Bill Text: MS SB2530 | 2022 | Regular Session | Comm Sub
Bill Title: Department of Information Technology Services; require to report ransomware incidents and revise provisions related thereto.
Spectrum: Partisan Bill (Republican 2-0)
Status: (Vetoed) 2022-04-21 - Vetoed [SB2530 Detail]
MISSISSIPPI LEGISLATURE
2022 Regular Session
To: Technology
By: Senator(s) DeLano, Williams
Senate Bill 2530
(COMMITTEE SUBSTITUTE)
AN ACT TO AMEND SECTION 25-53-201, MISSISSIPPI CODE OF 1972, TO PROVIDE THAT THE MISSISSIPPI DEPARTMENT OF INFORMATION TECHNOLOGY SERVICES SHALL EVALUATE THE OPPORTUNITIES FOR EXPANDING THE ENTERPRISE SECURITY PROGRAM AND THE COORDINATED OVERSIGHT OF CYBERSECURITY EFFORTS TO INCLUDE THOSE GOVERNING AUTHORITIES DEFINED IN SECTION 25-53-3(F); TO REQUIRE THE DEPARTMENT TO DEVELOP A REPORT ON THESE OPPORTUNITIES AND TO PRESENT THE REPORT TO THE CHAIRMEN OF THE SENATE AND HOUSE OF REPRESENTATIVES ACCOUNTABILITY, EFFICIENCY, TRANSPARENCY COMMITTEES AND THE CHAIRMAN OF THE SENATE TECHNOLOGY COMMITTEE BY NOVEMBER 1, 2022; TO PROVIDE THAT FROM AND AFTER JULY 1, 2022, ALL STATE AGENCIES AND GOVERNING AUTHORITIES AS DEFINED IN SECTION 25-53-3 SHALL REPORT TO THE MISSISSIPPI DEPARTMENT OF INFORMATION TECHNOLOGY SERVICES ANY DEMAND FOR PAYMENT OR ANY PAYMENT MADE AS A RESULT OF RANSOMWARE; TO DEFINE RANSOMWARE; TO REQUIRE THESE AGENCIES AND AUTHORITIES TO REPORT THIS INFORMATION WITHIN 24 HOURS OF DISCOVERY OF THE RANSOMWARE; TO REQUIRE THE DEPARTMENT TO RECORD ALL INFORMATION SUBMITTED FROM THESE AGENCIES AND AUTHORITIES AND DEVELOP A REPORT ON THIS INFORMATION WITHIN 48 HOURS OF DISCOVERY; TO REQUIRE THE DEPARTMENT TO PRESENT THIS REPORT TO THE LIEUTENANT GOVERNOR, SPEAKER OF THE HOUSE, CHAIRMEN OF THE SENATE AND HOUSE OF REPRESENTATIVES ACCOUNTABILITY, EFFICIENCY, TRANSPARENCY COMMITTEES AND THE CHAIRMAN OF THE SENATE TECHNOLOGY COMMITTEE; TO REQUIRE THE DEPARTMENT TO PRESENT A YEARLY SUMMARY OF ALL RANSOMWARE INCIDENTS BY NOVEMBER 1 OF EACH YEAR TO THE LIEUTENANT GOVERNOR, SPEAKER OF THE HOUSE, CHAIRMEN OF THE SENATE AND HOUSE OF REPRESENTATIVES ACCOUNTABILITY, EFFICIENCY, TRANSPARENCY COMMITTEES AND THE CHAIRMAN OF THE SENATE TECHNOLOGY COMMITTEE; AND FOR RELATED PURPOSES.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MISSISSIPPI:
SECTION 1. Section 25-53-201, Mississippi Code of 1972, is amended as follows:
25-53-201. (1) There is hereby established the Enterprise Security Program which shall provide for the coordinated oversight of the cybersecurity efforts across all state agencies, including cybersecurity systems, services and the development of policies, standards and guidelines.
(2) The Mississippi Department of Information Technology Services (MDITS), in conjunction with all state agencies, shall provide centralized management and coordination of state policies for the security of data and information technology resources, which such information shall be compiled by MDITS and distributed to each participating state agency. MDITS shall:
(a) Serve as sole authority, within the constraints of this statute, for defining the specific enterprise cybersecurity systems and services to which this statute is applicable;
(b) Acquire and operate enterprise technology solutions to provide services to state agencies when it is determined that such operation will improve the cybersecurity posture in the function of any agency, institution or function of state government as a whole;
(c) Provide oversight of enterprise security policies for state data and information technology (IT) resources, including the following:
(i) Establishing and maintaining the security standards and policies for all state data and IT resources state agencies shall implement to the extent that they apply; and
(ii) Including the defined enterprise security requirements as minimum requirements in the specifications for solicitation of state contracts for procuring data and information technology systems and services;
(d) Adhere to all policies, standards and guidelines in the management of technology infrastructure supporting the state data centers, telecommunications networks and backup facilities;
(e) Coordinate and promote efficiency and security with all applicable laws and regulations in the acquisition, operation and maintenance of state data, cybersecurity systems and services used by agencies of the state;
(f) Manage, plan and coordinate all enterprise cybersecurity systems under the jurisdiction of the state;
(g) Develop, in conjunction with agencies of the state, coordinated enterprise cybersecurity systems and services for all state agencies;
(h) Provide ongoing analysis of enterprise cybersecurity systems and services costs, facilities and systems within state government;
(i) Develop policies, procedures and long-range plans for the use of enterprise cybersecurity systems and services;
(j) Form an advisory council of information security officers from each state agency to plan, develop and implement cybersecurity initiatives;
(k) Coordinate the activities of the advisory council to provide education and awareness, identify cybersecurity-related issues, set future direction for cybersecurity plans and policy, and provide a forum for interagency communications regarding cybersecurity;
(l) Charge respective user agencies on a reimbursement basis for their proportionate cost of the installation, maintenance and operation of the cybersecurity systems and services; and
(m) Require cooperative utilization of cybersecurity systems and services by aggregating users.
(3) Each state agency's executive director or agency head shall:
(a) Be solely responsible for the security of all data and IT resources under its purview, irrespective of the location of the data or resources. Locations include data residing:
(i) At agency sites;
(ii) On agency real property and tangible and intangible assets;
(iii) On infrastructure in the State Data Centers;
(iv) At a third-party location;
(v) In transit between locations;
(b) Ensure that an agency-wide security program is in place;
(c) Designate an information security officer to administer the agency's security program;
(d) Ensure the agency adheres to the requirements established by the Enterprise Security Program, to the extent that they apply;
(e) Participate in all Enterprise Security Program initiatives and services in lieu of deploying duplicate services specific to the agency;
(f) Develop, implement and maintain written agency policies and procedures to ensure the security of data and IT resources. The agency policies and procedures are confidential information and exempt from public inspection, except that the information must be available to the Office of the State Auditor in performing auditing duties;
(g) Implement policies and standards to ensure that all of the agency's data and IT resources are maintained in compliance with state and federal laws and regulations, to the extent that they apply;
(h) Implement appropriate cost-effective safeguards to reduce, eliminate or recover from identified threats to data and IT resources;
(i) Ensure that internal assessments of the security program are conducted. The results of the internal assessments are confidential and exempt from public inspection, except that the information must be available to the Office of the State Auditor in performing auditing duties;
(j) Include all appropriate cybersecurity requirements in the specifications for the agency's solicitation of state contracts for procuring data and information technology systems and services;
(k) Include a general description of the security program and future plans for ensuring security of data in the agency long-range information technology plan;
(l) Participate in annual information security training designed specifically for the executive director or agency head to ensure that such individual has an understanding of:
(i) The information and information systems that support the operations and assets of the agency;
(ii) The potential impact of common types of cyber-attacks and data breaches on the agency's operations and assets;
(iii) How cyber-attacks and data breaches on the agency's operations and assets could impact the operations and assets of other state agencies on the Enterprise State Network;
(iv) How cyber-attacks and data breaches occur;
(v) Steps to be undertaken by the executive director or agency head and agency employees to protect their information and information systems; and
(vi) The annual reporting requirements required of the executive director or agency head.
(4) The Mississippi Department of Information Technology Services shall evaluate the opportunities for expanding the Enterprise Security Program and the coordinated oversight of cybersecurity efforts to include those governing authorities as defined in Section 25-53-3(f). The Mississippi Department of Information Technology Services shall develop a report on these opportunities. The Mississippi Department of Information Technology Services shall present this report to the Chairmen of the Senate and House of Representatives Accountability, Efficiency, Transparency Committees, Attorney General and the Chairman of the Senate Technology Committee by November 1, 2022.
(5) From and after July 1, 2022, all state agencies and governing authorities as defined in Section 25-53-3 shall report to the Mississippi Department of Information Technology Services any demand for payment or any payment made as a result of ransomware. These agencies and authorities shall report this information within twenty-four (24) hours of discovery of the ransomware. The Mississippi Department of Information Technology Services shall record all information submitted from these agencies and authorities and develop a report on this information within forty-eight (48) hours of discovery. The Mississippi Department of Information Technology Services shall present this report to the Lieutenant Governor, Speaker of the House, Attorney General, Chairmen of the Senate and House of Representatives Accountability, Efficiency, Transparency Committees and the Chairman of the Senate Technology Committee. By November 1 of each year, the Mississippi Department of Information Technology Services shall provide a yearly summary of all ransomware incidents to the Lieutenant Governor, Speaker of the House, Chairmen of the Senate and House of Representatives Accountability, Efficiency, Transparency Committees and the Chairman of the Senate Technology Committee. For the purpose of this subsection, "ransomware" shall mean a computer contaminant, or lock placed or introduced without authorization into a computer, computer system, or computer network that restricts access by an authorized person to the computer, computer system, computer network, or any data therein under circumstances in which the person responsible for the placement or introduction of the ransomware demands payment of money or other consideration to remove the computer contaminant, restore access to the computer, computer system, computer network, or data, or otherwise remediate the impact of the computer contaminant or lock.
SECTION 2. This act shall take effect and be in force from and after July 1, 2022.