Bill Summary – FastDemocracy

H-2641.1
                       SECOND SUBSTITUTE HOUSE BILL 2044
     State of Washington         67th Legislature     2022 Regular Session
     By House Appropriations (originally sponsored by Representatives
     Boehnke, Hackney, Fitzgibbon, Kloba, Ormsby, Sutherland, Ramel, and
     Young)
     READ FIRST TIME 02/07/22.
      AN ACT Relating to the protection of critical constituent and
  state operational data against the financial and personal harm caused
  by ransomware and other malicious cyber activities; amending RCW
  43.105.054 and 43.105.220; reenacting and amending RCW 43.105.020;
  adding new sections to chapter 43.105 RCW; adding a new section to
  chapter 42.56 RCW; and creating new sections.
 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:
     NEW SECTION.   Sec. 1.   Washington state branches of government,
 agencies, boards, and commissions manage and protect highly sensitive
 data in order to best serve constituents. The data managed by public
 entities is a high value target for domestic and international
 perpetrators of for-profit ransomware and other malicious cyber
 activities. Breaches in data security prevent state agencies from
 protecting   confidential   and   sensitive  information  stored   in
 technology systems. In the absence of immutable data backup
 capabilities and reliable disaster recovery practices, state agency
 information technology systems are vulnerable to such breaches in
 security. The legislature finds that enterprise technology programs,
 standards, and policies have been developed for data backup and
 recovery   practices   that  agencies   must  implement  to   protect
 confidential and sensitive information contained in enterprise and
                                       p. 1                         2SHB 2044
 individual agencies' information technology systems. The legislature
 further finds that the availability of an enterprise identity
 management solution, the active promotion of cybersecurity awareness
 practices, readiness of state resources for incident management, and
 the availability of immutable data backups of critical, sensitive,
 and confidential data are the best protection that the state can
 offer to combat ransomware and other malicious cyber activities. The
 legislature recognizes that action must be taken at each state agency
 to ensure data backup and disaster recovery practices are consistent
 with enterprise technology standards and is aware that additional
 investments in technology, training, and personnel will be needed.
     NEW SECTION. Sec. 2.   A new section is added to chapter 43.105
 RCW to read as follows:
     (1) The office shall design, develop, and implement enterprise
 technology standards specific to malware and ransomware protection,
 backup, and recovery, as well as prevention education for state
 employees and constituents using state technology services.
     (2)(a) The office shall establish a ransomware education and
 outreach   program  dedicated   to   educating  public   agencies  on
 prevention, response, and remediation of ransomware.
     (b) The office shall document, publish, and distribute ransomware
 response educational materials specifically for chief executive
 officers, chief financial officers, chief information officers, and
 chief information security officers, or their equivalents, to each
 state agency, board, and commission, which outlines specific steps to
 take in the event of a malware attack. Distribution of materials must
 be determined at the discretion of the office.
     (3) Each state agency must ensure that all mission critical
 applications, business essential applications, and other resources
 containing data that requires special handling, as defined in
 enterprise technology standards developed pursuant to RCW 43.105.054,
 must be protected.
     (4)(a) Each state agency must perform an assessment of all their
 applications and resources containing data and report to the office
 the sizing of managed data to include identifying mission critical
 applications, business essential applications, and categorizing all
 data attributes, as defined in enterprise technology standards
 developed pursuant to RCW 43.105.054, and develop a list of
 prioritized applications based on mission criticality and impact to
                                     p. 2                        2SHB 2044
 constituents in the event of system failure or data loss and submit
 the list to the office.
     (b) Each state agency must submit the sizing of managed data and
 the list required in (a) of this subsection to the office by
 September 30, 2022.
     (5)(a) The office must analyze and aggregate data reported
 pursuant to subsection (4) of this section.
     (b) By October 31, 2023, the office must submit a report to the
 governor and the appropriate committees of the legislature on the
 following:
     (i) The total number of mission critical applications, the total
 amount of data associated with each mission critical application, the
 percentage of mission critical applications with immutable backups,
 the estimated annual data change and growth rates for each mission
 critical application, the percentage of mission critical applications
 that undergo annual continuity of operations exercises, and the
 percentage that meet enterprise technology standards;
     (ii) The total number of business essential applications, the
 total amount of data associated with each business essential
 application, the estimated annual data change and growth rates for
 each business essential application, the percentage of business
 essential applications with immutable backups, the percentage of
 business essential applications that undergo annual continuity of
 operations exercises, and the percentage that meet backup and
 recovery standards of the office;
     (iii) The percentage of applications with catalogued and
 categorized data;
     (iv) Prioritized applications identified by each state agency as
 required in subsection (4)(a) of this section; and
     (v) Recommendations for further legislation, rules, and policy
 that will increase protections against ransomware.
     (6) Agencies must ensure that all mission critical applications,
 business essential applications, and other resources containing
 category 3 and category 4 data are protected in accordance with
 enterprise technology standards developed under RCW 43.105.054.
     (7) The office of financial management, department of enterprise
 services, and consolidated technology services agency must ensure
 that all mission critical and business essential information
 technology   systems,  in   accordance   with  enterprise   technology
 standards developed under RCW 43.105.054, are compliant with the
                                     p. 3                        2SHB 2044
 provisions of this act and are supported by immutable backups by
 December 31, 2025.
     (8) The office shall provide ongoing assistance to the
 legislature by identifying mission critical systems, as defined in
 enterprise technology standards, that do not maintain backup and
 recovery capabilities and may require further investment to do so.
 The office shall modify existing portfolio reporting mechanisms
 already in place to support the collection of relevant data necessary
 to baseline and monitor risk associated with malware and ransomware
 protections as prescribed by this act. The agency-reported data must
 be analyzed for risk and used to provide the legislature with a
 prioritized list of mission critical systems that require additional
 protections to maintain continuity of operations in the event of
 malicious cyber activity.
     (9) The reports produced and information compiled pursuant to
 subsection (5) of this section are confidential and may not be
 disclosed under chapter 42.56 RCW.
     (10) This section does not apply to institutions of higher
 education.
     NEW SECTION. Sec. 3. A new section is added to chapter 43.105
 RCW to read as follows:
     (1) The information technology security account is created in the
 custody of the state treasurer. All receipts from legislative
 appropriations to the account must be deposited in the account.
 Expenditures from the account may only be used for the purposes
 specified in subsection (2) of this section. Only the director of the
 consolidated technology services agency or the director's designee
 may authorize expenditures from the account. The account is subject
 to allotment procedures under chapter 43.88 RCW, but an appropriation
 is not required for expenditures.
     (2) State agencies may apply to the consolidated technology
 services agency to receive a disbursement from the account for the
 purposes of procuring immutable data backup and disaster recovery
 services for mission critical and business essential applications or
 other critical information technology systems. When selecting
 agencies to receive disbursements from the account, the consolidated
 technology services agency must consider the agency's prioritized
 application list created under section 2 of this act, in order to
                                     p. 4                        2SHB 2044
  ensure that funding is allocated to protecting the most vulnerable
  systems containing the most sensitive public information.
      (3) Moneys in the account must supplement, and may supplant,
  existing funding to the consolidated technology services agency or
  the office of the state chief information officer.
     NEW SECTION.   Sec. 4. A new section is added to chapter 42.56
 RCW to read as follows:
     The reports and information compiled pursuant to section 2 (4)
 and (5)(b) of this act are confidential and may not be disclosed
 under this chapter.
     Sec. 5. RCW 43.105.020 and 2021 c 176 s 5223 and 2021 c 40 s 2
 are each reenacted and amended to read as follows:
     The definitions in this section apply throughout this chapter
 unless the context clearly requires otherwise.
     (1) "Agency" means the consolidated technology services agency.
     (2) "Board" means the technology services board.
     (3) "Cloud computing" has the same meaning as provided by the
 special publication 800-145 issued by the national institute of
 standards and technology of the United States department of commerce
 as of September 2011 or its successor publications.
     (4) "Customer agencies" means all entities that purchase or use
 information technology resources, telecommunications, or services
 from the consolidated technology services agency.
     (5) "Director" means the state chief information officer, who is
 the director of the consolidated technology services agency.
     (6) "Enterprise architecture" means an ongoing activity for
 translating business vision and strategy into effective enterprise
 change. It is a continuous activity. Enterprise architecture creates,
 communicates, and improves the key principles and models that
 describe the enterprise's future state and enable its evolution.
     (7) "Equipment" means the machines, devices, and transmission
 facilities used in information processing, including but not limited
 to computers, terminals, telephones, wireless communications system
 facilities, cables, and any physical facility necessary for the
 operation of such equipment.
     (8) "Information" includes, but is not limited to, data, text,
 voice, and video.
                                     p. 5                        2SHB 2044
     (9) "Information security" means the protection of communication
 and information resources from unauthorized access, use, disclosure,
 disruption, modification, or destruction in order to:
     (a) Prevent improper information modification or destruction;
     (b) Preserve authorized restrictions on information access and
 disclosure;
     (c) Ensure timely and reliable access to and use of information;
 and
     (d) Maintain the confidentiality, integrity, and availability of
 information.
     (10) "Information technology" includes, but is not limited to,
 all electronic technology systems and services, automated information
 handling, system design and analysis, conversion of data, computer
 programming, information storage and retrieval, telecommunications,
 requisite system controls, simulation, electronic commerce, radio
 technologies, and all related interactions between people and
 machines.
     (11) "Information technology portfolio" or "portfolio" means a
 strategic management process documenting relationships between agency
 missions    and   information    technology   and   telecommunications
 investments.
     (12) "K-20 network" means the network established in RCW
 43.41.391.
     (13) "Local governments" includes all municipal and quasi-
 municipal corporations and political subdivisions, and all agencies
 of such corporations and subdivisions authorized to contract
 separately.
     (14) "Office" means the office of the state chief information
 officer within the consolidated technology services agency.
     (15) "Oversight" means a process of comprehensive risk analysis
 and management designed to ensure optimum use of information
 technology resources and telecommunications.
     (16) "Proprietary software" means that software offered for sale
 or license.
     (17) "Public agency" means any agency of this state or another
 state; any political subdivision or unit of local government of this
 state or another state including, but not limited to, municipal
 corporations,    quasi-municipal    corporations,   special    purpose
 districts, and local service districts; any public benefit nonprofit
                                     p. 6                        2SHB 2044
 corporation; any agency of the United States; and any Indian tribe
 recognized as such by the federal government.
     (18) "Public benefit nonprofit corporation" means a public
 benefit nonprofit corporation as defined in RCW 24.03A.245 that is
 receiving local, state, or federal funds either directly or through a
 public agency other than an Indian tribe or political subdivision of
 another state.
     (19) "Public record" has the definitions in RCW 42.56.010 and
 chapter 40.14 RCW and includes legislative records and court records
 that are available for public inspection.
     (20) "Public safety" refers to any entity or services that ensure
 the welfare and protection of the public.
     (21) "Security incident" means an accidental or deliberative
 event that results in or constitutes an imminent threat of the
 unauthorized access, loss, disclosure, modification, disruption, or
 destruction of communication and information resources.
     (22) "State agency" means every state office, department,
 division, bureau, board, commission, or other state agency, including
 offices headed by a statewide elected official.
     (23) "Telecommunications" includes, but is not limited to,
 wireless or wired systems for transport of voice, video, and data
 communications, network systems, requisite facilities, equipment,
 system controls, simulation, electronic commerce, and all related
 interactions between people and machines.
     (24) "Utility-based infrastructure services" includes personal
 computer   and   portable   device   support,   servers   and   server
 administration, security administration, network administration,
 telephony, email, and other information technology services commonly
 used by state agencies.
     (25) "Immutable" means data that is stored unchanged over time or
 unable to be changed. For the purposes of backups, this means that,
 once ingested, no external or internal operation can modify the data
 and must never be available in a read/write state to the client.
 "Immutable"   specifically   applies   to  the   characteristics   and
 attributes of a backup system's file system and may not be applied to
 temporary systems state, time-bound or expiring configurations, or
 temporary conditions created by a physical air gap as is implemented
 in most legacy systems. An immutable file system must demonstrate
 characteristics that do not permit the editing or changing of any
                                     p. 7                        2SHB 2044
 data    backed up   to  provide    agencies  with  absolute  recovery
 capabilities.
     (26) "Malicious cyber activities" means activities, other than
 those authorized by or in accordance with United States law, that
 seek to compromise or impair the confidentiality, integrity, or
 availability of computers, information or communications systems,
 networks, physical or virtual infrastructure controlled by computers
 or information systems, or information resident thereon.
      (27) "Ransomware" means any type of malicious software code,
 executable, application, payload, or digital content designed to
 encrypt, steal, exfiltrate, delete, destroy, or deny access to any
 data, databases, systems, applications, networks, data centers, cloud
 computing environment, cloud service, or other mission critical or
 business essential infrastructure.
     Sec. 6.   RCW 43.105.054 and 2021 c 291 s 9 are each amended to
 read as follows: