LONG TITLE
General Description:
This bill creates the Cybersecurity Commission to gather information and share best practices on cybersecurity.
Highlighted Provisions:
This bill:
▸ repeals the Data Security Management Council;
▸ creates the Cybersecurity Commission (the commission);
▸ directs the appointment of members to the commission;
▸ directs the commission to gather information about cybersecurity:
• vulnerabilities; and
• best practices;
▸ authorizes the commission to share information it gathers with the governor;
▸ directs the commission to establish guidelines and best practices with respect to cybersecurity protections;
▸ directs the commission to analyze cybersecurity practices in the private and the public sectors;
▸ requires the commission to report annually to the Public Utilities, Energy, and Technology Interim Committee; and
▸ describes the circumstances under which the commission may close a meeting to the public.
Money Appropriated in this Bill:
None
Other Special Clauses:
None
Utah Code Sections Affected:
ENACTS:
63C-25-101, Utah Code Annotated 1953
63C-25-201, Utah Code Annotated 1953
63C-25-202, Utah Code Annotated 1953
63C-25-203, Utah Code Annotated 1953
63C-25-204, Utah Code Annotated 1953
63C-25-205, Utah Code Annotated 1953
63C-25-206, Utah Code Annotated 1953
REPEALS:
63A-16-701, as renumbered and amended by Laws of Utah 2021, Chapter 344
63A-16-702, as renumbered and amended by Laws of Utah 2021, Chapter 344

Be it enacted by the Legislature of the state of Utah:
Section 1. Section 63C-25-101 is enacted to read:

63C-25-101. Definitions.
As used in this chapter:
(1) "Commission" means the Cybersecurity Commission created in this chapter.
(2) "Critical infrastructure" includes the following sectors the United States Department of Homeland Security identifies as critical:
(a) chemical;
(b) commercial facilities;
(c) communications;
(d) critical manufacturing;
(e) dams;
(f) defense industrial base;
(g) emergency services;
(h) energy;
(i) financial services;
(j) food and agriculture;
(k) government facilities;
(l) healthcare and public health;
(m) information technology;
(n) nuclear reactors, nuclear materials, and nuclear waste;
(o) transportation systems; and
(p) water and wastewater systems.
Section 2. Section 63C-25-201 is enacted to read:

63C-25-201. Cybersecurity Commission created.
(1) There is created the Cybersecurity Commission.
(2) The commission shall be composed of 24 members:
(a) one member the governor designates to serve as the governor's designee;
(b) the commissioner of the Department of Public Safety;
(c) the lieutenant governor, or an election officer, as that term is defined in Section 20A-1-102, the lieutenant governor designates to serve as the lieutenant governor's designee;
(d) the chief information officer of the Division of Technology Services;
(e) the chief information security officer, as described in Section 63A-16-210;
(f) the chairman of the Public Service Commission shall designate a representative with professional experience in information technology or cybersecurity;
(g) the executive director of the Utah Department of Transportation shall designate a representative with professional experience in information technology or cybersecurity;
(h) the director of the Division of Finance shall designate a representative with professional experience in information technology or cybersecurity;
(i) the executive director of the Department of Health and Human Services shall designate a representative with professional experience in information technology or cybersecurity;
(j) the director of the Division of Indian Affairs shall designate a representative with professional experience in information technology or cybersecurity;
(k) the Utah League of Cities and Towns shall designate a representative with professional experience in information technology or cybersecurity;
(l) the Utah Association of Counties shall designate a representative with professional experience in information technology or cybersecurity;
(m) the attorney general, or the attorney general's designee;
(n) the commissioner of financial institutions, or the commissioner's designee;
(o) the executive director of the Department of Environmental Quality shall designate a representative with professional experience in information technology or cybersecurity;
(p) the executive director of the Department of Natural Resources shall designate a representative with professional experience in information technology or cybersecurity;
(q) the highest ranking information technology official, or the official's designee, from each of:
(i) the Judicial Council;
(ii) the Utah Board of Higher Education;
(iii) the State Board of Education; and
(iv) the State Tax Commission;
(r) the governor shall appoint:
(i) one representative from the Utah National Guard; and
(ii) one representative from the Governor's Office of Economic Opportunity;
(s) the president of the Senate shall appoint one member of the Senate; and
(t) the speaker of the House of Representatives shall appoint one member of the House of Representatives.
(3) (a) The governor's designee shall serve as cochair of the commission.
(b) The commissioner of the Department of Public Safety shall serve as cochair of the commission.
(4) (a) The members described in Subsection (2) shall represent urban, rural, and suburban population areas.
(b) No fewer than half of the members described in Subsection (2) shall have professional experience in cybersecurity or in information technology.
(5) In addition to the membership described in Subsection (2), the commission shall seek information and advice from state and private entities with expertise in critical infrastructure.
(6) As necessary to improve information and protect potential vulnerabilities, the commission shall seek information and advice from federal entities including:
(a) the Cybersecurity and Infrastructure Security Agency;
(b) the Federal Energy Regulatory Commission;
(c) the Federal Bureau of Investigation; and
(d) the United States Department of Transportation.
(7) (a) Except as provided in Subsections (7)(b) and (7)(c), a member is appointed for a term of four years.
(b) A member shall serve until the member's successor is appointed and qualified.
(c) Notwithstanding the requirements of Subsection (7)(a), the governor shall, at the time of appointment or reappointment, adjust the length of terms to ensure that the terms of commission members are staggered so that approximately half of the commission members appointed under Subsection (2)(r) are appointed every two years.
(8) (a) If a vacancy occurs in the membership of the commission, the member shall be replaced in the same manner in which the original appointment was made.
(b) An individual may be appointed to more than one term.
(c) When a vacancy occurs in the membership for any reason, the replacement shall be appointed for the unexpired term.
(9) (a) A majority of the members of the commission is a quorum.
(b) The action of a majority of a quorum constitutes an action of the commission.
(10) The commission shall meet at least two times a year.
Section 3. Section 63C-25-202 is enacted to read:
63C-25-202. Commission duties.
The commission shall:
(1) identify and inform the governor of:
(a) cyber threats and vulnerabilities towards Utah's critical infrastructure;
(b) cybersecurity assets and resources;
(c) an analysis of:
(i) current cyber incident response capabilities;
(ii) potential cyber threats; and
(iii) areas of significant concern with respect to:
(A) vulnerability to cyber attack; or
(B) seriousness of consequences in the event of a cyber attack;
(2) provide resources with respect to cyber attacks in both the public and private sector, including:
(a) best practices;
(b) education; and
(c) mitigation;
(3) promote cyber security awareness;
(4) share information;
(5) promote best practices to prevent and mitigate cyber attacks;
(6) enhance cyber capabilities and response for all Utahns;
(7) provide consistent outreach and collaboration with private and public sector organizations; and
(8) share cyber threat intelligence to operators and overseers of Utah's critical infrastructure.
Section 4. Section 63C-25-203 is enacted to read:
63C-25-203. Compensation of members.
(1) A member who is not a legislator may not receive compensation or benefits for the member's service, but may receive per diem and travel expenses incurred as a member of the commission at the rates established by the Division of Finance under:
(a) Sections 63A-3-106 and 63A-3-107; and
(b) rules made by the Division of Finance in accordance with Sections 63A-3-106 and 63A-3-107.
(2) Compensation and expenses of a member who is a legislator are governed by Section 36-2-2 and Legislative Joint Rules, Title 5, Legislative Compensation and Expenses.
Section 5. Section 63C-25-204 is enacted to read:
63C-25-204. Staffing.
The Department of Public Safety shall provide staff and support to the commission.
Section 6. Section 63C-25-205 is enacted to read:
63C-25-205. Reporting requirement.
On or before November 30, the commission shall report to the Public Utilities, Energy, and Technology Interim Committee:
(1) an assessment of cyber threats to Utah;
(2) recommendations for legislation that would reduce the state's vulnerability to attack; and
(3) recommendations for best practices for state government with respect to cybersecurity.
Section 7. Section 63C-25-206 is enacted to read:
63C-25-206. Closure of meetings.
The commission may, in accordance with Section 52-4-204, close to the public a meeting to discuss an item described in Subsections 63C-25-202(1) and (8).
Section 8. Repealer.
This bill repeals:
Section 63A-16-701, Data Security Management Council -- Membership -- Duties.
Section 63A-16-702, Data Security Management Council -- Report to Legislature -- Recommendations.