Office of information technology - information security - cyber coding cryptology - state records - institutions of higher education - appropriation. The chief information security officer in the governor's office of information technology (OIT), the director of OIT, the department of state, and the executive director of the department of regulatory agencies are required to take certain actions to protect state records containing trusted sensitive and confidential information from criminal, unauthorized, or inadvertent manipulation or theft.
The chief information security officer is required to:
- Identify, assess, and mitigate cyber threats to state government;
- Annually collect information from all public agencies to assess the nature of threats to data systems and the potential risks and civil liabilities from the theft or inadvertent release of such information; and
- In coordination and partnership with specified agencies, boards, and councils, annually assess the data systems of each public agency for the benefits and costs of adopting and applying distributed ledger technologies such as blockchains.
The chief information security officer is also encouraged to develop and maintain a series of metrics to identify, assess, and monitor each public agency data system for its platform descriptions, vulnerabilities, risks, liabilities, appropriate employee access control, and the benefits and costs of adopting encryption and distributed ledger technologies.
The director of OIT is required to consider the annual metrics from the office of the chief information security officer to recommend programs, contracts, and upgrades of data systems that have good cost-benefit potential or return on investment. In addition, OIT and the office of the chief information security officer are required to consider developing public-private partnerships and contracts to allow capitalization of encryption technologies while protecting intellectual property rights.
The department of state is required to consider research, development, and implementation for encryption and data integrity techniques, including distributed ledger technologies such as blockchains. The department of state is required to consider using distributed ledger technologies when accepting business licensing records and when distributing department of state data to other departments and agencies.
The executive director of the department of regulatory agencies or the director's designee is required to consider secure encryption methods, including distributed ledger technologies, to protect against falsification, create visibility to identify external hacking threats, and to improve internal data security.
In addition, institutions of higher education (institutions) may include distributed ledger technologies within their curricula and research and development activities.
The university of Colorado at Colorado Springs and any nonprofit organization with which the university has a partnership may consider:
- Encouraging coordination with the United States department of commerce and the national institute of standards and technologies to develop the capability to act as a Colorado in-state center of excellence on cybersecurity advice and national institute of standards and technologies standards;
- Studying efforts to protect privacy of personal identifying information maintained within distributed ledger programs, ensuring that programs make all attempts to follow best practices for privacy, and providing advice to all program stakeholders on the requirement to maintain privacy in accordance with required regulatory bodies and governing standards; and
- Encouraging the use of distributed ledger technologies, such as blockchains, within their proposed curricula for public sector education.
The department of higher education is required to allocate to the governing boards of the institutions participating in activities related to cybersecurity and distributed ledger technologies, money appropriated to the department of higher education for cybersecurity and distributed ledger technologies. The institutions are required to ensure that certain percentages of the money that they receive in connection with cybersecurity and distributed ledger technologies will be used to provide scholarships to students at the institution who are doing work in such fields. The department of higher education is also required to prepare an annual report to the general assembly containing specified information in connection with the use of the money appropriated for cybersecurity and distributed ledger technologies.
For the 2018-19 state fiscal year:
- $250,000 is appropriated from the general fund to the office of the governor for use by the office of information technology for security governance to evaluate the potential use of distributed ledger technologies in state data systems; and
- $5,100,000 is appropriated from the general fund to the department of higher education to implement the act. Specified amounts are allocated to Colorado Mesa university, Metropolitan state university of Denver, Western state Colorado university, the Colorado state university system, university of Colorado state board for community colleges and occupational education state system, and to the community colleges.
(Note: This summary applies to this bill as enacted.)