Bill Text: NC H390 | 2013-2014 | Regular Session | Chaptered
Bill Title: State IT Governance Changes.-AB
Spectrum: Bipartisan Bill
Status: (Passed) 2013-06-26 - Ch. SL 2013-188
GENERAL ASSEMBLY OF NORTH CAROLINA
SESSION 2013
SESSION LAW 2013-188
HOUSE BILL 390
AN ACT making various changes to the laws relating to state information technology governance.
The General Assembly of North Carolina enacts:
SECTION 1. G.S. 143‑135.9(a)(3) is repealed.
SECTION 2. G.S. 147‑33.72C(e) reads as rewritten:
"(e) Performance
Contracting. – All contracts between a State agency and a private party for information technology projects shall include provisions for vendor performance review and accountability. The State CIO may require that these contract provisions require a performance bond, include monetary penalties penalties, or require other performance assurance measures for projects that are not completed or performed within the specified time period or that involve costs in excess of those specified in the contract. The State CIO may require contract provisions requiring a vendor to provide a performance bond. utilize cost‑savings realized on government‑vendor partnerships, as defined in G.S. 143‑135.9, as performance incentives for an information technology project vendor."
SECTION 3. G.S. 147‑33.91(a) reads as rewritten:
"(a) With respect to State agencies, the State Chief Information Officer shall exercise general coordinating authority for all telecommunications matters relating to the internal management and operations of those agencies. In discharging that responsibility, the State Chief Information Officer, in cooperation with affected State agency heads, may:
(1) Provide for the establishment, management, and operation, through either State ownership, contract, or commercial leasing, of the following systems and services as they affect the internal management and operation of State agencies:
a. Central telephone systems and telephone networks.
b. Repealed by Session Laws 2004‑129, s. 23, effective July 1, 2004.
c. Repealed by Session Laws 2004‑129, s. 23, effective July 1, 2004.
d. Satellite services.
e. Closed‑circuit TV systems.
f. Two‑way radio systems.
g. Microwave systems.
h. Related systems based on telecommunication technologies.
i. The "State Network", managed by the Office, which means any connectivity designed for the purpose of providing Internet Protocol transport of information to any building.
(2) Coordinate the development of cost‑sharing systems for respective user agencies for their proportionate parts of the cost of maintenance and operation of the systems and services listed in subdivision (1) of this subsection.
(3) Assist in the development of coordinated telecommunications services or systems within and among all State agencies and recommend, where appropriate, cooperative utilization of telecommunication facilities by aggregating users.
(4) Perform traffic analysis and engineering for all telecommunications services and systems listed in subdivision (1) of this subsection.
(5) Pursuant to G.S. 143‑49, establish Establish telecommunications specifications and designs so as to promote and support compatibility of the systems within State agencies.
(6) Pursuant to G.S. 143‑49 and G.S. 143‑50, coordinate Coordinate the review of requests by State agencies for the procurement of telecommunications systems or services.
(7) Pursuant to G.S. 143‑341 and Chapter 146 of the General Statutes, coordinate Coordinate the review of requests by State agencies for State government property acquisition, disposition, or construction for telecommunications systems requirements.
(8) Provide a periodic inventory of telecommunications costs, facilities, systems, and personnel within State agencies.
(9) Promote, coordinate, and assist in the design and engineering of emergency telecommunications systems, including, but not limited to, the 911 emergency telephone number program, Emergency Medical Services, and other emergency telecommunications services.
(10) Perform frequency coordination and management for State agencies and local governments, including all public safety radio service frequencies, in accordance with the rules and regulations of the Federal Communications Commission or any successor federal agency.
(11) Advise all State agencies on telecommunications management planning and related matters and provide through the State Personnel Training Center or the Office of Information Technology Services training to users within State agencies in telecommunications technology and systems.
(12) Assist and coordinate the development of policies and long‑range plans, consistent with the protection of citizens' rights to privacy and access to information, for the acquisition and use of telecommunications systems, and base such policies and plans on current information about State telecommunications activities in relation to the full range of emerging technologies.
(13) Work cooperatively with the North Carolina Agency for Public Telecommunications in furthering the purpose of this section."
SECTION 4. G.S. 147‑33.92(b) reads as rewritten:
"(b) The State Chief
Information Officer shall establish switched broadband telecommunications services and permit, in addition to State agencies, cities, counties, and other local government entities, the following organizations and entities to share on a not‑for‑profit basis:
(1) Nonprofit educational institutions.
(2) MCNC.
(3) Research MCNC and research affiliates of MCNC for use only in connection with research activities sponsored or funded, in whole or in part, by MCNC, if such research activities relate to health care or education in North Carolina.
(4) Agencies of the United States government operating in North Carolina for use only in connection with activities that relate to health care or education in North Carolina.
(5) Hospitals, clinics, and other health care facilities for use only in connection with activities that relate to health care or education in North Carolina.
Provided, however, that sharing of the switched broadband telecommunications services by State agencies with entities or organizations in the categories set forth in this subsection shall not cause the State, the Office of Information Technology Services, or the MCNC to be classified as a public utility as that term is defined in G.S. 62‑3(23) a.6. Nor shall the State, the Office of Information Technology Services, or the MCNC engage in any activities that may cause those entities to be classified as a common carrier as that term is defined in the Communications Act of 1934, 47 U.S.C. § 153(10). Provided further, authority to share the switched broadband telecommunications services with the non‑State agencies set forth in subdivisions (1) through (5) of this subsection shall terminate one year from the effective date of a tariff that makes the broadband services available to any customer."
SECTION 5. G.S. 147‑33.111 reads as rewritten:
"§ 147‑33.111. State CIO approval of security standards and security assessments.
(a) Notwithstanding G.S. 143‑48.3 or any other provision of law, and except as otherwise provided by this section, all information technology security purchased using State funds, or for use by a State agency or in a State facility, shall be subject to approval by the State Chief Information Officer in accordance with security standards adopted under this Article.
(a1) The State Chief Information Officer shall conduct assessments of information system security, network vulnerability, including network penetration or any similar procedure. The State Chief Information Officer may contract with another party or parties to perform the assessments. Detailed reports of the security issues identified shall be kept confidential as provided in G.S. 132‑6.1(c).
(b) If the legislative branch, the judicial branch, The University of North Carolina and its constituent institutions, local school administrative units as defined by G.S. 115C‑5, or the North Carolina Community Colleges System develop their own security standards, taking into consideration the mission and functions of that entity, that are comparable to or exceed those set by the State Chief Information Officer under this section, then these entities may elect to be governed by their own respective security standards, and approval of the State Chief Information Officer shall not be required before the purchase of information technology security. The State Chief Information Officer shall consult with the legislative branch, the judicial branch, The University of North Carolina and its constituent institutions, local school administrative units, and the North Carolina Community Colleges System in reviewing the security standards adopted by those entities.
(c) Before a State agency may enter into any contract with another party for an assessment of information system security or network vulnerability, the State agency shall notify the State Chief Information Officer and obtain approval of the request. If the State agency enters into a contract with another party for assessment and testing, after approval of the State Chief Information Officer, the State agency shall issue public reports on the general results of the reviews. The contractor shall provide the State agency with detailed reports of the security issues identified that shall not be disclosed as provided in G.S. 132‑6.1(c). The State agency shall provide the State Chief Information Officer with copies of the detailed reports that shall not be disclosed as provided in G.S. 132‑6.1(c).
(d) Nothing in this section shall be construed to preclude the Office of the State Auditor from assessing the security practices of State information technology systems as part of that Office's duties and responsibilities."
SECTION 6. G.S. 147‑33.112 reads as rewritten:
"§ 147‑33.112. Assessment of agency compliance with security standards.
The State Chief Information Officer shall assess periodically the ability of each agency and each agency's contracted vendors to comply with the current security enterprise‑wide set of standards established pursuant to this section. The assessment shall include, at a minimum, the rate of compliance with the enterprise‑wide security standards in each agency and an assessment of each agency's security organization, security practices, security industry standards, network security architecture, and current expenditures of State funds for information technology security. The assessment of an agency shall also estimate the cost to implement the security measures needed for agencies to fully comply with the standards. Each agency subject to the standards shall submit information required by the State Chief Information Officer for purposes of this assessment. The State Chief Information Officer shall include the information obtained from the assessment in the State Information Technology Plan required under G.S. 147‑33.72B."
SECTION 7. G.S. 150B‑2(8a) reads as rewritten:
"§ 150B‑2. Definitions.
As used in this Chapter,
…
(8a) "Rule" means any agency regulation, standard, or statement of general applicability that implements or interprets an enactment of the General Assembly or Congress or a regulation adopted by a federal agency or that describes the procedure or practice requirements of an agency. The term includes the establishment of a fee and the amendment or repeal of a prior rule. The term does not include the following:
a. Statements concerning only the internal management of an agency or group of agencies within the same principal office or department enumerated in G.S. 143A‑11 or 143B‑6, including policies and procedures manuals, if the statement does not directly or substantially affect the procedural or substantive rights or duties of a person not employed by the agency or group of agencies.
b. Budgets and budget policies and procedures issued by the Director of the Budget, by the head of a department, as defined by G.S. 143A‑2 or G.S. 143B‑3, by an occupational licensing board, as defined by G.S. 93B‑1, or by the State Board of Elections.
c. Nonbinding interpretative statements within the delegated authority of an agency that merely define, interpret, or explain the meaning of a statute or rule.
d. A form, the contents or substantive requirements of which are prescribed by rule or statute.
e. Statements of agency policy made in the context of another proceeding, including:
1. Declaratory rulings under G.S. 150B‑4.
2. Orders establishing or fixing rates or tariffs.
f. Requirements, communicated to the public by the use of signs or symbols, concerning the use of public roads, bridges, ferries, buildings, or facilities.
g. Statements that set forth criteria or guidelines to be used by the staff of an agency in performing audits, investigations, or inspections; in settling financial disputes or negotiating financial arrangements; or in the defense, prosecution, or settlement of cases.
h. Scientific, architectural, or engineering standards, forms, or procedures, including design criteria and construction standards used to construct or maintain highways, bridges, or ferries.
i. Job classification standards, job qualifications, and salaries established for positions under the jurisdiction of the State Personnel Commission.
j. Establishment of the interest rate that applies to tax assessments under G.S. 105‑241.21 and the variable component of the excise tax on motor fuel under G.S. 105‑449.80.
k. The State Medical Facilities Plan, if the Plan has been prepared with public notice and hearing as provided in G.S. 131E‑176(25), reviewed by the Commission for compliance with G.S. 131E‑176(25), and approved by the Governor.
l. Standards adopted by the Office of Information Technology Services applied to information technology as defined by G.S. 147‑33.81."
SECTION 8. This act is effective when it becomes law.
In the General Assembly read three times and ratified this the 18th day of June, 2013.
s/ Tom Apodaca
Presiding Officer of the Senate
s/ Thom Tillis
Speaker of the House of Representatives
s/ Pat McCrory
Governor
Approved 4:20 p.m. this 26th day of June, 2013