HB 425-FN - AS INTRODUCED 2021 SESSION 21-0546 05/08 HOUSE BILL 425-FN AN ACT establishing the position of chief information security officer and deputy chief information security officer in the department of information technology. SPONSORS: Rep. L. Ober, Hills. 37 COMMITTEE: Executive Departments and Administration ───────────────────────────────────────────────────────────────── ANALYSIS This bill establishes the positions of chief information security officer and deputy chief information security officer in the department of information technology. --------------------------------------------------------------------------- Explanation: Matter added to current law appears in bold italics. Matter removed from current law appears [in brackets and struckthrough.] Matter which is either (a) all new or (b) repealed and reenacted appears in regular type. HB 425-FN - AS INTRODUCED 21-0546 05/08 STATE OF NEW HAMPSHIRE In the Year of Our Lord Two Thousand Twenty One AN ACT establishing the position of chief information security officer and deputy chief information security officer in the department of information technology. Be it Enacted by the Senate and House of Representatives in General Court convened: 1 1 New Section; Department of Information Technology; Positions Established. Amend RSA 21-R 2 by inserting after section 3 the following new section: 3 21-R:3-a Chief Information Security Officer and Deputy Chief Information Security Officer; 4 Positions Established. The commissioner of the department of information technology shall appoint 5 a chief information security officer (CISO) and a deputy CISO with the advice and consent of the 6 information technology council, established in RSA 21-R:6, and the director of homeland security and 7 emergency management. The CISO and deputy CISO shall be qualified to hold the position by 8 reason of education and experience, and shall perform such duties as assigned by the commissioner, 9 which may include, but not be limited to, the authority and power with approval of the commissioner 10 to direct and oversee the cybersecurity functions and security posture of the department of 11 information technology and executive branch agencies. The CISO and deputy CISO shall serve 12 continuously until resignation or replacement. 13 2 Chief Information Security Officer; Deputy Chief Information Security Officer; Salary. The 14 salaries for the unclassified positions established in section 1 of this act shall be determined after 15 assessment and review of the appropriate temporary letter grade allocation in RSA 94:1-a, I(b), 16 which shall be conducted pursuant to RSA 94:1-d and RSA 14:14-c. 17 3 New Paragraphs; Department of Information Technology; Technical Committees. Amend RSA 18 21-R:7 by inserting after paragraph VI the following new paragraphs: 19 VII. Cyber security. 20 VIII. Cloud technologies or strategies. 21 4 New Section; Cyber security Advisory Committee. Amend RSA 21-R by inserting after section 22 15 the following new section: 23 21-R:16 Cybersecurity Advisory Committee 24 I. There is hereby established the cybersecurity advisory committee (CAC) which shall be 25 chaired by the chief information security officer. 26 II. The committee shall advise the commissioner or the commissioner's designee on 27 cybersecurity concerns, promote awareness, develop effective policies and solutions, and obtain 28 consensus on enterprise-wide initiatives that advance the cybersecurity of information assets and 29 technology resources. HB 425-FN - AS INTRODUCED - Page 2 - 1 III. All executive departments and agencies shall identify and appoint an employee with 2 cybersecurity responsibilities to spearhead agency cybersecurity matters including information 3 security, confidentiality, privacy, and regulatory compliance, and to represent the agency on the 4 CAC. Contributors to the CAC may include representatives with cybersecurity responsibilities from 5 the New Hampshire National Guard, New Hampshire political subdivisions, academic institutions, 6 and select private industry representatives as identified by the CAC. 7 5 Effective Date. This act shall take effect July 1, 2021. LBA 21-0546 1/6/21 HB 425-FN- FISCAL NOTE AS INTRODUCED AN ACT establishing the position of chief information security officer and deputy chief information security officer in the department of information technology. FISCAL IMPACT: [ X ] State [ ] County [ ] Local [ ] None Estimated Increase / (Decrease) STATE: FY 2021 FY 2022 FY 2023 FY 2024 Appropriation $0 Indeterminable Indeterminable Indeterminable Revenue $0 $0 $0 $0 Expenditures $0 Indeterminable Indeterminable Indeterminable Funding Source: [ X ] General [ ] Education [ ] Highway [ X ] Other METHODOLOGY: This bill establishes the position of chief information security officer and deputy chief information security officer in the department of information technology. The commissioner of the department of information technology shall appoint a chief information security officer (CISO) and a deputy CISO with the advice and consent of the information technology council, established in RSA 21-R:6, and the director of homeland security and emergency management. The salaries for these unclassified positions shall be determined after assessment and review of the appropriate temporary letter grade allocation in RSA 94:1-a, I(b), which shall be conducted pursuant to RSA 94:1-d and RSA 14:14-c. The unclassified positions of chief information security officer and deputy chief information security officer currently exist and are fully funded, but are subject to a different appointment process. Because the bill does not transfer existing appropriations and abolish the existing positions, the legislation creates duplicative positions. AGENCIES CONTACTED: Department of Information Technology Statutes affected: Introduced: 21-R:7 Ought to Pass: 21-R:7 latest version: 21-R:7