1     STATE TECHNOLOGY GOVERNANCE AMENDMENTS
2     2017 GENERAL SESSION
3     STATE OF UTAH
4     Chief Sponsor: Bruce R. Cutler
5     Senate Sponsor: David P. Hinkins
6     

7     LONG TITLE
8     General Description:
9          This bill amends provisions related to state technology governance.
10     Highlighted Provisions:
11          This bill:
12          ▸     eliminates divisions within the Department of Technology Services;
13          ▸     assigns duties formerly assigned to divisions within the Department of Technology
14     Services to the Department of Technology Services and the chief information
15     officer within the Department of Technology Services;
16          ▸     directs the chief information officer within the Department of Technology Services
17     to appoint a chief information security officer; and
18          ▸     defines terms.
19     Money Appropriated in this Bill:
20          None
21     Other Special Clauses:
22          None
23     Utah Code Sections Affected:
24     AMENDS:
25          63F-1-102, as last amended by Laws of Utah 2015, Chapter 114
26          63F-1-104, as last amended by Laws of Utah 2016, Chapter 13
27          63F-1-106, as enacted by Laws of Utah 2005, Chapter 169
28          63F-1-202, as last amended by Laws of Utah 2014, Chapter 387
29          63F-1-203, as last amended by Laws of Utah 2016, Chapter 13
30          63F-1-204, as last amended by Laws of Utah 2013, Chapter 53
31          63F-1-205, as last amended by Laws of Utah 2016, Chapter 355
32          63F-1-206, as last amended by Laws of Utah 2015, Chapter 114
33          63F-1-207, as last amended by Laws of Utah 2008, Chapter 382
34          63F-1-208, as enacted by Laws of Utah 2005, Chapter 169
35          63F-1-209, as last amended by Laws of Utah 2008, Chapter 382
36          63F-1-210, as enacted by Laws of Utah 2015, Chapter 114
37          63F-1-404, as last amended by Laws of Utah 2016, Chapter 13
38          63F-1-502, as enacted by Laws of Utah 2005, Chapter 169
39          63F-1-504, as last amended by Laws of Utah 2016, Chapter 13
40          63F-1-604, as last amended by Laws of Utah 2016, Chapter 13
41     ENACTS:
42          63F-1-211, Utah Code Annotated 1953
43          63F-1-212, Utah Code Annotated 1953
44     REPEALS AND REENACTS:
45          63F-1-401, as enacted by Laws of Utah 2005, Chapter 169
46          63F-1-403, as enacted by Laws of Utah 2005, Chapter 169
47          63F-1-501, as enacted by Laws of Utah 2005, Chapter 169
48          63F-1-503, as enacted by Laws of Utah 2005, Chapter 169
49          63F-1-601, as enacted by Laws of Utah 2005, Chapter 169
50          63F-1-603, as enacted by Laws of Utah 2005, Chapter 169
51     REPEALS:
52          63F-1-602, as enacted by Laws of Utah 2005, Chapter 169
53     

54     Be it enacted by the Legislature of the state of Utah:
55          Section 1. Section 63F-1-102 is amended to read:
56          63F-1-102. Definitions.
57          As used in this title:
58          (1) "Board" means the Technology Advisory Board created in Section 63F-1-202.
59          (2) "Chief information officer" means the chief information officer appointed under
60     Section 63F-1-201.
61          [(3) "Computer center" means the location at which a central data processing platform
62     is managed to serve multiple executive branch agencies.]
63          [(4)] (3) "Data center" means a centralized repository for the storage, management, and
64     dissemination of data.
65          [(5)] (4) "Department" means the Department of Technology Services.
66          (5) "Enterprise architecture" means:
67          (a) information technology that can be applied across state government; and
68          (b) support for information technology that can be applied across state government,
69     including:
70          (i) technical support;
71          (ii) master software licenses; and
72          (iii) hardware and software standards.
73          (6) (a) Except as provided in Subsection (6)(b), "executive branch agency" means an
74     agency or administrative subunit of state government.
75          (b) "Executive branch agency" does not include:
76          (i) the legislative branch;
77          (ii) the judicial branch;
78          (iii) the State Board of Education;
79          (iv) the Board of Regents;
80          (v) institutions of higher education;
81          (vi) independent entities as defined in Section 63E-1-102; and
82          (vii) elective constitutional offices of the executive department which includes:
83          (A) the state auditor;
84          (B) the state treasurer; and
85          (C) the attorney general.
86          (7) "Executive branch strategic plan" means the executive branch strategic plan created
87     under Section 63F-1-203.
88          (8) "Individual with a disability" means an individual with a condition that meets the
89     definition of "disability" in 42 U.S.C. Sec. 12102.
90          (9) "Information technology" means all computerized and auxiliary automated
91     information handling, including:
92          (a) systems design and analysis;
93          (b) acquisition, storage, and conversion of data;
94          (c) computer programming;
95          (d) information storage and retrieval;
96          (e) voice, [radio,] video, and data communications;
97          (f) requisite systems controls;
98          (g) simulation; and
99          (h) all related interactions between people and machines.
100          (10) "State information architecture" means a logically consistent set of principles,
101     policies, and standards that guide the engineering of state government's information technology
102     and infrastructure in a way that ensures alignment with state government's business and service
103     needs.
104          [(11) "Telecommunications" means the transmission or reception of signs, signals,
105     writing, images, sounds, messages, data, or other information of any nature by wire, radio, light
106     waves, or other electromagnetic means.]
107          Section 2. Section 63F-1-104 is amended to read:
108          63F-1-104. Purposes.
109          The department shall:
110          (1) lead state executive branch agency efforts to establish and reengineer the state's
111     information technology architecture with the goal of coordinating central and individual agency
112     information technology in a manner that:
113          (a) ensures compliance with the executive branch agency strategic plan; and
114          (b) ensures that cost-effective, efficient information and communication systems and
115     resources are being used by agencies to:
116          (i) reduce data, hardware, and software redundancy;
117          (ii) improve system interoperability and data accessibility between agencies; and
118          (iii) meet the agency's and user's business and service needs;
119          (2) coordinate an executive branch strategic plan for all agencies;
120          [(3) each year, in coordination with the governor's office, convene a group of public
121     and private sector information technology and data security experts to identify best practices
122     from agencies and other public and private sector entities, including best practices for data and
123     information technology system security standards;]
124          [(4)] (3) develop and implement processes to replicate information technology best
125     practices and standards [identified in Subsection (3),] throughout the executive branch;
126          [(5) by July 1, 2015, and] (4) at least once every [two years thereafter] odd-numbered
127     year:
128          (a) evaluate the adequacy of the department's and the executive branch agencies' data
129     and information technology system security standards through an independent third party
130     assessment; and
131          (b) communicate the results of the independent third party assessment to the
132     appropriate executive branch agencies and to the president of the Senate and the speaker of the
133     House of Representatives;
134          [(6)] (5) oversee the expanded use and implementation of project and contract
135     management principles as they relate to information technology projects within the executive
136     branch;
137          [(7)] (6) serve as general contractor between the state's information technology users
138     and private sector providers of information technology products and services;
139          [(8)] (7) work toward building stronger partnering relationships with providers;
140          [(9)] (8) develop service level agreements with executive branch departments and
141     agencies to ensure quality products and services are delivered on schedule and within budget;
142          [(10)] (9) develop standards for application development including a standard
143     methodology and cost-benefit analysis that all agencies shall utilize for application
144     development activities;
145          [(11)] (10) determine and implement statewide efforts to standardize data elements
146     [and determine data ownership assignments among executive branch agencies];
147          [(12)] (11) develop systems and methodologies to review, evaluate, and prioritize
148     existing information technology projects within the executive branch and report to the governor
149     and the Public Utilities, Energy, and Technology Interim Committee on a semiannual basis
150     regarding the status of information technology projects; and
151          [(13)] (12) assist the Governor's Office of Management and Budget with the
152     development of information technology budgets for agencies.
153          Section 3. Section 63F-1-106 is amended to read:
154          63F-1-106. Executive director -- Jurisdiction over divisions and office directors --
155     Authority.
156          (1) The executive director of the department:
157          (a) has administrative jurisdiction over each [division and] office in the department and
158     the [division and office directors. The executive director] director of each office;
159          (b) may make changes in department personnel and each office's service functions in
160     the divisions under the director's administrative jurisdiction[,]; and
161          (c) may authorize [designees] a designee to perform appropriate responsibilities[, to
162     effectuate greater efficiency and economy in the operations of the department as permitted by
163     this section.].
164          (2) The executive director may, to facilitate department management, establish offices
165     and bureaus to perform functions such as budgeting, planning, and personnel administration [to
166     facilitate management of the department.].
167          (3) (a) The executive director may hire employees in the department, divisions, and
168     offices as permitted by department resources.
169          (b) Except as provided in Subsection (4), [any employees] each employee of the
170     department [are] is exempt from career service or classified service status as provided in
171     Section 67-19-15.
172          (4) (a) An employee of an executive branch agency who was a career service employee
173     as of July 1, 2005 who is transferred to the Department of Technology Services continues in
174     the employee's career service status during the employee's service to the Department of
175     Technology Services if the duties of the position in the new department are substantially
176     similar to those in the employee's previous position.
177          (b) A career service employee transferred to the new department under the provisions
178     of Subsection (4)(a), whose duties or responsibilities subsequently change, may not be
179     converted to exempt status without the review process required by Subsection 67-19-15(3).
180          [(c) The executive director shall work with executive branch agency directors, during
181     the period of transition to the new department, in good faith, to:]
182          [(i) preserve relevant career service positions;]
183          [(ii) retain qualified employees in non-relevant positions through transfers to other
184     positions in state government, with retraining as necessary; and]
185          [(iii) promote greater economy and efficiencies for the department.]
186          [(d) The Department of Technology Services together with the Department of Human
187     Resource Management may develop financial and other incentives to encourage a career
188     service employee who transfers to the department under the provisions of Subsection (4)(a) to
189     voluntarily convert to an exempt position under Section 67-19-15.]
190          [(e) If a career service employee transfers to the department under the provisions of
191     Subsection (4)(a) and terminates his employment with the department for any reason, the
192     employment position shall be exempt from career service status under the provisions of
193     Subsection (3).]
194          Section 4. Section 63F-1-202 is amended to read:
195          63F-1-202. Technology Advisory Board -- Membership -- Duties.
196          (1) There is created the Technology Advisory Board to the chief information officer.
197     The board shall have seven members as follows:
198          (a) three members appointed by the governor who are individuals actively involved in
199     business planning for state agencies;
200          (b) one member appointed by the governor who is actively involved in business
201     planning for higher education or public education;
202          (c) one member appointed by the speaker of the House of Representatives and
203     president of the Senate [from the Legislative Automation Committee of the Legislature to
204     represent the legislative branch];
205          (d) one member appointed by the Judicial Council [to represent the judicial branch];
206     and
207          (e) one member appointed by the governor who represents private sector business
208     needs in the state, but who is not an information technology vendor for the state.
209          (2) (a) The members of the advisory board shall elect a chair from the board by
210     majority vote.
211          (b) The department shall provide staff to the board.
212          (c) (i) A majority of the members of the board constitutes a quorum.
213          (ii) Action by a majority of a quorum of the board constitutes an action of the board.
214          (3) The board shall meet as necessary to advise the chief information officer and assist
215     the chief information officer and executive branch agencies in coming to consensus on:
216          (a) the development and implementation of the state's information technology strategic
217     plan;
218          (b) critical information technology initiatives for the state;
219          (c) the development of standards for state information architecture;
220          (d) identification of the business and technical needs of state agencies;
221          (e) the department's performance measures for service agreements with executive
222     branch agencies and subscribers of services, including a process in which an executive branch
223     agency may review the department's implementation of and compliance with an executive
224     branch agency's data security requirements; and
225          (f) the efficient and effective operation of the department.
226          (4) (a) A member who is not a legislator may not receive compensation or benefits for
227     the member's service, but may receive per diem and travel expenses as allowed in:
228          (i) Section 63A-3-106;
229          (ii) Section 63A-3-107; and
230          (iii) rules made by the Division of Finance [according to] in accordance with Sections
231     63A-3-106 and 63A-3-107.
232          (b) Compensation and expenses of a member who is a legislator are governed by
233     Section 36-2-2 and Legislative Joint Rules, Title 5, Legislative Compensation and Expenses.
234          Section 5. Section 63F-1-203 is amended to read:
235          63F-1-203. Executive branch information technology strategic plan.
236          (1) In accordance with this section, the chief information officer shall prepare an
237     executive branch information technology strategic plan:
238          (a) that complies with this chapter; and
239          (b) [which shall include] that includes:
240          (i) a strategic plan for the:
241          (A) interchange of information related to information technology between executive
242     branch agencies;
243          (B) coordination between executive branch agencies in the development and
244     maintenance of information technology and information systems, including the coordination of
245     agency information technology plans described in Section 63F-1-204; and
246          (C) protection of the privacy of individuals who use state information technology or
247     information systems, including the implementation of industry best practices for data and
248     system security [that are identified in Subsection 63F-1-104(3)];
249          (ii) priorities for the development and implementation of information technology or
250     information systems including priorities determined on the basis of:
251          (A) the importance of the information technology or information system; and
252          (B) the time sequencing of the information technology or information system; and
253          (iii) maximizing the use of existing state information technology resources.
254          (2) In the development of the executive branch strategic plan, the chief information
255     officer shall consult with:
256          (a) all cabinet level officials; and
257          (b) the advisory board created in Section 63F-1-202[; and (c) the group convened in
258     accordance with Subsection 63F-1-104(3)].
259          (3) (a) Unless withdrawn by the chief information officer or the governor in accordance
260     with Subsection (3)(b), the executive branch strategic plan takes effect 30 days after the day on
261     which the executive branch strategic plan is submitted to:
262          (i) the governor; and
263          (ii) the Public Utilities, Energy, and Technology Interim Committee.
264          (b) The chief information officer or the governor may withdraw the executive branch
265     strategic plan submitted under Subsection (3)(a) if the governor or chief information officer
266     determines that the executive branch strategic plan:
267          (i) should be modified; or
268          (ii) for any other reason should not take effect.
269          (c) The Public Utilities, Energy, and Technology Interim Committee may make
270     recommendations to the governor and to the chief information officer if the commission
271     determines that the executive branch strategic plan should be modified or for any other reason
272     should not take effect.
273          (d) Modifications adopted by the chief information officer shall be resubmitted to the
274     governor and the Public Utilities, Energy, and Technology Interim Committee for their review
275     or approval as provided in Subsections (3)(a) and (b).
276          (4) (a) The chief information officer shall, on or before January 1, 2014, and each year
277     thereafter, modify the executive branch information technology strategic plan to incorporate
278     security standards that:
279          (i) are identified as industry best practices in accordance with Subsections
280     63F-1-104(3) and (4); and
281          (ii) can be implemented within the budget of the department or the executive branch
282     agencies.
283          (b) The chief information officer shall inform the speaker of the House of
284     Representatives and the president of the Senate on or before January 1 of each year if best
285     practices identified in Subsection (4)(a)(i) are not adopted due to budget issues considered
286     under Subsection (4)(a)(ii).
287          (5) [The] Each executive branch agency shall implement the executive branch strategic
288      plan [is to be implemented by executive branch agencies through each executive branch
289     agency] by adopting an agency information technology plan in accordance with Section
290     63F-1-204.
291          Section 6. Section 63F-1-204 is amended to read:
292          63F-1-204. Agency information technology plans.
293          (1) (a) By July 1 of each year, each executive branch agency shall submit an agency
294     information technology plan to the chief information officer at the department level, unless the
295     governor or the chief information officer request an information technology plan be submitted
296     by a subunit of a department, or by an executive branch agency other than a department.
297          (b) The information technology plans required by this section shall be in the form and
298     level of detail required by the chief information officer, by administrative rule adopted in
299     accordance with Section 63F-1-206, and shall include, at least:
300          (i) the information technology objectives of the agency;
301          (ii) any performance measures used by the agency for implementing the agency's
302     information technology objectives;
303          (iii) any planned expenditures related to information technology;
304          (iv) the agency's need for appropriations for information technology;
305          (v) how the agency's development of information technology coordinates with other
306     state and local governmental entities;
307          (vi) any efforts the agency has taken to develop public and private partnerships to
308     accomplish the information technology objectives of the agency;
309          (vii) the efforts the executive branch agency has taken to conduct transactions
310     electronically in compliance with Section 46-4-503; and
311          (viii) the executive branch agency's plan for the timing and method of verifying the
312     department's security standards, if an agency intends to verify the department's security
313     standards for the data that the agency maintains or transmits through the department's servers.
314          (2) (a) Except as provided in Subsection (2)(b), an agency information technology plan
315     described in Subsection (1) shall comply with the executive branch strategic plan established in
316     accordance with Section 63F-1-203.
317          (b) If the executive branch agency submitting the agency information technology plan
318     justifies the need to depart from the executive branch strategic plan, an agency information
319     technology plan may depart from the executive branch strategic plan to the extent approved by
320     the chief information officer.
321          [(3) (a) On receipt of a state agency information technology plan, the chief information
322     officer shall forward a complete copy of the agency information technology plan to the
323     Division of Enterprise Technology created in Section 63F-1-401 and the Division of Integrated
324     Technology created in Section 63F-1-501.]
325          [(b) The divisions shall provide the chief information officer a written analysis of each
326     agency plan submitted in accordance with Subsections 63F-1-404(14) and 63F-1-504(3).]
327          [(4) (a)] (3) The chief information officer shall review each agency plan to determine:
328          [(i) (A)] (a) (i) whether the agency plan complies with the executive branch strategic
329     plan and state information architecture; or
330          [(B)] (ii) to the extent that the agency plan does not comply with the executive branch
331     strategic plan or state information architecture, whether the executive branch entity is justified
332     in departing from the executive branch strategic plan, or state information architecture; and
333          [(ii)] (b) whether the agency plan meets the information technology and other needs of:
334          [(A)] (i) the executive branch agency submitting the plan; and
335          [(B)] (ii) the state.
336          [(b) In conducting the review required by Subsection (4)(a), the chief information
337     officer shall consider the analysis submitted by the divisions under Subsection (3).]
338          [(5)] (4) After the chief information officer conducts the review described in
339     Subsection [(4)] (3) of an agency information technology plan, the chief information officer
340     may:
341          (a) approve the agency information technology plan;
342          (b) disapprove the agency information technology plan; or
343          (c) recommend modifications to the agency information technology plan.
344          [(6)] (5) An executive branch agency or the department may not submit a request for
345     appropriation related to information technology or an information technology system to the
346     governor in accordance with Section 63J-1-201 until after the executive branch agency's
347     information technology plan is approved by the chief information officer.
348          Section 7. Section 63F-1-205 is amended to read:
349          63F-1-205. Approval of acquisitions of information technology.
350          (1) (a) Except as provided in Title 63N, Chapter 13, Part 2, Government Procurement
351     Private Proposal Program, in accordance with Subsection (2), the chief information officer
352     shall approve the acquisition by an executive branch agency of:
353          (i) information technology equipment;
354          (ii) telecommunications equipment;
355          (iii) software;
356          (iv) services related to the items listed in Subsections (1)(a)(i) through (iii); and
357          (v) data acquisition.
358          (b) The chief information officer may negotiate the purchase, lease, or rental of private
359     or public information technology or telecommunication services or facilities in accordance with
360     this section.
361          (c) Where practical, efficient, and economically beneficial, the chief information
362     officer shall use existing private and public information technology or telecommunication
363     resources.
364          (d) Notwithstanding another provision of this section, an acquisition authorized by this
365     section shall comply with rules made by the applicable rulemaking authority under Title 63G,
366     Chapter 6a, Utah Procurement Code.
367          (2) Before negotiating a purchase, lease, or rental under Subsection (1) for an amount
368     that exceeds the value established by the chief information officer by rule in accordance with
369     Section 63F-1-206, the chief information officer shall:
370          (a) conduct an analysis of the needs of executive branch agencies and subscribers of
371     services and the ability of the proposed information technology or telecommunications services
372     or supplies to meet those needs; and
373          (b) for purchases, leases, or rentals not covered by an existing statewide contract,
374     certify in writing to the chief procurement officer in the Division of Purchasing and General
375     Services that:
376          (i) the analysis required in Subsection (2)(a) was completed; and
377          (ii) based on the analysis, the proposed purchase, lease, rental, or master contract of
378     services, products, or supplies is practical, efficient, and economically beneficial to the state
379     and the executive branch agency or subscriber of services.
380          (3) In approving an acquisition described in Subsections (1) and (2), the chief
381     information officer shall:
382          (a) establish by administrative rule, in accordance with Section 63F-1-206, standards
383     under which an agency must obtain approval from the chief information officer before
384     acquiring the items listed in Subsections (1) and (2);
385          (b) for those acquisitions requiring approval, determine whether the acquisition is in
386     compliance with:
387          (i) the executive branch strategic plan;
388          (ii) the applicable agency information technology plan;
389          (iii) the budget for the executive branch agency or department as adopted by the
390     Legislature;
391          (iv) Title 63G, Chapter 6a, Utah Procurement Code; and
392          (v) the information technology accessibility standards described in Section 63F-1-210;
393     and
394          (c) in accordance with Section 63F-1-207, require coordination of acquisitions between
395     two or more executive branch agencies if it is in the best interests of the state.
396          (4) [(a)] Each executive branch agency shall provide the chief information officer with
397     complete access to all information technology records, documents, and reports:
398          [(i)] (a) at the request of the chief information officer; and
399          [(ii)] (b) related to the executive branch agency's acquisition of any item listed in
400     Subsection (1).
401          [(b) Beginning July 1, 2006 and in]
402          (5) (a) In accordance with administrative rules established by the department under
403     Section 63F-1-206, [no new technology projects may be initiated by an executive branch
404     agency or the department] an executive branch agency and the department may not initiate a
405     new technology project unless the technology project is described in a formal project plan and
406     [the] a business case analysis [has been] is approved by the chief information officer and
407     [agency head] the highest ranking executive branch agency official.
408          (b) The project plan and business case analysis required by this Subsection [(4)] (5)
409     shall [be in the form required by the chief information officer, and shall] include:
410          (i) a statement of work to be done and existing work to be modified or displaced;
411          (ii) total cost of system development and conversion effort, including system analysis
412     and programming costs, establishment of master files, testing, documentation, special
413     equipment cost and all other costs, including overhead;
414          (iii) savings or added operating costs that will result after conversion;
415          (iv) other advantages or reasons that justify the work;
416          (v) source of funding of the work, including ongoing costs;
417          (vi) consistency with budget submissions and planning components of budgets; and
418          (vii) whether the work is within the scope of projects or initiatives envisioned when the
419     current fiscal year budget was approved.
420          (c) The chief information officer shall determine the required form of the project plan
421     and business case analysis described in this Subsection (5).
422          [(5)] (6) The chief information officer and the Division of Purchasing and General
423     Services within the Department of Administrative Services shall work cooperatively to
424     establish procedures under which the chief information officer shall monitor and approve
425     acquisitions as provided in this section.
426          Section 8. Section 63F-1-206 is amended to read:
427          63F-1-206. Rulemaking -- Policies.
428          (1) (a) Except as provided in Subsection (2), the chief information officer shall, by rule
429     made in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act[, the
430     chief information officer shall make rules that]:
431          (i) provide standards that impose requirements on executive branch agencies that:
432          (A) are related to the security of the statewide area network; and
433          (B) establish standards for when an agency must obtain approval before obtaining
434     items listed in Subsection 63F-1-205(1);
435          (ii) specify the detail and format required in an agency information technology plan
436     submitted in accordance with Section 63F-1-204;
437          (iii) provide for standards related to the privacy policies of websites operated by or on
438     behalf of an executive branch agency;
439          (iv) provide for the acquisition, licensing, and sale of computer software;
440          (v) specify the requirements for the project plan and business case analysis required by
441     Section 63F-1-205;
442          (vi) provide for project oversight of agency technology projects when required by
443     Section 63F-1-205;
444          (vii) establish, in accordance with Subsection 63F-1-205(2), the implementation of the
445     needs assessment for information technology purchases;
446          (viii) establish telecommunications standards and specifications in accordance with
447     Section 63F-1-404; and
448          (ix) establish standards for accessibility of information technology by individuals with
449     disabilities in accordance with Section 63F-1-210.
450          (b) The rulemaking authority [in] granted by this Subsection (1) is in addition to any
451     other rulemaking authority granted by this title.
452          (2) (a) Notwithstanding Title 63G, Chapter 3, Utah Administrative Rulemaking Act,
453     and subject to Subsection (2)(b), the chief information officer may adopt a policy that outlines
454     procedures to be followed by the chief information officer in facilitating the implementation of
455     this title by executive branch agencies if the policy:
456          (i) is consistent with the executive branch strategic plan; and
457          (ii) is not required to be made by rule under Subsection (1) or Section 63G-3-201.
458          (b) (i) A policy adopted by the chief information officer under Subsection (2)(a) may
459     not take effect until 30 days after the day on which the chief information officer submits the
460     policy to:
461          (A) the governor; and

462          (B) all cabinet level officials.
463          (ii) During the 30-day period described in Subsection (2)(b)(i), cabinet level officials
464     may review and comment on a policy submitted under Subsection (2)(b)(i).
465          (3) (a) Notwithstanding Subsection (1) or (2) or Title 63G, Chapter 3, Utah
466     Administrative Rulemaking Act, without following the procedures of Subsection (1) or (2), the
467     chief information officer may adopt a security procedure to be followed by executive branch
468     agencies to protect the statewide area network if:
469          (i) broad communication of the security procedure would create a significant potential
470     for increasing the vulnerability of the statewide area network to breach or attack; and
471          (ii) after consultation with the chief information officer, the governor agrees that broad
472     communication of the security procedure would create a significant potential increase in the
473     vulnerability of the statewide area network to breach or attack.
474          (b) A security procedure described in Subsection (3)(a) is classified as a protected
475     record under Title 63G, Chapter 2, Government Records Access and Management Act.
476          (c) The chief information officer shall provide a copy of the security procedure as a
477     protected record to:
478          (i) the chief justice of the Utah Supreme Court for the judicial branch;
479          (ii) the speaker of the House of Representatives and the president of the Senate for the
480     legislative branch;
481          (iii) the chair of the Board of Regents; and
482          (iv) the chair of the State Board of Education.
483          Section 9. Section 63F-1-207 is amended to read:
484          63F-1-207. Coordination within the executive branch -- Cooperation with other
485     branches.
486          (1) In accordance with the executive branch strategic plan and the requirements of this
487     title, the chief information officer shall coordinate the development of information technology
488     systems between two or more executive branch agencies subject to:
489          (a) the budget approved by the Legislature; and
490          (b) Title 63J, Chapter 1, Budgetary Procedures Act.
491          (2) In addition to the coordination described in Subsection (1), the chief information
492     officer shall promote cooperation regarding information technology [in a manner consistent

493     with the interbranch coordination plan created in accordance with Section 63F-1-201.] between
494     branches of state government.
495          Section 10. Section 63F-1-208 is amended to read:
496          63F-1-208. Delegation of department functions.
497          (1) (a) If the conditions of Subsections (1)(b) and (2) are met and subject to the other
498     provisions of this section, the chief information officer may delegate a function of the
499     department to another executive branch agency or an institution of higher education by contract
500     or other means authorized by law.
501          (b) The chief information officer may delegate a function of the department as
502     provided in Subsection (1)(a) if in the judgment of the director of the executive branch agency[,
503     the director of the division,] and the chief information officer:
504          (i) the executive branch agency or institution of higher education has requested that the
505     function be delegated;
506          (ii) the executive branch agency or institution of higher education has the necessary
507     resources and skills to perform or control the function to be delegated; and
508          (iii) the function to be delegated is a unique or [mission critical] mission-critical
509     function of the agency or institution of higher education [which is not appropriate to: (A)
510     govern or manage under the Division of Enterprise Technology; or (B) govern or manage under
511     the Division of Integrated Technology.].
512          (2) The chief information officer may delegate a function of the department only when
513     the delegation results in net cost savings or improved service delivery to the state as a whole or
514     to the unique mission critical function of the executive branch agency.
515          (3) The delegation of a function under this section shall:
516          (a) be in writing;
517          (b) contain all of the following:
518          (i) a precise definition of each function to be delegated;
519          (ii) a clear description of the standards to be met in performing each function
520     delegated;
521          (iii) a provision for periodic administrative audits by the [Division of Agency Services
522     in accordance with Section 63F-1-604] department;
523          (iv) a date on which the agreement shall terminate if the agreement has not been

524     previously terminated or renewed; and
525          (v) any delegation of department staff to the agency to support the function in-house
526     with the agency and rates to be charged for the delegated staff; and
527          (c) include a cost-benefit analysis justifying the delegation [in accordance with Section
528     63F-1-604].
529          (4) An agreement to delegate functions to an executive branch agency or an institution
530     of higher education may be terminated by the department if the results of an administrative
531     audit conducted by the [division] department reveals a lack of compliance with the terms of the
532     agreement by the executive branch agency or institution of higher education.
533          Section 11. Section 63F-1-209 is amended to read:
534          63F-1-209. Delegation of department staff to executive branch agencies --
535     Prohibition against executive branch agency information technology staff.
536          (1) (a) The chief information officer shall assign department staff to serve an agency
537     in-house if the chief information officer and the executive branch agency director jointly
538     determine it is appropriate to provide information technology services to:
539          (i) the agency's unique [mission critical] mission-critical functions and applications;
540          (ii) the agency's participation in and use of statewide enterprise architecture [under the
541     Division of Enterprise Technology]; and
542          (iii) the agency's use of coordinated technology services with other agencies that share
543     similar characteristics with the agency [under the Division of Integrated Technology].
544          (b) (i) An agency may request the chief information officer to assign in-house staff
545     support from the department.
546          (ii) The chief information officer shall respond to the agency's request for in-house
547     staff support in accordance with Subsection (1)(a).
548          (c) The department shall enter into service agreements with an agency when
549     department staff is assigned in-house to the agency under the provisions of this section.
550          (d) An agency that receives in-house staff support assigned from the department under
551     the provision of this section is responsible for paying the rates charged by the department for
552     that staff as established under Section 63F-1-301.
553          (2) (a) [After July 1, 2006, an] An executive branch agency may not create a full-time
554     equivalent position or part-time position, or request an appropriation to fund a full-time

555     equivalent position or part-time position under the provisions of Section 63J-1-201 for the
556     purpose of providing information technology services to the agency unless:
557          (i) the chief information officer has approved a delegation under Section 63F-1-208;
558     and
559          (ii) the [Division of Agency Services] department conducts an audit under Section
560     63F-1-604 and finds that the delegation of information technology services to the agency meets
561     the requirements of Section 63F-1-208.
562          (b) The prohibition against a request for appropriation under Subsection (2)(a) does not
563     apply to a request for appropriation needed to pay rates imposed under Subsection (1)(d).
564          Section 12. Section 63F-1-210 is amended to read:
565          63F-1-210. Accessibility standards for executive branch agency information
566     technology.
567          (1) The chief information officer shall establish, by rule made in accordance with Title
568     63G, Chapter 3, Utah Administrative Rulemaking Act:
569          (a) minimum standards for accessibility of executive branch agency information
570     technology by an individual with a disability that:
571          (i) include accessibility criteria for:
572          (A) agency websites;
573          (B) hardware and software procured by an executive branch agency; and
574          (C) information systems used by executive branch agency employees; [and]
575          (ii) include a protocol to evaluate the standards via testing by individuals with a variety
576     of access limitations; and
577          (iii) are, at minimum, consistent with the most recent Web Content Accessibility
578     guidelines published by the World Wide Web Consortium; and
579          (b) grievance procedures for an individual with a disability who is unable to access
580     executive branch agency information technology, including:
581          (i) a process for an individual with a disability to report the access issue to the chief
582     information officer; and
583          (ii) a mechanism through which the chief information officer can respond to the
584     report[; and (c) are, at minimum, consistent with the Web Content Accessibility 2.0 guidelines
585     published by the World Wide Web Consortium.].

586          (2) The chief information officer shall update the standards described in Subsection
587     (1)(a) at least every three years to reflect advances in technology.
588          Section 13. Section 63F-1-211 is enacted to read:
589          63F-1-211. Chief information security officer.
590          (1) The chief information officer shall appoint a chief information security officer.
591          (2) The chief information security officer described in Subsection (1) shall:
592          (a) assess cybersecurity risks;
593          (b) coordinate with executive branch agencies to assess the sensitivity of information;
594     and
595          (c) manage cybersecurity support for the department and executive branch agencies.
596          Section 14. Section 63F-1-212 is enacted to read:
597          63F-1-212. Report to the Legislature.
598          The department shall, before November 1 of each year, report to the Public Utilities,
599     Energy, and Technology Interim Committee on:
600          (1) performance measures that the department uses to assess the department's
601     effectiveness in performing the department's duties under this chapter; and
602          (2) the department's performance, evaluated in accordance with the performance
603     measures described in Subsection (1).
604          Section 15. Section 63F-1-401 is repealed and reenacted to read:
605     
Part 4. Enterprise Technology

606          63F-1-401. Title.
607          This part is known as "Enterprise Technology."
608          Section 16. Section 63F-1-403 is repealed and reenacted to read:
609          63F-1-403. Enterprise technology -- Chief information officer manages.
610          The chief information officer shall manage the department's duties related to enterprise
611     technology.
612          Section 17. Section 63F-1-404 is amended to read:
613          63F-1-404. Duties of the department -- Enterprise technology.
614          The [division] department shall:
615          (1) develop and implement an effective enterprise architecture governance model for
616     the executive branch;

617          (2) provide oversight of information technology projects that impact statewide
618     information technology services, assets, or functions of state government to:
619          (a) control costs;
620          (b) ensure business value to a project;
621          (c) maximize resources;
622          (d) ensure the uniform application of best practices; and
623          (e) avoid duplication of resources;
624          (3) develop a method of accountability to agencies for services provided by the
625     [division] department through service agreements with the agencies;
626          [(4) beginning September 1, 2006, and each September 1 thereafter, provide the chief
627     information officer and the Public Utilities, Energy, and Technology Interim Committee with
628     performance measures used by the division to measure the quality of service delivered by the
629     division and the results of the performance measures;]
630          [(5)] (4) serve as a project manager for enterprise architecture which includes the
631     management of applications, standards, and procurement of enterprise architecture;
632          [(6)] (5) coordinate the development and implementation of advanced state
633     telecommunication systems;
634          [(7)] (6) provide services including technical assistance:
635          (a) to executive branch agencies and subscribers to the services; and
636          (b) related to information technology or telecommunications;
637          [(8)] (7) establish telecommunication system specifications and standards for use by:
638          (a) one or more executive branch agencies; or
639          (b) one or more entities that subscribe to the telecommunication systems in accordance
640     with Section 63F-1-303;
641          [(9)] (8) coordinate state telecommunication planning in cooperation with:
642          (a) state telecommunication users;
643          (b) executive branch agencies; and
644          (c) other subscribers to the state's telecommunication systems;
645          [(10)] (9) cooperate with the federal government, other state entities, counties, and
646     municipalities in the development, implementation, and maintenance of:
647          (a) (i) governmental information technology; or

648          (ii) governmental telecommunication systems; and
649          (b) (i) as part of a cooperative organization; or
650          (ii) through means other than a cooperative organization;
651          [(11)] (10) establish, operate, manage, and maintain:
652          (a) one or more state data centers; and
653          (b) one or more regional computer centers;
654          [(12)] (11) design, implement, and manage all state-owned, leased, or rented land,
655     mobile, or radio telecommunication systems that are used in the delivery of services for state
656     government or its political subdivisions; and
657          [(13)] (12) in accordance with the executive branch strategic plan, implement
658     minimum standards to be used by the [division] department for purposes of compatibility of
659     procedures, programming languages, codes, and media that facilitate the exchange of
660     information within and among telecommunication systems[; and].
661          [(14) provide the chief information officer with an analysis of an executive branch
662     agency information technology plan that includes:]
663          [(a) an assessment of how the implementation of the agency information technology
664     plan will affect the costs, operations, and services of:]
665          [(i) the department; and]
666          [(ii) other executive branch agencies; and]
667          [(b) any recommended changes to the plan.]
668          Section 18. Section 63F-1-501 is repealed and reenacted to read:
669     
Part 5. Integrated Technology

670          63F-1-501. Title.
671          This part is known as "Integrated Technology."
672          Section 19. Section 63F-1-502 is amended to read:
673          63F-1-502. Definitions.
674          As used in this part:
675          (1) "Center" means the Automated Geographic Reference Center created in Section
676     63F-1-506.
677          (2) "Database" means the State Geographic Information Database created in Section
678     63F-1-507.

679          [(3) "Director" means the director appointed in accordance with Section 63F-1-503.]
680          [(4) "Division" means the Division of Integrated Technology created in this part.]
681          [(5)] (3) "Geographic Information System" or "GIS" means a computer driven data
682     integration and map production system that interrelates disparate layers of data to specific
683     geographic locations.
684          [(6)] (4) "State Geographic Information Database" means the database created in
685     Section 63F-1-507.
686          [(7)] (5) "Statewide Global Positioning Reference Network" or "network" means the
687     network created in Section 63F-1-509.
688          Section 20. Section 63F-1-503 is repealed and reenacted to read:
689          63F-1-503. Integrated technology -- Chief information officer manages.
690          The chief information officer shall manage the department's duties related to integrated
691     technology.
692          Section 21. Section 63F-1-504 is amended to read:
693          63F-1-504. Duties of the department -- Integrated technology.
694          The [division] department shall:
695          (1) establish standards for the information technology needs of a collection of
696     executive branch agencies or programs that share common characteristics relative to the types
697     of stakeholders they serve, including:
698          (a) project management;
699          (b) application development; and
700          (c) procurement;
701          (2) provide oversight of information technology standards that impact multiple
702     executive branch agency information technology services, assets, or functions to:
703          (a) control costs;
704          (b) ensure business value to a project;
705          (c) maximize resources;
706          (d) ensure the uniform application of best practices; and
707          (e) avoid duplication of resources; and
708          [(3) in accordance with Section 63F-1-204, provide the chief information officer a
709     written analysis of any agency information technology plan provided to the division, which

710     shall include:]
711          [(a) a review of whether the agency's technology projects impact multiple agencies and
712     if so, whether the information technology projects are appropriately designed and developed;]
713          [(b) an assessment of whether the agency plan complies with the state information
714     architecture; and]
715          [(c) an assessment of whether the information technology projects included in the
716     agency plan comply with policies, procedures, and rules adopted by the department to ensure
717     that:]
718          [(i) information technology projects are phased in;]
719          [(ii) funding is released in phases;]
720          [(iii) an agency's authority to proceed to the next phase of an information technology
721     project is contingent upon the successful completion of the prior phase; and]
722          [(iv) one or more specific deliverables is identified for each phase of a technology
723     project;]
724          [(4)] (3) establish a system of accountability to user agencies through the use of service
725     agreements[;].
726          [(5) each year, provide the chief information officer and the Public Utilities, Energy,
727     and Technology Interim Committee with performance measures used by the division to
728     measure the quality of services delivered by the division and results of those measures; and]
729          [(6) establish administrative rules in accordance with Section 63F-1-206 and as
730     required by Section 63F-1-506.]
731          Section 22. Section 63F-1-601 is repealed and reenacted to read:
732     
Part 6. Agency Services

733          63F-1-601. Title.
734          This part is known as "Agency Services."
735          Section 23. Section 63F-1-603 is repealed and reenacted to read:
736          63F-1-603. Agency services -- Chief information officer manages.
737          The chief information officer shall manage the department's duties related to agency
738     services.
739          Section 24. Section 63F-1-604 is amended to read:
740          63F-1-604. Duties of the department -- Agency services.

741          The [division] department shall:
742          (1) be responsible for providing support to executive branch agencies for an agency's
743     information technology assets and functions that are unique to the executive branch agency and
744     are mission critical functions of the agency;
745          [(2) conduct audits of an executive branch agency when requested under the provisions
746     of Section 63F-1-208;]
747          [(3) conduct cost-benefit analysis of delegating a department function to an agency in
748     accordance with Section 63F-1-208;]
749          [(4)] (2) provide in-house information technology staff support to executive branch
750     agencies;
751          [(5) establish accountability and performance measures for the division to assure that
752     the division is:]
753          [(a) meeting the business and service needs of the state and individual executive branch
754     agencies; and]
755          [(b) implementing security standards in accordance with Subsection 63F-1-203(4);]
756          [(6)] (3) establish a committee composed of agency user groups for the purpose of
757     coordinating department services with agency needs; and
758          [(7)] (4) assist executive branch agencies in complying with the requirements of any
759     rule adopted by the chief information officer[; and (8) by July 1, 2013, and each July 1
760     thereafter, report to the Public Utilities, Energy, and Technology Interim Committee on the
761     performance measures used by the division under Subsection (5) and the results.].
762          Section 25. Repealer.
763          This bill repeals:
764          Section 63F-1-602, Definitions.






Legislative Review Note
Office of Legislative Research and General Counsel