Senate File 2409 S-5228 Amend Senate File 2409 as follows: 1 1. Page 24, after line 30 by inserting: 2 < Sec. ___. Section 8.57C, subsection 3, paragraph a, Code 3 2024, is amended by striking the paragraph and inserting in 4 lieu thereof the following: 5 a. There is appropriated from the general fund of the 6 state to the technology reinvestment fund for the fiscal year 7 beginning July 1, 2025, and for each subsequent fiscal year 8 thereafter, the sum of seventeen million five hundred thousand 9 dollars. > 10 2. Page 24, line 31, by striking < a, > 11 3. Page 30, after line 33 by inserting: 12 < Sec. ___. NEW SECTION . 8.92 Cybersecurity. 13 1. It is the intent of the general assembly that state 14 and local governmental entities work collaboratively in a 15 whole-of-state approach to protect against cybersecurity risks 16 and threats to information systems owned or operated by, or on 17 behalf of, state and local governmental entities. State and 18 local governmental entities shall take steps to modernize their 19 approach to cybersecurity, including by adopting cybersecurity 20 best practices wherever possible. 21 2. A state or local governmental entity that complies 22 with chapter 554G by implementing a cybersecurity program, as 23 described in chapter 554G, shall be deemed a covered entity, 24 as defined in section 554G.1. 25 3. The department shall establish a cybersecurity reporting 26 function for local governments. The cybersecurity reporting 27 function must include but is not limited to all of the 28 following capabilities: 29 a. A hotline available continuously for local government 30 reporting of cybersecurity incidents resulting in system 31 outages or data breaches. 32 b. A method for the reporting of local government 33 cybersecurity protections including the presence of multifactor 34 authentication, event logging, use of data encryption at rest 35 -1- SF 2409.4501 (1) 90 (amending this SF 2409 to CONFORM to HF 2708) ns/jh 1/ 3 #1. #2. #3.

and in transit, the ability to reconstitute systems in the 1 event of data loss, use of the “.gov” internet domain, and 2 related cybersecurity practices. 3 4. The department is authorized to provide support to all 4 state and local governmental entities in furtherance of this 5 section, in accordance with fee schedules established by the 6 department. The department may retain fees collected under 7 this subsection in a fund created under section 8B.13. 8 5. The department is authorized to establish a grant program 9 to support local governments and political subdivisions of 10 the state in addressing cybersecurity for information systems 11 owned or operated by, or on behalf of, state, local, or tribal 12 governments. Contingent on a specific appropriation by the 13 general assembly, the department may award grants to local 14 governments and political subdivisions of the state under 15 the program for such purposes. The department may establish 16 criteria for grant program priorities, as well as policies and 17 procedures relating to the program. > 18 4. Page 31, by striking lines 27 through 29 and inserting 19 < event logging and correlation, and content caching. Network 20 services do not also include services provided by cybersecurity 21 support and information technology support for the public 22 broadcasting division of the department of education. “Network 23 services” does not extend to control of the federally licensed 24 television airwaves. > 25 5. Page 42, line 1, after < funds > by inserting < , and also 26 includes the Iowa state association of counties, the Iowa 27 league of cities, and the Iowa association of school boards > 28 6. Page 55, after line 24 by inserting: 29 < 6. a. The department shall, when feasible, prioritize the 30 procurement of cloud computing solutions and other information 31 technology and related services that are not hosted on premises 32 by the state. The department may contract for multiple cloud 33 computing solutions. The ownership of state data stored within 34 cloud computing solutions shall remain with the state. 35 -2- SF 2409.4501 (1) 90 (amending this SF 2409 to CONFORM to HF 2708) ns/jh 2/ 3 #4. #5. #6.

b. The department shall make reasonable efforts to ensure 1 the portability of state data stored within cloud computing 2 solutions. The department shall develop contractual terms 3 and conditions for cloud computing solutions to ensure the 4 confidentiality, integrity, and availability of state data and 5 to maximize cybersecurity protections. 6 c. For purposes of this subsection, “cloud computing 7 solutions” means the same as described in section 8.2, 8 subsection 20, paragraph “l” . > 9 7. Page 55, line 25, by striking < 6. > and inserting < 6. 7. > 10 8. Page 55, line 27, by striking < 5 > and inserting < 5 6 > 11 9. Page 55, line 28, by striking < 7. > and inserting < 8. > 12 10. Page 58, after line 22 by inserting: 13 < Sec. ___. NEW SECTION . 546.13 Confidential records and 14 data. 15 1. Notwithstanding sections 8E.104 and 8E.209, the 16 department of insurance and financial services shall not share 17 or provide to the department of management any trade secrets, 18 information regulated by third parties, or information deemed 19 confidential by law or contractual commitment. 20 2. The department of management shall not be the lawful 21 custodian of any department of insurance and financial services 22 records or data for purposes of chapter 22. Information 23 provided to the department of management pursuant to sections 24 8E.104 and 8E.209 shall remain confidential information of 25 the department of insurance and financial services, and any 26 statistical information derived from such information shall 27 only be disseminated by the department of management in 28 anonymized and aggregate form. > 29 11. By renumbering as necessary. 30 ______________________________ MIKE BOUSSELOT -3- SF 2409.4501 (1) 90 (amending this SF 2409 to CONFORM to HF 2708) ns/jh 3/ 3 #7. #8. #9. #10. #11.