A00192
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL
No. 40
Session of 2021
INTRODUCED BY GROVE, RYAN, THOMAS, SAYLOR AND MOUL,
JANUARY 11, 2021
REFERRED TO COMMITTEE ON STATE GOVERNMENT, JANUARY 11, 2021
AN ACT
Amending Title 71 (State Government) of the Pennsylvania
Consolidated Statutes, in boards and offices, providing for
information technology; establishing the Office of
Information Technology and the Information Technology Fund;
providing for administrative and procurement procedures and
for the Joint Cybersecurity Oversight Committee; and imposing
penalties.
Amending Title 71 (State Government) of the Pennsylvania
Consolidated Statutes, in boards and offices, providing for
information technology; establishing the Office of
Information Technology and the Information Technology Fund;
providing for administrative and procurement procedures and
for the Joint Cybersecurity Oversight Committee; imposing
duties on the Office of Information Technology; providing for
administration of Pennsylvania Statewide Radio Network and
imposing penalties.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. Part V of Title 71 of the Pennsylvania
Consolidated Statutes is amended by adding a chapter to read:
CHAPTER 43
INFORMATION TECHNOLOGY
Subchapter
A. General Provisions
B. Office of Information Technology
C. Procurement and Business Operations
D. Security
E. Enforcement and Penalties
SUBCHAPTER A
GENERAL PROVISIONS
Sec.
4301. Scope of chapter.
4302. Findings and declarations.
4303. Definitions.
§ 4301. Scope of chapter.
This chapter relates to administrative procedures and
procurement regarding information technology.
§ 4302. Findings and declarations.
The General Assembly finds and declares the following:
(1) The Commonwealth has struggled to keep information
technology costs under control.
(2) Many of the Commonwealth's information technology
contracts extend well beyond their anticipated date of
completion.
(3) The Commonwealth can begin to reduce information
technology costs by the consolidation of information
technology functions and resources within the executive
branch.
(4) Consolidation of information technology services
will not only reduce costs but create more efficient
information technology operations.
(5) By reforming the Commonwealth's outdated approach to
information technology, the Commonwealth can improve data and
analytic capabilities and improve cybersecurity.
(6) The improvement of operations will enhance taxpayer
satisfaction and make it easier for residents to navigate.
(7) Consolidation of information technology services
must be designed to improve accountability and transparency
to taxpayers and enhance the Commonwealth's data and
analytics capabilities.
§ 4303. Definitions.
The following words and phrases when used in this chapter
shall have the meanings given to them in this section unless the
context clearly indicates otherwise:
"Director." The administrative head of the office.
"Distributed information technology assets." Hardware,
software and communications equipment not classified as
traditional mainframe-based items, including, but not limited
to, personal computers, local area networks, servers, mobile
computers, peripheral equipment and other related hardware and
software items.
"Electronic bidding." The electronic solicitation and
receipt of offers to contract.
"Fund." The Information Technology Fund established under
section 4316 (relating to Information Technology Fund).
"Independent agency." A board, commission, authority or
other agency of the Commonwealth that is not subject to the
policy supervision and control of the Governor. The term does
not include:
(1) a court or agency of the unified judicial system; or
(2) the General Assembly or an agency of the General
Assembly.
"Independent department." Any of the following:
(1) The Department of the Auditor General.
(2) The Treasury Department.
(3) The Office of Attorney General.
(4) A board or commission of an entity under paragraph
(1), (2) or (3).
"Information technology." Hardware, software and
telecommunications equipment, including, but not limited to, the
following:
(1) Personal computers.
(2) Servers.
(3) Mainframes.
(4) Wired or wireless wide and local area networks.
(5) Broadband.
(6) Mobile or portable computers.
(7) Peripheral equipment.
(8) Telephones.
(9) Wireless communications.
(10) Handheld devices.
(11) Public safety radio services.
(12) Facsimile machines.
(13) Technology facilities, including, but not limited
to, data centers, dedicated training facilities or switching
facilities.
(14) Electronic payment processing services.
(15) Other relevant hardware and software items or
personnel tasked with the planning, implementation or support
of technology, including hosting or vendor-managed service
solutions.
"Information technology security incident." A computer-based
activity, network-based activity or paper-based activity which
results directly or indirectly in misuse, damage, denial of
service, compromise of integrity or loss of confidentiality of a
network, a computer, an application or data.
"Office." The Office of Information Technology established
under Subchapter B (relating to Office of Information
Technology).
"Reverse auction." A real-time purchasing process in which
vendors compete to provide goods or services at the lowest
selling price in an open and interactive electronic environment.
"Secretary." The Secretary of Administration.
"State agency." Any of the following:
(1) The Governor's Office.
(2) A department, board, commission, authority or other
agency of the Commonwealth that is subject to the policy
supervision and control of the Governor.
(3) The office of Lieutenant Governor.
(4) An independent agency.
SUBCHAPTER B
OFFICE OF INFORMATION TECHNOLOGY
Sec.
4311. Establishment of office.
4312. Duties of office.
4313. Transfer of duties.
4314. Director.
4315. Planning and financing information technology resources.
4316. Information Technology Fund.
4317. Financial accountability and information technology.
4318. Statewide electronic portal and annual report.
4319. Budget for information technology.
4320. Commonwealth portal.
4321. Information technology request.
4322. Status of information technology projects and corrective
action plans.
§ 4311. Establishment of office.
The Office of Information Technology is established within
the Governor's Office of Administration.
§ 4312. Duties of office.
(a) Duties generally.--The office shall:
(1) Consolidate information technology functions,
powers, duties, obligations, infrastructure and support
services vested in State agencies.
(2) Direct the management and operations of information
technology services for each State agency, including, but not
limited to, the following:
(i) The development of priorities and strategic
plans.
(ii) The management of information technology
investments, procurement and policy.
(iii) Oversight of each State agency to ensure
compliance with the provisions of this chapter.
(3) Recommend any changes to staffing or operations
regarding information technology.
(b) Specific duties.--As part of the general duties under
subsection (a), the office shall:
(1) Assist in developing annual information technology
strategic plans for each State agency that include
priorities, coordination and monitoring of resource use and
expenditures, performance review measures, procurement and
other governance and planning measures.
(2) Review and approve the information technology plans
for each State agency.
(3) Consult with the Governor's Office of the Budget on
budgetary matters regarding information technology planning
and procurement.
(4) Create an advisory structure to advise on matters
involving overall technology and data governance.
(5) Establish and maintain an information technology
portfolio management process for overall monitoring of
information technology program objectives, alignment with
priorities, budgets and expenditures.
(6) Identify common information technology business
functions within each State agency.
(7) Make recommendations for consolidation, integration
and investment.
(8) Facilitate the use of common technology, as
appropriate.
(9) Expand the use of project management methodologies
and principles on information technology projects, including
measures to review project delivery and quality.
(10) Ensure compliance by each State agency with
required business process reviews.
(11) Maintain a central procurement organization.
(12) Procure or supervise the procurement of all
information technology.
(13) Oversee information technology contract issues,
monitoring and compliance.
(14) Serve as a liaison between State agencies and
contracted information technology vendors.
(15) Align the appropriate technology and procurement
methods with the service strategy.
(16) Establish an information technology architecture
framework that governs information technology investments.
This architecture framework shall include the following, as
appropriate:
(i) The development of standards, policies,
processes and strategic technology roadmaps.
(ii) The performance of technical reviews and
capability assessments of services, technologies and
State agency systems.
(iii) The evaluation of requests for information
technology policy exceptions.
(17) Develop and implement efforts to standardize data
elements and determine data ownership assignments.
(18) Develop and maintain a comprehensive information
technology inventory.
(19) Monitor compliance with information technology
policy and standards through an architectural review process.
(20) Maintain and strengthen the Commonwealth's
cybersecurity posture through security governance.
(21) Develop security solutions, services and programs
to protect data and infrastructure.
(22) Identify and remediate security risks and maintain
citizen trust in securing computerized personal information.
(23) Implement programs, processes and solutions to
maintain cybersecurity situational awareness and effectively
respond to cybersecurity attacks and information technology
security incidents.
(24) Foster a culture of situational and risk awareness.
(25) Conduct evaluations and compliance audits of State
agency security infrastructure.
(26) Recommend and conduct the consolidation of State
agency information technology services, including, but not
limited to, infrastructure, personnel, investments,
operations and support services.
(27) Establish and facilitate a process for the
identification, evaluation and optimization of information
technology shared services.
(28) Establish, maintain and communicate service level
agreements for shared services.
(29) Establish a process for:
(i) the development and implementation of
telecommunications policies, services and infrastructure;
and
(ii) reviewing and authorizing State agency requests
for enhanced services.
(30) Identify opportunities for convergence and
leveraging existing assets to reduce or eliminate duplicative
telecommunication networks.
(31) Establish and maintain an information technology
service management process library to govern the services
provided to each State agency.
(32) Establish a formal governance body to evaluate the
introduction of new information technology services and the
retiring of existing information technology services.
(33) Establish metrics to monitor the health of the
services provided and make appropriate corrections as
necessary.
(34) Establish information technology data management
and development policy frameworks for each State agency that
include policies, processes and standards that adhere to
commonly accepted principles for, among other things, data
governance, data development and the quality, sourcing, use,
accessibility, content, ownership and licensing of open data.
(35) Create and maintain a comprehensive open data
portal for public accessibility.
(36) Provide guidance regarding the procurement of
supplies and services related to the subject matter of this
chapter.
(37) Facilitate communication with the public by
publishing open data plans and policies and by soliciting or
allowing for public input on the subject matter of this
chapter.
(38) Ensure the internal examination of Commonwealth
data sets for business, confidentiality, privacy and security
issues and the reasonable mitigation of those issues, prior
to the data's release for open data purposes.
(39) Develop and facilitate the engagement with private
and other public stakeholders, including, but not limited to,
arranging for and expediting data-sharing agreements and
encouraging and facilitating cooperation and substantive and
administrative efficiencies.
(40) Develop and facilitate data sharing and data
analytics.
(41) Oversee and manage the information technology
contracts of each State agency. The following shall apply:
(i) The office shall obtain, review and maintain, on
an ongoing basis, records of the appropriations,
allotments, expenditures and revenues of each State
agency for information technology.
(ii) The office shall not manage but shall
coordinate efforts as necessary and appropriate regarding
the information technology contracts of an independent
department, the General Assembly and its agencies or the
agencies of the judicial branch.
§ 4313. Transfer of duties.
Upon the effective date of this section, information
technology functions, powers, duties, obligations and services
shall be transferred to and vested in the office. The following
shall apply:
(1) The chief information officer of each State agency
shall:
(i) Report directly to the director.
(ii) Work within the chief information officer's
respective State agency on behalf of the office as an
employee of the office.
(2) The salary and costs related to the chief
information officer of each State agency shall be paid by the
chief information officer's respective State agency from
funds appropriated for general government operations.
(3) The following shall apply for an employee of a State
agency who handles or otherwise has responsibility for the
State agency's information technology services:
(i) Except as provided in subparagraph (ii), the
employee shall be transferred to the office as an
employee of the State agency and operate in the physical
location of the State agency, but the employee shall
report matters to the office and be supervised by the
office.
(ii) Subparagraph (i) shall not apply to an employee
who handles proprietary information technology programs.
The employee shall remain an employee of the State agency
and shall coordinate with the office.
§ 4314. Director.
(a) Appointment and salary.--The secretary shall appoint the
director and set the salary of the director.
(b) Qualifications.--The director shall be qualified by
education and experience for the office.
(c) Duties.--In addition to other duties specified under
this chapter, the director shall:
(1) Manage the operations of the office.
(2) Develop and administer a comprehensive long-range
plan to ensure the proper management of the Commonwealth's
information technology resources.
(3) Set technical standards for information technology
and review and approve information technology projects and
budgets.
(4) Establish information technology security standards.
(5) Provide for the procurement of information
technology resources.
(6) Develop a schedule for the replacement or
modification of information technology systems.
(7) Require and review reports by each State agency
concerning information technology assets, systems, personnel
and projects and prescribe the form of the reports.
(8) Prescribe the manner in which information technology
assets, systems and personnel shall be provided and
distributed among State agencies.
(9) Prescribe the manner of inspecting or testing
information technology assets, systems or personnel to
determine compliance with information technology plans,
specifications and requirements.
(10) Hire personnel as necessary to perform the
functions of the office.
§ 4315. Planning and financing information technology
resources.
(a) Development of policies.--The director shall develop
necessary policies for State agency information technology
planning and financing to achieve the purposes of this chapter.
(b) Development of plan.--
(1) The director shall analyze the information
technology systems and develop a plan to ascertain the needs,
costs and time frame required for State agencies to
efficiently use information technology systems, resources,
security and data management to achieve the purposes of this
chapter. The plan may include current applications and
infrastructure, migration from current environments and other
information necessary for fiscal or technology planning.
(2) The director shall develop strategic plans for
information technology as necessary.
(c) Consultation and cooperation.--
(1) In determining whether a strategic plan is necessary
for a State agency, the director shall consider the State
agency's operational needs, functions and performance
capabilities.
(2) The director shall consult with and assist State
agencies in the preparation of plans under this subsection.
(3) Each State agency shall actively participate in
preparing, testing and implementing an information technology
plan as determined by the director. A State agency shall
provide all financial information to the director necessary
to determine full costs and expenditures for information
technology assets, including resources provided by the State
agency or through contracts or grants.
(4) Each State agency shall prepare and submit plans as
required by the director.
(5) A plan by a State agency shall be submitted to the
director no later than October 1 of each even-numbered year.
(d) Biennial plan.--
(1) The director shall develop a biennial State
Information Technology Plan, which shall be transmitted to
the General Assembly in conjunction with the Governor's
budget submission that year.
(2) The biennial plan shall include:
(i) An inventory of current information technology
assets and major projects.
(ii) An inventory of significant unmet needs for
information technology resources over a five-year time
period, along with a ranking of the unmet needs in
priority order according to their urgency.
(iii) A statement of the financial requirements,
together with a recommended funding schedule for major
projects in progress or anticipated for approval during
the upcoming fiscal biennium.
(iv) An analysis of opportunities for Statewide
initiatives that would yield significant efficiencies or
improve effectiveness in State programs.
(3) As used in this subsection, the term "major project"
includes a project costing more than $500,000 to implement.
§ 4316. Information Technology Fund.
(a) Establishment.--An account is established in the General
Fund to be known as the Information Technology Fund.
(b) Receipt of money.--The fund may receive money for the
operations of the office and to fulfill the duties of the office
under this chapter by the following methods:
(1) The transfer of encumbered funds from each State
agency which were designated for information technology
purposes prior to the effective date of this section.
(2) Transfers as authorized by the General Assembly that
are not already provided for under this section.
(3) The transfer of a portion of a State agency's funds
regarding general government operations for information
technology employees.
(c) Use of fund money.--
(1) Subject to paragraph (2), the director shall approve
the disbursement of money from the fund, which shall be used
for the following purposes and other legitimate purposes:
(i) Project management.
(ii) Security.
(iii) E-mail operations.
(iv) State portal operations.
(2) Expenditures made from the fund which involve money
appropriated from the General Fund shall be approved by the
director.
§ 4317. Financial accountability and information technology.
(a) Development of processes.--The office, along with the
Secretary of the Budget and the State Treasurer, shall develop
processes for budgeting and accounting of expenditures for
information technology operations, services, projects,
infrastructure and assets across all State agencies.
(b) Included information.--The budgeting and accounting
processes under subsection (a) may include information regarding
the following:
(1) Hardware.
(2) Software.
(3) Personnel.
(4) Training.
(5) Contractual services.
(6) Other items relevant to information technology.
(c) Reports.--By February 1 of each year, the director shall
also report to the General Assembly the following information:
(1) Services currently provided and associated
transaction volumes or other relevant indicators of
utilization by user type.
(2) New services added during the previous year.
(3) The total appropriation for each service.
(4) The total amount remitted to the vendor for each
service.
(5) Any other use of State data by the vendor and the
total amount of revenue collected per use and in total.
(6) User satisfaction with each service.
(7) Any other issues associated with the provision of
each service.
(d) Financial information.--The director shall, at a
minimum, include in the report under subsection (c) the
following financial information:
(1) Current budgetary balances for the fund and each
information technology project.
(2) Line-item details on expenditures.
(3) Anticipated expenditures for the next three years.
(4) The financial activities of the fund, including fund
expenditures, during the immediately prior fiscal year.
(e) Issuance.--In addition to the General Assembly, a report
under subsection (c) shall be submitted to the following:
(1) The Secretary of the Budget.
(2) The Independent Fiscal Office.
(3) The General Assembly.
§ 4318. Statewide electronic portal and annual report.
The office shall develop and operate a Statewide electronic
portal to increase the convenience of the public in conducting
online transactions with and obtaining information from State
government. The portal shall be designed to facilitate and
improve public interactions along with communications between
State agencies.
§ 4319. Budget for information technology.
The office, along with the Secretary of the Budget, shall
develop and implement a plan to manage all information
technology funding, including State and other receipts, as soon
as practicable. As part of the plan and implementation, the
following shall apply:
(1) Funding for information technology resources,
projects and contracts shall be appropriated to and managed
by the office.
(2) Funding for the office's information technology
shared services and approved contracts shall remain with the
State agencies.
(3) Information technology budget codes and fund codes
shall be created as required.
§ 4320. Commonwealth portal.
Each State agency shall functionally link its Internet or
electronic services to a centralized web portal system
established under this chapter.
§ 4321. Information technology request.