Senate File 2409
S-5228

Amend Senate File 2409 as follows:
1. Page 24, after line 30 by inserting:
<Sec. ___. Section 8.57C, subsection 3, paragraph a, Code 2024, is amended by striking the paragraph and inserting in lieu thereof the following:
a. There is appropriated from the general fund of the state to the technology reinvestment fund for the fiscal year beginning July 1, 2025, and for each subsequent fiscal year thereafter, the sum of seventeen million five hundred thousand dollars.>
2. Page 24, line 31, by striking <a,>
3. Page 30, after line 33 by inserting:
<Sec. ___. NEW SECTION. 8.92 Cybersecurity.
1. It is the intent of the general assembly that state and local governmental entities work collaboratively in a whole-of-state approach to protect against cybersecurity risks and threats to information systems owned or operated by, or on behalf of, state and local governmental entities. State and local governmental entities shall take steps to modernize their approach to cybersecurity, including by adopting cybersecurity best practices wherever possible.
2. A state or local governmental entity that complies with chapter 554G by implementing a cybersecurity program, as described in chapter 554G, shall be deemed a covered entity, as defined in section 554G.1.
3. The department shall establish a cybersecurity reporting function for local governments. The cybersecurity reporting function must include but is not limited to all of the following capabilities:
a. A hotline available continuously for local government reporting of cybersecurity incidents resulting in system outages or data breaches.
b. A method for the reporting of local government cybersecurity protections including the presence of multifactor authentication, event logging, use of data encryption at rest and in transit, the ability to reconstitute systems in the event of data loss, use of the “.gov” internet domain, and related cybersecurity practices.
4. The department is authorized to provide support to all state and local governmental entities in furtherance of this section, in accordance with fee schedules established by the department. The department may retain fees collected under this subsection in a fund created under section 8B.13.
5. The department is authorized to establish a grant program to support local governments and political subdivisions of the state in addressing cybersecurity for information systems owned or operated by, or on behalf of, state, local, or tribal governments. Contingent on a specific appropriation by the general assembly, the department may award grants to local governments and political subdivisions of the state under the program for such purposes. The department may establish criteria for grant program priorities, as well as policies and procedures relating to the program.>
SF 2409.4501 (1) 90 (amending this SF 2409 to CONFORM to HF 2708) ns/jh
4. Page 31, by striking lines 27 through 29 and inserting <event logging and correlation, and content caching. Network services do not also include services provided by cybersecurity support and information technology support for the public broadcasting division of the department of education. “Network services” does not extend to control of the federally licensed television airwaves.>
5. Page 42, line 1, after <funds> by inserting <, and also includes the Iowa state association of counties, the Iowa league of cities, and the Iowa association of school boards>
6. Page 55, after line 24 by inserting:
<6. a. The department shall, when feasible, prioritize the procurement of cloud computing solutions and other information technology and related services that are not hosted on premises by the state. The department may contract for multiple cloud computing solutions. The ownership of state data stored within cloud computing solutions shall remain with the state.
b. The department shall make reasonable efforts to ensure the portability of state data stored within cloud computing solutions. The department shall develop contractual terms and conditions for cloud computing solutions to ensure the confidentiality, integrity, and availability of state data and to maximize cybersecurity protections.
c. For purposes of this subsection, “cloud computing solutions” means the same as described in section 8.2, subsection 20, paragraph “l”.>
7. Page 55, line 25, by striking <6.> and inserting <6. 7.>
8. Page 55, line 27, by striking <5> and inserting <5 6>
9. Page 55, line 28, by striking <7.> and inserting <8.>
10. Page 58, after line 22 by inserting:
<Sec. ___. NEW SECTION. 546.13 Confidential records and data.
1. Notwithstanding sections 8E.104 and 8E.209, the department of insurance and financial services shall not share or provide to the department of management any trade secrets, information regulated by third parties, or information deemed confidential by law or contractual commitment.
2. The department of management shall not be the lawful custodian of any department of insurance and financial services records or data for purposes of chapter 22. Information provided to the department of management pursuant to sections 8E.104 and 8E.209 shall remain confidential information of the department of insurance and financial services, and any statistical information derived from such information shall only be disseminated by the department of management in anonymized and aggregate form.>
11. By renumbering as necessary.

______________________________
MIKE BOUSSELOT