Representative Stephen G. Handy proposes the following substitute bill:




Chief Sponsor: Stephen G. Handy

Senate Sponsor: Todd D. Weiler


8     General Description:
9          This bill creates the Cybersecurity Commission to gather information and share best
10     practices on cybersecurity.
11     Highlighted Provisions:
12          This bill:
13          ▸     repeals the Data Security Management Council;
14          ▸     creates the Cybersecurity Commission (the commission);
15          ▸     directs the appointment of members to the commission;
16          ▸     directs the commission to gather information about cybersecurity:
17               •     vulnerabilities; and
18               •     best practices;
19          ▸     authorizes the commission to share information it gathers with the governor;
20          ▸     directs the commission to establish guidelines and best practices with respect to
21     cybersecurity protections;
22          ▸     directs the commission to analyze cybersecurity practices in the private and the
23     public sectors;
24          ▸     requires the commission to report annually to the Public Utilities, Energy, and
25     Technology Interim Committee; and

26          ▸     describes the circumstances under which the commission may close a meeting to the
27     public.
28     Money Appropriated in this Bill:
29          None
30     Other Special Clauses:
31          None
32     Utah Code Sections Affected:
33     ENACTS:
34          63C-25-101, Utah Code Annotated 1953
35          63C-25-201, Utah Code Annotated 1953
36          63C-25-202, Utah Code Annotated 1953
37          63C-25-203, Utah Code Annotated 1953
38          63C-25-204, Utah Code Annotated 1953
39          63C-25-205, Utah Code Annotated 1953
40          63C-25-206, Utah Code Annotated 1953
41     REPEALS:
42          63A-16-701, as renumbered and amended by Laws of Utah 2021, Chapter 344
43          63A-16-702, as renumbered and amended by Laws of Utah 2021, Chapter 344

45     Be it enacted by the Legislature of the state of Utah:
46          Section 1. Section 63C-25-101 is enacted to read:

Part 1. General Provisions

49          63C-25-101. Definitions.
50          As used in this chapter:
51          (1) "Commission" means the Cybersecurity Commission created in this chapter.
52          (2) "Critical infrastructure" includes the following sectors the United States
53     Department of Homeland Security identifies as critical:
54          (a) chemical;
55          (b) commercial facilities;
56          (c) communications;

57          (d) critical manufacturing;
58          (e) dams;
59          (f) defense industrial base;
60          (g) emergency services;
61          (h) energy;
62          (i) financial services;
63          (j) food and agriculture;
64          (k) government facilities;
65          (l) healthcare and public health;
66          (m) information technology;
67          (n) nuclear reactors, nuclear materials, and nuclear waste;
68          (o) transportation systems; and
69          (p) water and wastewater systems.
70          Section 2. Section 63C-25-201 is enacted to read:
Part 2. Cybersecurity Commission

72          63C-25-201. Cybersecurity Commission created.
73          (1) There is created the Cybersecurity Commission.
74          (2) The commission shall be composed of 24 members:
75          (a) one member the governor designates to serve as the governor's designee;
76          (b) the commissioner of the Department of Public Safety;
77          (c) the lieutenant governor, or an election officer, as that term is defined in Section
78     20A-1-102, the lieutenant governor designates to serve as the lieutenant governor's designee;
79          (d) the chief information officer of the Division of Technology Services;
80          (e) the chief information security officer, as described in Section 63A-16-210;
81          (f) the chairman of the Public Service Commission shall designate a representative
82     with professional experience in information technology or cybersecurity;
83          (g) the executive director of the Utah Department of Transportation shall designate a
84     representative with professional experience in information technology or cybersecurity;
85          (h) the director of the Division of Finance shall designate a representative with
86     professional experience in information technology or cybersecurity;
87          (i) the executive director of the Department of Health and Human Services shall

88     designate a representative with professional experience in information technology or
89     cybersecurity;
90          (j) the director of the Division of Indian Affairs shall designate a representative with
91     professional experience in information technology or cybersecurity;
92          (k) the Utah League of Cities and Towns shall designate a representative with
93     professional experience in information technology or cybersecurity;
94          (l) the Utah Association of Counties shall designate a representative with professional
95     experience in information technology or cybersecurity;
96          (m) the attorney general, or the attorney general's designee;
97          (n) the commissioner of financial institutions, or the commissioner's designee;
98          (o) the executive director of the Department of Environmental Quality shall designate a
99     representative with professional experience in information technology or cybersecurity;
100          (p) the executive director of the Department of Natural Resources shall designate a
101     representative with professional experience in information technology or cybersecurity;
102          (q) the highest ranking information technology official, or the official's designee, from
103     each of:
104          (i) the Judicial Council;
105          (ii) the Utah Board of Higher Education;
106          (iii) the State Board of Education; and
107          (iv) the State Tax Commission;
108          (r) the governor shall appoint:
109          (i) one representative from the Utah National Guard; and
110          (ii) one representative from the Governor's Office of Economic Opportunity;
111          (s) the president of the Senate shall appoint one member of the Senate; and
112          (t) the speaker of the House of Representatives shall appoint one member of the House
113     of Representatives.
114          (3) (a) The governor's designee shall serve as cochair of the commission.
115          (b) The commissioner of the Department of Public Safety shall serve as cochair of the
116     commission.
117          (4) (a) The members described in Subsection (2) shall represent urban, rural, and
118     suburban population areas.

119          (b) No fewer than half of the members described in Subsection (2) shall have
120     professional experience in cybersecurity or in information technology.
121          (5) In addition to the membership described in Subsection (2), the commission shall
122     seek information and advice from state and private entities with expertise in critical
123     infrastructure.
124          (6) As necessary to improve information and protect potential vulnerabilities, the
125     commission shall seek information and advice from federal entities including:
126          (a) the Cybersecurity and Infrastructure Security Agency;
127          (b) the Federal Energy Regulatory Commission;
128          (c) the Federal Bureau of Investigation; and
129          (d) the United States Department of Transportation.
130          (7) (a) Except as provided in Subsections (7)(b) and (7)(c), a member is appointed for a
131     term of four years.
132          (b) A member shall serve until the member's successor is appointed and qualified.
133          (c) Notwithstanding the requirements of Subsection (7)(a), the governor shall, at the
134     time of appointment or reappointment, adjust the length of terms to ensure that the terms of
135     commission members are staggered so that approximately half of the commission members
136     appointed under Subsection (2)(r) are appointed every two years.
137          (8) (a) If a vacancy occurs in the membership of the commission, the member shall be
138     replaced in the same manner in which the original appointment was made.
139          (b) An individual may be appointed to more than one term.
140          (c) When a vacancy occurs in the membership for any reason, the replacement shall be
141     appointed for the unexpired term.
142          (9) (a) A majority of the members of the commission is a quorum.
143          (b) The action of a majority of a quorum constitutes an action of the commission.
144          (10) The commission shall meet at least two times a year.
145          Section 3. Section 63C-25-202 is enacted to read:
146          63C-25-202. Commission duties.
147          The commission shall:
148          (1) identify and inform the governor of:
149          (a) cyber threats and vulnerabilities towards Utah's critical infrastructure;

150          (b) cybersecurity assets and resources;
151          (c) an analysis of:
152          (i) current cyber incident response capabilities;
153          (ii) potential cyber threats; and
154          (iii) areas of significant concern with respect to:
155          (A) vulnerability to cyber attack; or
156          (B) seriousness of consequences in the event of a cyber attack;
157          (2) provide resources with respect to cyber attacks in both the public and private sector,
158     including:
159          (a) best practices;
160          (b) education; and
161          (c) mitigation;
162          (3) promote cyber security awareness;
163          (4) share information;
164          (5) promote best practices to prevent and mitigate cyber attacks;
165          (6) enhance cyber capabilities and response for all Utahns;
166          (7) provide consistent outreach and collaboration with private and public sector
167     organizations; and
168          (8) share cyber threat intelligence to operators and overseers of Utah's critical
169     infrastructure.
170          Section 4. Section 63C-25-203 is enacted to read:
171          63C-25-203. Compensation of members.
172          (1) A member who is not a legislator may not receive compensation or benefits for the
173     member's service, but may receive per diem and travel expenses incurred as a member of the
174     commission at the rates established by the Division of Finance under:
175          (a) Sections 63A-3-106 and 63A-3-107; and
176          (b) rules made by the Division of Finance in accordance with Sections 63A-3-106 and
177     63A-3-107.
178          (2) Compensation and expenses of a member who is a legislator are governed by
179     Section 36-2-2 and Legislative Joint Rules, Title 5, Legislative Compensation and Expenses.
180          Section 5. Section 63C-25-204 is enacted to read:

181          63C-25-204. Staffing.
182          The Department of Public Safety shall provide staff and support to the commission.
183          Section 6. Section 63C-25-205 is enacted to read:
184          63C-25-205. Reporting requirement.
185          On or before November 30, the commission shall report to the Public Utilities, Energy,
186     and Technology Interim Committee:
187          (1) an assessment of cyber threats to Utah;
188          (2) recommendations for legislation that would reduce the state's vulnerability to
189     attack; and
190          (3) recommendations for best practices for state government with respect to
191     cybersecurity.
192          Section 7. Section 63C-25-206 is enacted to read:
193          63C-25-206. Closure of meetings.
194          The commission may, in accordance with Section 52-4-204, close to the public a
195     meeting to discuss an item described in Subsections 63C-25-202(1) and (8).
196          Section 8. Repealer.
197          This bill repeals:
198          Section 63A-16-701, Data Security Management Council -- Membership -- Duties.
199          Section 63A-16-702, Data Security Management Council -- Report to Legislature --
200     Recommendations.