|
House Engrossed Senate Bill |
|
State of Arizona Senate Fifty-second Legislature Second Regular Session 2016
|
|
SENATE BILL 1434 |
|
|
|
|
AN ACT
amending Title 41, chapter 32, article 1, Arizona Revised Statutes, by adding sections 41-3509 and 41-3510; relating to information technology.
(TEXT OF BILL BEGINS ON NEXT PAGE)
Be it enacted by the Legislature of the State of Arizona:
Section 1. Title 41, chapter 32, article 1, Arizona Revised Statutes, is amended by adding sections 41-3509 and 41-3510, to read:
41-3509. Consolidation and shared services; transfer of information technology infrastructure; report
A. The department shall IDENTIFY OPPORTUNITIES for information technology consolidation and shared services, including consolidating servers and data centers.
B. The department shall adopt a policy that establishes a two-year hardware, platform and software refresh evaluation cycle for budget units that requires each budget unit to evaluate and progressively migrate the budget unit's information technology assets to use a commercial cloud computing model or cloud model as defined by the national institute of standards and technology. The policy must direct budget units to consider purchasing and using cloud computing services before making any new information technology or telecommunications investment.
C. policies adopted pursuant to subsection b of this section shall include the following guidelines:
1. privacy and security that requires any off-premises environment to conform to the applicable federal risk and authorization management program, health insurance portability and accountability act privacy standards (42 code of federal regulations section 164.512 (e)), family educational rights and privacy act of 1974 (p.l. 93‑380), criminal justice information services security policy, payment card industry data security standard, internal revenue service publication 1075, federal information security modernization act of 2014 (p.l. 113‑283), national institute of standards and technology special publication 800‑53, national institute of standards and technology special publication 800‑171 and federal information processing standards publication 200 based on data attributes.
2. cyber security that addresses and incorporates applicable cyber security management and incident reporting requirements in the policy pursuant to the national institute of standards and technology publications and the national institute of standards and technology cyber security framework.
3. data categorization that assesses data and determines privacy and security limits before migration and that conforms with applicable internal revenue service publication 1075, federal information processing standards publication 199 and standards for SECURITY CATEGORIZATION of federal information and information systems.
4. third party categories, including hardware, platform or software migrations, that require third parties to conform to the applicable national institute of standards and technology definition of cloud computing Special publication 800-145.
5. economic value that requires evaluation of the total cost of ownership analysis of a period of not less than five years for all consolidation efforts considered.
6. DATA AND NETWORK STANDARDS THAT REQUIRE ANY ENVIRONMENT CONSIDERED FOR USE CERTIFIES ALL TRAFFIC TO AND FROM the hosting environment and the location of the data will reside within the united states.
7. applicable data security that conforms to data in transit and data at rest encryption standards as referenced in federal information processing standards publication 140‑2, security requirements for cryptographic modules.
D. On or before January 1, 2017, each budget unit shall report to the department regarding the budget unit's plan for migrating the budget unit's information technology INFRASTRUCTURE.
E. Beginning January 1, 2017, each budget unit shall report to the department, the chief information officer and the chairperson of the joint legislative budget committee on or before January 1 and July 1 of each year on the budget unit's progress in transferring data pursuant to subsection B of this section and any factors delaying or inhibiting the expansion of cloud computing usage.
f. notwithstanding any other law, a purchase or contract for information technology projects that exceeds one hundred thousand dollars pursuant to this section requires the department to solicit at least two written bids from qualified bidders before the contract may be awarded.
41-3510. Information technology infrastructure plan; joint legislative budget committee review
A budget unit shall submit each information technology infrastructure plan to the joint legislative budget committee for review within ninety days after awarding any contract for information technology INFRASTRUCTURe that exceeds two million five hundred thousand dollars. The joint legislative budget committee may meet in executive session to consider the plan. The plan shall include all of the following:
1. A project investment justification or request for proposal.
2. The name of each bidder that was requested to bid, and each bidder that submitted a bid for the project and the amounts and conditions of the bids.