LB651 LB651
2023 2023
LEGISLATURE OF NEBRASKA
ONE HUNDRED EIGHTH LEGISLATURE
FIRST SESSION
LEGISLATIVE BILL 651
Introduced by McDonnell, 5.
Read first time January 18, 2023
Committee: Appropriations
1 A BILL FOR AN ACT relating to appropriations for cybersecurity; to state
2 findings; to provide duties for the office of Chief Information
3 Officer relating to cybersecurity; to provide funding for enhancing
4 political subdivisions' cybersecurity; and to declare an emergency.
5 Be it enacted by the people of the State of Nebraska,
-1-
LB651 LB651
2023 2023
1 Section 1. (1) For purposes of this section:
2 (a) Office means the office of the Chief Information Officer; and
3 (b) Political subdivision means villages, cities, counties, school
4 districts, educational service units, and natural resource districts.
5 (2) The Legislature hereby finds and declares that:
6 (a) Cybersecurity is a growing problem for the State of Nebraska and
7 its political subdivisions;
8 (b) The office of Chief Information Officer is constrained in its
9 cybersecurity efforts due to its lack of General Fund appropriations from
10 the Nebraska Legislature. Therefore, the office relies entirely on
11 charging state agencies for services, resulting in increased costs for
12 state agencies;
13 (c) The office, the state, and political subdivisions face
14 sophisticated attacks from cyber adversaries and must act to defend
15 networks, systems, and data from such attacks;
16 (d) The office must have access to the most advanced tools,
17 software, and services, to combat cyber threats against the state and its
18 political subdivisions;
19 (e) The state and its executive agencies contract with thousands of
20 vendors, each of which could pose a cybersecurity threat to the state and
21 the services that Nebraska residents rely upon. As such, the Chief
22 Information Officer must have insight into the cybersecurity
23 vulnerabilities of entities doing business with the state; and
24 (f) In addressing these issues, the office will need to establish
25 strategic partnerships and contracts with companies that are in
26 compliance with state and federal cybersecurity standards.
27 (3) It is the intent of the Legislature to appropriate twenty
28 million dollars of General Funds annually beginning in FY2023-24 to
29 Agency 65, Department of Administrative Services, Program 172,
30 Information Management Services Division, for the purposes of
31 cybersecurity activities described in this section.
-2-
LB651 LB651
2023 2023
1 (4)(a) The office shall work to:
2 (i) Support cybersecurity preparedness activities;
3 (ii) Procure tools, hardware, software, or services, that enhance or
4 expand the cybersecurity defense and response capabilities of the state;
5 (iii) Strengthen and expand cyber risk management activities for the
6 state;
7 (iv) Expand vulnerability monitoring, identification, and
8 management;
9 (v) Increase and maintain cyber incident response capabilities;
10 (vi) Promote cybersecurity training and awareness within the state;
11 and
12 (vii) Support cybersecurity workforce development within the state;
13 (b) It is the intent of the Legislature that of the appropriation
14 described in subsection (3) of this section, three million dollars of
15 such appropriation be used annually for purposes of this subsection,
16 including up to one million dollars in total expenditures for permanent
17 and temporary salaries and per diems.
18 (5)(a) The office shall work to secure and remediate the
19 cybersecurity vulnerabilities within the vendor ecosystems of vendors
20 contracted with the state, executive agencies, and political subdivisions
21 by contracting with a software provider that will:
22 (i) Provide the office access to publicly observable cybersecurity
23 vulnerabilities of state and executive agencies vendors. Such information
24 shall be updated daily to ensure action may be taken if deemed necessary
25 by the Chief Information Officer;
26 (ii) Notify state executive agencies' vendors of specific
27 vulnerabilities, as defined by the Chief Information Officer, and track
28 the remediation efforts of vendors deemed critical by the Chief
29 Information Officer; and
30 (iii) Provide political subdivisions the ability to monitor publicly
31 observable cybersecurity vulnerabilities of themselves and their vendor
-3-
LB651 LB651
2023 2023
1 ecosystems and training classes on managing their cybersecurity vendor
2 ecosystems.
3 (b) It is the intent of the Legislature that of the appropriation
4 described in subsection (3) of this section, eight million dollars of
5 such appropriation be used annually for purposes of this subsection.
6 (6)(a) A program is created to provide political subdivisions the
7 ability to upgrade critical information technology infrastructure. The
8 program shall be administered by the office.
9 (b) A political subdivision may apply for funding under this
10 subsection by submitting an application to the office in a form and
11 manner prescribed by the office.
12 (c) The office shall develop eligibility criteria under this
13 subsection. At a minimum, the eligibility criteria shall require a
14 political subdivision to document how the money will be used to fulfill
15 the purposes and requirements set forth in subdivision (6)(d) of this
16 section.
17 (d) A political subdivision awarded money under this subsection
18 shall use such money to upgrade critical information technology
19 infrastructure of the political subdivision, improve training on
20 cybersecurity, and work toward compliance with nationally recognized
21 cybersecurity frameworks and other cybersecurity objectives outlined by
22 the Chief Information Officer.
23 (e) The office may adopt and promulgate rules and regulations to
24 carry out this subsection, including, but not limited to, defining what
25 qualifies as critical information technology infrastructure, setting
26 parameters for cybersecurity training, selecting cybersecurity
27 frameworks, and methods and metrics for determining political
28 subdivisions' progress toward compliance with such frameworks.
29 (f) Each fiscal year, money remaining in the program that is not
30 provided to political subdivisions due to a lack of qualifying applicants
31 or projects may be used by the office to upgrade the state's critical
-4-
LB651 LB651
2023 2023
1 information technology infrastructure.
2 (g) It is the intent of the Legislature that of the appropriation
3 described in subsection (3) of this section, four million five hundred
4 thousand dollars of such appropriation be used annually for purposes of
5 this subsection, including up to five hundred thousand dollars in total
6 expenditures for permanent and temporary salaries and per diems.
7 (7)(a) The office shall purchase software and services, including,
8 but not limited to, identity access management, cybersecurity incident
9 response capabilities, cybersecurity training, and other activities that
10 promote cybersecurity, and make such software and services available to
11 political subdivisions at no cost. The Chief Information Officer may
12 include services to be used by the state and state agencies as long as
13 the contracted software or services are offered to political subdivisions
14 at no charge.
15 (b) It is the intent of the Legislature that of the appropriation
16 described in subsection (3) of this section, four million five hundred
17 thousand dollars of such appropriation be used annually for purposes of
18 this subsection, including up to two hundred fifty thousand dollars in
19 total expenditures for permanent and temporary salaries and per diems.
20 (8) In negotiating contracts for this section, the office shall, if
21 practicable, use vendors associated with existing procurement contracts
22 with the office.
23 (9) Any person that the office enters into a contract with to
24 purchase software or services pursuant to this section shall:
25 (a) Be headquartered in the United States;
26 (b) Be in good standing in this state; and
27 (c) Have demonstrated the ability to achieve the "Ready" stage in
28 the Federal Risk and Authorization Management Program (FedRAMP)
29 certification process, as determined by the office.
30 Sec. 2. Since an emergency exists, this act takes effect when
31 passed and approved according to law.
-5-