PRIOR PRINTER'S NOS. 1189, 1689
PRINTER'S NO. 1773
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL No. 1139
Session of 2023
INTRODUCED BY KENYATTA, MADDEN, GALLOWAY, RABB, SANCHEZ,
SAMUELSON, D. WILLIAMS, SOLOMON, PARKER, SHUSTERMAN, TAKAC,
PISCIOTTANO AND WEBSTER, MAY 8, 2023
AS AMENDED ON SECOND CONSIDERATION, HOUSE OF REPRESENTATIVES,
JUNE 28, 2023
AN ACT
Amending the act of April 9, 1929 (P.L.177, No.175), entitled
"An act providing for and reorganizing the conduct of the
executive and administrative work of the Commonwealth by the
Executive Department thereof and the administrative
departments, boards, commissions, and officers thereof,
including the boards of trustees of State Normal Schools, or
Teachers Colleges; abolishing, creating, reorganizing or
authorizing the reorganization of certain administrative
departments, boards, and commissions; defining the powers and
duties of the Governor and other executive and administrative
officers, and of the several administrative departments,
boards, commissions, and officers; fixing the salaries of the
Governor, Lieutenant Governor, and certain other executive
and administrative officers; providing for the appointment of
certain administrative officers, and of all deputies and
other assistants and employes in certain departments, boards,
and commissions; providing for judicial administration; and
prescribing the manner in which the number and compensation
of the deputies and all other assistants and employes of
certain departments, boards and commissions shall be
determined," in organization of departmental administrative
boards and commissions and of advisory boards and
commissions, providing for Cybersecurity Coordination Board.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. The act of April 9, 1929 (P.L.177, No.175), known
as The Administrative Code of 1929, is amended by adding a
section to read:
Section 480. Cybersecurity Coordination Board.--(a) The
following apply regarding establishment and purposes:
(1) The Cybersecurity Coordination Board is established
within the Office of Administration.
(2) The Cybersecurity Coordination Board shall:
(i) Collect, study and share information about cybersecurity
issues and initiatives and provide advice to the Governor with
respect to developing uniform cybersecurity techniques,
standards, policies, procedures and best practices.
(ii) Coordinate efforts with Federal, State and local
government agencies, academic institutions and the private
sector to promote effective cybersecurity measures for the
benefit of the residents, businesses, government entities and
other entities within this Commonwealth.
(b) The Cybersecurity Coordination Board shall consist of
the following members:
(1) The Secretary of Administration or a designee.
(2) The Secretary of Banking and Securities or a designee.
(3) The Secretary of the Commonwealth or a designee.
(4) The Secretary of Community and Economic Development or a
designee.
(5) The Secretary of Corrections or a designee.
(6) The Secretary of Education or a designee.
(7) The Secretary of Health or a designee.
(8) The Secretary of Human Services or a designee.
(9) The Secretary of Labor and Industry or a designee.
(10) The Secretary of Revenue or a designee.
(11) The Secretary of Transportation or a designee.
(12) The Adjutant General of the Department of Military and
Veterans Affairs or a designee.
(13) The Attorney General or a designee.
(14) The Auditor General or a designee.
(15) The Commissioner of Pennsylvania State Police or a
designee.
(16) The State Treasurer or a designee.
(17) The Director of the Pennsylvania Emergency Management
Agency or a designee.
(18) The Commonwealth's Chief Information Security Officer
under the Office of Administration.
(19) The Director of the Governor's Office of Homeland
Security or a designee.
(20) The Chancellor of the State System of Higher Education
or a designee.
(21) The Executive Director of the Pennsylvania Public
Utility Commission or a designee.
(22) The Court Administrator of the Administrative Office of
Pennsylvania Courts or a designee.
(23) One member of the Senate to be appointed by the
President pro tempore or a designee.
(24) One member of the House of Representatives to be
appointed by the Speaker of the House of Representatives or a
designee.
(25) One member of the Senate to be appointed by the
Minority Leader of the Senate or a designee.
(26) One member of the House of Representatives to be
appointed by the Minority Leader of the House of Representatives
or a designee.
(27) The Executive Director of the County Commissioners
Association of Pennsylvania or a designee.
(28) The Executive Director for the Pennsylvania Municipal
League or a designee.
(29) The Executive Director for the Pennsylvania State
Association of Township Supervisors or a designee.
(30) The Executive Director for the Pennsylvania State
Association of Boroughs or a designee.
(31) The Executive Director for the Pennsylvania State
Association of Township Commissioners or a designee.
(32) The President of the Pennsylvania Association of
Intermediate Units or a designee.
(c) The Cybersecurity Coordination Board shall also include
three cybersecurity subject matter experts from private sector
industries that shall be appointed by and serve at the pleasure
of the Governor.
(2) THE ATTORNEY GENERAL OR A DESIGNEE.
(3) THE AUDITOR GENERAL OR A DESIGNEE.
(4) THE STATE TREASURER OR A DESIGNEE.
(5) THE DIRECTOR OF THE PENNSYLVANIA EMERGENCY MANAGEMENT
AGENCY OR A DESIGNEE.
(6) THE COMMONWEALTH'S CHIEF INFORMATION SECURITY OFFICER
UNDER THE OFFICE OF ADMINISTRATION.
(7) THE DIRECTOR OF THE GOVERNOR'S OFFICE OF HOMELAND
SECURITY OR A DESIGNEE.
(8) ONE MEMBER OF THE SENATE TO BE APPOINTED BY THE
PRESIDENT PRO TEMPORE OR A DESIGNEE.
(9) ONE MEMBER OF THE HOUSE OF REPRESENTATIVES TO BE
APPOINTED BY THE SPEAKER OF THE HOUSE OF REPRESENTATIVES OR A
DESIGNEE.
(10) ONE MEMBER OF THE SENATE TO BE APPOINTED BY THE
MINORITY LEADER OF THE SENATE OR A DESIGNEE.
(11) ONE MEMBER OF THE HOUSE OF REPRESENTATIVES TO BE
APPOINTED BY THE MINORITY LEADER OF THE HOUSE OF REPRESENTATIVES
OR A DESIGNEE.
(12) THE EXECUTIVE DIRECTOR OF THE COUNTY COMMISSIONERS
ASSOCIATION OF PENNSYLVANIA OR A DESIGNEE.
(13) THE EXECUTIVE DIRECTOR FOR THE PENNSYLVANIA MUNICIPAL
LEAGUE OR A DESIGNEE.
(14) THE EXECUTIVE DIRECTOR FOR THE PENNSYLVANIA STATE
ASSOCIATION OF TOWNSHIP SUPERVISORS OR A DESIGNEE.
(15) THE EXECUTIVE DIRECTOR FOR THE PENNSYLVANIA STATE
ASSOCIATION OF BOROUGHS OR A DESIGNEE.
(16) THE EXECUTIVE DIRECTOR FOR THE PENNSYLVANIA STATE
ASSOCIATION OF TOWNSHIP COMMISSIONERS OR A DESIGNEE.
(C) THE CYBERSECURITY COORDINATION BOARD SHALL ALSO INCLUDE
THREE CYBERSECURITY EXPERTS THAT SHALL BE APPOINTED BY AND SERVE
AT THE PLEASURE OF THE GOVERNOR. THE CYBERSECURITY EXPERTS MUST
HAVE PROFESSIONAL EXPERIENCE IN CYBERSECURITY OR INFORMATION
TECHNOLOGY.
(D) IF A MEMBER OF THE CYBERSECURITY COORDINATION BOARD
SENDS A DESIGNEE IN THE MEMBER'S PLACE, THE DESIGNEE MUST HAVE A
BACKGROUND IN CYBERSECURITY OR BE THE CYBERSECURITY EXPERT OF
THE DESIGNATING BOARD MEMBER.
(d) (E) The Governor shall invite the following
representatives of Federal agencies to serve as advisory members
to the Cybersecurity Coordination Board:
(1) The United States Secretary of Defense or the
secretary's designee.
(2) The United States Secretary of Homeland Security or the
secretary's designee.
(3) The Director of the National Institute of Standards and
Technology or a designee.
(4) The Director of the Defense Information Systems Agency
or the director's designee.
(5) The Director of the Intelligence Advanced Research
Projects Activity or the director's designee.
(6) The Director of the Federal Bureau of Investigation or
the director's designee.
(e) (F) The voting members of the Cybersecurity Coordination
Board shall elect a chairperson, vice chairperson and secretary
of the Cybersecurity Coordination Board.
(f) (G) The Cybersecurity Coordination Board shall, with the
approval of the Governor, appoint an executive director to carry
out the duties of the Cybersecurity Coordination Board. The
following apply to the executive director:
(1) The executive director shall serve at the pleasure of
the Cybersecurity Coordination Board. The selection and removal
of the executive director shall be made by a simple majority of
the voting members of the Cybersecurity Coordination Board that
constitute a quorum.
(2) The executive director shall be qualified for the duties
of the position, as determined by the Cybersecurity Coordination
Board.
(3) The executive director shall conduct the work of the
Cybersecurity Coordination Board under the direction and
supervision of the Cybersecurity Coordination Board.
(4) The executive director shall provide a report to the
Governor of the final determination of any action or inaction
that the Cybersecurity Coordination Board recommends, including
any advice or information in support of or in addition to any
final determination of the Cybersecurity Coordination Board.
(5) A current member of the Cybersecurity Coordination Board
may not serve as the executive director.
(6) The executive director's appointment shall not continue
beyond the expiration of this section.
(7) The executive director shall be subject to the same
policies and procedures as employees of the Office of
Administration.
(8) The Cybersecurity Coordination Board shall fix the
compensation of the executive director, subject to the approval
of the Executive Board.
(g) (H) The Office of Administration shall acquire staff,
office space, office equipment and supplies and obtain the
services of cybersecurity subject matter experts to assist the
Cybersecurity Coordination Board and the executive director of
the Cybersecurity Coordination Board in fulfilling the duties
under this section.
(h) (I) The Cybersecurity Coordination Board and the
executive director of the Cybersecurity Coordination Board may
be supported by the Office of Administration's designated staff
in furtherance of the Cybersecurity Coordination Board
fulfilling the duties under this section.
(i) (J) The Cybersecurity Coordination Board shall meet no
fewer than four times a year to review and assess cybersecurity,
including risks, protective measures, laws, regulations,
governances, technologies, standards and best practices that
affect the Federal, State, county and local governments,
international government, businesses and other entities.
Additional meetings shall be at the discretion of the
Commonwealth's Chief Information Security Officer under the
Office of Administration, until an executive director of the
Cybersecurity Coordination Board is appointed, after which any
additional meetings shall be held at the discretion of the
executive director of the Cybersecurity Coordination Board.
(K) MEETINGS OF THE CYBERSECURITY COORDINATION BOARD SHALL
NOT BE HELD USING VIDEO CONFERENCING TECHNOLOGY. MEMBERS OF THE
BOARD MAY USE TELECONFERENCING TECHNOLOGY, AS NECESSARY.
(j) (L) The Cybersecurity Coordination Board may establish
committees, as needed, to formulate recommended positions or
actions.
(k) (M) The Cybersecurity Coordination Board, through the
executive director of the Cybersecurity Coordination Board,
shall provide the Governor an annual report summarizing the
Cybersecurity Coordination Board's findings and assessments. The
following apply:
(1) The report shall include an overview of the
cybersecurity landscape, changes since the prior report, issues
and risks affecting the protection of information,
recommendations to resolve and mitigate the issues and risks and
any other relevant information deemed appropriate by the
Cybersecurity Coordination Board with respect to cybersecurity.
(2) The report shall be confidential and exempt from
disclosure as provided under subsection (l) (N).
(l) (N) Deliberations, documentation, records,
correspondence and all work of the Cybersecurity Coordination
Board and its committees, including any actions or reports of
the Cybersecurity Coordination Board, shall be confidential and
shall be exempt from the requirements of the following:
(1) The act of February 14, 2008 (P.L.6, No.3), known as the
"Right-to-Know Law."
(2) 65 Pa.C.S. Ch. 7 (relating to open meetings).
(m) (O) Members of the Cybersecurity Coordination Board and
its committee members shall serve without compensation except
for payment of necessary and actual expenses incurred in
attending meetings and in performing duties and responsibilities
as members.
(n) (P) The Cybersecurity Coordination Board and its
committee members, including advisory members, shall not use
their position to sell products or services to the Commonwealth
or benefit financially or enable their immediate family members
or employers to benefit financially, whether directly or
indirectly, from Commonwealth initiatives that result from
recommendations or advice provided by the Cybersecurity
Coordination Board under this section.
(o) (Q) This section shall expire four years after the
effective date of this subsection.
Section 2. This act shall take effect in 60 days.
20230HB1139PN1773 - 9 -