As Passed by the House
134th General Assembly
Regular Session Sub. H. B. No. 230
2021-2022
Representatives Ray, Hall
Cosponsors: Representatives Riedel, Fraizer, Holmes, Hoops, Click, McClain, Carfagna, Abrams, Jones, Powell, Cross, Young, T., Kick, Koehler, Stephens, Hillyer, Troy, Plummer, Baldridge, Boyd, Brent, Carruthers, Galonski, Ghanbari, Ginter, Gross, Hicks-Hudson, Ingram, Jarrells, John, Johnson, Lanese, Lightbody, Liston, Merrin, Miller, A., Miller, J., Richardson, Russo, Schmidt, Smith, K., Sobecki, Swearingen, West, White
A BILL
To amend sections 107.03, 125.18, and 126.506 and to enact sections 103.28, 126.41, and 126.42 of the Revised Code regarding the state's information technology systems and shared services.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF OHIO:
Section 1. That sections 107.03, 125.18, and 126.506 be amended and sections 103.28, 126.41, and 126.42 of the Revised Code be enacted to read as follows:
Sec. 103.28. (A) As used in this section:
(1) "Department" has the same meaning as in section 121.01 of the Revised Code, except that it also includes the bureau of workers' compensation, department of education, department of higher education, department of taxation, and public utilities commission of Ohio.
(2) "Statewide elected official" means the governor, lieutenant governor, secretary of state, auditor of state, attorney general, and treasurer of state.
(B)(1) Not later than October 1, 2022, and not later than the first day of October of every even-numbered year thereafter, the administrative head of each department and each statewide elected official shall submit to the director of budget and management a report that includes information regarding each department's and official's total expenditures on information technology systems and services with respect to the previous biennium.
(2) The administrative department heads and statewide elected officials shall include in the report described under division (B)(1) of this section expenditures for the following types of information technology systems and services:
(a) Internet service;
(b) Information technology hardware, software, security, and services;
(c) Contracts with respect to any services related to maintaining and repairing information technology systems;
(d) Projects undertaken with respect to information technology;
(e) The salaries, wages, and benefits paid to employees whose duties primarily include performing information technology services.
(C) The director of budget and management shall compile the information the director receives under division (B)(1) of this section. Not later than November 1, 2022, and not later than the first day of November of every even-numbered year thereafter, the director shall submit the information to the director of the legislative service commission.
(D)(1) On receiving the information compiled under division (C) of this section, the director of the legislative service commission shall use the information to create a state information technology biennial expenditure report. The director shall make the report as brief as practicable and include both of the following in the report:
(a) The name of each department and each statewide elected official's office;
(b) Each department's and office's total expenditures in the previous biennium with respect to information technology systems and services.
(2) Not later than February 1, 2023, and not later than the first day of February of each odd-numbered year thereafter, the director shall submit the report to the general assembly in accordance with section 101.68 of the Revised Code.
Sec. 107.03. (A) As used in this section, "transportation budget" means the biennial budget that primarily includes the following:
(1) Motor fuel excise tax-related appropriations for the department of transportation, public works commission, and department of development;
(2) Other appropriations that pertain to transportation and infrastructure related to transportation.
(B) The governor shall submit a transportation budget to the general assembly not later than four weeks after the general assembly's organization.
(C) The governor shall submit to the general assembly, not later than four weeks after its organization, a state budget containing a complete financial plan for the ensuing fiscal biennium, excluding items of revenue and expenditure described in section 126.022 of the Revised Code. However, in years of a new governor's inauguration, this budget shall be submitted not later than the fifteenth day of March.
(D) In years of a new governor's inauguration, only the new governor shall submit a budget to the general assembly. In addition to other things required by law, each of the governor's budgets shall contain:
(1) A general budget summary by function and agency setting forth the proposed total expenses from each and all funds and the anticipated resources for meeting such expenses; such resources to include any available balances in the several funds at the beginning of the biennium and a classification by totals of all revenue receipts estimated to accrue during the biennium under existing law and proposed legislation.
(2) A detailed statement showing the amounts recommended to be appropriated from each fund for each fiscal year of the biennium for current expenses, including, but not limited to, information technology systems and services, personal services, supplies and materials, equipment, subsidies and revenue distribution, merchandise for resale, transfers, and nonexpense disbursements, obligations, interest on debt, and retirement of debt, and for the biennium for capital outlay, to the respective departments, offices, institutions, as defined in section 121.01 of the Revised Code, and all other public purposes; and, in comparative form, the actual expenses by source of funds during each fiscal year of the previous two bienniums for each such purpose. No alterations shall be made in the requests for the legislative and judicial branches of the state filed with the director of budget and management under section 126.02 of the Revised Code. If any amount of federal money is recommended to be appropriated or has been expended for a purpose for which state money also is recommended to be appropriated or has been expended, the amounts of federal money and state money involved shall be separately identified.
(3) A detailed estimate of the revenue receipts in each fund from each source under existing laws during each year of the biennium; and, in comparative form, actual revenue receipts in each fund from each source for each year of the two previous bienniums;
(4) The estimated cash balance in each fund at the beginning of the biennium covered by the budget; the estimated liabilities outstanding against each such balance; and the estimated net balance remaining and available for new appropriations;
(5) A detailed estimate of the additional revenue receipts in each fund from each source under proposed legislation, if enacted, during each year of the biennium;
(6) A description of each tax expenditure; a detailed estimate of the amount of revenues not available to the general revenue fund under existing laws during each fiscal year of the biennium covered by the budget due to the operation of each tax expenditure; and, in comparative form, the amount of revenue not available to the general revenue fund during each fiscal year of the immediately preceding biennium due to the operation of each tax expenditure. The report prepared by the department of taxation pursuant to section 5703.48 of the Revised Code shall be submitted to the general assembly as an appendix to the governor's budget. As used in this division, "tax expenditure" has the same meaning as in section 5703.48 of the Revised Code.
(7) The most recent TANF spending plan prepared by the department of job and family services under section 5101.806 of the Revised Code, which shall be submitted to the general assembly as an appendix to the governor's budget.
Sec. 125.18. (A) There is hereby established the office of information technology within the department of administrative services. The office shall be under the supervision of a state chief information officer to be appointed by the director of administrative services and subject to removal at the pleasure of the director. The chief information officer is an assistant director of administrative services.
(B) Under the direction of the director of administrative services, the state chief information officer shall lead, oversee, and direct state agency activities related to information technology development and use. In that regard, the state chief information officer shall do all of the following:
(1) Coordinate and superintend statewide efforts to promote common use and development of technology by state agencies. The office of information technology shall establish policies and standards that govern and direct state agency participation in statewide programs and initiatives.
(2) Coordinate with the office of procurement services to establish policies and standards for state agency acquisition of information technology supplies and services;
(3) Establish policies and standards for the use of common information technology by state agencies, including, but not limited to, hardware, software, technology services, and security, and the extension of the service life of information technology systems, with which state agencies shall comply;
(4) Establish criteria and review processes to identify state agency information technology projects or purchases that require alignment or oversight. As appropriate, the department of administrative services shall provide the governor and the director of budget and management with notice and advice regarding the appropriate allocation of resources for those projects. The state chief information officer may require state agencies to provide, and may prescribe the form and manner by which they must provide, information to fulfill the state chief information officer's alignment and oversight role;
(5) Establish policies and procedures for the security of personal information that is maintained and destroyed by state agencies;
(6) Employ a chief information security officer who is responsible for the implementation of the policies and procedures described in division (B)(5) of this section and for coordinating the implementation of those policies and procedures in all of the state agencies;
(7) Employ a chief privacy officer who is responsible for advising state agencies when establishing policies and procedures for the security of personal information and developing education and training programs regarding the state's security procedures;
(8) Establish policies on the purchasing, use, and reimbursement for use of handheld computing and telecommunications devices by state agency employees;
(9) Establish policies for the reduction of printing and for the increased use of electronic records by state agencies;
(10) Establish policies for the reduction of energy consumption by state agencies;
(11) Compute the amount of revenue attributable to the amortization of all equipment purchases and capitalized systems from information technology service delivery and major information technology purchases, MARCS administration, enterprise applications, and the professions licensing system operating appropriation items and major computer purchases capital appropriation items that is recovered as part of the information technology services rates the department of administrative services charges and deposits into the information technology fund created in section 125.15 of the Revised Code, the user fees the department of administrative services charges and deposits in the MARCS administration fund created in section 4501.29 of the Revised Code, the rates the department of administrative services charges to benefiting agencies for the operation and management of information technology applications and deposits in the enterprise applications fund, and the rates the department of administrative services charges for the cost of ongoing maintenance of the professions licensing system and deposits in the professions licensing system fund. The enterprise applications fund is hereby created in the state treasury.
(12) Regularly review and make recommendations regarding improving the infrastructure of the state's cybersecurity operations with existing resources and through partnerships between government, business, and institutions of higher education;
(13) Assist, as needed, with general state efforts to grow the cybersecurity industry in this state;
(14) Establish a strategic roadmap for migrating the state's information technology systems to the state of Ohio computer center and to the state's commercial cloud providers managed by the office of information technology.
(C)(1) The chief information security officer shall assist each state agency with the development of an information technology security strategic plan and review that plan, and each state agency shall submit that plan to the state chief information officer. The chief information security officer may require that each state agency update its information technology security strategic plan annually as determined by the state chief information officer.
(2) Prior to the implementation of any information technology data system, a state agency shall prepare or have prepared a privacy impact statement for that system.
(D) When a state agency requests a purchase of information technology supplies or services under Chapter 125. of the Revised Code, the state chief information officer may review and reject the requested purchase for noncompliance with information technology direction, plans, policies, standards, or project-alignment criteria.
(E) The office of information technology may operate technology services for state agencies in accordance with this chapter.
Notwithstanding
any provision of the Revised Code to the contrary, the office of
information technology may assess a transaction fee on each license
or registration issued as part of an electronic licensing system
operated by the office in an amount
determined by the office not to exceed three dollars and fifty cents.
The transaction fee shall apply to all transactions, regardless of
form, that immediately precede the issuance, renewal, reinstatement,
reactivation of, or other activity that results in, a license or
registration to operate as a regulated professional or entity. Each
license or registration is a separate transaction to which a fee
under this division applies. Notwithstanding any provision of the
Revised Code to the contrary, if a fee is assessed under this
section, no agency, board, or commission shall issue a license or
registration unless a fee required by this division has been
received. The director of administrative services may collect the fee
or require a state agency, board, or commission for which the system
is being operated to collect the fee. Amounts received under this
division shall be deposited in or transferred to the professions
licensing system fund created in division (H)
(I)
of
this section.
(F) With the approval of the director of administrative services, the office of information technology may establish cooperative agreements with federal and local government agencies and state agencies that are not under the authority of the governor for the provision of technology services and the development of technology projects.
(G) The office of information technology may operate a program to make information technology purchases. The director of administrative services may recover the cost of operating the program from all participating government entities by issuing intrastate transfer voucher billings for the procured technology or through any pass-through billing method agreed to by the director of administrative services, the director of budget and management, and the participating government entities that will receive the procured technology.
If the director of administrative services chooses to recover the program costs through intrastate transfer voucher billings, the participating government entities shall process the intrastate transfer vouchers to pay for the cost. Amounts received under this section for the information technology purchase program shall be deposited to the credit of the information technology governance fund created in section 125.15 of the Revised Code.
(H) Upon request from the director of administrative services, the director of budget and management may transfer cash from the information technology fund created in section 125.15 of the Revised Code, the MARCS administration fund created in section 4501.29 of the Revised Code, the enterprise applications fund created in division (B)(11) of this section, or the professions licensing system fund created in division (I) of this section to the major information technology purchases fund in an amount not to exceed the amount computed under division (B)(11) of this section. The major information technology purchases fund is hereby created in the state treasury.
(I) There is hereby created in the state treasury the professions licensing system fund. The fund shall be used to operate the electronic licensing system referenced in division (E) of this section.
(J) As used in this section:
(1) "Personal information" has the same meaning as in section 149.45 of the Revised Code.
(2) "State agency" means every organized body, office, or agency established by the laws of the state for the exercise of any function of state government, other than any state-supported institution of higher education, the office of the auditor of state, treasurer of state, secretary of state, or attorney general, the adjutant general's department, the bureau of workers' compensation, the industrial commission, the public employees retirement system, the Ohio police and fire pension fund, the state teachers retirement system, the school employees retirement system, the state highway patrol retirement system, the general assembly or any legislative agency, the capitol square review advisory board, or the courts or any judicial agency.
Sec. 126.41. (A) The biannual advisory committee on state information and technology is created. The committee shall examine the state's information technology systems and services, including all of the following topics:
(1) The state's spending on information technology systems and services;
(2) Possible enhancements to the state's information technology systems and services, including improvements to state-owned application software;
(3) Initiatives regarding the state's information technology systems and services;
(4) Any feedback from state and county users of the state's information technology systems and services.
(B)(1) The committee may develop recommendations with respect to the topics the committee examines under division (A) of this section. In developing the recommendations, the committee shall consider the report the cybersecurity and fraud advisory board submits to the committee pursuant to section 126.42 of the Revised Code.
(2) After the committee receives the report from the cybersecurity and fraud advisory board, the committee may submit its recommendations to the director of administrative services, who shall make them publicly available on the internet web site maintained by the department of administrative services.
(3) The committee may require the cybersecurity and fraud advisory board to submit an updated report as the committee determines necessary to ensure the report reflects the best practices regarding cybersecurity and fraud prevention that exist at the time the board submits the updated report. If the committee requires the updated report, the committee may update the committee's recommendations and submit them to the director, who shall make them publicly available on the department's internet web site.
(C) The committee consists of the following nine members:
(1) The chairpersons of the standing committees of the senate and the house of representatives to which legislation pertaining to information technology is customarily referred, as appointed by the president of the senate and the speaker of the house of representatives, respectively;
(2) Two members of the senate, appointed by the president of the senate, not more than one of whom shall be a member of the majority party;
(3) Two members of the house of representatives, appointed by the speaker of the house of representatives, not more than one of whom shall be a member of the majority party;
(4) The state chief information officer appointed under section 125.18 of the Revised Code or the officer's designee;
(5) The chief information security officer employed under section 125.18 of the Revised Code or the officer's designee;
(6) One member who is a state employee appointed by the governor.
(D) The committee member appointed by the governor serves for a term of two years ending on the same day as the date of the member's original appointment. Legislative members serve during the session of the general assembly in which they are appointed to the committee and for as long as they are members of the general assembly. Vacancies shall be filled in the same manner as original appointments.
(E) Members of the committee serve without compensation and shall not be reimbursed for expenses. Members serve at the pleasure of the appointing authority.
(F)(1) The committee shall organize itself and select co-chairpersons from among its members, one of whom shall be a member of the senate, and one of whom shall be a member of the house of representatives. The committee shall meet at the call of the co-chairpersons.
(2) The committee shall hold at least two meetings each year. For at least one meeting, the committee shall focus solely on soliciting feedback from county departments that use the state's information technology systems and services. The committee shall use the feedback to assist the committee in developing recommendations regarding possible improvements to those systems.
Sec. 126.42. (A)(1) The cybersecurity and fraud advisory board is created. The board shall examine and develop recommendations with regard to best practices in, shared experiences regarding, and future efforts to improve cybersecurity and fraud prevention with respect to the information technology systems and shared services used across state agencies.
(2) The board shall not examine open vulnerabilities, security protocols, or legal issues with respect to the state's cybersecurity and fraud prevention measures.
(B)(1) The board shall submit a report of its findings and recommendations concerning the topics the board examines under division (A)(1) of this section to the biannual advisory committee on state information and technology not later than six months after the date of the board's first meeting. Pursuant to division (B) of section 126.41 of the Revised Code, the committee may require the board to submit an updated report as the committee determines necessary to ensure the report reflects the best practices regarding cybersecurity and fraud prevention that exist at the time the board submits the updated report.
(2) The board periodically shall review the most recent report submitted under division (B)(1) of this section as the board determines necessary to ensure the report reflects the best practices that exist at the time of review.
(C) The board consists of the following six members, all of whom must have a background and expertise in cybersecurity or fraud prevention to be eligible for appointment:
(1) One member, who is an employee of the department of administrative services, appointed by the governor;
(2) One member, who is an employee of the department, appointed by the attorney general;
(3) One member, who is an employee of the department, appointed by the auditor of state;
(4) One member, who is an employee of the department, appointed by the secretary of state;
(5) One member, who is an employee of the department, appointed by the treasurer of state;
(6) The chief information security officer employed under section 125.18 of the Revised Code.
(D) The chief information security officer serves as the chairperson of the board. The board shall meet at the call of the chairperson and shall meet at least twice each year.
(E) Members serve without compensation and shall not be reimbursed for expenses. Members serve at the pleasure of the appointing authority. Vacancies shall be filled in the same manner as original appointments.
(F) The board shall not hold an executive session pursuant to division (G) of section 121.22 of the Revised Code.
Sec. 126.506. (A) Each state agency shall participate in information technology consolidation projects implemented by the state chief information officer under section 125.18 of the Revised Code.
(B) At the direction of and in the format specified by the director of administrative services, each state agency shall maintain a list of information technology assets possessed by the agency and associated costs related to those assets.
(C) The director shall maintain a list of state-owned application software and associated hardware in a format specified by the director.
Section 2. That existing sections 107.03, 125.18, and 126.506 of the Revised Code are hereby repealed.
Section 3. (A) As used in this section, "state agency" has the same meaning as in section 126.50 of the Revised Code.
(B) Subject to division (C) of this section, the Director of Administrative Services, in accordance with the requirements for competitive sealed proposals under section 125.071 of the Revised Code, shall enter into a contract with a private entity pursuant to which the entity agrees to do both of the following:
(1) Study all of the following:
(a) The state's management practices regarding information technology systems and shared services, including procurement, centralization opportunities, and other future improvements;
(b) The state's best practices and standards regarding the state's use of cloud services, including software as a service;
(c) Notwithstanding any provision of section 125.32 of the Revised Code to the contrary, the state's data sharing practices and opportunities to leverage the state's centralized data sharing platform.
(2) Prepare a report that includes the entity's findings from the study performed under division (B)(1) of this section and submit the report to the General Assembly not later than eighteen months after the date the Director awards the contract to perform the study.
(C) Before entering into the contract described in division (B) of this section, the Director shall request approval from the Controlling Board to make expenditures under the contract. If the Controlling Board denies the Director's request, the Director shall not enter into the contract.
(D)(1) The Director shall do both of the following:
(a) Identify opportunities to leverage the buying power of the state for application software used at multiple state agencies;
(b) Identify existing data and information silos that exist throughout the state's information technology systems.
(2) The Director shall prepare and submit a report that includes the information described in division (D)(1) of this section to the General Assembly not later than twenty months after the effective date of this section.
(E) The Director of Administrative Services, in consultation with the Director of Budget and Management, shall conduct a study that analyzes the average industry fee rates charged for data hosting services. The Director of Administrative Services shall conclude the study and submit the findings of the study to the Director of Budget and Management not later than six months after the effective date of this section. Not later than six months after the Director of Administrative Services submits the study, the Director of Budget and Management may set the fees the Director of Budget and Management charges for data hosting services to rates that are comparable to average industry rates.