AN ACT

Amending title 18, chapter 1, article 1, Arizona Revised Statutes, by adding sections 18‑106 and 18‑107; relating to government information technology.

(TEXT OF BILL BEGINS ON NEXT PAGE)

Be it enacted by the Legislature of the State of Arizona:

Section 1.  Title 18, chapter 1, article 1, Arizona Revised Statutes, is amended by adding sections 18-106 and 18‑107, to read:

START_STATUTE18-106.  Consolidation and shared services; transfer of information technology infrastructure; policy; reporting requirements

A.  The department shall identify opportunities for information technology consolidation and shared services, including consolidating servers and data centers.

B.  The department shall adopt a policy that establishes a two-year hardware, platform and software refresh evaluation cycle for budget units and that requires each budget unit to evaluate and progressively migrate the budget unit's information technology assets to use a commercial cloud computing model or cloud model as defined by the national institute of standards and technology.  The policy must direct budget units to consider purchasing and using cloud computing services before making any new information technology or telecommunications investment.

C.  The policy adopted pursuant to subsection B of this section shall address the following:

1.  Privacy and security standards that require any off-premises environment to conform to all of the following based on data attributes:

(a)  The applicable federal risk and authorization management program.

(b)  The health insurance portability and accountability act privacy standards (45 Code of Federal Regulations section 164.512(e)).

(c)  The family educational rights and privacy act of 1974 (P.L. 93‑380).

(d)  The criminal justice information services security policy.

(e)  The payment card industry data security standard.

(f)  Internal revenue service publication 1075.

(g)  The federal information security modernization act of 2014 (P.L. 113‑283).

(h)  National institute of standards and technology special publication 800‑53.

(i)  National institute of standards and technology special publication 800‑171.

(j)  The federal information processing standards publication 200.

2.  Cybersecurity that addresses and incorporates applicable cybersecurity management and incident reporting requirements in the policy pursuant to the national institute of standards and technology publications and cybersecurity framework.

3.  Data categorization that assesses data and determines privacy and security limits before migration and that conforms with internal revenue service publication 1075 and federal information processing standards publication 199 titled standards for security categorization of federal information and information systems, as applicable.

4.  Third‑party categories, including hardware, platform or software migrations, that require third parties to conform to the applicable national institute of standards and technology definition of cloud computing special publication 800-145.

5.  Economic value that requires evaluation of the total cost of ownership analysis of a period of at least five years for all consolidation efforts considered.

6.  Data and network standards requiring that any environment considered for use certifies that all traffic to and from the hosting environment and the location of the data will reside within the united states.

7.  applicable data security that conforms to data in transit and data at rest encryption standards as referenced in federal information processing standards publication 140‑2, security requirements for cryptographic modules.

D.  On or before January 1, 2018, each budget unit shall report to the department regarding the budget unit's plan for migrating the budget unit's information technology infrastructure.

E.  Beginning January 1, 2018, each budget unit shall report to the department, the chief information officer and the chairperson of the joint legislative budget committee on or before January 1 and July 1 of each year the budget unit's progress in transferring data pursuant to subsection B of this section and any factors delaying or inhibiting the expansion of cloud computing usage.

F.  Notwithstanding any other law, the department shall solicit at least two written bids from qualified bidders before awarding a purchase or contract for an information technology project that exceeds one hundred thousand dollars pursuant to this section.END_STATUTE

START_STATUTE18-107.  Information technology infrastructure plan; joint legislative budget committee review

A budget unit shall submit each information technology infrastructure plan to the joint legislative budget committee for review within ninety days after awarding any contract for information technology Infrastructure that exceeds two million five hundred thousand dollars.  The joint legislative budget committee may meet in executive session to consider the plan.  The plan shall include all of the following:

1.  A project investment justification or request for proposal.

2.  The name of each bidder that was requested to bid and each bidder that submitted a bid for the project and the amounts and conditions of the bids.

3.  The name and bid amount of the successful bidder. END_STATUTE