7 LONG TITLE
8 Committee Note:
9 The Government Operations Interim Committee recommended this bill.
10 Legislative Vote: 11 voting for 0 voting against 3 absent
11 General Description:
12 This bill modifies provisions relating to the Division of Technology Services.
13 Highlighted Provisions:
14 This bill:
15 ▸ defines terms;
16 ▸ modifies and clarifies duties of the Division of Technology Services in relation to
17 procurement, contract management, and security assessment; and
18 ▸ makes technical and conforming changes.
19 Money Appropriated in this Bill:
20 None
21 Other Special Clauses:
22 None
23 Utah Code Sections Affected:
24 AMENDS:
25 63A-16-104, as last amended by Laws of Utah 2022, Chapter 169
26 63A-16-201, as last amended by Laws of Utah 2022, Chapter 169
27 63A-16-205, as last amended by Laws of Utah 2022, Chapter 169
28 63G-6a-303, as last amended by Laws of Utah 2022, Chapter 421
29 RENUMBERS AND AMENDS:
30 63G-6a-109.5, (Renumbered from 63A-16-204, as renumbered and amended by Laws
31 of Utah 2021, Chapter 344)
33 Be it enacted by the Legislature of the state of Utah:
34 Section 1. Section 63A-16-104 is amended to read:
35 63A-16-104. Duties of division.
36 The division shall:
37 (1) lead state executive branch agency efforts to establish and reengineer the state's
38 information technology architecture with the goal of coordinating central and individual agency
39 information technology in a manner that:
40 (a) ensures compliance with the executive branch agency strategic plan; and
41 (b) ensures that cost-effective, efficient information and communication systems and
42 resources are being used by agencies to:
43 (i) reduce data, hardware, and software redundancy;
44 (ii) improve system interoperability and data accessibility between agencies; and
45 (iii) meet the agency's and user's business and service needs;
46 (2) coordinate an executive branch strategic plan for all agencies;
47 (3) develop and implement processes to replicate information technology best practices
48 and standards throughout the executive branch;
49 (4) [
50 (a) conduct an information technology security assessment via an independent third
51 party:
52 (i) to evaluate the adequacy of the division's and the executive branch agencies' data
53 and information technology system security standards [
55 (ii) that will be completed over a period that does not exceed two years; and
56 (b) communicate the results of the [
57 Subsection (4)(a) to the appropriate executive branch agencies and to the president of the
58 Senate and the speaker of the House of Representatives;
59 (5) [
60 63G-6a-109.5(9):
61 (a) advise executive branch agencies on project and contract management principles as
62 they relate to information technology projects within the executive branch; and
63 (b) approve the acquisition of technology services and products by executive branch
64 agencies as required under Section 63G-6a-109.5;
65 [
67 [
68 [
69 agencies to ensure quality products and services are delivered on schedule and within budget;
70 [
71 methodology and cost-benefit analysis that all agencies shall utilize for application
72 development activities;
73 [
74 [
75 standards for agencies that address common design standards and navigation standards,
76 including:
77 (a) accessibility for individuals with disabilities in accordance with:
78 (i) the standards of 29 U.S.C. Sec. 794d; and
79 (ii) Section 63A-16-209;
80 (b) consistency with standardized government security standards;
81 (c) designing around user needs with data-driven analysis influencing management and
82 development decisions, using qualitative and quantitative data to determine user goals, needs,
83 and behaviors, and continual testing of the website, web-based form, web-based application, or
84 digital service to ensure that user needs are addressed;
85 (d) providing users of the website, web-based form, web-based application, or digital
86 service with the option for a more customized digital experience that allows users to complete
87 digital transactions in an efficient and accurate manner; and
88 (e) full functionality and usability on common mobile devices;
89 [
90 computing options, including any security benefits, privacy, data retention risks, and cost
91 savings associated with cloud computing options;
92 [
93 existing information technology projects within the executive branch and report to the governor
94 and the Government Operations Interim Committee in accordance with Section 63A-16-201 on
95 a semiannual basis regarding the status of information technology projects;
96 [
97 of information technology budgets for agencies;
98 [
99 public employee, as those terms are defined in Section 63G-22-102, complies with Title 63G,
100 Chapter 22, State Training and Certification Requirements, if the training or certification is
101 required:
102 (a) under this chapter;
103 (b) by the department; or
104 (c) by the division;
105 [
106 technology assets and functions that are unique to the agency and are mission critical functions
107 of the agency;
108 [
109 agencies;
110 [
111 division services with agency needs;
112 [
113 rule made by the chief information officer;
114 [
115 model for the executive branch;
116 [
117 information technology services, assets, or functions of state government to:
118 (a) control costs;
119 (b) ensure business value to a project;
120 (c) maximize resources;
121 (d) ensure the uniform application of best practices; and
122 (e) avoid duplication of resources;
123 [
124 department through service agreements with the agencies;
125 [
126 management of applications, standards, and procurement of enterprise architecture;
127 [
128 telecommunication systems;
129 [
130 (a) to executive branch agencies and subscribers to the services; and
131 (b) related to information technology or telecommunications;
132 [
133 (a) one or more executive branch agencies; or
134 (b) one or more entities that subscribe to the telecommunication systems in accordance
135 with Section 63A-16-302;
136 [
137 (a) state telecommunication users;
138 (b) executive branch agencies; and
139 (c) other subscribers to the state's telecommunication systems;
140 [
141 municipalities in the development, implementation, and maintenance of:
142 (a) (i) governmental information technology; or
143 (ii) governmental telecommunication systems; and
144 (b) (i) as part of a cooperative organization; or
145 (ii) through means other than a cooperative organization;
146 [
147 (a) one or more state data centers; and
148 (b) one or more regional computer centers;
149 [
150 mobile, or radio telecommunication systems that are used in the delivery of services for state
151 government or the state's political subdivisions;
152 [
153 minimum standards to be used by the division for purposes of compatibility of procedures,
154 programming languages, codes, and media that facilitate the exchange of information within
155 and among telecommunication systems;
156 [
157 executive branch agencies or programs that share common characteristics relative to the types
158 of stakeholders the agencies or programs serve, including:
159 (a) project management;
160 (b) application development; and
161 (c) subject to Subsections (5) and 63G-6a-109.5(9), procurement;
162 [
163 executive branch agency information technology services, assets, or functions to:
164 (a) control costs;
165 (b) ensure business value to a project;
166 (c) maximize resources;
167 (d) ensure the uniform application of best practices; and
168 (e) avoid duplication of resources; and
169 [
170 service agreements.
171 Section 2. Section 63A-16-201 is amended to read:
172 63A-16-201. Chief information officer -- Appointment -- Powers -- Reporting.
173 (1) The director of the division shall serve as the state's chief information officer.
174 (2) The chief information officer shall:
175 (a) advise the governor on information technology policy; and
176 (b) perform those duties given the chief information officer by statute.
177 (3) (a) The chief information officer shall report annually to:
178 (i) the governor; and
179 (ii) the Government Operations Interim Committee.
180 (b) The report required under Subsection (3)(a) shall:
181 (i) summarize the state's current and projected use of information technology;
182 (ii) summarize the executive branch strategic plan including a description of major
183 changes in the executive branch strategic plan;
184 (iii) provide a brief description of each state agency's information technology plan;
185 (iv) include the status of information technology projects described in Subsection
186 [
187 (v) include the performance report described in Section 63A-16-211; and
188 (vi) include the expenditure of the funds provided for electronic technology,
189 equipment, and hardware.
190 Section 3. Section 63A-16-205 is amended to read:
191 63A-16-205. Rulemaking -- Policies.
192 (1) (a) Except as provided in Subsection (2), the chief information officer shall, by rule
193 made in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act:
194 (i) [
195 agencies [
196 [
197 items [
198 [
199 plan submitted in accordance with Section 63A-16-203;
200 [
201 operated by or on behalf of an executive branch agency;
202 [
203 acquisition, licensing, and sale of computer software;
204 [
205 required [
206 [
207 [
208 [
209 63G-6a-109.5(3), the implementation of the needs assessment for information technology
210 purchases;
211 [
212 with Subsection [
213 [
214 with disabilities in accordance with Section 63A-16-209.
215 (b) The rulemaking authority granted by [
216 other rulemaking authority granted under this chapter.
217 (2) (a) Notwithstanding Title 63G, Chapter 3, Utah Administrative Rulemaking Act,
218 and subject to Subsection (2)(b), the chief information officer may adopt a policy that outlines
219 procedures to be followed by the chief information officer in facilitating the implementation of
220 this title by executive branch agencies if the policy:
221 (i) is consistent with the executive branch strategic plan; and
222 (ii) is not required to be made by rule under Subsection (1) or Section 63G-3-201.
223 (b) (i) A policy adopted by the chief information officer under Subsection (2)(a) may
224 not take effect until 30 days after the day on which the chief information officer submits the
225 policy to:
226 (A) the governor; and
227 (B) all cabinet level officials.
228 (ii) During the 30-day period described in Subsection (2)(b)(i), cabinet level officials
229 may review and comment on a policy submitted under Subsection (2)(b)(i).
230 (3) (a) Notwithstanding Subsection (1) or (2) or Title 63G, Chapter 3, Utah
231 Administrative Rulemaking Act, without following the procedures of Subsection (1) or (2), the
232 chief information officer may adopt a security procedure to be followed by executive branch
233 agencies to protect the statewide area network if:
234 (i) broad communication of the security procedure would create a significant potential
235 for increasing the vulnerability of the statewide area network to breach or attack; and
236 (ii) after consultation with the chief information officer, the governor agrees that broad
237 communication of the security procedure would create a significant potential increase in the
238 vulnerability of the statewide area network to breach or attack.
239 (b) A security procedure described in Subsection (3)(a) is classified as a protected
240 record under Title 63G, Chapter 2, Government Records Access and Management Act.
241 (c) The chief information officer shall provide a copy of the security procedure as a
242 protected record to:
243 (i) the chief justice of the Utah Supreme Court for the judicial branch;
244 (ii) the speaker of the House of Representatives and the president of the Senate for the
245 legislative branch;
246 (iii) the chair of the Utah Board of Higher Education; and
247 (iv) the chair of the State Board of Education.
248 Section 4. Section 63G-6a-109.5, which is renumbered from Section 63A-16-204 is
249 renumbered and amended to read:
250 [
251 technology.
252 (1) As used in this section:
253 (a) "Chief information officer" means the director of the Division of Technology
254 Services, created in Section 63A-16-103.
255 (b) "Department" means the Department of Government Operations, created in Section
256 63A-1-104.
257 [
258 approve the acquisition by an executive branch agency of:
259 (i) information technology equipment;
260 (ii) telecommunications equipment;
261 (iii) software;
262 (iv) services related to the items [
263 through (iii); and
264 (v) data acquisition.
265 (b) The chief information officer may negotiate the purchase, lease, or rental of private
266 or public information technology or telecommunication services or facilities in accordance with
267 this section.
268 (c) Where practical, efficient, and economically beneficial, the chief information
269 officer shall use existing private and public information technology or telecommunication
270 resources.
271 (d) In accordance with Section 63A-16-206, the chief information officer may
272 recommend coordination of acquisitions between two or more executive branch agencies if the
273 coordination is in the best interests of the state.
274 [
275 [
276 rulemaking authority under [
277 [
278 lease, or rental under Subsection [
279 the chief information officer by rule made in accordance with Section 63A-16-205, the chief
280 information officer shall:
281 (a) conduct an analysis of the needs of executive branch agencies and subscribers of
282 services and the ability of the proposed information technology or telecommunications services
283 or supplies to meet those needs; and
284 (b) for purchases, leases, or rentals not covered by an existing statewide contract,
285 certify in writing to the chief procurement officer in the Division of Purchasing and General
286 Services that:
287 (i) the analysis required in Subsection [
288 (ii) based on the analysis, the proposed purchase, lease, rental, or master contract of
289 services, products, or supplies is practical, efficient, and economically beneficial to the state
290 and the executive branch agency or subscriber of services.
291 [
292 chief information officer shall approve an acquisition described in Subsection (2) or (3) if the
293 acquisition complies with:
294 [
297 [
299 (a) the applicable rules and policies described in Section 63A-16-205;
300 [
301 [
302 [
303 Legislature;
304 [
305 [
306 63A-16-209[
307 [
309 [
310 complete access to all information technology records, documents, and reports:
311 (a) at the request of the chief information officer; and
312 (b) related to the executive branch agency's acquisition of [
313 described in Subsection [
314 [
315 chief information officer under Section 63A-16-205, an executive branch agency and the
316 department may not initiate a new technology project unless the technology project is described
317 in a formal project plan and a business case analysis is approved by the chief information
318 officer and the highest ranking executive branch agency official.
319 (b) The project plan and business case analysis required [
320 [
321 (i) a statement of work to be done and existing work to be modified or displaced;
322 (ii) the total cost of the system development and conversion effort, including system
323 analysis and programming costs, establishment of master files, testing, documentation, special
324 equipment cost, and all other costs, including overhead;
325 (iii) the savings or added operating costs that will result after conversion;
326 (iv) a description of the other advantages or reasons that justify the work;
327 (v) the source of funding of the work, including ongoing costs;
328 (vi) a description of the project's consistency with budget submissions and planning
329 components of budgets; and
330 (vii) a statement regarding whether the work is within the scope of projects or
331 initiatives envisioned when the current fiscal year budget was approved.
332 (c) The chief information officer shall determine the required form of the project plan
333 and business case analysis described in this Subsection [
334 [
335 of Purchasing and General Services within the department shall work cooperatively to establish
336 procedures under which the chief information officer shall monitor and approve acquisitions
337 [
338 (8) In addition to the requirement that the chief information officer approve the
339 acquisitions described in Subsections (2) and (3), the Division of Technology Services shall,
340 subject to Subsection (9), assist and support executive branch agencies in the acquisition of all
341 technology services and products.
342 (9) In relation to the acquisition of technology services or products:
343 (a) the requirement of approval by the chief information officer, as described in this
344 section, and the assistance and support of the Division of Technology Services described in
345 Subsection (8), do not make the chief information officer, the department, or the Division of
346 Technology Services responsible to manage the contract or fund the procurement;
347 (b) contract management is the responsibility of the conducting procurement unit; and
348 (c) funding of the procurement is the responsibility of the executive branch agency
349 acquiring the technology services or products.
350 Section 5. Section 63G-6a-303 is amended to read:
351 63G-6a-303. Role, duties, and authority of chief procurement officer.
352 (1) The chief procurement officer:
353 (a) is the director of the division;
354 (b) serves as the central procurement officer of the state;
355 (c) serves as a voting member of the board; and
356 (d) serves as the protest officer for a protest relating to a procurement of an executive
357 branch procurement, except an executive branch procurement unit designated under Subsection
358 63G-6a-103(38)(b), (c), (d), or (e) as an independent procurement unit, or a state cooperative
359 contract procurement, unless the chief procurement officer designates another to serve as
360 protest officer, as authorized in this chapter.
361 (2) Except as otherwise provided in this chapter, the chief procurement officer shall:
362 (a) develop procurement policies and procedures supporting ethical procurement
363 practices, fair and open competition among vendors, and transparency within the state's
364 procurement process;
365 (b) administer the state's cooperative purchasing program, including state cooperative
366 contracts and associated administrative fees;
367 (c) enter into an agreement with a public entity for services provided by the division, if
368 the agreement is in the best interest of the state;
369 (d) ensure the division's compliance with any applicable law, rule, or policy, including
370 a law, rule, or policy applicable to the division's role as an issuing procurement unit or
371 conducting procurement unit, or as the state's central procurement organization;
372 (e) manage the division's electronic procurement system;
373 (f) oversee the recruitment, training, career development, certification requirements,
374 and performance evaluation of the division's procurement personnel;
375 (g) make procurement training available to procurement units and persons who do
376 business with procurement units;
377 (h) provide exemplary customer service and continually improve the division's
378 procurement operations;
379 (i) exercise all other authority, fulfill all other duties and responsibilities, and perform
380 all other functions authorized under this chapter; and
381 (j) ensure that any training described in this Subsection (2) complies with [
382 Chapter 22, State Training and Certification Requirements.
383 (3) With respect to a procurement or contract over which the chief procurement officer
384 has authority under this chapter, the chief procurement officer, except as otherwise provided in
385 this chapter:
386 (a) shall:
387 (i) manage and supervise a procurement to ensure to the extent practicable that
388 taxpayers receive the best value;
389 (ii) prepare and issue standard specifications for procurement items;
390 (iii) review contracts, coordinate contract compliance, conduct contract audits, and
391 approve change orders;
392 (iv) in accordance with Section [
393 Division of Technology Services, created in Section 63A-16-103, with respect to the
394 procurement of information technology services by an executive branch procurement unit;
395 (v) correct, amend, or cancel a procurement at any stage of the procurement process if
396 the procurement is out of compliance with this chapter or a board rule;
397 (vi) after consultation with the attorney general's office, correct, amend, or cancel a
398 contract at any time during the term of the contract if:
399 (A) the contract is out of compliance with this chapter or a board rule; and
400 (B) the chief procurement officer determines that correcting, amending, or canceling
401 the contract is in the best interest of the state; and
402 (vii) make a reasonable attempt to resolve a contract dispute, in coordination with the
403 attorney general's office; and
404 (b) may:
405 (i) delegate limited purchasing authority to a state agency, with appropriate oversight
406 and control to ensure compliance with this chapter;
407 (ii) delegate duties and authority to an employee of the division, as the chief
408 procurement officer considers appropriate;
409 (iii) negotiate and settle contract overcharges, undercharges, and claims, in accordance
410 with the law and after consultation with the attorney general's office;
411 (iv) authorize a procurement unit to make a procurement pursuant to a regional
412 solicitation, as defined in Subsection 63G-6a-2105(7), even if the procurement item is also
413 offered under a state cooperative contract, if the chief procurement officer determines that the
414 procurement pursuant to a regional solicitation is in the best interest of the acquiring
415 procurement unit; and
416 (v) remove an individual from the procurement process or contract administration for:
417 (A) having a conflict of interest or the appearance of a conflict of interest with a person
418 responding to a solicitation or with a contractor;
419 (B) having a bias or the appearance of bias for or against a person responding to a
420 solicitation or for or against a contractor;
421 (C) making an inconsistent or unexplainable score for a solicitation response;
422 (D) having inappropriate contact or communication with a person responding to a
423 solicitation;
424 (E) socializing inappropriately with a person responding to a solicitation or with a
425 contractor;
426 (F) engaging in any other action or having any other association that causes the chief
427 procurement officer to conclude that the individual cannot fairly evaluate a solicitation
428 response or administer a contract; or
429 (G) any other violation of a law, rule, or policy.
430 (4) The chief procurement officer may not delegate to an individual outside the
431 division the chief procurement officer's authority over a procurement described in Subsection
432 (3)(a)(iv).
433 (5) The chief procurement officer has final authority to determine whether an executive
434 branch procurement unit's anticipated expenditure of public funds, anticipated agreement to
435 expend public funds, or provision of a benefit constitutes a procurement that is subject to this
436 chapter.
437 (6) Except as otherwise provided in this chapter, the chief procurement officer shall
438 review, monitor, and audit the procurement activities and delegated procurement authority of
439 an executive branch procurement unit, except to the extent that an executive branch
440 procurement unit is designated under Subsection 63G-6a-103(38)(b), (c), (d), or (e) as an
441 independent procurement unit, to ensure compliance with this chapter, rules made by the
442 applicable rulemaking authority, and division policies.