Senate Study Bill 1050 - Introduced SENATE FILE _____ BY (PROPOSED COMMITTEE ON COMMERCE BILL BY CHAIRPERSON SCHULTZ) A BILL FOR An Act relating to the office of the chief information officer, 1 including procurement preferences and a report detailing 2 state information technology assets. 3 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA: 4 TLSB 1489XC (2) 89 jda/rn

S.F. _____ Section 1. Section 8B.1, Code 2021, is amended by adding the 1 following new subsection: 2 NEW SUBSECTION . 2A. “Cloud computing” means the same as 3 defined in the United States national institute of standards 4 and technology’s special publication 800-145. 5 Sec. 2. Section 8B.9, subsection 6, Code 2021, is amended 6 to read as follows: 7 6. Beginning October 1, 2019, a quarterly report regarding 8 the status of technology upgrades or enhancements for state 9 agencies, submitted to the general assembly and to the 10 chairpersons and ranking members of the senate and house 11 committees on appropriations. The quarterly report shall 12 also include a listing of state agencies coordinating or 13 working with the office , and a listing of state agencies not 14 coordinating or working with the office , and the information 15 required by section 8B.24, subsection 5A, paragraph “b” . 16 Sec. 3. Section 8B.24, Code 2021, is amended by adding the 17 following new subsection: 18 NEW SUBSECTION . 5A. a. The office shall, when feasible, 19 procure from providers that meet or exceed applicable state 20 and federal laws, regulations, and standards for information 21 technology, third-party cloud computing solutions and other 22 information technology and related services that are not hosted 23 on premises by the state. 24 b. If the office determines it is not feasible to procure 25 third-party cloud computing solutions or other information 26 technology and related services pursuant to paragraph “a” , and 27 if on-premises technology upgrades or new applications to be 28 housed on-premises are proposed, the office shall include all 29 of the following in the report required pursuant to section 30 8B.9, subsection 6: 31 (1) An explanation as to why a cloud computing deployment 32 was not feasible. 33 (2) Whether the application can be deployed using a hybrid 34 or containerized approach to minimize on-premise costs. 35 -1- LSB 1489XC (2) 89 jda/rn 1/ 4

S.F. _____ (3) Compliance frameworks that require the application to 1 be hosted on-premises. 2 c. The office shall contract with multiple third-party 3 commercial cloud computing service providers. 4 d. The control and ownership of state data stored with cloud 5 computing service providers shall remain with the state. The 6 office shall ensure the portability of state data stored with 7 cloud computing service providers. 8 Sec. 4. Section 8B.24, subsection 6, Code 2021, is amended 9 to read as follows: 10 6. The office shall adopt rules pursuant to chapter 17A to 11 implement the procurement methods and procedures provided for 12 in subsections 2 through 5 5A . 13 Sec. 5. INVENTORY OF INFORMATION TECHNOLOGY ASSETS, CURRENT 14 CLOUD COMPUTING ADOPTION, AND CLOUD COMPUTING MIGRATION PLAN 15 —— REPORT. By November 1, 2021, the office of the chief 16 information officer, in collaboration with other state agencies 17 and departments, shall provide a report to the general assembly 18 that includes all of the following: 19 1. An inventory of all state information technology 20 applications, and the percentage of the information technology 21 applications that are cloud-based applications. 22 2. Recommendations regarding state information technology 23 applications that should migrate to cloud-based applications. 24 Each such recommendation shall include a description of 25 workloads and information technology applications that are best 26 suited to migrate to cloud-based applications given all of the 27 following considerations: 28 a. Whether the information technology application has 29 underlying storage, networks, or infrastructure that supports 30 another information technology application, and whether the 31 information technology application is supported by another 32 information technology application. 33 b. How critical the information technology application is 34 to the mission of the state agency or department. 35 -2- LSB 1489XC (2) 89 jda/rn 2/ 4

S.F. _____ c. The difficulty of migrating the information technology 1 application to a cloud-based application. 2 d. The total cost of ownership of the target environment in 3 which the information technology application shall operate if 4 migrated to a cloud-based application. 5 EXPLANATION 6 The inclusion of this explanation does not constitute agreement with 7 the explanation’s substance by the members of the general assembly. 8 This bill relates to the office of the chief information 9 officer, including procurement preferences and a report 10 detailing state information technology assets. 11 The bill defines “cloud computing” by reference to the 12 United States national institute of standards and technology’s 13 special publication 800-145, which defines the term as a model 14 for enabling ubiquitous, convenient, on-demand network access 15 to a shared pool of configurable computing resources that can 16 be rapidly provisioned and released with minimal management 17 effort or service provider interaction. 18 Current law requires the office to submit a quarterly report 19 regarding the status of technology upgrades or enhancements for 20 state agencies. The bill requires this report to also include 21 information related to the office’s determination that it was 22 not feasible to procure a cloud computing solution, including 23 an explanation as to why a cloud computing deployment was not 24 feasible, whether the application can be deployed using a 25 hybrid or containerized approach to minimize on-premise costs, 26 and compliance frameworks that require the application to be 27 hosted on-premises. 28 The bill requires the office to, when feasible, procure 29 third-party cloud computing solutions and other information 30 technology and related services that are not hosted on premises 31 by the state from providers that meet or exceed applicable 32 state and federal laws, regulations, and standards for 33 information technology. 34 The bill provides the office shall contract with multiple 35 -3- LSB 1489XC (2) 89 jda/rn 3/ 4

S.F. _____ third-party commercial cloud computing service providers. 1 The bill establishes that control and ownership of state 2 data stored with cloud computing service providers shall remain 3 with the state. The bill requires the office to ensure the 4 portability of state data stored with cloud computing service 5 providers. 6 The bill requires the office to provide a report to the 7 general assembly by November 1, 2021, that includes an 8 inventory of all state information technology applications, 9 and recommendations regarding state information technology 10 applications that should migrate to cloud-based applications. 11 -4- LSB 1489XC (2) 89 jda/rn 4/ 4