Minnesota Legislature
SF 2097
as introduced - 91st Legislature (2019 - 2020) Posted on 07/19/2019 10:09am
Bill Text Versions
| Engrossments | ||
|---|---|---|
| Introduction | Posted on 03/05/2019 |
Current Version - as introduced
1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 1.22 1.23 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12
2.13 2.14 2.15 2.16 2.17 2.18 2.19 2.20 2.21 2.22 2.23 2.24 2.25
2.26 2.27 2.28 2.29 2.30 2.31 2.32 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 3.20 3.21 3.22 3.23 3.24 3.25 3.26 3.27
4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.10 4.11 4.12 4.13 4.14 4.15 4.16 4.17 4.18 4.19 4.20 4.21 4.22 4.23 4.24 4.25 4.26 4.27 4.28 4.29 4.30 4.31 4.32 4.33 4.34 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 5.9 5.10
A bill for an act
relating to state government; requiring consideration of cloud computing service
options in state agency information technology projects; requiring technology
infrastructure inventories and security risk assessments; requiring completion of
the consolidation of information technology services and a strategic workplan;
requiring a consolidation surcharge for certain agencies; mandating reports;
amending Minnesota Statutes 2018, sections 16E.03, subdivision 1, by adding a
subdivision; 16E.035.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
Section 1.
Minnesota Statutes 2018, section 16E.03, subdivision 1, is amended to read:
Subdivision 1.
Definitions.
(a) For the purposes of this chapter, the following terms
have the meanings given them.
(b) "Information and telecommunications technology systems and services" means all
computing and telecommunications hardware and software, the activities undertaken to
secure that hardware and software, and the activities undertaken to acquire, transport, process,
analyze, store, and disseminate information electronically. "Information and
telecommunications technology systems and services" includes all proposed expenditures
for computing and telecommunications hardware and software, security for that hardware
and software, and related consulting or other professional services.
(c) "Information and telecommunications technology project" means an effort to acquire
or produce information and telecommunications technology systems and services.
(d) "Telecommunications" means voice, video, and data electronic transmissions
transported by wire, wireless, fiber-optic, radio, or other available transport technology.
(e) "Cyber security" means the protection of data and systems in networks connected to
the Internet.
(f) "State agency" means an agency in the executive branch of state government and
includes the Minnesota Office of Higher Education, but does not include the Minnesota
State Colleges and Universities unless specifically provided elsewhere in this chapter.
(g) "Total expected project cost" includes direct staff costs, all supplemental contract
staff and vendor costs, and costs of hardware and software development or purchase.
Breaking a project into several phases does not affect the cost threshold, which must be
computed based on the full cost of all phases.
new text begin
(h) "Cloud computing" has the meaning described by the National Institute of Standards
and Technology of the United States Department of Commerce in special publication
800-145, September 2011.
new text end
Sec. 2.
Minnesota Statutes 2018, section 16E.03, is amended by adding a subdivision to
read:
new text begin Subd. 4a. new text end
new text begin Cloud computing services. new text end
new text begin
(a) The project evaluation procedure required by
subdivision 4 must include a review of cloud computing service options, including any
security benefits and costs savings associated with purchasing those service options from
a cloud computing service provider.
new text end
new text begin
(b) No later than October 1, 2019, and by October 1 of each even-numbered year
thereafter, the chief information officer must submit a report to the governor and to the
legislative committees with primary jurisdiction over state information technology issues
on the consideration of cloud computing service options in the information and
communications projects proposed by state agencies. The report must provide examples of
projects that produce cost savings and other benefits, including security enhancements, from
the use of cloud computing services.
new text end
Sec. 3.
Minnesota Statutes 2018, section 16E.035, is amended to read:
16E.035 TECHNOLOGY new text begin INFRASTRUCTURE new text end INVENTORYnew text begin ; SECURITY RISK
ASSESSMENTnew text end .
new text begin Subdivision 1. new text end
new text begin Inventory required. new text end
new text begin (a) new text end The chief information officer must prepare deleted text begin a
financialdeleted text end new text begin annew text end inventory of technology new text begin infrastructure new text end owned or leased by MN.IT Servicesnew text begin or
a state agencynew text end . The inventory must include:
(1) new text begin each agency's information technology security program;
new text end
new text begin
(2) an inventory of servers, mainframes, cloud services, and other information technology
systems and services, itemized by agency;
new text end
new text begin
(3) identification of vendors that operate or manage information technology systems or
services within each agency;
new text end
new text begin (4) new text end information on how deleted text begin the technologydeleted text end new text begin each system or servicenew text end fits into the state's
information technology architecture; and
deleted text begin (2)deleted text end new text begin (5)new text end a projected replacement schedulenew text begin for each system or servicenew text end .
deleted text begin
The chief information officer must report the inventory to the legislative committees
with primary jurisdiction over state technology issues by July 1 of each even-numbered
year.
deleted text end
new text begin Subd. 2. new text end
new text begin Risk assessment. new text end
new text begin
(a) The chief information officer must conduct a risk
assessment of the information technology systems and services contained in the inventory
required by subdivision 1. The risk assessment must include:
new text end
new text begin
(1) an analysis and assessment of each state agency's security and operational risks; and
new text end
new text begin
(2) for a state agency found to be at higher security and operational risks, a detailed
analysis of, and an estimate of the costs to implement:
new text end
new text begin
(i) the requirements for the agency to address the risks and related vulnerabilities; and
new text end
new text begin
(ii) agency efforts to address the risks through the modernization of information
technology systems and services, the use of cloud computing services, and use of a statewide
data center.
new text end
new text begin
(b) This section does not require disclosure of security information classified under
section 13.37.
new text end
new text begin Subd. 3. new text end
new text begin Reports required. new text end
new text begin
The chief information officer must submit a report containing
the inventory and risk assessments required by this section to the governor and the chairs
and ranking minority members of the legislative committees with primary jurisdiction over
state information technology issues no later than October 1, 2019, and by October 1 of each
even-numbered year thereafter.
new text end
Sec. 4. new text begin COMPLETION OF INFORMATION TECHNOLOGY CONSOLIDATION;
SURCHARGE AND SUSPENSION OF SERVICES FOR NONCOMPLIANT
AGENCIES; STRATEGIC WORKPLAN.
new text end
new text begin Subdivision 1. new text end
new text begin Consolidation required; state agency surcharge. new text end
new text begin
(a) No later than
December 31, 2020, the state chief information officer must complete the executive branch
information technology consolidation required by Laws 2011, First Special Session chapter
10, article 4, section 7, as amended by Laws 2013, chapter 134, section 29. The head of any
state agency subject to consolidation must assist the state chief information officer as
necessary to implement the requirements of this subdivision.
new text end
new text begin
(b) Beginning July 1, 2020, the state chief information officer must impose a technology
consolidation surcharge of ... percent on billings, and must suspend ongoing work on any
new projects or system upgrades, for an agency with information technology systems that
have not fully integrated into the statewide consolidated system despite the requirements
of law. Amounts received from the surcharge must be deposited into the general fund and
used to support information technology projects within agencies that have completed the
consolidation or for other purposes directed by law.
new text end
new text begin Subd. 2. new text end
new text begin Strategic workplan. new text end
new text begin
No later than August 1, 2019, the state chief information
officer must prepare a strategic workplan detailing the steps necessary to complete the
information technology consolidation required by subdivision 1. The plan must include
benchmark goals that can be reasonably measured and documented and have specific
deadlines to be met within each quarter. The benchmark goals must include but are not
limited to strategies for implementing the cloud computing services review required by
Minnesota Statutes, section 16E.03, subdivision 4a, and other tools to provide secure and
cost-effective services to executive branch agencies and other end-users.
new text end
new text begin Subd. 3. new text end
new text begin Progress reports. new text end
new text begin
(a) No later than September 1, 2019, the state chief
information officer must submit a copy of the workplan required by subdivision 2 to the
chairs and ranking minority members of the legislative committees with primary jurisdiction
over state government finance and state information technology services.
new text end
new text begin
(b) No later than October 1, 2019, and quarterly thereafter, the state chief information
officer must submit a progress report to the committees receiving the workplan required by
paragraph (a). At a minimum, the progress reports must include:
new text end
new text begin
(1) information sufficient to determine whether deadlines for each benchmark goal have
been met and an explanation of the circumstances for any deadline that has not been met;
new text end
new text begin
(2) details on the progress toward achieving each benchmark goal; and
new text end
new text begin
(3) information on any new or unexpected costs or other barriers that impact progress
toward achieving a benchmark goal, including a detailed explanation of efforts by the state
chief information officer to reduce or eliminate those costs or barriers to ensure achievement
of that goal.
new text end
new text begin
The report must also identify any agencies subject to the surcharge required under subdivision
1, paragraph (b).
new text end
new text begin
(c) The chairs of each committee in paragraph (a) must convene a public hearing within
30 days of receipt of each report to discuss its contents. The state chief information officer
must appear at each hearing and respond to questions from committee members regarding
the progress update.
new text end