The chief information security officer in the governor's office of information technology (OIT), the director of OIT, the department of state, and the executive director of the department of regulatory agencies are required to take certain actions to protect state records containing trusted sensitive and confidential information from criminal, unauthorized, or inadvertent manipulation or theft.
The chief information security officer is required to:
- Identify, assess, and mitigate cyber threats to state government;
- Annually collect information from all public agencies to assess the nature of threats to data systems and the potential risks and civil liabilities from the theft or inadvertent release of such information;
- In coordination and partnership with specified agencies, boards, and councils, annually assess the data systems of each public agency for the benefits and costs of adopting and applying distributed ledger technologies such as blockchains;
- Develop and maintain a series of metrics to identify, assess, and monitor each public agency data system for its platform descriptions, vulnerabilities, risks, liabilities, appropriate employee access control, and the benefits and costs of adopting encryption and distributed ledger technologies.
The director of OIT is required to consider the annual metrics from the office of the chief information security officer to recommend programs, contracts, and upgrades of data systems that have good cost-benefit potential or return on investment. In addition, OIT and the office of the chief information security officer are required to consider developing public-private partnerships and contracts to allow capitalization of encryption technologies while protecting intellectual property rights.
The department of state is required to consider research, development, and implementation for encryption and data integrity techniques, including distributed ledger technologies such as blockchains. The department of state is required to consider using distributed ledger technologies when accepting business licensing records and when distributing department of state data to other departments and agencies.
The executive director of the department of regulatory agencies or the director's designee is required to consider secure encryption methods, including distributed ledger technologies, to protect against falsification, create visibility to identify external hacking threats, and to improve internal data security.
In addition, the bill specifies that institutions of higher education may include distributed ledger technologies within their curricula and research and development activities.
The bill also specifies that the university of Colorado at Colorado Springs and any nonprofit organization with which the university has a partnership may consider:
- Encouraging coordination with the United States department of commerce and the national institute of standards and technologies to develop the capability to act as a Colorado in-state center of excellence on cybersecurity advice and national institute of standards and technologies standards;
- Studying efforts to protect privacy of personal identifying information maintained within distributed ledger programs, ensuring that programs make all attempts to follow best practices for privacy, and providing advice to all program stakeholders on the requirement to maintain privacy in accordance with required regulatory bodies and governing standards; and
- Encouraging the use of distributed ledger technologies, such as blockchains, within their proposed curricula for public sector education.
(Note: This summary applies to the reengrossed version of this bill as introduced in the second house.)