This bill mandates the establishment of a Chief Information Security Officer (CISO) for the Department of Information Technology. The CISO will be appointed by the commissioner of the department and must be qualified by education and experience. The CISO's responsibilities will include overseeing the formulation and implementation of cybersecurity and information security strategies, policies, procedures, and standards across the executive branch of the state government. Additionally, the bill amends RSA 21-R:3 to include the CISO in the list of positions whose salaries are specified in RSA 94:1-a.
The bill also introduces a new section, RSA 21-R:4-a, which outlines the specific duties of the Chief Information Security Officer. These duties encompass chairing the cybersecurity advisory committee, developing and managing the statewide cyber disruption plan, staffing and training for emergency support functions, and providing expertise and security metrics to the executive branch. The CISO will also be responsible for risk assessments, vulnerability assessments, penetration tests, and information security risk assessments of third parties. Furthermore, the CISO will serve as the chief of the New Hampshire Cyber Integration Center. The act is set to take effect 60 days after its passage, with an effective date of August 29, 2023.
Statutes affected:
Introduced: 21-R:3, 21-R:4
Version adopted by both bodies: 21-R:3, 21-R:4
CHAPTERED FINAL VERSION: 21-R:3, 21-R:4