Minutes for HB2560 - Committee on Government, Technology and Security
Short Title
Enacting the Kansas cybersecurity act.
Minutes Content for Wed, Jan 31, 2018
The Chair opened the hearing on HB2560 - Creating the Kansas information security office.
Staff Jenna Moyer outlined the provisions of the bill (Attachment 1). She stated that the bill established the position and duties of Chief Information Security Officer, the duties of the Kansas Information Security Office (KISO), and the duties and requirements of the heads of state agencies. It creates a cyber fund, directs expenditure of funds, and allows the KISO to enter into contracts. Responding to a question, she replied that the bill does not address liability issues. The Chair commented that directives from one branch of government to another might be an issue.
Joe Acosta, Chief Information Security Officer (CISO), spoke as a proponent for the bill (Attachment 2). He traced the legislative efforts from 2010 to the present in attempting to address cybersecurity and, noting current security gaps, the changes required to move forward. He listed the bill's vision and guiding principles and identified the desired strategic outcomes of the bill. He referenced a National Conference of State Legislatures (NCSL) article on budgeting for cybersecurity (Attachment 3) and noted the written testimony of Deputy Chief Information Security Officer Rodney Blunt (Attachment 4).
Eric Sweden, Program Director, National Association of State Chief Information Officers, testified that information security has become a top priority; cybersecurity protection, response, resiliency, and recovery now dominate the agendas of Chief Information Technology Officers (Attachment 5) and (Attachment 6). He traced the cyber disruptions in state governments, saying that such incursions are business risks that need priority attention. He noted three trends: awareness of the need for cybersecurity among governors is rising, cybersecurity is becoming an integral part of government operations, and government development of a formal strategy will provide additional resources. He commented on the paucity of experienced cybersecurity talent and identified six areas that offer a pathway to success. He also referenced the NCSL document, saying that in order for legislators to understand cybersecurity and budget for it, they need to familiarize themselves with cyber terminology, better understand the risks, and develop resources to plan for cybersecurity events.
James Lundsted, Homeland Security, called on state legislatures to protect identifiable personal information and recognize the value of information sharing. He cited examples of breaches and noted that successful cybersecurity uses the right tools and creates the right partnerships.
Jarod Waltner, Planning and Research Officer, Kansas Public Employees Retirement System (KPERS), offered support for the bill but requested that KPERS be included in the exclusion portion of the bill (Attachment 7).
Alexandra Blasi, Executive Director, Kansas Board of Pharmacy, expressed concern that the smaller agencies may not be given timely attention compared with the larger agencies. She also noted that it appears that background checks may be required for all employees; she recommended that the bill enable her agency to select the appropriate employees for background checks (Attachment 8).
Kathleen Lippert, Executive Director, Kansas State Board of Healing Arts, expressed appreciation for the consulting attention provided by Mr. Acosta and the working group to assure that smaller agencies are accommodated according to their specific needs. She requested three modifications to the bill: that the advisory board include at least one member from a small agency, that cybersecurity positions be distinct from IT personnel, and that the executive director or agency head or agency leadership team participate in cybersecurity training (Attachment 9).
Adrian Guerrero, Kansas Board of Nursing, reviewed his agency's extensive use of technology; he noted that the agency currently utilizes the services of the KISO for cybersecurity. He then recommended a series of clarifications on certain aspects of the bill similar to Ms. Lippert's recommendations (Attachment 10).
Jeff Maxon, Information Assurance Manager, KISO, provided written testimony in support of HB2560 (Attachment 11).
Members queried conferees, who gave the following responses:
- We have not evaluated what other legislatures have provided for cybersecurity (Mr. Acosta).
- Federal cybersecurity funding may be in the offing, but it will be minimal and will only address startup funding for new programs (Mr. Lundsted).
- The current rate is $26 per person/site per month. There will be no rate changes in FY2018-2019. The proposed $700 cap could be removed from the bill (Mr. Acosta).
- One concern of small agencies is response time of the KISO to small agencies' needs (Ms. Blasi).
- The KISO will work with each agency to accommodate agency-appropriate standards (Mr. Acosta).
- The recommendations of the smaller agencies will make the bill better. The background-check requirement language is "may," not "shall" (Mr. Blunt).
- Prices for cyber insurance vary widely. It is not mentioned in the bill (Mr. Acosta).
The Chair closed the hearing on HB2560.
The meeting was adjourned at 10:23 a.m. The next meeting is scheduled for Monday, February 5, 2018.