Posted: January 11, 2019 04:28 PM
From: Senator Kristin Phillips-Hill and Sen. Ryan P. Aument
To: All Senate members
Subject: Strengthening State Government Cybersecurity and Consolidation of IT Services

In the near future, we plan to re-introduce House Bill 1704 which was also Senate Bill 914 from last session that consolidates administration and management of the commonwealth’s Information Technology (IT) under the Office of Information Technology (OIT). This legislation would address the problems the commonwealth has faced in handling IT projects across many Administrations and Agencies.
The failure of the Commonwealth in handling IT projects is abundantly clear in the State Police Radio project as well as the Unemployment Compensation (UC) Call Centers. Additionally, the Departments of Human Services, Corrections, and Education (Teacher Information Management System) all had data breaches which exposed the names and personal information of thousands of individuals, including citizens of this Commonwealth and state employees. These data breaches came on the heels of the cyber-attack that caused the Department of Human Services Bureau of Vital Statistics computer system for birth certificates and death certificates to go offline from June 20 until June 26 of 2018. This greatly impeded Pennsylvanians’ access to essential documents with absolutely no explanation. The state has mismanaged hundreds of millions of dollars while many projects remain incomplete. Too many times government is the last to respond to IT-related issues, which often results in wasting of taxpayer money.
Under the legislation, as passed by the House State Government Committee last session, OIT is given the broad necessary powers to consolidate and oversee all IT systems and contracts within the executive branch. These powers include:
In order to accomplish these duties, this legislation requires each agency’s chief IT employee and other associated staff to work under the office in their respective agency. These employees answer to the director who serves as the Commonwealth’s Chief Information Technology Officer. As part of the responsibility of overseeing the office, the director is also given broad powers concerning the state’s IT infrastructure. These include:
As amended by the House State Government Committee, the legislation includes House Bill 2610 from last session which requires contractors to use software to verify billable hours. This software is meant to reduce fraudulent charges, which is yet another mechanism to prevent wasteful spending on projects which can often run over budget.
Equally important to the IT consolidation within the bill are the improvements made to the commonwealth’s cybersecurity capabilities. As cyberattacks within the United States from hackers or hostile nations continue to increase, the commonwealth must begin to update our security. This bill requires all state agencies to adopt new cybersecurity standards created by the director which must, at least, match industry best practices. The director is also required to develop a two-year schedule to test the cybersecurity capabilities of all state agencies which are to be paid for by the respective agency. These cybersecurity audits/assessments are to be performed by a nationally recognized organization in the field of cybersecurity.
The bill also establishes a new committee on cybersecurity which is to be comprised of members of the House and Senate and their IT staffs. Additionally, the committee will include members of the administration, state row officers and the Administrative Office of the Pennsylvania Courts and their IT staff. This committee will meet quarterly to hear testimony on emerging threats and current policy. The committee will then issue an annual report which will include policy recommendations to the governor, House and Senate Leadership along with the Pennsylvania Court Administrator.
We must guard against and close potential points of entry for cyber attackers. Their disruptive actions shut down the progress of government, waste taxpayer time and money, and imperil the safety and security of every Pennsylvanian. Please join us and co-sponsor this comprehensive draft to consolidate and improve the commonwealth’s IT procurement and oversight while also improving our cybersecurity.
Introduced as SB810