GENERAL ASSEMBLY OF NORTH CAROLINA

SESSION 2013

SESSION LAW 2013-188

HOUSE BILL 390

AN ACT making various changes to the laws relating to state information technology governance.

The General Assembly of North Carolina enacts:

SECTION 1.  G.S. 143-135.9(a)(3) is repealed.

SECTION 2.  G.S. 147-33.72C(e) reads as rewritten:

"(e)       Performance Contracting. - All contracts between a State agency and a private party for information technology projects shall include provisions for vendor performance review and accountability. The State CIO may require that these contract provisions require a performance bond, include monetary penalties penalties, or require other performance assurance measures for projects that are not completed or performed within the specified time period or that involve costs in excess of those specified in the contract. The State CIO may require contract provisions requiring a vendor to provide a performance bond.utilize cost-savings realized on government-vendor partnerships, as defined in G.S. 143-135.9, as performance incentives for an information technology project vendor."

SECTION 3.  G.S. 147-33.91(a) reads as rewritten:

"(a)       With respect to State agencies, the State Chief Information Officer shall exercise general coordinating authority for all telecommunications matters relating to the internal management and operations of those agencies. In discharging that responsibility, the State Chief Information Officer, in cooperation with affected State agency heads, may:

(1)        Provide for the establishment, management, and operation, through either State ownership, contract, or commercial leasing, of the following systems and services as they affect the internal management and operation of State agencies:

a.         Central telephone systems and telephone networks.

b.         Repealed by Session Laws 2004-129, s. 23, effective July 1, 2004.

c.         Repealed by Session Laws 2004-129, s. 23, effective July 1, 2004.

d.         Satellite services.

e.         Closed-circuit TV systems.

f.          Two-way radio systems.

g.         Microwave systems.

h.         Related systems based on telecommunication technologies.

i.          The "State Network", managed by the Office, which means any connectivity designed for the purpose of providing Internet Protocol transport of information to any building.

(2)        Coordinate the development of cost-sharing systems for respective user agencies for their proportionate parts of the cost of maintenance and operation of the systems and services listed in subdivision (1) of this subsection.

(3)        Assist in the development of coordinated telecommunications services or systems within and among all State agencies and recommend, where appropriate, cooperative utilization of telecommunication facilities by aggregating users.

(4)        Perform traffic analysis and engineering for all telecommunications services and systems listed in subdivision (1) of this subsection.

(5)        Pursuant to G.S. 143-49, establish Establish telecommunications specifications and designs so as to promote and support compatibility of the systems within State agencies.

(6)        Pursuant to G.S. 143-49 and G.S. 143-50, coordinate Coordinate the review of requests by State agencies for the procurement of telecommunications systems or services.

(7)        Pursuant to G.S. 143-341 and Chapter 146 of the General Statutes, coordinate Coordinate the review of requests by State agencies for State government property acquisition, disposition, or construction for telecommunications systems requirements.

(8)        Provide a periodic inventory of telecommunications costs, facilities, systems, and personnel within State agencies.

(9)        Promote, coordinate, and assist in the design and engineering of emergency telecommunications systems, including, but not limited to, the 911 emergency telephone number program, Emergency Medical Services, and other emergency telecommunications services.

(10)      Perform frequency coordination and management for State agencies and local governments, including all public safety radio service frequencies, in accordance with the rules and regulations of the Federal Communications Commission or any successor federal agency.

(11)      Advise all State agencies on telecommunications management planning and related matters and provide through the State Personnel Training Center or the Office of Information Technology Services training to users within State agencies in telecommunications technology and systems.

(12)      Assist and coordinate the development of policies and long-range plans, consistent with the protection of citizens' rights to privacy and access to information, for the acquisition and use of telecommunications systems, and base such policies and plans on current information about State telecommunications activities in relation to the full range of emerging technologies.

(13)      Work cooperatively with the North Carolina Agency for Public Telecommunications in furthering the purpose of this section."

SECTION 4.  G.S. 147-33.92(b) reads as rewritten:

"(b)      The State Chief Information Officer shall establish switched broadband telecommunications services and permit, in addition to State agencies, cities, counties, and other local government entities, the following organizations and entities to share on a not-for-profit basis:

(1)        Nonprofit educational institutions.

(2)        MCNC.

(3)        Research MCNC and research affiliates of MCNC for use only in connection with research activities sponsored or funded, in whole or in part, by MCNC, if such research activities relate to health care or education in North Carolina.

(4)        Agencies of the United States government operating in North Carolina for use only in connection with activities that relate to health care or education in North Carolina.

(5)        Hospitals, clinics, and other health care facilities for use only in connection with activities that relate to health care or education in North Carolina.

Provided, however, that sharing of the switched broadband telecommunications services by State agencies with entities or organizations in the categories set forth in this subsection shall not cause the State, the Office of Information Technology Services, or the MCNC to be classified as a public utility as that term is defined in G.S. 62-3(23) a.6. Nor shall the State, the Office of Information Technology Services, or the MCNC engage in any activities that may cause those entities to be classified as a common carrier as that term is defined in the Communications Act of 1934, 47 U.S.C. § 153(10). Provided further, authority to share the switched broadband telecommunications services with the non-State agencies set forth in subdivisions (1) through (5) of this subsection shall terminate one year from the effective date of a tariff that makes the broadband services available to any customer."

SECTION 5.  G.S. 147-33.111 reads as rewritten:

"§ 147-33.111.  State CIO approval of security standards and security assessments.

(a)        Notwithstanding G.S. 143-48.3 or any other provision of law, and except as otherwise provided by this section, all information technology security purchased using State funds, or for use by a State agency or in a State facility, shall be subject to approval by the State Chief Information Officer in accordance with security standards adopted under this Article.

(a1)      The State Chief Information Officer shall conduct assessments of information system security, network vulnerability, including network penetration or any similar procedure. The State Chief Information Officer may contract with another party or parties to perform the assessments. Detailed reports of the security issues identified shall be kept confidential as provided in G.S. 132-6.1(c).

(b)        If the legislative branch, the judicial branch, The University of North Carolina and its constituent institutions, local school administrative units as defined by G.S. 115C-5, or the North Carolina Community Colleges System develop their own security standards, taking into consideration the mission and functions of that entity, that are comparable to or exceed those set by the State Chief Information Officer under this section, then these entities may elect to be governed by their own respective security standards, and approval of the State Chief Information Officer shall not be required before the purchase of information technology security. The State Chief Information Officer shall consult with the legislative branch, the judicial branch, The University of North Carolina and its constituent institutions, local school administrative units, and the North Carolina Community Colleges System in reviewing the security standards adopted by those entities.

(c)        Before a State agency may enter into any contract with another party for an assessment of information system security or network vulnerability, the State agency shall notify the State Chief Information Officer and obtain approval of the request. If the State agency enters into a contract with another party for assessment and testing, after approval of the State Chief Information Officer, the State agency shall issue public reports on the general results of the reviews. The contractor shall provide the State agency with detailed reports of the security issues identified that shall not be disclosed as provided in G.S. 132-6.1(c). The State agency shall provide the State Chief Information Officer with copies of the detailed reports that shall not be disclosed as provided in G.S. 132-6.1(c).

(d)        Nothing in this section shall be construed to preclude the Office of the State Auditor from assessing the security practices of State information technology systems as part of that Office's duties and responsibilities."

SECTION 6.  G.S. 147-33.112 reads as rewritten:

"§ 147-33.112.  Assessment of agency compliance with security standards.

The State Chief Information Officer shall assess periodically the ability of each agency and each agency's contracted vendors to comply with the current security enterprise-wide set of standards established pursuant to this section. The assessment shall include, at a minimum, the rate of compliance with the enterprise-wide security standards in each agency and an assessment of each agency's security organization, security practices, security industry standards, network security architecture, and current expenditures of State funds for information technology security. The assessment of an agency shall also estimate the cost to implement the security measures needed for agencies to fully comply with the standards. Each agency subject to the standards shall submit information required by the State Chief Information Officer for purposes of this assessment. The State Chief Information Officer shall include the information obtained from the assessment in the State Information Technology Plan required under G.S. 147-33.72B."

SECTION 7.  G.S. 150B-2(8a) reads as rewritten:

"§ 150B-2.  Definitions.

As used in this Chapter,

(8a)      "Rule" means any agency regulation, standard, or statement of general applicability that implements or interprets an enactment of the General Assembly or Congress or a regulation adopted by a federal agency or that describes the procedure or practice requirements of an agency. The term includes the establishment of a fee and the amendment or repeal of a prior rule. The term does not include the following:

a.         Statements concerning only the internal management of an agency or group of agencies within the same principal office or department enumerated in G.S. 143A-11 or 143B-6, including policies and procedures manuals, if the statement does not directly or substantially affect the procedural or substantive rights or duties of a person not employed by the agency or group of agencies.

b.         Budgets and budget policies and procedures issued by the Director of the Budget, by the head of a department, as defined by G.S. 143A-2 or G.S. 143B-3, by an occupational licensing board, as defined by G.S. 93B-1, or by the State Board of Elections.

c.         Nonbinding interpretative statements within the delegated authority of an agency that merely define, interpret, or explain the meaning of a statute or rule.

d.         A form, the contents or substantive requirements of which are prescribed by rule or statute.

e.         Statements of agency policy made in the context of another proceeding, including:

1.         Declaratory rulings under G.S. 150B-4.

2.         Orders establishing or fixing rates or tariffs.

f.          Requirements, communicated to the public by the use of signs or symbols, concerning the use of public roads, bridges, ferries, buildings, or facilities.

g.         Statements that set forth criteria or guidelines to be used by the staff of an agency in performing audits, investigations, or inspections; in settling financial disputes or negotiating financial arrangements; or in the defense, prosecution, or settlement of cases.

h.         Scientific, architectural, or engineering standards, forms, or procedures, including design criteria and construction standards used to construct or maintain highways, bridges, or ferries.

i.          Job classification standards, job qualifications, and salaries established for positions under the jurisdiction of the State Personnel Commission.

j.          Establishment of the interest rate that applies to tax assessments under G.S. 105-241.21 and the variable component of the excise tax on motor fuel under G.S. 105-449.80.

k.         The State Medical Facilities Plan, if the Plan has been prepared with public notice and hearing as provided in G.S. 131E-176(25), reviewed by the Commission for compliance with G.S. 131E-176(25), and approved by the Governor.

l.          Standards adopted by the Office of Information Technology Services applied to information technology as defined by G.S. 147-33.81."

SECTION 8.  This act is effective when it becomes law.

In the General Assembly read three times and ratified this the 18th day of June, 2013.

s/  Tom Apodaca
Presiding Officer of the Senate

s/  Thom Tillis
Speaker of the House of Representatives

s/  Pat McCrory
Governor

Approved 4:20 p.m. this 26th day of June, 2013