(a) For the purposes of this chapter, the following terms have the meanings given them.
(b) "Information and telecommunications technology systems and services" means all computing and telecommunications hardware and software, the activities undertaken to secure that hardware and software, and the activities undertaken to acquire, transport, process, analyze, store, and disseminate information electronically. "Information and telecommunications technology systems and services" includes all proposed expenditures for computing and telecommunications hardware and software, security for that hardware and software, and related consulting or other professional services.
(c) "Information and telecommunications technology project" means an effort to acquire or produce information and telecommunications technology systems and services.
(d) "Telecommunications" means voice, video, and data electronic transmissions transported by wire, wireless, fiber-optic, radio, or other available transport technology.
(e) "Cyber security" means the protection of data and systems in networks connected to the Internet.
(f) "State agency" means an agency in the executive branch of state government and includes the Minnesota Office of Higher Education, but does not include the Minnesota State Colleges and Universities unless specifically provided elsewhere in this chapter.
(g) "Total expected project cost" includes direct staff costs, all supplemental contract staff and vendor costs, and costs of hardware and software development or purchase. Breaking a project into several phases does not affect the cost threshold, which must be computed based on the full cost of all phases.
(h) "Cloud computing" has the meaning described by the National Institute of Standards and Technology of the United States Department of Commerce in special publication 800-145, September 2011.
The chief information officer shall:
(1) design a master plan for information and telecommunications technology systems and services in the state and its political subdivisions and shall report on the plan to the governor and legislature at the beginning of each regular session;
(2) coordinate, review, and approve all information and telecommunications technology projects and oversee the state's information and telecommunications technology systems and services;
(3) establish and enforce compliance with standards for information and telecommunications technology systems and services that are cost-effective and support open systems environments and that are compatible with state, national, and international standards, including accessibility standards;
(4) maintain a library of systems and programs developed by the state and its political subdivisions for use by agencies of government;
(5) direct and manage the shared operations of the state's information and telecommunications technology systems and services; and
(6) establish and enforce standards and ensure acquisition of hardware and software necessary to protect data and systems in state agency networks connected to the Internet.
A state agency may not undertake an information and telecommunications technology project until it has been evaluated according to the procedures developed under subdivision 4. The chief information officer shall give written approval of the proposed project. When notified by the chief information officer that a project has not been approved, the commissioner of management and budget shall cancel the unencumbered balance of any appropriation allotted for the project.
The chief information officer shall establish and, as necessary, update and modify procedures to evaluate information and communications projects proposed by state agencies. The evaluation procedure must assess the necessity, design and plan for development, ability to meet user requirements, accessibility, feasibility, and flexibility of the proposed data processing device or system, its relationship to other state data processing devices or systems, and its costs and benefits when considered by itself and when compared with other options.
The project evaluation procedure required by subdivision 4 must include a review of cloud computing service options, including any security benefits and cost savings associated with purchasing those service options from a cloud computing service provider.
The chief information officer shall submit to the legislature, at the same time as the governor's budget required by section 16A.11, a concise narrative explanation of any information and communication technology project that involves collaboration between state agencies and an explanation of how the budget requests of the several agencies collaborating on the project relate to each other.
The chief information officer shall establish and, as necessary, update and modify methods for developing information and communications systems appropriate to the specific needs of individual state agencies. The development methods shall be used to define the design, programming, and implementation of systems. The development methods must also enable and require a data processing system to be defined in terms of its computer programs, input requirements, output formats, administrative procedures, and processing frequencies.
In consultation with the attorney general and appropriate agency heads, the chief information officer shall develop cyber security policies, guidelines, and standards, and shall install and administer state data security systems on the state's computer facilities consistent with these policies, guidelines, standards, and state law to ensure the integrity of computer-based and other data and to ensure applicable limitations on access to data, consistent with the public's right to know as defined in chapter 13. The chief information officer is responsible for overall security of state agency networks connected to the Internet. Each department or agency head is responsible for the security of the department's or agency's data within the guidelines of established enterprise policy.
(a) The chief information officer shall develop accessibility standards applicable to technology, software, and hardware procurement, with the exception of infrastructure hardware. The standards shall not impose an undue burden on the state.
(b) The chief information officer shall require state agencies to adhere to the standards developed under this subdivision unless an exception is approved pursuant to subdivision 10. Except as provided in paragraph (c), the standards developed under this section must incorporate section 508 of the Rehabilitation Act, United States Code, title 29, section 794d, as amended by the Workforce Investment Act of 1998, Public Law 105-220, August 7, 1998, and the Web Content Accessibility Guidelines, 2.0. The chief information officer must review subsequent revisions to section 508 of the Rehabilitation Act and to the Web Content Accessibility Guidelines and may incorporate the revisions in the accessibility standards.
(c) If the chief information officer determines that any standard developed under this subdivision poses an undue burden to the state, the chief information officer may modify the burdensome standard, provided written findings and rationale are made explaining the deviation.
Exceptions to the standards may be granted by the chief information officer based upon a request by an agency.
The chief information officer, or a designee, must provide technical support to assist the legislature to comply with accessibility standards under section 3.199, subdivision 2. Support under this subdivision must include:
(1) clarifying the requirements of the accessibility standards;
(2) providing templates for common software applications used in developing documents used by the legislature;
(3) assisting the development of training for staff to comply with the accessibility standards and assisting in providing the training; and
(4) assisting the development of technical applications that enable legislative documents to be fully accessible.
The chief information officer must provide these services at no cost to the legislature.