Existing law provides that the Office of the Chief Information Officer within the Office of the Governor is composed of: (1) the Administration Unit; (2) the Client Services Unit; (3) the Computing Services Unit; (4) the Network Services Unit, including a Network Transportation Services Group and a Telecommunications Group; (5) the Office of Information Security; and (6) certain other units, groups, divisions or departments deemed necessary by the Chief Information Officer. (NRS 242.080) Section 12 of this bill creates the Security Operations Center in the Office of the Chief Information Officer.
Existing law: (1) requires the Office to provide certain state agencies and elected officers with all their required design of information systems; (2) authorizes certain other state agencies to negotiate with the Office for its services or the use of its equipment; and (3) authorizes, upon request, the Office to provide certain services to state agencies not under the control of the Governor and local governmental agencies. (NRS 242.131, 242.141) Section 15 of this bill requires the Security Operations Center to provide certain state agencies and elected officers with cybersecurity services, including real-time monitoring of cyberinfrastructure, threat mitigation, incident response and cybersecurity enforcement. Sections 15 and 24 of this bill reorganize provisions that authorize certain state agencies and local governmental agencies to use the equipment and services of the Office. Section 9 of this bill revises the definition of “local governmental agency” to include the board of trustees of a school district, which has the effect of authorizing the board of trustees of a school district to use the services of the Office pursuant to section 15. Section 10 of this bill amends the definition of “using agency” so that the term includes any state agency, state officer or local governmental agency that uses the services and equipment of the Office.
Section 2 of this bill requires the Security Operations Center to develop certain policies and procedures to: (1) combat the increasing threats to using agencies posed by cybercriminals; (2) protect sensitive data in the possession of a using agency; and (3) ensure a coordinated and rapid response to any cybersecurity incident that affects a using agency.
Section 3 of this bill provides that if a using agency does not comply with the cybersecurity policies and protocols developed by the Security Operations Center, the Chief may: (1) impose additional oversight or audit requirements on the using agency relating to cybersecurity; (2) restrict the using agency's access to the equipment of the Office until the using agency is back in compliance; or (3) charge the using agency an additional amount for the using agency's continued use of the equipment and services of the Office.
Section 4 of this bill authorizes the Chief to apply for and accept federal grants for purposes of supporting and carrying out the duties of the Security Operations Center.
Section 5 of this bill requires the Security Operations Center to collaborate with the Nevada Office of Cyber Defense Coordination to enhance communication and coordination of incident responses to cyber threats or cyberattacks on information systems.
Section 6 of this bill requires the Security Operations Center to submit an annual report to the Governor, Attorney General and the Director of the Legislative Counsel Bureau for transmission to the Legislature that includes certain information relating to the duties of the Security Operations Center.
Section 7 of this bill requires the Security Operations Center, in collaboration with the Nevada System of Higher Education, to develop the Cybersecurity Talent Pipeline Program.
Section 8 of this bill amends the definition of “information service,” as provided by the Office to a using agency, to include the real-time monitoring of cyberinfrastructure, threat mitigation, incident response and cybersecurity enforcement.
Existing law makes certain legislative determinations and declarations relating to the creation and purpose of the Office. (NRS 242.071) Section 11 of this bill revises these determinations and declarations to include performing information services for using agencies and to eliminate the limitation on the Office providing administrative control of the informational systems of using agencies.
Existing law provides that certain documents relating to homeland security that are assembled, maintained, overseen or prepared by the Office to mitigate, prevent or respond to acts of terrorism are confidential. (NRS 242.105) Section 13 of this bill provides that certain documents relating to the cybersecurity of a using agency are also confidential.
Existing law requires the Chief to adopt certain regulations relating to information systems of certain state agencies. (NRS 242.111) Section 14 of this bill instead requires the Chief to adopt certain regulations relating to information systems of using agencies.
Existing law requires the Chief to advise using agencies regarding the policy for information services of the Executive Branch of Government. (NRS 242.151) Section 16 of this bill instead requires the Chief to advise the using agencies of the policy for information services of the Office.
Existing law provides that all equipment of an agency or elected state officer which is owned or leased by the State must be under the managerial control of the Office. (NRS 242.161) Section 17 of this bill provides instead that all equipment of a using agency which is owned or leased by the State must be under the managerial control of the Office.
Section 18 of this bill provides that the Office is responsible for any application of an information system which it furnishes to using agencies.
Section 19 of this bill requires: (1) any using agency which uses the equipment or services of the Office to adhere to the regulations, standards, practices, policies and conventions of the Office; and (2) each using agency to report certain suspected incidents to the Security Operations Center.
Existing law requires the Chief to investigate and resolve any breach of an information system of a state agency or elected officer that uses the equipment or services of the Office. (NRS 242.183) Section 20 of this bill requires instead that the Chief, in consultation with the Security Operations Center, investigate and resolve any breach of an information system of a using agency.
Existing law provides that the amount receivable from a state agency or officer or local governmental agency which uses the service of the Office must be determined by the Chief. (NRS 242.191) Section 21 of this bill provides instead that the amount receivable from a using agency which uses the services or equipment of the Office must be determined by the Chief and that the amount will include the annual expenses of the cybersecurity services provided by the Security Operations Center.
Section 22 of this bill requires each using agency using the services and equipment of the Office to pay a fee to the Fund for Information Services.
Statutes affected: As Introduced: 242.055, 242.061, 242.068, 242.071, 242.080, 242.105, 242.111, 242.131, 242.151, 242.161, 242.171, 242.181, 242.183, 242.191, 242.211, 242.141
BDR: 242.055, 242.061, 242.068, 242.071, 242.080, 242.105, 242.111, 242.131, 242.151, 242.161, 242.171, 242.181, 242.183, 242.191, 242.211, 242.141