AN ACT ESTABLISHING THE LEGISLATIVE CYBERSECURITY COMMITTEE.
Makes the following changes to Article 26 of GS Chapter 120. Renames the chapter as Joint Legislative Oversight Committee on Information Technology and the Legislative Cybersecurity Committee (previously, did not include the Legislative Cybersecurity Committee). Makes organizational changes to place existing language into Part 1, and adds Part 2 pertaining to the Legislative Cybersecurity Committee as follows.
Creates the Legislative Cybersecurity Committee (Committee), consisting of 12 members with six each appointed by the President Pro Tempore of the Senate and the Speaker of the House of Representatives. Establishes terms on the Committee to be for two years and to begin on the convening of the General Assembly in each odd-numbered year. Provides that resignation or removal from service in the General Assembly constitutes resignation or removal from service on the Committee. Requires a vacancy to be filled within 30 days by the appointing officer. Directs the President Pro Tempore and the Speaker to each designate a cochair for the Committee. Provides that the Committee is to meet upon the joint call of the cochairs. Provides that a quorum of eight members is required for action to be taken. Details provisions for the powers the Committee may exercise in the discharge of its official duties, member expenses, staffing of the Committee, and clerical expenses of the Committee.
Charges the Committee with examining the cybersecurity practices of State agencies on a continuing basis in order to make ongoing recommendations to the General Assembly on ways to improve the effectiveness, efficiency, and quality of the State's cybersecurity and data loss prevention practices and measures. Specifies five powers and duties of the Committee in order to carry out its charge, including reviewing any issues that affect State agency information resources that arise during the interim period between sessions of the General Assembly, in the discretion of the Committee. Defines information resources to mean data and the means for storing, retrieving, connecting, or using data, including but not limited to records, files, databases, documents, software, equipment, and facilities that a State agency owns or leases. Directs the Committee to make periodic reports to the General Assembly, which can contain legislative proposals to implement its recommendations. Other powers of the Committee include (1) monitoring State agency and Department of Information Technology cybersecurity and data loss prevention activities; (2) reviewing and monitoring State agency compliance with budgetary and other directives of the General Assembly relating to State agency cybersecurity and data loss prevention and monitoring State agency expenditures, deviations, and changes to the certified budget related to cybersecurity and data loss prevention; (3) requesting and receiving presentations and reports from State agencies on security incidents and information security assessments as well as audits, studies, and other reports; and (4) identifying opportunities for agencies to coordinate and collaborate to eliminate duplicative cybersecurity functions. Defines security incident as the term is defined in GS 143B-1320(a)(15). 
Defines information security assessment as (1) an organized method to determine a risk to or a vulnerability of a State agency's information system or a third-party information service to which the State subscribes and (2) an independent examination and review of records, logs, policies, activities, and practices used to: (a) assess whether a State agency's information system is vulnerable to an information security incident; (b) ensure compliance with the rules, policies, standards, and procedures that the State Chief Information Officer or a State agency, under the State agency's independent authority, adopts or promulgates; and (c) recommend necessary changes to a State agency's rules, policies, standards, and procedures to ensure compliance and prevent information security incidents.
Requires each member of the Committee to execute a nondisclosure agreement upon appointment and any subsequent nondisclosure agreements, as appropriate. Specifies that the nondisclosure agreement is to be provided by the Committee and include (1) a description of the parties to the agreement, (2) a definition of the types of information covered by the agreement, (3) the period of nondisclosure, (4) exclusions from the agreement, (5) a description of how to handle information covered by the agreement that is received by the member, and (6) types of permissible disclosure. Provides that disclosure of information covered by the nondisclosure agreement constitutes grounds for the member's removal from the Committee, and that willful or intentional disclosure of information covered by the nondisclosure agreement constitutes a Class I felony.
Authorizes the Committee to conduct its business in closed session and exclude the public under GS 143-318.11 when required in four circumstances, in addition to the permitted purposes provided in GS 143-318.11. Specifies the four circumstances to be (1) to receive reports, audits, studies, or testimony that could provide sensitive information relating to State agency cybersecurity, data loss prevention measures, protocols, or related budgetary expenditures; (2) to discuss information technology security incidents affecting State agencies; (3) to discuss the provision or status of measures taken to prevent information technology security incidents by the departments and agencies of this State; and (4) to discuss budgetary items and requests relating to the prevention and mitigation of security interests. Defines information technology security incident to be as defined by GS 143B-1320(a)(12), and includes any incident that creates a risk of harm to a State agency or the State agency's operations and in which: (1) access to or viewing, copying, transmission, theft, or usage of a State agency's sensitive information occurs without authorization from the State agency; (2) a failure of compliance with a State agency's security or acceptable use policies or practices occurs that results in access to a State agency's information system or information resources for viewing, copying, transmission, theft, or use without the State agency's authorization; or (3) a State agency's information system or information resources or a third-party information service to which a State agency subscribes becomes available in a reliable and timely manner to authorized individuals or organizations, or is modified or deleted under circumstances that the State agency does not intend, plan, or initiate.
Establishes that all minutes, documents, testimony, or other records relating to Committee proceedings occurring during closed session under this statute are subject to the nondisclosure provisions of GS 120-283.3 and are not public records. Authorizes the Committee to release information it has received pursuant to new Part 2 of Article 26 in the Committee's discretion and upon unanimous vote of the members. Requires the Committee to consider the potential impact upon private and proprietary interests in exercising its discretion.
Amends GS 143B-1322(c) to add to the powers and duties of the State Chief Information Officer the power to enter into nondisclosure agreements with the Legislative Cybersecurity Committee and the chief information officers and department heads of participating agencies relating to the sharing of information on cybersecurity and data loss prevention practices and measures used by the Department of Information Technology and participating agencies. Amends GS 143B-1322(d) to direct the Office of State Budget and Management and the Office of State Controller to cooperate with the Department of Information Technology in the assignment of budget codes in a manner that protects the security of the State's information technology assets.
Enacts GS 143B-1380 to require the State CIO to report at least quarterly to the Legislative Cybersecurity Committee on: (1) known instances of and attempts at cyber attack or data breach within the Department of Information Technology or participating agencies, (2) quantifiable data on losses stemming from instances of cyber attack or data breach, (3) identification of issues surrounding cybersecurity and data loss prevention practices and measures in place at the time of the cyber attack or data breach, (4) steps taken to prevent future cyber attacks and data breaches of a similar nature, and (5) recommendations to the Committee on potential legislative action. Establishes that the report by the State CIO is not a public record, but is subject to the provisions of GS 120-238.3, as enacted.
Directs that the initial appointments of members to the Legislative Cybersecurity Committee be made on or before January 1, 2018, with initial members serving a one-year term during the 2018 Regular Session of the 2017 General Assembly, unless reappointed by the appointing official.