Utah 2023 2023 Regular Session

Utah House Bill HB0545 Introduced / Bill

Filed 02/22/2023

H.B. 545
LEGISLATIVE GENERAL COUNSEL
Approved for Filing: D.M. Cheung
02-22-23 11:33 AM

H.B. 545

CYBERSECURITY INFRASTRUCTURE MODIFICATIONS
2023 GENERAL SESSION
STATE OF UTAH
Chief Sponsor: Jon Hawkins
Senate Sponsor: ____________

LONG TITLE
General Description:
This bill enacts certain cybersecurity requirements for state information architecture.
Highlighted Provisions:
This bill:
• defines terms;
• specifies the applicability of the provisions enacted in this bill;
• enacts requirements regarding the adoption of zero trust architecture and multi-factor authentication for executive branch agencies; and
• creates a reporting requirement.
Money Appropriated in this Bill:
None
Other Special Clauses:
None
Utah Code Sections Affected:
ENACTS:
63A-16-214, Utah Code Annotated 1953

Be it enacted by the Legislature of the state of Utah:
Section 1. Section 63A-16-214 is enacted to read:
63A-16-214. Zero trust architectures -- Implementation -- Requirements -- Reporting.
(1) As used in this section:
(a) "Endpoint detection and response" means a cybersecurity solution that continuously monitors end-user devices to detect and respond to cyber threats.
(b) "Governmental entity" means:
(i) the state;
(ii) a political subdivision of the state; and
(iii) an entity created by the state or a political subdivision of the state, including an agency, board, bureau, commission, committee, department, division, institution, instrumentality, or office.
(c) "Multi-factor authentication" means using two or more different types of identification factors to authenticate a user's identity for the purpose of accessing systems and data, which may include:
(i) knowledge-based factors, which require the user to provide information that only the user knows, such as a password or personal identification number;
(ii) possession-based factors, which require the user to have a physical item that only the user possesses, such as a security token, key fob, subscriber identity module card or smart phone application; or
(iii) inherence-based credentials, which require the user to demonstrate specific known biological traits attributable only to the user, such as fingerprints or facial recognition.
(d) "Zero trust architecture" means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy that employs continuous monitoring, risk-based access controls, secure identity and access management practices, and system security automation techniques to address the cybersecurity risk from threats inside and outside traditional network boundaries.
(2) This section applies to:
(a) all systems and data owned, managed, maintained, or utilized by or on behalf of an executive branch agency to access state systems or data; and
(b) all hardware, software, internal systems, and essential third-party software, including for on-premises, cloud, and hybrid environments.
(3) (a) On or before November 1, 2023, the chief information officer shall develop uniform technology policies, standards, and procedures for use by executive branch agencies in implementing zero trust architecture and multi-factor authentication on all systems in accordance with this section.
(b) On or before July 1, 2024, the division shall adopt the enterprise security practices described in this section and implement zero trust architecture and robust identity management practices, including:
(i) multi-factor authentication;
(ii) cloud-based enterprise endpoint detection and response solutions to promote real-time detection, and rapid investigation and remediation capabilities; and
(iii) robust logging practices to provide adequate data to support security investigations and proactive threat hunting.
(4) (a) In implementing a zero trust architecture and multi-factor authentication, the division shall prioritize the use of third-party cloud computing solutions that meet or exceed industry standards.
(b) The division shall give preference to zero trust architecture solutions that comply with, are authorized by, or align to applicable federal guidelines, programs, and frameworks, including:
(i) the Federal Risk and Authorization Management Program;
(ii) the Continuous Diagnostics and Mitigation Program; and
(iii) guidance and frameworks from the National Institute of Standards and Technology.
(5) (a) In procuring third-party cloud computing solutions, the division may utilize established purchasing vehicles, including cooperative purchasing contracts and federal supply contracts, to facilitate efficient purchasing.
(b) The chief information officer shall establish a list of approved vendors that are authorized to provide zero trust architecture to governmental entities in the state.
(c) If an executive branch agency determines that procurement of a third-party cloud computing solution is not feasible, the executive branch agency shall provide a written explanation to the division of the reasons that a cloud computing solution is not feasible, including:
(i) the reasons why the executive branch agency determined that a third-party cloud computing solution is not feasible;
(ii) specific challenges or difficulties of migrating existing solutions to a cloud environment; and
(iii) the total expected cost of ownership of existing or alternative solutions compared to a cloud computing solution.
(6) (a) On or before November 30 of each year, the chief information officer shall report on the progress of implementing zero trust architecture and multi-factor authentication to:
(i) the Government Operations Interim Committee; and
(ii) the Cybersecurity Commission created in Section 63C-25-201.
(b) The report described in Subsection (6)(a) may include information on:
(i) applicable guidance issued by the United States Cybersecurity and Infrastructure Security Agency; and
(ii) the progress of the division, executive branch agencies, and governmental entities with respect to:
(A) shifting away from a paradigm of trusted networks toward implementation of security controls based on a presumption of compromise;
(B) implementing principles of least privilege in administering information security programs;
(C) limiting the ability of entities that cause incidents to move laterally through or between agency systems;
(D) identifying incidents quickly; and
(E) isolating and removing unauthorized entities from agency systems as quickly as practicable, accounting for cyber threat intelligence or law enforcement purposes.