The act modifies the laws that create the joint technology committee (JTC), the Colorado cybersecurity council (council), and the office of information technology (office) to reflect the current information technology (IT) environment and direction in the state.
Modifications related to the JTC are as follows:
- Updates definitions used by the JTC to be consistent with the definitions used by the office; and
- Allows the JTC to request information and presentations regarding data privacy and data security, specifies that the JTC oversees any state agency that has been delegated IT functions by the office, and makes other modifications to make the provisions governing the JTC and the office consistent.
Modifications related to the council are as follows:
- Specifies additional functions of the council, modifies the composition of the council, and allows the council to coordinate with other entities regarding cybersecurity.
Modifications related to the office are as follows:
- Consolidates all of the definitions that apply to the office into one section and updates some definitions to align with best practices and industry standards;
- Relocates provisions of current law regarding the information technology revolving fund and the coordination of the statewide geographic information system;
- Repeals and reenacts the roles and responsibilities section of law for the office and defines the office's roles and responsibilities in connection with IT;
- Adds additional responsibilities when a state agency undertakes a major IT project, when a state agency is the business owner of an IT system, and when the office is involved in a state agency's IT project only as a party to the contract;
- Authorizes the office to delegate an IT function to a state agency and specifies procedures and requirements that the office and the state agency are required to follow when such delegation occurs;
- Repeals and reenacts the current provisions in law regarding the duties and responsibilities of the chief information officer (CIO) and updates the duties and responsibilities of the CIO;
- Relocates current law that authorizes the revisor of statutes to change certain statutory references in connection with the creation of the office;
- Updates the timelines and dates for the development of IT security plans and certain required reports regarding those plans for state agencies, institutions of higher education, and the legislative branch;
- Repeals and reenacts current law regarding interdepartmental data protocol that governs data-sharing among state agencies and specifies requirements of the office and the government data advisory board regarding the creation of a data-sharing and privacy master plan and additional requirements for when a state agency shares personal identifying information with another state agency; and
- Updates the office's annual reporting requirement to the general assembly regarding IT asset inventory.
The act makes conforming amendments and repeals obsolete provisions regarding the consolidation of IT functions to the office, the transfer of employees and officers to the office, the creation of a work eligibility verification portal, the creation and implementation of the Colorado financial reporting system, and a reporting requirement on the transfer of IT infrastructure ownership. The act also repeals provisions regarding the statewide communications and information infrastructure that are incorporated into other provisions of law.
(Note: This summary applies to this bill as enacted.)