PRINTER'S NO. 1189
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL
No.
1139
Session of
2023
INTRODUCED BY KENYATTA, MADDEN, GALLOWAY, RABB, SANCHEZ,
SAMUELSON, D. WILLIAMS, SOLOMON, PARKER AND SHUSTERMAN,
MAY 8, 2023
REFERRED TO COMMITTEE ON COMMERCE, MAY 8, 2023
AN ACT
Amending the act of April 9, 1929 (P.L.177, No.175), entitled
"An act providing for and reorganizing the conduct of the
executive and administrative work of the Commonwealth by the
Executive Department thereof and the administrative
departments, boards, commissions, and officers thereof,
including the boards of trustees of State Normal Schools, or
Teachers Colleges; abolishing, creating, reorganizing or
authorizing the reorganization of certain administrative
departments, boards, and commissions; defining the powers and
duties of the Governor and other executive and administrative
officers, and of the several administrative departments,
boards, commissions, and officers; fixing the salaries of the
Governor, Lieutenant Governor, and certain other executive
and administrative officers; providing for the appointment of
certain administrative officers, and of all deputies and
other assistants and employes in certain departments, boards,
and commissions; providing for judicial administration; and
prescribing the manner in which the number and compensation
of the deputies and all other assistants and employes of
certain departments, boards and commissions shall be
determined," in organization of departmental administrative
boards and commissions and of advisory boards and
commissions, providing for Cybersecurity Coordination Board.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. The act of April 9, 1929 (P.L.177, No.175), known
as The Administrative Code of 1929, is amended by adding a
section to read:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Section 480. Cybersecurity Coordination Board.--(a) The
following apply regarding establishment and purposes:
(1) The Cybersecurity Coordination Board is established
within the Office of Administration.
(2) The Cybersecurity Coordination Board shall:
(i) Collect, study and share information about cybersecurity
issues and initiatives and provide advice to the Governor with
respect to developing uniform cybersecurity techniques,
standards, policies, procedures and best practices.
(ii) Coordinate efforts with Federal, State and local
government agencies, academic institutions and the private
sector to promote effective cybersecurity measures for the
benefit of the residents, businesses, government entities and
other entities within this Commonwealth.
(b) The Cybersecurity Coordination Board shall consist of
the following members:
(1) The Secretary of Administration or a designee.
(2) The Secretary of Banking and Securities or a designee.
(3) The Secretary of the Commonwealth or a designee.
(4) The Secretary of Community and Economic Development or a
designee.
(5) The Secretary of Corrections or a designee.
(6) The Secretary of Education or a designee.
(7) The Secretary of Health or a designee.
(8) The Secretary of Human Services or a designee.
(9) The Secretary of Labor and Industry or a designee.
(10) The Secretary of Revenue or a designee.
(11) The Secretary of Transportation or a designee.
(12) The Adjutant General of the Department of Military and
Veterans Affairs or a designee.
20230HB1139PN1189 - 2 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(13) The Attorney General or a designee.
(14) The Auditor General or a designee.
(15) The Commissioner of Pennsylvania State Police or a
designee.
(16) The State Treasurer or a designee.
(17) The Director of the Pennsylvania Emergency Management
Agency or a designee.
(18) The Commonwealth's Chief Information Security Officer
under the Office of Administration.
(19) The Director of the Governor's Office of Homeland
Security or a designee.
(20) The Chancellor of the State System of Higher Education
or a designee.
(21) The Executive Director of the Pennsylvania Public
Utility Commission or a designee.
(22) The Court Administrator of the Administrative Office of
Pennsylvania Courts or a designee.
(23) One member of the Senate to be appointed by the
President pro tempore.
(24) One member of the House of Representatives to be
appointed by the Speaker of the House of Representatives.
(25) One member of the Senate to be appointed by the
Minority Leader of the Senate.
(26) One member of the House of Representatives to be
appointed by the Minority Leader of the House of
Representatives.
(27) The Executive Director of the County Commissioners
Association of Pennsylvania or a designee.
(28) The Executive Director for the Pennsylvania Municipal
League or a designee.
20230HB1139PN1189 - 3 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(29) The Executive Director for the Pennsylvania State
Association of Township Supervisors or a designee.
(30) The Executive Director for the Pennsylvania State
Association of Boroughs or a designee.
(31) The Executive Director for the Pennsylvania State
Association of Township Commissioners or a designee.
(32) The President of the Pennsylvania Association of
Intermediate Units or a designee.
(c) The Cybersecurity Coordination Board shall also include
three cybersecurity subject matter experts from private sector
industries that shall be appointed by and serve at the pleasure
of the Governor.
(d) The Governor shall invite the following representatives
of Federal agencies to serve as advisory members to the
Cybersecurity Coordination Board:
(1) The United States Secretary of Defense or the
secretary's designee.
(2) The United States Secretary of Homeland Security or the
secretary's designee.
(3) The Director of the National Institute of Standards and
Technology or a designee.
(4) The Director of the Defense Information Systems Agency
or the director's designee.
(5) The Director of the Intelligence Advanced Research
Projects Activity or the director's designee.
(6) The Director of the Federal Bureau of Investigation or
the director's designee.
(e) The voting members of the Cybersecurity Coordination
Board shall elect a chairperson, vice chairperson and secretary
of the Cybersecurity Coordination Board.
20230HB1139PN1189 - 4 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(f) The Cybersecurity Coordination Board shall, with the
approval of the Governor, appoint an executive director to carry
out the duties of the Cybersecurity Coordination Board. The
following apply to the executive director:
(1) The executive director shall serve at the pleasure of
the Cybersecurity Coordination Board. The selection and removal
of the executive director shall be made by a simple majority of
the voting members of the Cybersecurity Coordination Board that
constitute a quorum.
(2) The executive director shall be qualified for the duties
of the position, as determined by the Cybersecurity Coordination
Board.
(3) The executive director shall conduct the work of the
Cybersecurity Coordination Board under the direction and
supervision of the Cybersecurity Coordination Board.
(4) The executive director shall provide a report to the
Governor of the final determination of any action or inaction
that the Cybersecurity Coordination Board recommends, including
any advice or information in support of or in addition to any
final determination of the Cybersecurity Coordination Board.
(5) A current member of the Cybersecurity Coordination Board
may not serve as the executive director.
(6) The executive director's appointment shall not continue
beyond the expiration of this section.
(7) The executive director shall be subject to the same
policies and procedures as employees of the Office of
Administration.
(8) The Cybersecurity Coordination Board shall fix the
compensation of the executive director, subject to the approval
of the Executive Board.
20230HB1139PN1189 - 5 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(g) The Office of Administration shall acquire staff, office
space, office equipment and supplies and obtain the services of
cybersecurity subject matter experts to assist the Cybersecurity
Coordination Board and the executive director of the
Cybersecurity Coordination Board in fulfilling the duties under
this section.
(h) The Cybersecurity Coordination Board and the executive
director of the Cybersecurity Coordination Board may be
supported by the Office of Administration's designated staff in
furtherance of the Cybersecurity Coordination Board fulfilling
the duties under this section.
(i) The Cybersecurity Coordination Board shall meet no fewer
than four times a year to review and assess cybersecurity,
including risks, protective measures, laws, regulations,
governances, technologies, standards and best practices that
affect the Federal, State, county and local governments,
international government, businesses and other entities.
Additional meetings shall be at the discretion of the
Commonwealth's Chief Information Security Officer under the
Office of Administration, until an executive director of the
Cybersecurity Coordination Board is appointed, after which any
additional meetings shall be held at the discretion of the
executive director of the Cybersecurity Coordination Board.
(j) The Cybersecurity Coordination Board may establish
committees, as needed, to formulate recommended positions or
actions.
(k) The Cybersecurity Coordination Board, through the
executive director of the Cybersecurity Coordination Board,
shall provide the Governor an annual report summarizing the
Cybersecurity Coordination Board's findings and assessments. The
20230HB1139PN1189 - 6 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
following apply:
(1) The report shall include an overview of the
cybersecurity landscape, changes since the prior report, issues
and risks affecting the protection of information,
recommendations to resolve and mitigate the issues and risks and
any other relevant information deemed appropriate by the
Cybersecurity Coordination Board with respect to cybersecurity.
(2) The report shall be confidential and exempt from
disclosure as provided under subsection (l).
(l) Deliberations, documentation, records, correspondence
and all work of the Cybersecurity Coordination Board and its
committees, including any actions or reports of the
Cybersecurity Coordination Board, shall be confidential and
shall be exempt from the requirements of the following:
(1) The act of February 14, 2008 (P.L.6, No.3), known as the
"Right-to-Know Law."
(2) 65 Pa.C.S. Ch. 7 (relating to open meetings).
(m) Members of the Cybersecurity Coordination Board and its
committee members shall serve without compensation except for
payment of necessary and actual expenses incurred in attending
meetings and in performing duties and responsibilities as
members.
(n) The Cybersecurity Coordination Board and its committee
members, including advisory members, shall not use their
position to sell products or services to the Commonwealth or
benefit financially or enable their immediate family members or
employers to benefit financially, whether directly or
indirectly, from Commonwealth initiatives that result from
recommendations or advice provided by the Cybersecurity
Coordination Board under this section.
20230HB1139PN1189 - 7 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(o) This section shall expire four years after the effective
date of this subsection.
Section 2. This act shall take effect in 60 days.
20230HB1139PN1189 - 8 -
1
2
3