Washington State

House of Representatives

Office of Program Research

BILL ANALYSIS

Environment Committee

HB 2172

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

Brief Description: Concerning independent security testing of state agencies' information technology systems and infrastructure by the military department.

Sponsors: Representative Hudgins.

Brief Summary of Bill

  • Allows the consolidated technology services agency to conduct testing on the security of any state agency's information technology system.

  • Allows the Military Department to conduct testing, upon request, on the security of the information technology system of any private entity or unit of local government that is involved in the management of "critical infrastructure."

Hearing Date:

Staff: Robert Hatfield (786-7117).

Background:

In 2011, the Legislature created "the consolidated technology services agency," which became known as WaTech, to establish a centralized information technology organization to assist state government agencies, institutions of higher education, the Legislature, and the Judiciary in their information technology practices.

As part of WaTech's duties, it must establish security standards and policies to ensure the confidentiality, availability, and integrity of the information transacted, stored, or processed in the state's information technology systems and infrastructures.

All state agencies must develop an information technology security program that "adheres to" WaTech's security standards and policies, while institutions of higher education, the Legislature, and the Judiciary must develop an information technology security program that "is comparable to the intended outcomes of" WaTech's security standards and policies.

Summary of Bill:

WaTech may test the security of any state agency's information technology systems and infrastructure to identify and mitigate system vulnerabilities, subject to the following requirements:

"Cybersecurity excellence assessment" is an assessment of cybersecurity operational performance using a framework approved by the National Institute of Standards and Technology, a part of the U.S. Department of Commerce.

WaTech may assist the state agencies in the remediation of any vulnerabilities identified by the test. WaTech may only test the Judiciary or the Legislature at that organization's request. For testing to occur with the Legislature, WaTech must develop procedures, including enforceable nondisclosure agreements, with the Legislature to ensure that such testing does not interfere with the Legislature's ability to perform its constitutional duties.

Upon request, the Military Department may conduct independent security tests of the information security of any private entity or unit of local government in Washington that is involved in the management of "critical infrastructure," which means systems and assets, managed by private entities or local governments, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, economic security, or public health or safety. The Military Department may assist in the remediation of any vulnerabilities identified by such a test.

The Chief Information Security Officer of WaTech, the Utilities and Transportation Commission, and the Military Department must meet regularly to share information, trends, and best practices related to information technology systems and infrastructure security.

Appropriation: None.

Fiscal Note: Available.

Effective Date: The bill takes effect 90 days after adjournment of the session in which the bill is passed.