House File 1028 - Enrolled House File 1028 AN ACT RELATING TO MATTERS UNDER THE PURVIEW OF THE DEPARTMENT OF MANAGEMENT, AND INCLUDING EFFECTIVE DATE AND APPLICABILITY PROVISIONS. BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA: Section 1. Section 8.39, subsection 2, Code 2026, is amended to read as follows: 2. If the appropriation of a department, institution, or agency is insufficient to properly meet the legitimate expenses of the department, institution, or agency, the director of the department of management , with the approval of the governor, may make an interdepartmental transfer from any other department, institution, or agency of the state having an appropriation in excess of its needs, of sufficient funds moneys to meet that deficiency. Such transfer shall be to an appropriation made from the same funding source and within the same fiscal year. The amount of a transfer made from an appropriation under this subsection shall be limited to not more than one-tenth of one percent of the total of all

House File 1028, p. 2 appropriations made from the funding source of the transferred appropriation for the fiscal year in which the transfer is made. An interdepartmental transfer to an appropriation which is not an entitlement appropriation is not authorized when the general assembly is in regular session and, in addition, the sum of interdepartmental transfers in a fiscal year to an appropriation which is not an entitlement appropriation shall not exceed fifty one hundred percent of the amount of the appropriation as enacted by the general assembly. For the purposes of this subsection , an entitlement appropriation is : a. “Appropriation in excess of its needs” means the amount appropriated by the general assembly for a purpose is determined by the department, institution, or agency receiving the appropriation to be more than the amount necessary to carry out that purpose. An appropriation for an unspecified dollar amount, whether the appropriation is limited to be sufficient to carry out a particular purpose or is unlimited, shall not be considered an appropriation in excess of a department’s, institution’s, or agency’s needs. b. “Entitlement appropriation” means a line item appropriation to the state public defender for indigent defense or to the department of health and human services for foster care, state supplementary assistance, medical assistance, or for the family investment program. Sec. 2. Section 8.57C, subsections 2, 3, and 4, Code 2026, are amended to read as follows: 2. Moneys in the fund in a fiscal year shall be used as appropriated by the general assembly for the acquisition of computer hardware and software, software development, telecommunications equipment, and maintenance and lease agreements associated with technology components and for the purchase of equipment intended to provide an uninterruptible power supply to the department of management to provide a stable funding source for implementation costs of state information technology projects that enhance the state’s technology infrastructure, improve government services, and promote innovation and economic development, including but not limited to new information technology projects and infrastructure replacement efforts of a department or

House File 1028, p. 3 establishment, while protecting the privacy of residents of this state . 3. a. There is appropriated from the general fund of the state to the technology reinvestment fund for the fiscal year beginning July 1, 2026, and for each fiscal year thereafter, the sum of seventeen million five hundred thousand dollars. b. There is appropriated from the rebuild Iowa infrastructure fund for the fiscal year beginning July 1, 2025, and ending June 30, 2026, the sum of eighteen million two hundred sixty-nine thousand two hundred seventeen dollars to the technology reinvestment fund, notwithstanding section 8.57, subsection 3 , paragraph “c” . 3. a. The department of management shall prioritize proposed projects based on all of the following considerations: (1) Whether the project aligns with the state’s strategic priorities. (2) Whether the project promotes or introduces new technology or significantly improves an existing system. (3) Whether the project is feasible and whether the department or establishment has established readiness for the project to proceed, including a clear assessment of timelines, budgets, and measurable outcomes. (4) Whether the project includes a clear change management strategy to support user adoption and aligns with lean enterprise principles to maximize value, minimize waste, and ensure continuous improvement. (5) Whether the project provides a positive return on investment, considering both financial returns and nonfinancial benefits such as improved public safety, education, or health care. (6) Whether the project results in infrastructure that is scalable across the state enterprise. (7) Whether the department or establishment has identified how the completed project will be sustained beyond the initial funding period. (8) Whether the project improves access to governmental services, particularly in rural communities. (9) Whether the project involves an infrastructure project as opposed to maintenance or standard upgrades of existing

House File 1028, p. 4 technology. b. The department of management shall provide a prioritized list of proposed projects for funding to the governor, who shall use the list in developing a budgetary recommendation for the general assembly pursuant to section 8.21 for the fiscal year beginning July 1, 2027, and for each fiscal year thereafter. c. Notwithstanding section 8.33, moneys in the technology reinvestment fund that remain unencumbered or unobligated at the close of a fiscal year shall not revert but shall remain available for expenditure for the purposes designated until the close of the fiscal year that ends two years after the end of the fiscal year for which the appropriation was made. Notwithstanding section 12C.7, subsection 2, interest or earnings on moneys in the fund shall be credited to the fund. 4. Annually, on On or before January 15 of each year, a state agency that received an appropriation from this fund the department of management shall report to the legislative services agency and the department of management general assembly the status of all projects funded under this section that have been completed since the previous report was submitted or that are in progress. The report shall must include a description of the project, the progress of work completed, the total estimated cost of the project, a list of all revenue sources being used to fund the project, the amount of funds moneys expended, the amount of funds moneys obligated, and the date the project was completed or an estimated completion date of the project, where applicable. Sec. 3. Section 8.78, Code 2026, is amended to read as follows: 8.78 Background checks. An applicant for employment with the department, or an applicant for employment with a supported entity for a position as information technology staff, may be subject to a background investigation by the department. The background investigation may include, without limitation, a work history, financial review, request for criminal history data, and national criminal history check through the federal bureau of investigation. In addition, a contractor, vendor, employee, or

House File 1028, p. 5 any other individual performing work for the department, or an individual on the information technology staff of a supported entity, may be subject to a national criminal history check through the federal bureau of investigation at least once every ten five years, including, without limitation, any time the department or supported entity has reason to believe an individual has been convicted of a crime. The department may request the national criminal history check and, if requested, shall provide the individual’s fingerprints to the department of public safety for submission through the state criminal history repository to the federal bureau of investigation. The individual shall authorize release of the results of the national criminal history check to the department and the applicable supported entity. The department shall pay the actual cost of the fingerprinting and national criminal history check, if any, unless otherwise agreed as part of a contract between the department or supported entity and a vendor or contractor performing work for the department or supported entity. The results of a criminal history check conducted pursuant to this section shall not be considered a public record under chapter 22 . Sec. 4. NEW SECTION . 8.94 Contracts —— prohibited terms. Provisions included in a contract entered into pursuant to this subchapter that impose terms or conditions prohibited by this section are void as contrary to public policy. Such a contract shall be interpreted and enforced as if the contract did not include the prohibited terms or conditions. Prohibited terms and conditions include all of the following: 1. A provision requiring the department or a supported entity to defend, indemnify, hold harmless another person, or otherwise assume the debt or liability of another person in violation of Article VII, section 1, of the Constitution of the State of Iowa. 2. A provision that seeks to impose a term that is unknown to the department or supported entity at the time of signing the contract or that can be unilaterally changed by an entity other than the department or a supported entity. 3. A provision that violates chapter 13 by not allowing the department or a supported entity to participate in its own

House File 1028, p. 6 defense through representation by the attorney general. 4. A provision that grants to a person other than the attorney general the authority to convey to a court or litigant the state’s consent to any settlement of a suit involving the contract when such settlement could impose liability on the state. 5. A provision that specifies that the contract is governed by the laws of a foreign state or nation. 6. A provision that claims blanket confidentiality of the contract’s terms. 7. A provision that claims that payment terms, including but not limited to cost proposals or other pricing information, of the contract are confidential. 8. A provision that authorizes or requires a venue for litigation other than an appropriate state or federal court sitting in Iowa. 9. A provision that requires the department or a supported entity to pay attorney fees, court costs, or other litigation expenses in the event of a contractual dispute. 10. A provision that imposes on the department or a supported entity binding arbitration or any other binding extrajudicial dispute resolution process in which the final resolution is not determined by the state. 11. A provision that waives the department’s or a supported entity’s right to a jury trial. 12. A provision that obligates the department or a supported entity to pay late payment charges not consistent with section 8A.514, interest greater than allowed under section 8A.514 or other applicable law, or any cancellation charges, as such charges constitute pledges of the state’s credit. 13. A provision that obligates the department or a supported entity to pay a tax. 14. A provision that imposes a prior notice obligation on the department or a supported entity as a condition for the automatic renewal of a software license. The department or a supported entity may provide notice of its intent to terminate a software license at any time before the renewal date established in the contract. 15. A provision that obligates the department or a supported

House File 1028, p. 7 entity to accept risk of loss before the receipt of items or goods. 16. A provision that obligates the department or a supported entity to have commercial insurance. 17. A provision that obligates the department or a supported entity to grant to a nongovernmental entity full or partial ownership of intellectual property developed pursuant to the contract when the intellectual property is developed in whole or in part using federal funding. 18. A provision that limits the time in which the department or a supported entity may bring a legal claim under the contract to a period shorter than that provided in Iowa law. 19. A boilerplate provision included in transactional documents received by the department or a supported entity that seeks to alter the terms of the contract or to impose new terms in the contract. Sec. 5. NEW SECTION . 8.95 Contracts —— required terms. All of the following provisions shall be deemed to be included in a contract entered into by the department or a supported entity under this subchapter: 1. Governing law. The contract shall be governed by the laws of the state of Iowa, without giving effect to any conflicts of law principles of Iowa law that may require the application of another jurisdiction’s law. 2. Venue. Any litigation commenced in connection with the contract shall be brought and maintained in an appropriate state or federal court sitting in Iowa. 3. State data. “State data” means all data, records, information, or content, in any form, that is provided by a state governmental entity to a vendor or that is collected, generated, or otherwise obtained by the vendor in the course of providing a good or service to the state governmental entity. “State data” does not include aggregated or deidentified data collected by the vendor and used exclusively for the vendor’s internal purposes directly related to evaluating or improving system performance, ensuring reliability, evaluating product functionality, conducting system analytics, projecting needs through capacity planning, ensuring license compliance, or evaluating security. State data shall at all times remain the

House File 1028, p. 8 sole and exclusive property of the state, and the vendor shall use state data only as necessary to provide the contracted services to the state. Upon request, the vendor shall provide the state, at no cost, a current copy of all state data in a commercially reasonable and state-acceptable digital format that enables the state to readily use, transfer, or migrate the state data. Except to the extent retention of state data is required by law, grant, or other governmental requirement, the vendor shall, after confirming that the state has received a copy of the state data, permanently delete all state data within a commercially reasonable period of time after the conclusion or termination of the contract. At all times, including any post-contract period in which state data is retained due to record retention obligations, the vendor shall protect state data in accordance with current state data protection policies. Sec. 6. NEW SECTION . 8.96 Contracts —— limitation of liability —— prohibited terms. Notwithstanding section 8A.311, subsection 22, and rules adopted pursuant to that subsection, the director may include a contractual limitation of vendor liability in information technology goods and services contracts. A contractual limitation of vendor liability must take into consideration the public interest and the mitigation of risks associated with the use of information technology goods or services. Any portion of a contractual limitation of vendor liability that includes a repudiation of all liability for cybersecurity incidents or a limitation on the vendor’s liability for intentional torts, criminal acts, fraudulent conduct, intentional or willful misconduct, gross negligence, death, bodily injury, damage to real or personal property, intellectual property violations, liquidated damages, compliance with applicable laws, violations of confidential information obligations, or contractual obligations of the vendor pertaining to indemnification shall be void as a matter of law as contrary to public policy. A contractual limit of vendor liability that does not apply equally to the contracted parties or that limits a vendor’s liability to less than the contract value inclusive of all possible extensions is void as a matter of law as contrary to

House File 1028, p. 9 public policy. Sec. 7. NEW SECTION . 8.97 Confidentiality of communications with chief information security officer. In the interest of facilitating communication between the chief information security officer and other entities concerning security incidents and security breaches, all such communications and any documents generated based in whole or in part on such communications are confidential. Notwithstanding chapter 22 or any other provision of law to the contrary, the department shall not release such communications pursuant to state open records laws, and such communications shall not be received into evidence, subject to discovery, or otherwise used in a trial, hearing, or other proceeding in or before any court, regulatory body, or other authority of the state or a political subdivision of the state, unless the communications are subject to a protective order that prohibits further disclosure of such communications and requires any court filings of such communications to be made under seal. It is the intent of the general assembly that these prohibitions and restrictions also apply to federal courts, regulatory bodies, and other authorities and for purposes of federal open records laws, to the extent allowed by federal law and court rules. The chief information security officer shall not release such communications other than for any of the following purposes: 1. Identifying a cybersecurity threat, including the source of the cybersecurity threat, or a security vulnerability, and then only to government officials for purposes of addressing the threat. 2. Responding to, or otherwise preventing or mitigating, a specific threat of death, serious bodily harm, or serious economic harm. 3. Responding to, investigating, prosecuting, or otherwise preventing or mitigating a serious threat to a minor, including sexual exploitation and threats to physical safety. 4. Preventing, investigating, disrupting, or prosecuting an offense under state or federal law. 5. Providing a confidential cybersecurity briefing to the governor or a member of the general assembly. Sec. 8. NEW SECTION . 8.98 Criminal justice information.

House File 1028, p. 10 1. The department is authorized to maintain an integrated information system that enables automated data sharing among the executive branch, judicial branch, and local agencies. 2. The department is designated as the Iowa statistical analysis center for the purpose of coordinating with data resource agencies to provide data and analytical information to federal, state, and local governments. Notwithstanding any other provision of state law to the contrary, unless prohibited by federal law or regulation, the department shall be granted access, for purposes of research and evaluation, to all of the data listed in this subsection, except that intelligence data and peace officer investigative reports maintained by the department of public safety shall not be considered data for the purposes of this section. The department of management and any record, data, or information obtained by the department under this subsection is subject to the federal and state confidentiality laws and rules, including as described in chapter 22, applicable to the original record, data, or information, and to the original custodian of the record, data, or information. Authorized access under this subsection includes but is not limited to all of the following: a. Juvenile court records and all other information maintained under sections 232.147 through 232.151. b. Child abuse information under sections 235A.15 through 235A.19. c. Dependent adult abuse records maintained under chapter 235B. d. Criminal history data maintained under chapter 692. e. Sex offender registry information maintained under chapter 692A. f. Presentence investigation reports maintained under section 901.4. g. Corrections records maintained under sections 904.601 and 904.602. h. Community-based correctional program records maintained under chapter 904. i. Parole records maintained under chapter 906. j. Deferred judgment, deferred or suspended sentence, and probation records maintained under chapter 907.

House File 1028, p. 11 k. Violation of parole or probation records maintained under chapter 908. l. Fine and victim restitution records maintained under chapters 909 and 910. m. Child welfare records maintained under chapter 235. 3. The department is authorized to provide data analysis and reporting on issues that may affect the state’s correctional population and various subgroups of the population. This reporting may include the review of filed, public legislative bills, joint resolutions, and amendments, and compiling criminal justice data for completion of correctional impact statements under section 2.56, minority impact statements, and an annual prison population forecast. 4. The department is authorized to maintain a multiagency information system to track the progress of juveniles and adults who have been charged with a criminal offense in the court system through various state and local agencies and programs. This system must utilize existing databases, including the Iowa court information system, the Iowa corrections offender network, the child welfare information system of the department of health and human services, the federally mandated national adoption and foster care information system, and other state and local databases pertaining to juveniles and to adults who have been charged with a criminal offense in the court system, to the extent practicable. 5. The multiagency information system is authorized to count and track decision points for juveniles in the juvenile justice system and minors in the child welfare system, evaluate the experiences of the juveniles and minors, and evaluate the success of the services provided. The system is also authorized to count and track decision points for adults who have been charged with a criminal offense in the court system, including but not limited to dismissed charges, convictions, deferred judgments, and sentence information. 6. If the department has insufficient moneys or resources to implement this section, the department is authorized to determine which portion of this section may be implemented, if any, and the remainder of this section shall not apply.

House File 1028, p. 12 Sec. 9. NEW SECTION . 8.99 Confidentiality of data. 1. For purposes of chapter 22, the department shall not be deemed to be the lawful custodian of records the department maintains for another department or establishment under this subchapter, to the extent the records in question are held by the department as an automated data processing unit of government or held by the department solely for storage for another department or establishment. Such records include but are not limited to all of the following: a. Electronic messaging system data. b. Mainframe data. c. Storage solutions or other electronic information, such as on-premises server data storage and cloud data storage. 2. If the department receives a request pursuant to chapter 22 for records over which the department has determined it is not the lawful custodian, the department shall deny the request and inform the requester to seek the information from the lawful custodian as provided in chapter 22. The department’s determination that it is not the lawful custodian of records is presumed valid. The presumption may be rebutted by clear and convincing evidence to the contrary. 3. The department shall provide assistance to the lawful custodian of records held by the department so that the lawful custodian can comply with the production obligations of chapter 22. 4. If the department receives a subpoena in an administrative, civil, or criminal case for records for which the department is not the lawful custodian, the department shall notify the lawful custodian and the attorney general’s office and cooperate in any efforts to resist the subpoena. Sec. 10. Section 216A.131A, Code 2026, is amended to read as follows: 216A.131A Criminal and juvenile justice planning. The department shall fulfill the responsibilities of this subchapter , including the duties specified in sections 216A.133, 216A.135, 216A.136 , 216A.137 , 216A.138 , and 216A.140 . Sec. 11. Section 216A.133, subsection 1, paragraphs d, e, f, l, and t, Code 2026, are amended by striking the paragraphs. Sec. 12. Section 216A.133, subsection 1, paragraph q,

House File 1028, p. 13 subparagraphs (1) and (6), Code 2026, are amended by striking the subparagraphs. Sec. 13. Section 216A.133, subsection 1, paragraph s, Code 2026, is amended to read as follows: s. Provide expertise and advice to the legislative services agency, the department of management, the department of corrections, the judicial branch, and others charged with formulating fiscal, correctional, or minority impact statements. Sec. 14. Section 216A.135, subsection 2, paragraph e, Code 2026, is amended by striking the paragraph. Sec. 15. Section 232.147, subsection 2, paragraph i, Code 2026, is amended to read as follows: i. The statistical analysis center for the purposes stated in section 216A.136 8.98 . Sec. 16. Section 232.147, subsection 3, paragraph n, Code 2026, is amended to read as follows: n. The statistical analysis center for the purposes stated in section 216A.136 8.98 . Sec. 17. Section 232.147, subsection 4, paragraph i, Code 2026, is amended to read as follows: i. The statistical analysis center for the purposes stated in section 216A.136 8.98 . Sec. 18. Section 232.149, subsection 5, paragraph f, Code 2026, is amended to read as follows: f. The statistical analysis center for the purposes stated in section 216A.136 8.98 . Sec. 19. Section 232.149A, subsection 3, paragraph m, Code 2026, is amended to read as follows: m. The statistical analysis center for the purposes stated in section 216A.136 8.98 . Sec. 20. REPEAL. Sections 216A.136, 216A.137, and 216A.138, Code 2026, are repealed. Sec. 21. EFFECTIVE DATE. The following take effect July 1, 2027: The portions of the section of this Act amending section 8.57C, subsections 2 and 4. Sec. 22. APPLICABILITY. The following apply to contracts entered into or renewed on or after July 1, 2026:

House File 1028, p. 14 1. The section of this Act enacting section 8.94. 2. The section of this Act enacting section 8.95. 3. The section of this Act enacting section 8.96. ______________________________ PAT GRASSLEY Speaker of the House ______________________________ AMY SINCLAIR President of the Senate I hereby certify that this bill originated in the House and is known as House File 1028, Ninety-first General Assembly. ______________________________ MEGHAN NELSON Chief Clerk of the House Approved _______________, 2026 ______________________________ KIM REYNOLDS Governor