Bill Summary – FastDemocracy

Existing law provides that the Governor's Technology Office within the Office of the Governor is composed of: (1) the Director's Office; (2) the Client Services Division; (3) the Computing Services Division; (4) the Network Services Division, including a Network Transport Services Unit and a Unified Communications Unit; (5) the Office of Information Security and Cyber Defense; and (6) certain other units, groups, divisions or departments deemed necessary by the Chief Information Officer. (NRS 242.080) Section 13 of this bill creates the Security Operations Center in the Office of Information Security and Cyber Defense. 
	Existing law: (1) requires the Governor's Technology Office to provide certain state agencies and elected officers with all their required design of information systems; (2) authorizes certain other state agencies to negotiate with the Office for its services or the use of its equipment; and (3) authorizes, upon request, the Office to provide certain services to state agencies not under the control of the Governor and local governmental agencies. (NRS 242.131, 242.141) Section 16 of this bill requires the Security Operations Center to provide each state agency and elected state officers with cybersecurity services, including real-time monitoring of cyberinfrastructure, threat mitigation, incident response and cybersecurity enforcement. Sections 16 and 30 of this bill reorganize provisions that authorize certain state agencies and local governmental agencies to use the equipment and services of the Governor's Technology Office. Section 16 also requires any local governmental agency which has agreed to use the equipment or services of the Governor's Technology Office to apply to the Chief to withdraw from such use. Section 10 of this bill revises the definition of “local governmental agency” to include the board of trustees of a school district, which has the effect of authorizing the board of trustees of a school district to use the services of the Governor's Technology Office pursuant to section 16. Section 11 of this bill amends the definition of “using agency” so that the term includes any state agency, elected state officer or local governmental agency that uses the services or equipment of the Office.
	Section 2 of this bill requires the Security Operations Center to develop certain policies and procedures to: (1) combat the increasing threats to using agencies posed by cybercriminals; (2) protect sensitive data in the possession of a using agency; and (3) ensure a coordinated and rapid response to any cybersecurity incident that affects a using agency. Section 3 of this bill provides that if a using agency does not comply with the cybersecurity policies and protocols developed by the Security Operations Center, the Chief may impose additional oversight or audit requirements on the using agency relating to cybersecurity. 
	Section 4 of this bill creates the Account for the Security Operations Center in the State General Fund to be administered by the Chief. Section 4 requires the money in the Account to be used for the purposes of supporting and carrying out the duties of the Security Operations Center. Section 4 also authorizes the Security Operations Center to serve as a fiscal agent to pool federal grant funds for the purposes of cybersecurity support and infrastructure development.
	Section 5 of this bill requires the Security Operations Center to collaborate with the Office of Information Security and Cyber Defense to enhance communication and coordination of incident responses to cyber threats or cyberattacks on information systems.
	Section 6 of this bill requires the Security Operations Center to prepare and submit an annual report to the Governor, Attorney General and the Director of the Legislative Counsel Bureau for transmission to the Legislature that includes certain information relating to the duties of the Security Operations Center.
	Section 7 of this bill provides that the provisions of the Nevada Revised Statutes relating to information services do not impair or affect existing agreements with a federally recognized Indian tribe and that any interlocal agreement entered into must respect the sovereign governance of the tribe and provide for jointly agreed upon data protocols.
	To the extent that funding is available, section 8 of this bill requires the Security Operations Center, in collaboration with the Nevada System of Higher Education, to develop the Cybersecurity Talent Pipeline Program.
	Section 9 of this bill amends the definition of “information service,” as provided by the Office to a using agency, to include the real-time monitoring of cyberinfrastructure, threat mitigation, incident response and cybersecurity enforcement.
	Existing law makes certain legislative determinations and declarations relating to the purpose of the Governor's Technology Office. (NRS 242.071) Section 12 of this bill revises these determinations and declarations to include performing information services for using agencies. 
	Existing law provides that certain documents assembled, maintained, overseen or prepared by the Governor's Technology Office to mitigate, prevent or respond to acts of terrorism are confidential. (NRS 242.105) Section 14 of this bill provides that certain documents relating to the cybersecurity of a using agency are also confidential.
	Existing law requires the Chief to adopt certain regulations relating to information systems of certain state agencies. (NRS 242.111) Section 15 of this bill instead requires the Chief to adopt certain regulations relating to information systems of using agencies.
	Existing law requires the Chief to advise using agencies regarding the policy for information services of the Executive Branch of Government. (NRS 242.151) Section 17 of this bill requires the Chief to instead advise the using agencies of the policy for information services of the Governor's Technology Office.
	Existing law provides that all equipment of an agency or elected state officer which is owned or leased by the State must be under the managerial control of the Office. (NRS 242.161) Section 18 of this bill: (1) provides instead that all equipment of a using agency which is owned or leased by the State must be under the managerial control of the Office; (2) prohibits the Security Operations Center from assuming operational control of the equipment or software systems of a using agency; and (3) requires the Security Operations Center to provide to a using agency standards and policies for the equipment or software systems to be deployed by the Security Operations Center, which must be agreed upon in writing before the Security Operations Center provides services.
	Section 19 of this bill provides that the Office is responsible for any application of an information system which it furnishes to using agencies. 
	Section 20 of this bill requires: (1) any using agency which uses the equipment or services of the Office to adhere to the regulations, standards, practices, policies and conventions of the Office; and (2) each using agency to report certain information relating to certain suspected incidents to the Office of Information Security and Cyber Defense and the Security Operations Center.
	Existing law requires the Deputy Director of the Office of Information Security and Cyber Defense to investigate and resolve any breach of an information system of a state agency or elected officer that uses the equipment or services of the Governor's Technology Office. (NRS 242.183) Section 21 of this bill requires instead that the Deputy Director, in consultation with the Security Operations Center, investigate and resolve any breach of an information system of a using agency.
	Existing law authorizes the Governor to proclaim the existence of a state of emergency or a declaration of disaster if the Governor in his or her proclamation finds that certain events, including a technological or man-made emergency or disaster of major proportions, have actually occurred in this State and that the safety and welfare of the inhabitants of this State require such a proclamation. (NRS 414.070) If the Governor has made such a proclamation concerning a critical cybersecurity incident, section 21 authorizes the Governor to authorize the information technology personnel of using agencies of the Executive Branch to report directly to the Chief.
	Existing law provides that the amount receivable from a state agency or officer or local governmental agency which uses the services of the Governor's Technology Office must be determined by the Chief. (NRS 242.191) Section 22 of this bill provides instead that the amount receivable from a using agency which uses the services or equipment of the Office must be determined by the Chief. 
	Section 23 of this bill requires each using agency using the services or equipment of the Office to pay a fee for such use to the Fund for Information Services.
	Section 24 of this bill makes an appropriation to the Office of Finance in the Office of the Governor for the Governor's Technology Office within the Office of the Governor for investments related to cybersecurity. Sections 25-27 of this bill make appropriations to the Office of Finance in the Office of the Governor for a loan to the Governor's Technology Office within the Office of the Governor to cover a shortfall in revenues for certain divisions and offices within the Governor's Technology Office.
Statutes affected: 
As Introduced: 242.055, 242.061, 242.068, 242.071, 242.080, 242.105, 242.111, 242.131, 242.151, 242.161, 242.171, 242.181, 242.183, 242.191, 242.211, 242.141