Utah 2023 Regular Session

Utah House Bill HB0545 Compare Versions

Version 1 (Old)

Version 2 (New)

Old	New		Differences
1		-	Enrolled Copy H.B. 545
	1	+	H.B. 545
	2	+	LEGISLATIVE GENERAL COUNSEL
	3	+	6 Approved for Filing: D.M. Cheung 6
	4	+	6 02-22-23 11:33 AM 6
	5	+	H.B. 545
2	6		1 CYBERSECURITY INFRASTRUCTURE MODI FICATIONS
3	7		2 2023 GENERAL SESSION
4	8		3 STATE OF UTAH
5	9		4 Chief Sponsor: Jon Hawkins
6	10		5 Senate Sponsor: Daniel McCay
7	11		6
8	12		7LONG TITLE
9	13		8General Description:
10	14		9 This bill enacts certain cybersecurity requirements for state information architecture.
11	15		10Highlighted Provisions:
12	16		11 This bill:
13	17		12 <defines terms;
14	18		13 <specifies the applicability of the provisions enacted in this bill;
15	19		14 <enacts requirements regarding the adoption of zero trust architecture and
16	20		15multi-factor authentication for executive branch agencies; and
17	21		16 <creates a reporting requirement.
18	22		17Money Appropriated in this Bill:
19	23		18 None
20	24		19Other Special Clauses:
21	25		20 None
22	26		21Utah Code Sections Affected:
23	27		22ENACTS:
24	28		23 63A-16-214, Utah Code Annotated 1953
25	29		24
26	30		25Be it enacted by the Legislature of the state of Utah:
27	31		26 Section 1. Section 63A-16-214 is enacted to read:
28	32		27 63A-16-214. Zero trust architectures -- Implementation -- Requirements --
	33	+	HB0545 H.B. 545 02-22-23 11:33 AM
	34	+	- 2 -
29	35		28Reporting.
30		-	29 (1) As used in this section: H.B. 545 Enrolled Copy
31		-	- 2 -
	36	+	29 (1) As used in this section:
32	37		30 (a) "Endpoint detection and response" means a cybersecurity solution that continuously
33	38		31monitors end-user devices to detect and respond to cyber threats.
34	39		32 (b) "Governmental entity" means:
35	40		33 (i) the state;
36	41		34 (ii) a political subdivision of the state; and
37	42		35 (iii) an entity created by the state or a political subdivision of the state, including an
38	43		36agency, board, bureau, commission, committee, department, division, institution,
39	44		37instrumentality, or office.
40	45		38 (c) "Multi-factor authentication" means using two or more different types of
41	46		39identification factors to authenticate a user's identity for the purpose of accessing systems and
42	47		40data, which may include:
43	48		41 (i) knowledge-based factors, which require the user to provide information that only
44	49		42the user knows, such as a password or personal identification number;
45	50		43 (ii) possession-based factors, which require the user to have a physical item that only
46		-	44the user possesses, such as a security token, key fob, subscriber identity module card, or smart
	51	+	44the user possesses, such as a security token, key fob, subscriber identity module card or smart
47	52		45phone application; or
48	53		46 (iii) inherence-based credentials, which require the user to demonstrate specific known
49	54		47biological traits attributable only to the user, such as fingerprints or facial recognition.
50	55		48 (d) "Zero trust architecture" means a security model, a set of system design principles,
51	56		49and a coordinated cybersecurity and system management strategy that employs continuous
52	57		50monitoring, risk-based access controls, secure identity and access management practices, and
53	58		51system security automation techniques to address the cybersecurity risk from threats inside and
54	59		52outside traditional network boundaries.
55	60		53 (2) This section applies to:
56	61		54 (a) all systems and data owned, managed, maintained, or utilized by or on behalf of an
57	62		55executive branch agency to access state systems or data; and
58	63		56 (b) all hardware, software, internal systems, and essential third-party software,
59		-	57including for on-premises, cloud, and hybrid environments. ~~Enrolled Copy H.B. 545~~
60		-	~~- 3 -~~
61		-	~~58 (~~3~~) (a) On or before November 1, 2023, the chief information officer shall develop~~
	64	+	57including for on-premises, cloud, and hybrid environments.
	65	+	58 (3) (a) On or before November 1, 2023, the chief information officer shall develop 02-22-23 11:33 AM H.B. 545
	66	+	- 3 - Senate 3rd Reading Amendments 3-3-2023 lp/dc
62	67		59uniform technology policies, standards, and procedures for use by executive branch agencies in
63	68		60implementing zero trust architecture and multi-factor authentication on all systems in
64	69		61accordance with this section.
65		-	62 (b) On or before July 1, 2024, the division shall consider adopting the enterprise
66		-	63security practices described in this section and consider implementing zero trust architecture
67		-	64and robust identity management practices, including:
	70	+	62 (b) On or before July 1, 2024, the division shall Öº [adopt] consider adopting »Ö the
	71	+	62aenterprise security practices
	72	+	63described in this section and Öº [implement] consider implementing »Ö zero trust architecture
	73	+	63aand robust identity management
	74	+	64practices, including:
68	75		65 (i) multi-factor authentication;
69	76		66 (ii) cloud-based enterprise endpoint detection and response solutions to promote
70	77		67real-time detection, and rapid investigation and remediation capabilities; and
71	78		68 (iii) robust logging practices to provide adequate data to support security investigations
72	79		69and proactive threat hunting.
73		-	70 (4) (a) If implementing a zero trust architecture and multi-factor authentication, the
74		-	71division shall consider prioritizing the use of third-party cloud computing solutions that meet
75		-	72or exceed industry standards.
76		-	73 (b) The division shall consider giving preference to zero trust architecture solutions
77		-	74that comply with, are authorized by, or align to applicable federal guidelines, programs, and
78		-	75frameworks, including:
	80	+	70 (4) (a) Öº [In] If »Ö implementing a zero trust architecture and multi-factor
	81	+	70aauthentication, the
	82	+	71division shall Öº [prioritize] consider prioritizing »Ö the use of third-party cloud computing
	83	+	71asolutions that meet or exceed
	84	+	72industry standards.
	85	+	73 (b) The division shall Öº [give] consider giving »Ö preference to zero trust architecture
	86	+	73asolutions that comply
	87	+	74with, are authorized by, or align to applicable federal guidelines, programs, and frameworks,
	88	+	75including:
79	89		76 (i) the Federal Risk and Authorization Management Program;
80	90		77 (ii) the Continuous Diagnostics and Mitigation Program; and
81	91		78 (iii) guidance and frameworks from the National Institute of Standards and
82	92		79Technology.
83	93		80 (5) (a) In procuring third-party cloud computing solutions, the division may utilize
84	94		81established purchasing vehicles, including cooperative purchasing contracts and federal supply
85	95		82contracts, to facilitate efficient purchasing.
86	96		83 (b) The chief information officer shall establish a list of approved vendors that are
87	97		84authorized to provide zero trust architecture to governmental entities in the state.
88		-	85 (c) If an executive branch agency determines that procurement of a third-party cloud H.B. 545 Enrolled Copy
89		-	- 4 -
	98	+	85 (c) If an executive branch agency determines that procurement of a third-party cloud
90	99		86computing solution is not feasible, the executive branch agency shall provide a written
91	100		87explanation to the division of the reasons that a cloud computing solution is not feasible,
92	101		88including:
93		-	89 (i) the reasons why the executive branch agency determined that a third-party cloud
	102	+	89 (i) the reasons why the executive branch agency determined that a third-party cloud H.B. 545 02-22-23 11:33 AM
	103	+	- 4 - Senate 3rd Reading Amendments 3-3-2023 lp/dc
94	104		90computing solution is not feasible;
95	105		91 (ii) specific challenges or difficulties of migrating existing solutions to a cloud
96	106		92environment; and
97	107		93 (iii) the total expected cost of ownership of existing or alternative solutions compared
98	108		94to a cloud computing solution.
99	109		95 (6) (a) On or before November 30 of each year, the chief information officer shall
100	110		96report on the progress of implementing zero trust architecture and multi-factor authentication
101	111		97to:
102		-	98 (i) the Public Utilities, Energy, and Technology Interim Committee; and
	112	+	98 (i) the Öº [Government Operations] Public Utilities, Energy, and Technology »Ö
	113	+	98a Interim Committee; and
103	114		99 (ii) the Cybersecurity Commission created in Section 63C-25-201.
104	115		100 (b) The report described in Subsection (6)(a) may include information on:
105	116		101 (i) applicable guidance issued by the United States Cybersecurity and Infrastructure
106	117		102Security Agency; and
107	118		103 (ii) the progress of the division, executive branch agencies, and governmental entities
108	119		104with respect to:
109	120		105 (A) shifting away from a paradigm of trusted networks toward implementation of
110	121		106security controls based on a presumption of compromise;
111	122		107 (B) implementing principles of least privilege in administering information security
112	123		108programs;
113	124		109 (C) limiting the ability of entities that cause incidents to move laterally through or
114	125		110between agency systems;
115	126		111 (D) identifying incidents quickly; and
116	127		112 (E) isolating and removing unauthorized entities from agency systems as quickly as
117		-	113practicable, accounting for cyber threat intelligence or law enforcement purposes. Enrolled Copy H.B. 545
118		-	- 5 -
119		-	114
	128	+	113practicable, accounting for cyber threat intelligence or law enforcement purposes.