OF OKLAHOMA

1st Session of the 59th Legislature (2023)

SENATE BILL 320 By: Bergstrom

AS INTRODUCED

An Act relating to state government; defining levels of certain incidents; amending 74 O.S. 2021, Section 63, which relates to the Office of Management and Enterprise Services; modifying powers and authority of the Office of Management and Enterprise Services; defining requirements for reporting certain incidents to certain state agency; providing for codification; and providing an effective date.

BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:

SECTION 1. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 63.7 of Title 74, unless there is created a duplication in numbering, reads as follows:

The level of severity of a cybersecurity incident shall be defined pursuant to the National Cyber Incident Response Plan of the United States Department of Homeland Security as follows:

1. Level 5 is an emergency-level incident within the specified jurisdiction that poses an imminent threat to wide-scale critical infrastructure services; national, state, or municipal security; or the lives of the country’s, state’s, or municipality’s residents;

2. Level 4 is a severe-level incident that is likely to result in a significant impact in the affected jurisdiction to public health or safety; the national, state, or municipal economic or physical security; or civil liberties;

3. Level 3 is a high-level incident that is likely to result in a demonstrable impact in the affected jurisdiction to public health or safety; national, state, or municipal economic or physical security; civil liberties; or public confidence;

4. Level 2 is a medium-level incident that may impact public health or safety; national, state, or municipal economic or physical security; civil liberties; or public confidence; and

5. Level 1 is a low-level incident that is unlikely to impact public health or safety; national, state, or municipal economic or physical security; civil liberties; or public confidence.

SECTION 2. AMENDATORY 74 O.S. 2021, Section 63, is amended to read as follows:

Section 63. A. The Office of Management and Enterprise Services shall have power to promulgate rules not inconsistent with the laws of this state.

B. The Office of Management and Enterprise Services shall have charge of the construction, repair, maintenance, insurance, and operation of all buildings owned, used, or occupied by or on behalf of the state including buildings owned by the Oklahoma Capitol Improvement Authority where such services are carried out by contract with the Authority, except as otherwise provided by law. Whenever feasible, the Office of Management and Enterprise Services may utilize the Construction Division of the Department of Corrections for the construction and repair of buildings for the Department of Corrections.

C. The Director of the Office of Management and Enterprise Services shall have authority to purchase all material and perform all other duties necessary in the construction, repair, and maintenance of all buildings under its management or control, shall make all necessary contracts by or on behalf of the state for any buildings or rooms rented for the use of the state or any of the officers thereof, and shall have charge of the arrangement and allotment of space in such buildings among the different state officers except as otherwise provided by law.

D. The Office of Management and Enterprise Services shall not have any authority or responsibility for buildings, rooms or space under the management or control of the University Hospitals Authority.

E. The Office of Management and Enterprise Services shall have the custody and control of all state property, and all other property managed or used by the state, except military stores and such property under the control of the State Banking Department and the two houses of the State Legislature, shall procure all necessary insurance thereon against loss and shall allot the use of the property to the several offices of the state, and prescribe where the property shall be kept for public use.

F. The Office of Management and Enterprise Services shall keep an accurate account of all property purchased for the state or any of the departments or officers thereof, except that purchased for and by the two houses of the State Legislature. The two houses shall have the exclusive use, care, and custody of their respective chambers, committee rooms, furniture, and property, and shall keep their respective records of said furniture and property.

G. The Office of Management and Enterprise Services shall not have any authority or responsibility for property purchased for or under the management or control of the University Hospitals Authority except as expressly provided by law.

H. The Office of Management and Enterprise Services shall not have any authority or responsibility for property purchased for or under the management or control of CompSource Oklahoma if CompSource Oklahoma is operating pursuant to a pilot program authorized by Sections 3316 and 3317 of this title.

I. The Office of Management and Enterprise Services shall have the responsibility to assess and track all levels of cybersecurity incidents occurring within state agencies, counties, municipalities, and political subdivisions as defined in Section 1 of this act.

SECTION 3. NEW LAW A new section of law to be codified in the Oklahoma Statutes as Section 63.8 of Title 74, unless there is created a duplication in numbering, reads as follows:

The cybersecurity incident reporting process shall specify the information that shall be reported by a state agency, county, municipality, or political subdivision, to the Office of Management and Enterprise Services following a cybersecurity or ransomware incident, which, at a minimum, shall include the following:

1. A summary of the facts surrounding the cybersecurity incident or ransomware incident;

2. The date on which the state agency most recently backed up its data, the physical location of the backup, if the backup was affected, and if the backup was created using cloud computing;

3. The types of data compromised by the cybersecurity incident or ransomware incident;

4. The estimated fiscal impact of the cybersecurity incident or ransomware incident; and

5. In the case of a ransomware incident, the details of the ransom demanded.

SECTION 4. This act shall become effective November 1, 2023.

59-1-511 KR 1/13/2023 8:56:46 AM