1     STATE TECHNOLOGY GOVERNANCE AMENDMENTS
2     2017 GENERAL SESSION
3     STATE OF UTAH
4     Chief Sponsor: Bruce R. Cutler
5     Senate Sponsor: David P. Hinkins
6     

7     LONG TITLE
8     General Description:
9          This bill amends provisions related to state technology governance.
10     Highlighted Provisions:
11          This bill:
12          ▸     eliminates divisions within the Department of Technology Services;
13          ▸     assigns duties formerly assigned to divisions within the Department of Technology
14     Services to the Department of Technology Services and the chief information
15     officer within the Department of Technology Services;
16          ▸     directs the chief information officer within the Department of Technology Services
17     to appoint a chief information security officer; and
18          ▸     defines terms.
19     Money Appropriated in this Bill:
20          None
21     Other Special Clauses:
22          None
23     Utah Code Sections Affected:
24     AMENDS:
25          63F-1-102, as last amended by Laws of Utah 2015, Chapter 114
26          63F-1-104, as last amended by Laws of Utah 2016, Chapter 13
27          63F-1-106, as enacted by Laws of Utah 2005, Chapter 169
28          63F-1-202, as last amended by Laws of Utah 2014, Chapter 387
29          63F-1-203, as last amended by Laws of Utah 2016, Chapter 13

30          63F-1-204, as last amended by Laws of Utah 2013, Chapter 53
31          63F-1-205, as last amended by Laws of Utah 2016, Chapter 355
32          63F-1-206, as last amended by Laws of Utah 2015, Chapter 114
33          63F-1-207, as last amended by Laws of Utah 2008, Chapter 382
34          63F-1-208, as enacted by Laws of Utah 2005, Chapter 169
35          63F-1-209, as last amended by Laws of Utah 2008, Chapter 382
36          63F-1-210, as enacted by Laws of Utah 2015, Chapter 114
37          63F-1-404, as last amended by Laws of Utah 2016, Chapter 13
38          63F-1-502, as enacted by Laws of Utah 2005, Chapter 169
39          63F-1-504, as last amended by Laws of Utah 2016, Chapter 13
40          63F-1-604, as last amended by Laws of Utah 2016, Chapter 13
41     ENACTS:
42          63F-1-211, Utah Code Annotated 1953
43          63F-1-212, Utah Code Annotated 1953
44     REPEALS AND REENACTS:
45          63F-1-401, as enacted by Laws of Utah 2005, Chapter 169
46          63F-1-403, as enacted by Laws of Utah 2005, Chapter 169
47          63F-1-501, as enacted by Laws of Utah 2005, Chapter 169
48          63F-1-503, as enacted by Laws of Utah 2005, Chapter 169
49          63F-1-601, as enacted by Laws of Utah 2005, Chapter 169
50          63F-1-603, as enacted by Laws of Utah 2005, Chapter 169
51     REPEALS:
52          63F-1-602, as enacted by Laws of Utah 2005, Chapter 169
53     

54     Be it enacted by the Legislature of the state of Utah:
55          Section 1. Section 63F-1-102 is amended to read:
56          63F-1-102. Definitions.
57          As used in this title:

58          (1) "Board" means the Technology Advisory Board created in Section 63F-1-202.
59          (2) "Chief information officer" means the chief information officer appointed under
60     Section 63F-1-201.
61          [(3) "Computer center" means the location at which a central data processing platform
62     is managed to serve multiple executive branch agencies.]
63          [(4)] (3) "Data center" means a centralized repository for the storage, management, and
64     dissemination of data.
65          [(5)] (4) "Department" means the Department of Technology Services.
66          (5) "Enterprise architecture" means:
67          (a) information technology that can be applied across state government; and
68          (b) support for information technology that can be applied across state government,
69     including:
70          (i) technical support;
71          (ii) master software licenses; and
72          (iii) hardware and software standards.
73          (6) (a) Except as provided in Subsection (6)(b), "executive branch agency" means an
74     agency or administrative subunit of state government.
75          (b) "Executive branch agency" does not include:
76          (i) the legislative branch;
77          (ii) the judicial branch;
78          (iii) the State Board of Education;
79          (iv) the Board of Regents;
80          (v) institutions of higher education;
81          (vi) independent entities as defined in Section 63E-1-102; and
82          (vii) elective constitutional offices of the executive department which includes:
83          (A) the state auditor;
84          (B) the state treasurer; and
85          (C) the attorney general.

86          (7) "Executive branch strategic plan" means the executive branch strategic plan created
87     under Section 63F-1-203.
88          (8) "Individual with a disability" means an individual with a condition that meets the
89     definition of "disability" in 42 U.S.C. Sec. 12102.
90          (9) "Information technology" means all computerized and auxiliary automated
91     information handling, including:
92          (a) systems design and analysis;
93          (b) acquisition, storage, and conversion of data;
94          (c) computer programming;
95          (d) information storage and retrieval;
96          (e) voice, [radio,] video, and data communications;
97          (f) requisite systems controls;
98          (g) simulation; and
99          (h) all related interactions between people and machines.
100          (10) "State information architecture" means a logically consistent set of principles,
101     policies, and standards that guide the engineering of state government's information technology
102     and infrastructure in a way that ensures alignment with state government's business and service
103     needs.
104          [(11) "Telecommunications" means the transmission or reception of signs, signals,
105     writing, images, sounds, messages, data, or other information of any nature by wire, radio, light
106     waves, or other electromagnetic means.]
107          Section 2. Section 63F-1-104 is amended to read:
108          63F-1-104. Purposes.
109          The department shall:
110          (1) lead state executive branch agency efforts to establish and reengineer the state's
111     information technology architecture with the goal of coordinating central and individual agency
112     information technology in a manner that:
113          (a) ensures compliance with the executive branch agency strategic plan; and

114          (b) ensures that cost-effective, efficient information and communication systems and
115     resources are being used by agencies to:
116          (i) reduce data, hardware, and software redundancy;
117          (ii) improve system interoperability and data accessibility between agencies; and
118          (iii) meet the agency's and user's business and service needs;
119          (2) coordinate an executive branch strategic plan for all agencies;
120          [(3) each year, in coordination with the governor's office, convene a group of public
121     and private sector information technology and data security experts to identify best practices
122     from agencies and other public and private sector entities, including best practices for data and
123     information technology system security standards;]
124          [(4)] (3) develop and implement processes to replicate information technology best
125     practices and standards [identified in Subsection (3),] throughout the executive branch;
126          [(5) by July 1, 2015, and] (4) at least once every [two years thereafter] odd-numbered
127     year:
128          (a) evaluate the adequacy of the department's and the executive branch agencies' data
129     and information technology system security standards through an independent third party
130     assessment; and
131          (b) communicate the results of the independent third party assessment to the
132     appropriate executive branch agencies and to the president of the Senate and the speaker of the
133     House of Representatives;
134          [(6)] (5) oversee the expanded use and implementation of project and contract
135     management principles as they relate to information technology projects within the executive
136     branch;
137          [(7)] (6) serve as general contractor between the state's information technology users
138     and private sector providers of information technology products and services;
139          [(8)] (7) work toward building stronger partnering relationships with providers;
140          [(9)] (8) develop service level agreements with executive branch departments and
141     agencies to ensure quality products and services are delivered on schedule and within budget;

142          [(10)] (9) develop standards for application development including a standard
143     methodology and cost-benefit analysis that all agencies shall utilize for application
144     development activities;
145          [(11)] (10) determine and implement statewide efforts to standardize data elements
146     [and determine data ownership assignments among executive branch agencies];
147          [(12)] (11) develop systems and methodologies to review, evaluate, and prioritize
148     existing information technology projects within the executive branch and report to the governor
149     and the Public Utilities, Energy, and Technology Interim Committee on a semiannual basis
150     regarding the status of information technology projects; and
151          [(13)] (12) assist the Governor's Office of Management and Budget with the
152     development of information technology budgets for agencies.
153          Section 3. Section 63F-1-106 is amended to read:
154          63F-1-106. Executive director -- Jurisdiction over office directors -- Authority.
155          (1) The executive director of the department:
156          (a) has administrative jurisdiction over each [division and] office in the department and
157     the [division and office directors. The executive director] director of each office;
158          (b) may make changes in department personnel and each office's service functions in
159     the divisions under the director's administrative jurisdiction[,]; and
160          (c) may authorize [designees] a designee to perform appropriate responsibilities[, to
161     effectuate greater efficiency and economy in the operations of the department as permitted by
162     this section.].
163          (2) The executive director may, to facilitate department management, establish offices
164     and bureaus to perform functions such as budgeting, planning, and personnel administration [to
165     facilitate management of the department.].
166          (3) (a) The executive director may hire employees in the department, divisions, and
167     offices as permitted by department resources.
168          (b) Except as provided in Subsection (4), [any employees] each employee of the
169     department [are] is exempt from career service or classified service status as provided in

170     Section 67-19-15.
171          (4) (a) An employee of an executive branch agency who was a career service employee
172     as of July 1, 2005 who is transferred to the Department of Technology Services continues in
173     the employee's career service status during the employee's service to the Department of
174     Technology Services if the duties of the position in the new department are substantially
175     similar to those in the employee's previous position.
176          (b) A career service employee transferred to the new department under the provisions
177     of Subsection (4)(a), whose duties or responsibilities subsequently change, may not be
178     converted to exempt status without the review process required by Subsection 67-19-15(3).
179          [(c) The executive director shall work with executive branch agency directors, during
180     the period of transition to the new department, in good faith, to:]
181          [(i) preserve relevant career service positions;]
182          [(ii) retain qualified employees in non-relevant positions through transfers to other
183     positions in state government, with retraining as necessary; and]
184          [(iii) promote greater economy and efficiencies for the department.]
185          [(d) The Department of Technology Services together with the Department of Human
186     Resource Management may develop financial and other incentives to encourage a career
187     service employee who transfers to the department under the provisions of Subsection (4)(a) to
188     voluntarily convert to an exempt position under Section 67-19-15.]
189          [(e) If a career service employee transfers to the department under the provisions of
190     Subsection (4)(a) and terminates his employment with the department for any reason, the
191     employment position shall be exempt from career service status under the provisions of
192     Subsection (3).]
193          Section 4. Section 63F-1-202 is amended to read:
194          63F-1-202. Technology Advisory Board -- Membership -- Duties.
195          (1) There is created the Technology Advisory Board to the chief information officer.
196     The board shall have seven members as follows:
197          (a) three members appointed by the governor who are individuals actively involved in

198     business planning for state agencies;
199          (b) one member appointed by the governor who is actively involved in business
200     planning for higher education or public education;
201          (c) one member appointed by the speaker of the House of Representatives and
202     president of the Senate [from the Legislative Automation Committee of the Legislature to
203     represent the legislative branch];
204          (d) one member appointed by the Judicial Council [to represent the judicial branch];
205     and
206          (e) one member appointed by the governor who represents private sector business
207     needs in the state, but who is not an information technology vendor for the state.
208          (2) (a) The members of the advisory board shall elect a chair from the board by
209     majority vote.
210          (b) The department shall provide staff to the board.
211          (c) (i) A majority of the members of the board constitutes a quorum.
212          (ii) Action by a majority of a quorum of the board constitutes an action of the board.
213          (3) The board shall meet as necessary to advise the chief information officer and assist
214     the chief information officer and executive branch agencies in coming to consensus on:
215          (a) the development and implementation of the state's information technology strategic
216     plan;
217          (b) critical information technology initiatives for the state;
218          (c) the development of standards for state information architecture;
219          (d) identification of the business and technical needs of state agencies;
220          (e) the department's performance measures for service agreements with executive
221     branch agencies and subscribers of services, including a process in which an executive branch
222     agency may review the department's implementation of and compliance with an executive
223     branch agency's data security requirements; and
224          (f) the efficient and effective operation of the department.
225          (4) (a) A member who is not a legislator may not receive compensation or benefits for

226     the member's service, but may receive per diem and travel expenses as allowed in:
227          (i) Section 63A-3-106;
228          (ii) Section 63A-3-107; and
229          (iii) rules made by the Division of Finance [according to] in accordance with Sections
230     63A-3-106 and 63A-3-107.
231          (b) Compensation and expenses of a member who is a legislator are governed by
232     Section 36-2-2 and Legislative Joint Rules, Title 5, Legislative Compensation and Expenses.
233          Section 5. Section 63F-1-203 is amended to read:
234          63F-1-203. Executive branch information technology strategic plan.
235          (1) In accordance with this section, the chief information officer shall prepare an
236     executive branch information technology strategic plan:
237          (a) that complies with this chapter; and
238          (b) [which shall include] that includes:
239          (i) a strategic plan for the:
240          (A) interchange of information related to information technology between executive
241     branch agencies;
242          (B) coordination between executive branch agencies in the development and
243     maintenance of information technology and information systems, including the coordination of
244     agency information technology plans described in Section 63F-1-204; and
245          (C) protection of the privacy of individuals who use state information technology or
246     information systems, including the implementation of industry best practices for data and
247     system security [that are identified in Subsection 63F-1-104(3)];
248          (ii) priorities for the development and implementation of information technology or
249     information systems including priorities determined on the basis of:
250          (A) the importance of the information technology or information system; and
251          (B) the time sequencing of the information technology or information system; and
252          (iii) maximizing the use of existing state information technology resources.
253          (2) In the development of the executive branch strategic plan, the chief information

254     officer shall consult with:
255          (a) all cabinet level officials; and
256          (b) the advisory board created in Section 63F-1-202[; and (c) the group convened in
257     accordance with Subsection 63F-1-104(3)].
258          (3) (a) Unless withdrawn by the chief information officer or the governor in accordance
259     with Subsection (3)(b), the executive branch strategic plan takes effect 30 days after the day on
260     which the executive branch strategic plan is submitted to:
261          (i) the governor; and
262          (ii) the Public Utilities, Energy, and Technology Interim Committee.
263          (b) The chief information officer or the governor may withdraw the executive branch
264     strategic plan submitted under Subsection (3)(a) if the governor or chief information officer
265     determines that the executive branch strategic plan:
266          (i) should be modified; or
267          (ii) for any other reason should not take effect.
268          (c) The Public Utilities, Energy, and Technology Interim Committee may make
269     recommendations to the governor and to the chief information officer if the commission
270     determines that the executive branch strategic plan should be modified or for any other reason
271     should not take effect.
272          (d) Modifications adopted by the chief information officer shall be resubmitted to the
273     governor and the Public Utilities, Energy, and Technology Interim Committee for their review
274     or approval as provided in Subsections (3)(a) and (b).
275          (4) (a) The chief information officer shall, on or before January 1, 2014, and each year
276     thereafter, modify the executive branch information technology strategic plan to incorporate
277     security standards that:
278          (i) are identified as industry best practices in accordance with Subsections
279     63F-1-104(3) and (4); and
280          (ii) can be implemented within the budget of the department or the executive branch
281     agencies.

282          (b) The chief information officer shall inform the speaker of the House of
283     Representatives and the president of the Senate on or before January 1 of each year if best
284     practices identified in Subsection (4)(a)(i) are not adopted due to budget issues considered
285     under Subsection (4)(a)(ii).
286          (5) [The] Each executive branch agency shall implement the executive branch strategic
287     plan [is to be implemented by executive branch agencies through each executive branch
288     agency] by adopting an agency information technology plan in accordance with Section
289     63F-1-204.
290          Section 6. Section 63F-1-204 is amended to read:
291          63F-1-204. Agency information technology plans.
292          (1) (a) By July 1 of each year, each executive branch agency shall submit an agency
293     information technology plan to the chief information officer at the department level, unless the
294     governor or the chief information officer request an information technology plan be submitted
295     by a subunit of a department, or by an executive branch agency other than a department.
296          (b) The information technology plans required by this section shall be in the form and
297     level of detail required by the chief information officer, by administrative rule adopted in
298     accordance with Section 63F-1-206, and shall include, at least:
299          (i) the information technology objectives of the agency;
300          (ii) any performance measures used by the agency for implementing the agency's
301     information technology objectives;
302          (iii) any planned expenditures related to information technology;
303          (iv) the agency's need for appropriations for information technology;
304          (v) how the agency's development of information technology coordinates with other
305     state and local governmental entities;
306          (vi) any efforts the agency has taken to develop public and private partnerships to
307     accomplish the information technology objectives of the agency;
308          (vii) the efforts the executive branch agency has taken to conduct transactions
309     electronically in compliance with Section 46-4-503; and

310          (viii) the executive branch agency's plan for the timing and method of verifying the
311     department's security standards, if an agency intends to verify the department's security
312     standards for the data that the agency maintains or transmits through the department's servers.
313          (2) (a) Except as provided in Subsection (2)(b), an agency information technology plan
314     described in Subsection (1) shall comply with the executive branch strategic plan established in
315     accordance with Section 63F-1-203.
316          (b) If the executive branch agency submitting the agency information technology plan
317     justifies the need to depart from the executive branch strategic plan, an agency information
318     technology plan may depart from the executive branch strategic plan to the extent approved by
319     the chief information officer.
320          [(3) (a) On receipt of a state agency information technology plan, the chief information
321     officer shall forward a complete copy of the agency information technology plan to the
322     Division of Enterprise Technology created in Section 63F-1-401 and the Division of Integrated
323     Technology created in Section 63F-1-501.]
324          [(b) The divisions shall provide the chief information officer a written analysis of each
325     agency plan submitted in accordance with Subsections 63F-1-404(14) and 63F-1-504(3).]
326          [(4) (a)] (3) The chief information officer shall review each agency plan to determine:
327          [(i) (A)] (a) (i) whether the agency plan complies with the executive branch strategic
328     plan and state information architecture; or
329          [(B)] (ii) to the extent that the agency plan does not comply with the executive branch
330     strategic plan or state information architecture, whether the executive branch entity is justified
331     in departing from the executive branch strategic plan, or state information architecture; and
332          [(ii)] (b) whether the agency plan meets the information technology and other needs of:
333          [(A)] (i) the executive branch agency submitting the plan; and
334          [(B)] (ii) the state.
335          [(b) In conducting the review required by Subsection (4)(a), the chief information
336     officer shall consider the analysis submitted by the divisions under Subsection (3).]
337          [(5)] (4) After the chief information officer conducts the review described in

338     Subsection [(4)] (3) of an agency information technology plan, the chief information officer
339     may:
340          (a) approve the agency information technology plan;
341          (b) disapprove the agency information technology plan; or
342          (c) recommend modifications to the agency information technology plan.
343          [(6)] (5) An executive branch agency or the department may not submit a request for
344     appropriation related to information technology or an information technology system to the
345     governor in accordance with Section 63J-1-201 until after the executive branch agency's
346     information technology plan is approved by the chief information officer.
347          Section 7. Section 63F-1-205 is amended to read:
348          63F-1-205. Approval of acquisitions of information technology.
349          (1) (a) Except as provided in Title 63N, Chapter 13, Part 2, Government Procurement
350     Private Proposal Program, in accordance with Subsection (2), the chief information officer
351     shall approve the acquisition by an executive branch agency of:
352          (i) information technology equipment;
353          (ii) telecommunications equipment;
354          (iii) software;
355          (iv) services related to the items listed in Subsections (1)(a)(i) through (iii); and
356          (v) data acquisition.
357          (b) The chief information officer may negotiate the purchase, lease, or rental of private
358     or public information technology or telecommunication services or facilities in accordance with
359     this section.
360          (c) Where practical, efficient, and economically beneficial, the chief information
361     officer shall use existing private and public information technology or telecommunication
362     resources.
363          (d) Notwithstanding another provision of this section, an acquisition authorized by this
364     section shall comply with rules made by the applicable rulemaking authority under Title 63G,
365     Chapter 6a, Utah Procurement Code.

366          (2) Before negotiating a purchase, lease, or rental under Subsection (1) for an amount
367     that exceeds the value established by the chief information officer by rule in accordance with
368     Section 63F-1-206, the chief information officer shall:
369          (a) conduct an analysis of the needs of executive branch agencies and subscribers of
370     services and the ability of the proposed information technology or telecommunications services
371     or supplies to meet those needs; and
372          (b) for purchases, leases, or rentals not covered by an existing statewide contract,
373     certify in writing to the chief procurement officer in the Division of Purchasing and General
374     Services that:
375          (i) the analysis required in Subsection (2)(a) was completed; and
376          (ii) based on the analysis, the proposed purchase, lease, rental, or master contract of
377     services, products, or supplies is practical, efficient, and economically beneficial to the state
378     and the executive branch agency or subscriber of services.
379          (3) In approving an acquisition described in Subsections (1) and (2), the chief
380     information officer shall:
381          (a) establish by administrative rule, in accordance with Section 63F-1-206, standards
382     under which an agency must obtain approval from the chief information officer before
383     acquiring the items listed in Subsections (1) and (2);
384          (b) for those acquisitions requiring approval, determine whether the acquisition is in
385     compliance with:
386          (i) the executive branch strategic plan;
387          (ii) the applicable agency information technology plan;
388          (iii) the budget for the executive branch agency or department as adopted by the
389     Legislature;
390          (iv) Title 63G, Chapter 6a, Utah Procurement Code; and
391          (v) the information technology accessibility standards described in Section 63F-1-210;
392     and
393          (c) in accordance with Section 63F-1-207, require coordination of acquisitions between

394     two or more executive branch agencies if it is in the best interests of the state.
395          (4) [(a)] Each executive branch agency shall provide the chief information officer with
396     complete access to all information technology records, documents, and reports:
397          [(i)] (a) at the request of the chief information officer; and
398          [(ii)] (b) related to the executive branch agency's acquisition of any item listed in
399     Subsection (1).
400          [(b) Beginning July 1, 2006 and in]
401          (5) (a) In accordance with administrative rules established by the department under
402     Section 63F-1-206, [no new technology projects may be initiated by an executive branch
403     agency or the department] an executive branch agency and the department may not initiate a
404     new technology project unless the technology project is described in a formal project plan and
405     [the] a business case analysis [has been] is approved by the chief information officer and
406     [agency head] the highest ranking executive branch agency official.
407          (b) The project plan and business case analysis required by this Subsection [(4)] (5)
408     shall [be in the form required by the chief information officer, and shall] include:
409          (i) a statement of work to be done and existing work to be modified or displaced;
410          (ii) total cost of system development and conversion effort, including system analysis
411     and programming costs, establishment of master files, testing, documentation, special
412     equipment cost and all other costs, including overhead;
413          (iii) savings or added operating costs that will result after conversion;
414          (iv) other advantages or reasons that justify the work;
415          (v) source of funding of the work, including ongoing costs;
416          (vi) consistency with budget submissions and planning components of budgets; and
417          (vii) whether the work is within the scope of projects or initiatives envisioned when the
418     current fiscal year budget was approved.
419          (c) The chief information officer shall determine the required form of the project plan
420     and business case analysis described in this Subsection (5).
421          [(5)] (6) The chief information officer and the Division of Purchasing and General

422     Services within the Department of Administrative Services shall work cooperatively to
423     establish procedures under which the chief information officer shall monitor and approve
424     acquisitions as provided in this section.
425          Section 8. Section 63F-1-206 is amended to read:
426          63F-1-206. Rulemaking -- Policies.
427          (1) (a) Except as provided in Subsection (2), the chief information officer shall, by rule
428     made in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act[, the
429     chief information officer shall make rules that]:
430          (i) provide standards that impose requirements on executive branch agencies that:
431          (A) are related to the security of the statewide area network; and
432          (B) establish standards for when an agency must obtain approval before obtaining
433     items listed in Subsection 63F-1-205(1);
434          (ii) specify the detail and format required in an agency information technology plan
435     submitted in accordance with Section 63F-1-204;
436          (iii) provide for standards related to the privacy policies of websites operated by or on
437     behalf of an executive branch agency;
438          (iv) provide for the acquisition, licensing, and sale of computer software;
439          (v) specify the requirements for the project plan and business case analysis required by
440     Section 63F-1-205;
441          (vi) provide for project oversight of agency technology projects when required by
442     Section 63F-1-205;
443          (vii) establish, in accordance with Subsection 63F-1-205(2), the implementation of the
444     needs assessment for information technology purchases;
445          (viii) establish telecommunications standards and specifications in accordance with
446     Section 63F-1-404; and
447          (ix) establish standards for accessibility of information technology by individuals with
448     disabilities in accordance with Section 63F-1-210.
449          (b) The rulemaking authority [in] granted by this Subsection (1) is in addition to any
450     other rulemaking authority granted by this title.
451          (2) (a) Notwithstanding Title 63G, Chapter 3, Utah Administrative Rulemaking Act,
452     and subject to Subsection (2)(b), the chief information officer may adopt a policy that outlines
453     procedures to be followed by the chief information officer in facilitating the implementation of
454     this title by executive branch agencies if the policy:
455          (i) is consistent with the executive branch strategic plan; and
456          (ii) is not required to be made by rule under Subsection (1) or Section 63G-3-201.
457          (b) (i) A policy adopted by the chief information officer under Subsection (2)(a) may
458     not take effect until 30 days after the day on which the chief information officer submits the
459     policy to:
460          (A) the governor; and
461          (B) all cabinet level officials.
462          (ii) During the 30-day period described in Subsection (2)(b)(i), cabinet level officials
463     may review and comment on a policy submitted under Subsection (2)(b)(i).
464          (3) (a) Notwithstanding Subsection (1) or (2) or Title 63G, Chapter 3, Utah
465     Administrative Rulemaking Act, without following the procedures of Subsection (1) or (2), the
466     chief information officer may adopt a security procedure to be followed by executive branch
467     agencies to protect the statewide area network if:
468          (i) broad communication of the security procedure would create a significant potential
469     for increasing the vulnerability of the statewide area network to breach or attack; and
470          (ii) after consultation with the chief information officer, the governor agrees that broad
471     communication of the security procedure would create a significant potential increase in the
472     vulnerability of the statewide area network to breach or attack.
473          (b) A security procedure described in Subsection (3)(a) is classified as a protected
474     record under Title 63G, Chapter 2, Government Records Access and Management Act.
475          (c) The chief information officer shall provide a copy of the security procedure as a
476     protected record to:
477          (i) the chief justice of the Utah Supreme Court for the judicial branch;
478          (ii) the speaker of the House of Representatives and the president of the Senate for the
479     legislative branch;
480          (iii) the chair of the Board of Regents; and
481          (iv) the chair of the State Board of Education.
482          Section 9. Section 63F-1-207 is amended to read:
483          63F-1-207. Coordination within the executive branch -- Cooperation with other
484     branches.
485          (1) In accordance with the executive branch strategic plan and the requirements of this
486     title, the chief information officer shall coordinate the development of information technology
487     systems between two or more executive branch agencies subject to:
488          (a) the budget approved by the Legislature; and
489          (b) Title 63J, Chapter 1, Budgetary Procedures Act.
490          (2) In addition to the coordination described in Subsection (1), the chief information
491     officer shall promote cooperation regarding information technology [in a manner consistent
492     with the interbranch coordination plan created in accordance with Section 63F-1-201.] between
493     branches of state government.
494          Section 10. Section 63F-1-208 is amended to read:
495          63F-1-208. Delegation of department functions.
496          (1) (a) If the conditions of Subsections (1)(b) and (2) are met and subject to the other
497     provisions of this section, the chief information officer may delegate a function of the
498     department to another executive branch agency or an institution of higher education by contract
499     or other means authorized by law.
500          (b) The chief information officer may delegate a function of the department as
501     provided in Subsection (1)(a) if in the judgment of the director of the executive branch agency[,
502     the director of the division,] and the chief information officer:
503          (i) the executive branch agency or institution of higher education has requested that the
504     function be delegated;
505          (ii) the executive branch agency or institution of higher education has the necessary
506     resources and skills to perform or control the function to be delegated; and
507          (iii) the function to be delegated is a unique or [mission critical] mission-critical
508     function of the agency or institution of higher education [which is not appropriate to: (A)
509     govern or manage under the Division of Enterprise Technology; or (B) govern or manage under
510     the Division of Integrated Technology.].
511          (2) The chief information officer may delegate a function of the department only when
512     the delegation results in net cost savings or improved service delivery to the state as a whole or
513     to the unique mission critical function of the executive branch agency.
514          (3) The delegation of a function under this section shall:
515          (a) be in writing;
516          (b) contain all of the following:
517          (i) a precise definition of each function to be delegated;
518          (ii) a clear description of the standards to be met in performing each function
519     delegated;
520          (iii) a provision for periodic administrative audits by the [Division of Agency Services
521     in accordance with Section 63F-1-604] department;
522          (iv) a date on which the agreement shall terminate if the agreement has not been
523     previously terminated or renewed; and
524          (v) any delegation of department staff to the agency to support the function in-house
525     with the agency and rates to be charged for the delegated staff; and
526          (c) include a cost-benefit analysis justifying the delegation [in accordance with Section
527     63F-1-604].
528          (4) An agreement to delegate functions to an executive branch agency or an institution
529     of higher education may be terminated by the department if the results of an administrative
530     audit conducted by the [division] department reveals a lack of compliance with the terms of the
531     agreement by the executive branch agency or institution of higher education.
532          Section 11. Section 63F-1-209 is amended to read:
533          63F-1-209. Delegation of department staff to executive branch agencies --
534     Prohibition against executive branch agency information technology staff.
535          (1) (a) The chief information officer shall assign department staff to serve an agency
536     in-house if the chief information officer and the executive branch agency director jointly
537     determine it is appropriate to provide information technology services to:
538          (i) the agency's unique [mission critical] mission-critical functions and applications;
539          (ii) the agency's participation in and use of statewide enterprise architecture [under the
540     Division of Enterprise Technology]; and
541          (iii) the agency's use of coordinated technology services with other agencies that share
542     similar characteristics with the agency [under the Division of Integrated Technology].
543          (b) (i) An agency may request the chief information officer to assign in-house staff
544     support from the department.
545          (ii) The chief information officer shall respond to the agency's request for in-house
546     staff support in accordance with Subsection (1)(a).
547          (c) The department shall enter into service agreements with an agency when
548     department staff is assigned in-house to the agency under the provisions of this section.
549          (d) An agency that receives in-house staff support assigned from the department under
550     the provision of this section is responsible for paying the rates charged by the department for
551     that staff as established under Section 63F-1-301.
552          (2) (a) [After July 1, 2006, an] An executive branch agency may not create a full-time
553     equivalent position or part-time position, or request an appropriation to fund a full-time
554     equivalent position or part-time position under the provisions of Section 63J-1-201 for the
555     purpose of providing information technology services to the agency unless:
556          (i) the chief information officer has approved a delegation under Section 63F-1-208;
557     and
558          (ii) the [Division of Agency Services] department conducts an audit under Section
559     63F-1-604 and finds that the delegation of information technology services to the agency meets
560     the requirements of Section 63F-1-208.
561          (b) The prohibition against a request for appropriation under Subsection (2)(a) does not
562     apply to a request for appropriation needed to pay rates imposed under Subsection (1)(d).
563          Section 12. Section 63F-1-210 is amended to read:
564          63F-1-210. Accessibility standards for executive branch agency information
565     technology.
566          (1) The chief information officer shall establish, by rule made in accordance with Title
567     63G, Chapter 3, Utah Administrative Rulemaking Act:
568          (a) minimum standards for accessibility of executive branch agency information
569     technology by an individual with a disability that:
570          (i) include accessibility criteria for:
571          (A) agency websites;
572          (B) hardware and software procured by an executive branch agency; and
573          (C) information systems used by executive branch agency employees; [and]
574          (ii) include a protocol to evaluate the standards via testing by individuals with a variety
575     of access limitations; and
576          (iii) are, at minimum, consistent with the most recent Web Content Accessibility
577     guidelines published by the World Wide Web Consortium; and
578          (b) grievance procedures for an individual with a disability who is unable to access
579     executive branch agency information technology, including:
580          (i) a process for an individual with a disability to report the access issue to the chief
581     information officer; and
582          (ii) a mechanism through which the chief information officer can respond to the
583     report[; and (c) are, at minimum, consistent with the Web Content Accessibility 2.0 guidelines
584     published by the World Wide Web Consortium.].
585          (2) The chief information officer shall update the standards described in Subsection
586     (1)(a) at least every three years to reflect advances in technology.
587          Section 13. Section 63F-1-211 is enacted to read:
588          63F-1-211. Chief information security officer.
589          (1) The chief information officer shall appoint a chief information security officer.
590          (2) The chief information security officer described in Subsection (1) shall:
591          (a) assess cybersecurity risks;
592          (b) coordinate with executive branch agencies to assess the sensitivity of information;
593     and
594          (c) manage cybersecurity support for the department and executive branch agencies.
595          Section 14. Section 63F-1-212 is enacted to read:
596          63F-1-212. Report to the Legislature.
597          The department shall, before November 1 of each year, report to the Public Utilities,
598     Energy, and Technology Interim Committee on:
599          (1) performance measures that the department uses to assess the department's
600     effectiveness in performing the department's duties under this chapter; and
601          (2) the department's performance, evaluated in accordance with the performance
602     measures described in Subsection (1).
603          Section 15. Section 63F-1-401 is repealed and reenacted to read:
604     
Part 4. Enterprise Technology

605          63F-1-401. Title.
606          This part is known as "Enterprise Technology."
607          Section 16. Section 63F-1-403 is repealed and reenacted to read:
608          63F-1-403. Enterprise technology -- Chief information officer manages.
609          The chief information officer shall manage the department's duties related to enterprise
610     technology.
611          Section 17. Section 63F-1-404 is amended to read:
612          63F-1-404. Duties of the department -- Enterprise technology.
613          The [division] department shall:
614          (1) develop and implement an effective enterprise architecture governance model for
615     the executive branch;
616          (2) provide oversight of information technology projects that impact statewide
617     information technology services, assets, or functions of state government to:
618          (a) control costs;
619          (b) ensure business value to a project;
620          (c) maximize resources;
621          (d) ensure the uniform application of best practices; and
622          (e) avoid duplication of resources;
623          (3) develop a method of accountability to agencies for services provided by the
624     [division] department through service agreements with the agencies;
625          [(4) beginning September 1, 2006, and each September 1 thereafter, provide the chief
626     information officer and the Public Utilities, Energy, and Technology Interim Committee with
627     performance measures used by the division to measure the quality of service delivered by the
628     division and the results of the performance measures;]
629          [(5)] (4) serve as a project manager for enterprise architecture which includes the
630     management of applications, standards, and procurement of enterprise architecture;
631          [(6)] (5) coordinate the development and implementation of advanced state
632     telecommunication systems;
633          [(7)] (6) provide services including technical assistance:
634          (a) to executive branch agencies and subscribers to the services; and
635          (b) related to information technology or telecommunications;
636          [(8)] (7) establish telecommunication system specifications and standards for use by:
637          (a) one or more executive branch agencies; or
638          (b) one or more entities that subscribe to the telecommunication systems in accordance
639     with Section 63F-1-303;
640          [(9)] (8) coordinate state telecommunication planning in cooperation with:
641          (a) state telecommunication users;
642          (b) executive branch agencies; and
643          (c) other subscribers to the state's telecommunication systems;
644          [(10)] (9) cooperate with the federal government, other state entities, counties, and
645     municipalities in the development, implementation, and maintenance of:
646          (a) (i) governmental information technology; or
647          (ii) governmental telecommunication systems; and
648          (b) (i) as part of a cooperative organization; or
649          (ii) through means other than a cooperative organization;
650          [(11)] (10) establish, operate, manage, and maintain:
651          (a) one or more state data centers; and
652          (b) one or more regional computer centers;
653          [(12)] (11) design, implement, and manage all state-owned, leased, or rented land,
654     mobile, or radio telecommunication systems that are used in the delivery of services for state
655     government or its political subdivisions; and
656          [(13)] (12) in accordance with the executive branch strategic plan, implement
657     minimum standards to be used by the [division] department for purposes of compatibility of
658     procedures, programming languages, codes, and media that facilitate the exchange of
659     information within and among telecommunication systems[; and].
660          [(14) provide the chief information officer with an analysis of an executive branch
661     agency information technology plan that includes:]
662          [(a) an assessment of how the implementation of the agency information technology
663     plan will affect the costs, operations, and services of:]
664          [(i) the department; and]
665          [(ii) other executive branch agencies; and]
666          [(b) any recommended changes to the plan.]
667          Section 18. Section 63F-1-501 is repealed and reenacted to read:
668     
Part 5. Integrated Technology

669          63F-1-501. Title.
670          This part is known as "Integrated Technology."
671          Section 19. Section 63F-1-502 is amended to read:
672          63F-1-502. Definitions.
673          As used in this part:
674          (1) "Center" means the Automated Geographic Reference Center created in Section
675     63F-1-506.
676          (2) "Database" means the State Geographic Information Database created in Section
677     63F-1-507.
678          [(3) "Director" means the director appointed in accordance with Section 63F-1-503.]
679          [(4) "Division" means the Division of Integrated Technology created in this part.]
680          [(5)] (3) "Geographic Information System" or "GIS" means a computer driven data
681     integration and map production system that interrelates disparate layers of data to specific
682     geographic locations.
683          [(6)] (4) "State Geographic Information Database" means the database created in
684     Section 63F-1-507.
685          [(7)] (5) "Statewide Global Positioning Reference Network" or "network" means the
686     network created in Section 63F-1-509.
687          Section 20. Section 63F-1-503 is repealed and reenacted to read:
688          63F-1-503. Integrated technology -- Chief information officer manages.
689          The chief information officer shall manage the department's duties related to integrated
690     technology.
691          Section 21. Section 63F-1-504 is amended to read:
692          63F-1-504. Duties of the department -- Integrated technology.
693          The [division] department shall:
694          (1) establish standards for the information technology needs of a collection of
695     executive branch agencies or programs that share common characteristics relative to the types
696     of stakeholders they serve, including:
697          (a) project management;
698          (b) application development; and
699          (c) procurement;
700          (2) provide oversight of information technology standards that impact multiple
701     executive branch agency information technology services, assets, or functions to:
702          (a) control costs;
703          (b) ensure business value to a project;
704          (c) maximize resources;
705          (d) ensure the uniform application of best practices; and
706          (e) avoid duplication of resources; and
707          [(3) in accordance with Section 63F-1-204, provide the chief information officer a
708     written analysis of any agency information technology plan provided to the division, which
709     shall include:]
710          [(a) a review of whether the agency's technology projects impact multiple agencies and
711     if so, whether the information technology projects are appropriately designed and developed;]
712          [(b) an assessment of whether the agency plan complies with the state information
713     architecture; and]
714          [(c) an assessment of whether the information technology projects included in the
715     agency plan comply with policies, procedures, and rules adopted by the department to ensure
716     that:]
717          [(i) information technology projects are phased in;]
718          [(ii) funding is released in phases;]
719          [(iii) an agency's authority to proceed to the next phase of an information technology
720     project is contingent upon the successful completion of the prior phase; and]
721          [(iv) one or more specific deliverables is identified for each phase of a technology
722     project;]
723          [(4)] (3) establish a system of accountability to user agencies through the use of service
724     agreements[;].
725          [(5) each year, provide the chief information officer and the Public Utilities, Energy,
726     and Technology Interim Committee with performance measures used by the division to
727     measure the quality of services delivered by the division and results of those measures; and]
728          [(6) establish administrative rules in accordance with Section 63F-1-206 and as
729     required by Section 63F-1-506.]

730          Section 22. Section 63F-1-601 is repealed and reenacted to read:
731     
Part 6. Agency Services

732          63F-1-601. Title.
733          This part is known as "Agency Services."
734          Section 23. Section 63F-1-603 is repealed and reenacted to read:
735          63F-1-603. Agency services -- Chief information officer manages.
736          The chief information officer shall manage the department's duties related to agency
737     services.
738          Section 24. Section 63F-1-604 is amended to read:
739          63F-1-604. Duties of the department -- Agency services.
740          The [division] department shall:
741          (1) be responsible for providing support to executive branch agencies for an agency's
742     information technology assets and functions that are unique to the executive branch agency and
743     are mission critical functions of the agency;
744          [(2) conduct audits of an executive branch agency when requested under the provisions
745     of Section 63F-1-208;]
746          [(3) conduct cost-benefit analysis of delegating a department function to an agency in
747     accordance with Section 63F-1-208;]
748          [(4)] (2) provide in-house information technology staff support to executive branch
749     agencies;
750          [(5) establish accountability and performance measures for the division to assure that
751     the division is:]
752          [(a) meeting the business and service needs of the state and individual executive branch
753     agencies; and]
754          [(b) implementing security standards in accordance with Subsection 63F-1-203(4);]
755          [(6)] (3) establish a committee composed of agency user groups for the purpose of
756     coordinating department services with agency needs; and
757          [(7)] (4) assist executive branch agencies in complying with the requirements of any
758     rule adopted by the chief information officer[; and (8) by July 1, 2013, and each July 1
759     thereafter, report to the Public Utilities, Energy, and Technology Interim Committee on the
760     performance measures used by the division under Subsection (5) and the results.].
761          Section 25. Repealer.
762          This bill repeals:
763          Section 63F-1-602, Definitions.