Senator Todd D. Weiler proposes the following substitute bill:


1     CYBERSECURITY COMMISSION
2     2022 GENERAL SESSION
3     STATE OF UTAH
4     Chief Sponsor: Stephen G. Handy
5     Senate Sponsor: Todd D. Weiler
6     

7     LONG TITLE
8     General Description:
9          This bill creates the Cybersecurity Commission to gather information and share best
10     practices on cybersecurity.
11     Highlighted Provisions:
12          This bill:
13          ▸     repeals the Data Security Management Council;
14          ▸     creates the Cybersecurity Commission (the commission);
15          ▸     directs the appointment of members to the commission;
16          ▸     directs the commission to gather information about cybersecurity:
17               •     vulnerabilities; and
18               •     best practices;
19          ▸     authorizes the commission to share information it gathers with the governor;
20          ▸     directs the commission to establish guidelines and best practices with respect to
21     cybersecurity protections;
22          ▸     directs the commission to analyze cybersecurity practices in the private and the
23     public sectors;
24          ▸     requires the commission to report annually to the Public Utilities, Energy, and
25     Technology Interim Committee;
26          ▸     describes the circumstances under which the commission may close a meeting to the
27     public;
28          ▸     provides a sunset date; and
29          ▸     makes technical and conforming changes.
30     Money Appropriated in this Bill:
31          None
32     Other Special Clauses:
33          This bill provides a coordination clause.
34     Utah Code Sections Affected:
35     AMENDS:
36          63I-1-263, as last amended by Laws of Utah 2021, Chapters 70, 72, 84, 90, 171, 196,
37     260, 280, 282, 345, 382, 401, 421 and last amended by Coordination Clause, Laws
38     of Utah 2021, Chapter 382
39     ENACTS:
40          63C-25-101, Utah Code Annotated 1953
41          63C-25-201, Utah Code Annotated 1953
42          63C-25-202, Utah Code Annotated 1953
43          63C-25-203, Utah Code Annotated 1953
44          63C-25-204, Utah Code Annotated 1953
45          63C-25-205, Utah Code Annotated 1953
46          63C-25-206, Utah Code Annotated 1953
47     REPEALS:
48          63A-16-701, as renumbered and amended by Laws of Utah 2021, Chapter 344
49          63A-16-702, as renumbered and amended by Laws of Utah 2021, Chapter 344
50     Utah Code Sections Affected by Coordination Clause:
51          63I-1-263, as last amended by Laws of Utah 2021, Chapters 70, 72, 84, 90, 171, 196,
52     260, 280, 282, 345, 382, 401, 421 and last amended by Coordination Clause, Laws
53     of Utah 2021, Chapter 382
54     

55     Be it enacted by the Legislature of the state of Utah:
56          Section 1. Section 63C-25-101 is enacted to read:

57     CHAPTER 25. CYBERSECURITY COMMISSION
58     Part 1. General Provisions

59          63C-25-101. Definitions.
60          As used in this chapter:
61          (1) "Commission" means the Cybersecurity Commission created in this chapter.
62          (2) "Critical infrastructure" includes the following sectors the United States
63     Department of Homeland Security identifies as critical:
64          (a) chemical;
65          (b) commercial facilities;
66          (c) communications;
67          (d) critical manufacturing;
68          (e) dams;
69          (f) defense industrial base;
70          (g) emergency services;
71          (h) energy;
72          (i) financial services;
73          (j) food and agriculture;
74          (k) government facilities;
75          (l) healthcare and public health;
76          (m) information technology;
77          (n) nuclear reactors, nuclear materials, and nuclear waste;
78          (o) transportation systems; and
79          (p) water and wastewater systems.
80          Section 2. Section 63C-25-201 is enacted to read:
81     Part 2. Cybersecurity Commission

82          63C-25-201. Cybersecurity Commission created.
83          (1) There is created the Cybersecurity Commission.
84          (2) The commission shall be composed of 24 members:
85          (a) one member the governor designates to serve as the governor's designee;
86          (b) the commissioner of the Department of Public Safety;
87          (c) the lieutenant governor, or an election officer, as that term is defined in Section
88     20A-1-102, the lieutenant governor designates to serve as the lieutenant governor's designee;
89          (d) the chief information officer of the Division of Technology Services;
90          (e) the chief information security officer, as described in Section 63A-16-210;
91          (f) the chairman of the Public Service Commission shall designate a representative
92     with professional experience in information technology or cybersecurity;
93          (g) the executive director of the Utah Department of Transportation shall designate a
94     representative with professional experience in information technology or cybersecurity;
95          (h) the director of the Division of Finance shall designate a representative with
96     professional experience in information technology or cybersecurity;
97          (i) the executive director of the Department of Health and Human Services shall
98     designate a representative with professional experience in information technology or
99     cybersecurity;
100          (j) the director of the Division of Indian Affairs shall designate a representative with
101     professional experience in information technology or cybersecurity;
102          (k) the Utah League of Cities and Towns shall designate a representative with
103     professional experience in information technology or cybersecurity;
104          (l) the Utah Association of Counties shall designate a representative with professional
105     experience in information technology or cybersecurity;
106          (m) the attorney general, or the attorney general's designee;
107          (n) the commissioner of financial institutions, or the commissioner's designee;
108          (o) the executive director of the Department of Environmental Quality shall designate a
109     representative with professional experience in information technology or cybersecurity;
110          (p) the executive director of the Department of Natural Resources shall designate a
111     representative with professional experience in information technology or cybersecurity;
112          (q) the highest ranking information technology official, or the official's designee, from
113     each of:
114          (i) the Judicial Council;
115          (ii) the Utah Board of Higher Education;
116          (iii) the State Board of Education; and
117          (iv) the State Tax Commission;
118          (r) the governor shall appoint:
119          (i) one representative from the Utah National Guard; and
120          (ii) one representative from the Governor's Office of Economic Opportunity;
121          (s) the president of the Senate shall appoint one member of the Senate; and
122          (t) the speaker of the House of Representatives shall appoint one member of the House
123     of Representatives.
124          (3) (a) The governor's designee shall serve as cochair of the commission.
125          (b) The commissioner of the Department of Public Safety shall serve as cochair of the
126     commission.
127          (4) (a) The members described in Subsection (2) shall represent urban, rural, and
128     suburban population areas.
129          (b) No fewer than half of the members described in Subsection (2) shall have
130     professional experience in cybersecurity or in information technology.
131          (5) In addition to the membership described in Subsection (2), the commission shall
132     seek information and advice from state and private entities with expertise in critical
133     infrastructure.
134          (6) As necessary to improve information and protect potential vulnerabilities, the
135     commission shall seek information and advice from federal entities including:
136          (a) the Cybersecurity and Infrastructure Security Agency;
137          (b) the Federal Energy Regulatory Commission;
138          (c) the Federal Bureau of Investigation; and
139          (d) the United States Department of Transportation.
140          (7) (a) Except as provided in Subsections (7)(b) and (7)(c), a member is appointed for a
141     term of four years.
142          (b) A member shall serve until the member's successor is appointed and qualified.
143          (c) Notwithstanding the requirements of Subsection (7)(a), the governor shall, at the
144     time of appointment or reappointment, adjust the length of terms to ensure that the terms of
145     commission members are staggered so that approximately half of the commission members
146     appointed under Subsection (2)(r) are appointed every two years.
147          (8) (a) If a vacancy occurs in the membership of the commission, the member shall be
148     replaced in the same manner in which the original appointment was made.
149          (b) An individual may be appointed to more than one term.
150          (c) When a vacancy occurs in the membership for any reason, the replacement shall be
151     appointed for the unexpired term.
152          (9) (a) A majority of the members of the commission is a quorum.
153          (b) The action of a majority of a quorum constitutes an action of the commission.
154          (10) The commission shall meet at least two times a year.
155          Section 3. Section 63C-25-202 is enacted to read:
156          63C-25-202. Commission duties.
157          The commission shall:
158          (1) identify and inform the governor of:
159          (a) cyber threats and vulnerabilities towards Utah's critical infrastructure;
160          (b) cybersecurity assets and resources;
161          (c) an analysis of:
162          (i) current cyber incident response capabilities;
163          (ii) potential cyber threats; and
164          (iii) areas of significant concern with respect to:
165          (A) vulnerability to cyber attack; or
166          (B) seriousness of consequences in the event of a cyber attack;
167          (2) provide resources with respect to cyber attacks in both the public and private sector,
168     including:
169          (a) best practices;
170          (b) education; and
171          (c) mitigation;
172          (3) promote cyber security awareness;
173          (4) share information;
174          (5) promote best practices to prevent and mitigate cyber attacks;
175          (6) enhance cyber capabilities and response for all Utahns;
176          (7) provide consistent outreach and collaboration with private and public sector
177     organizations; and
178          (8) share cyber threat intelligence to operators and overseers of Utah's critical
179     infrastructure.
180          Section 4. Section 63C-25-203 is enacted to read:
181          63C-25-203. Compensation of members.
182          (1) A member who is not a legislator may not receive compensation or benefits for the
183     member's service, but may receive per diem and travel expenses incurred as a member of the
184     commission at the rates established by the Division of Finance under:
185          (a) Sections 63A-3-106 and 63A-3-107; and
186          (b) rules made by the Division of Finance in accordance with Sections 63A-3-106 and
187     63A-3-107.
188          (2) Compensation and expenses of a member who is a legislator are governed by
189     Section 36-2-2 and Legislative Joint Rules, Title 5, Legislative Compensation and Expenses.
190          Section 5. Section 63C-25-204 is enacted to read:
191          63C-25-204. Staffing.
192          The Department of Public Safety shall provide staff and support to the commission.
193          Section 6. Section 63C-25-205 is enacted to read:
194          63C-25-205. Reporting requirement.
195          On or before November 30, the commission shall report to the Public Utilities, Energy,
196     and Technology Interim Committee:
197          (1) an assessment of cyber threats to Utah;
198          (2) recommendations for legislation that would reduce the state's vulnerability to
199     attack; and
200          (3) recommendations for best practices for state government with respect to
201     cybersecurity.
202          Section 7. Section 63C-25-206 is enacted to read:
203          63C-25-206. Closure of meetings.
204          The commission may, in accordance with Section 52-4-204, close to the public a
205     meeting to discuss an item described in Subsections 63C-25-202(1) and (8).
206          Section 8. Section 63I-1-263 is amended to read:
207          63I-1-263. Repeal dates, Titles 63A to 63N.
208          (1) In relation to the Utah Transparency Advisory Board, on January 1, 2025:
209          (a) Section 63A-16-102 is repealed;
210          (b) Section 63A-16-201 is repealed; and
211          (c) Section 63A-16-202 is repealed.
212          (2) Subsection 63A-5b-405(5), relating to prioritizing and allocating capital
213     improvement funding, is repealed July 1, 2024.
214          (3) Section 63A-5b-1003, State Facility Energy Efficiency Fund, is repealed July 1,
215     2023.
216          (4) Sections 63A-9-301 and 63A-9-302, related to the Motor Vehicle Review
217     Committee, are repealed July 1, 2023.
218          (5) Title 63C, Chapter 4a, Constitutional and Federalism Defense Act, is repealed July
219     1, 2028.
220          (6) Title 63C, Chapter 6, Utah Seismic Safety Commission, is repealed January 1,
221     2025.
222          (7) Title 63C, Chapter 12, Snake Valley Aquifer Advisory Council, is repealed July 1,
223     2024.
224          (8) Title 63C, Chapter 17, Point of the Mountain Development Commission Act, is
225     repealed July 1, 2023.
226          (9) Title 63C, Chapter 18, Behavioral Health Crisis Response Commission, is repealed
227     July 1, 2023.
228          (10) Title 63C, Chapter 23, Education and Mental Health Coordinating Council, is
229     repealed July 1, 2026.
230          (11) Title 63C, Chapter 25, Cybersecurity Commission, is repealed July 1, 2032.
231          [(11) Title 63A, Chapter 16, Part 7, Data Security Management Council, is repealed
232     July 1, 2025.]
233          (12) Section 63G-6a-805, which creates the Purchasing from Persons with Disabilities
234     Advisory Board, is repealed July 1, 2026.
235          (13) Title 63G, Chapter 21, Agreements to Provide State Services, is repealed July 1,
236     2025.
237          (14) Title 63H, Chapter 4, Heber Valley Historic Railroad Authority, is repealed July 1,
238     2024.
239          (15) Title 63H, Chapter 8, Utah Housing Corporation Act, is repealed July 1, 2026.
240          (16) Subsection 63J-1-602.1(17), Nurse Home Visiting Restricted Account, is repealed
241     July 1, 2026.
242          (17) (a) Subsection 63J-1-602.1(61), relating to the Utah Statewide Radio System
243     Restricted Account, is repealed July 1, 2022.
244          (b) When repealing Subsection 63J-1-602.1(61), the Office of Legislative Research and
245     General Counsel shall, in addition to the office's authority under Subsection 36-12-12(3), make
246     necessary changes to subsection numbering and cross references.
247          (18) Subsection 63J-1-602.2(5), referring to dedicated credits to the Utah Marriage
248     Commission, is repealed July 1, 2023.
249          (19) Subsection 63J-1-602.2(6), referring to the Trip Reduction Program, is repealed
250     July 1, 2022.
251          (20) Subsection 63J-1-602.2(24), related to the Utah Seismic Safety Commission, is
252     repealed January 1, 2025.
253          (21) Title 63J, Chapter 4, Part 5, Resource Development Coordinating Committee, is
254     repealed July 1, 2027.
255          (22) In relation to the advisory committee created in Subsection 63L-11-305(3), on July
256     1, 2022:
257          (a) Subsection 63L-11-305(1)(a), which defines "advisory committee," is repealed; and
258          (b) Subsection 63L-11-305(3), which creates the advisory committee, is repealed.
259          (23) In relation to the Utah Substance Use and Mental Health Advisory Council, on
260     January 1, 2023:
261          (a) Sections 63M-7-301, 63M-7-302, 63M-7-303, 63M-7-304, and 63M-7-306 are
262     repealed;
263          (b) Section 63M-7-305, the language that states "council" is replaced with
264     "commission";
265          (c) Subsection 63M-7-305(1) is repealed and replaced with:
266          "(1) "Commission" means the Commission on Criminal and Juvenile Justice."; and
267          (d) Subsection 63M-7-305(2) is repealed and replaced with:
268          "(2) The commission shall:
269          (a) provide ongoing oversight of the implementation, functions, and evaluation of the
270     Drug-Related Offenses Reform Act; and
271          (b) coordinate the implementation of Section 77-18-104 and related provisions in
272     Subsections 77-18-103(2)(c) and (d).".
273          (24) The Crime Victim Reparations and Assistance Board, created in Section
274     63M-7-504, is repealed July 1, 2027.
275          (25) Title 63M, Chapter 7, Part 6, Utah Council on Victims of Crime, is repealed July
276     1, 2022.
277          (26) Title 63M, Chapter 11, Utah Commission on Aging, is repealed July 1, 2026.
278          (27) Title 63N, Chapter 1, Part 5, Governor's Economic Development Coordinating
279     Council, is repealed July 1, 2024.
280          (28) Title 63N, Chapter 2, Part 2, Enterprise Zone Act, is repealed July 1, 2028.
281          (29) Section 63N-2-512, related to the Hotel Impact Mitigation Fund, is repealed July
282     1, 2028.
283          (30) (a) Title 63N, Chapter 2, Part 6, Utah Small Business Jobs Act, is repealed
284     January 1, 2021.
285          (b) Section 59-9-107 regarding tax credits against premium taxes is repealed for
286     calendar years beginning on or after January 1, 2021.
287          (c) Notwithstanding Subsection (30)(b), an entity may carry forward a tax credit in
288     accordance with Section 59-9-107 if:
289          (i) the person is entitled to a tax credit under Section 59-9-107 on or before December
290     31, 2020; and
291          (ii) the qualified equity investment that is the basis of the tax credit is certified under
292     Section 63N-2-603 on or before December 31, 2023.
293          (31) Title 63N, Chapter 4, Part 4, Rural Employment Expansion Program, is repealed
294     July 1, 2023.
295          (32) Title 63N, Chapter 7, Part 1, Board of Tourism Development, is repealed July 1,
296     2025.
297          (33) Title 63N, Chapter 9, Part 2, Outdoor Recreational Infrastructure Grant Program,
298     is repealed January 1, 2028.
299          Section 9. Repealer.
300          This bill repeals:
301          Section 63A-16-701, Data Security Management Council -- Membership -- Duties.
302          Section 63A-16-702, Data Security Management Council -- Report to Legislature --
303     Recommendations.
304          Section 10. Coordinating H.B. 280 with S.B. 34 and H.B. 48 -- Technical
305     amendment.
306          If this H.B. 280 and S.B. 34, Utah Statewide Radio Systems Restricted Account Sunset
307     Amendments, or H.B. 48, Utah Substance Use and Mental Health Advisory Council Sunset
308     Extension, pass and become law, it is the intent of the Legislature that the language in Section
309     63I-1-263 that reads "Title 63A, Chapter 16, Part 7, Data Security Management Council, is
310     repealed July 1, 2025." not take effect when the Office of Legislative Research and General
311     Counsel prepares the Utah Code database for publication.