H.F. 651 DIVISION I 1 CLOUD COMPUTING 2 Section 1. Section 8B.1, Code 2021, is amended by adding the 3 following new subsections: 4 NEW SUBSECTION . 2A. “Cloud computing” means the same as 5 defined in the United States national institute of standards 6 and technology’s special publication 800-145. 7 NEW SUBSECTION . 5A. “Foreign government” means a government 8 other than the government of the United States, its states, 9 territories, or possessions. 10 Sec. 2. Section 8B.9, Code 2021, is amended by adding the 11 following new subsection: 12 NEW SUBSECTION . 5A. An annual report regarding the cloud 13 computing solutions the office procured pursuant to section 14 8B.24, subsection 5A. The annual report shall include all of 15 the following: 16 a. The cost, security, and capacity of the cloud computing 17 solutions. 18 b. The compatibility of the cloud computing solutions with 19 associated state information technology applications. 20 c. The cloud computing solutions’ compliance with state 21 and federal laws, regulations, and standards for information 22 technology. 23 Sec. 3. Section 8B.9, subsection 6, Code 2021, is amended 24 to read as follows: 25 6. Beginning October 1, 2019, a quarterly an annual report 26 regarding the status of technology upgrades or enhancements 27 for state agencies, submitted to the general assembly and to 28 the chairpersons and ranking members of the senate and house 29 committees on appropriations. The quarterly annual report 30 shall also include a listing of state agencies coordinating or 31 working with the office and a listing of state agencies not 32 coordinating or working with the office. 33 Sec. 4. Section 8B.24, Code 2021, is amended by adding the 34 following new subsection: 35 -1- LSB 1409HV (3) 89 jda/rn 1/ 6

H.F. 651 NEW SUBSECTION . 5A. a. The office shall, when feasible, 1 procure from cloud computing service providers that meet or 2 exceed applicable state and federal laws, regulations, and 3 standards for information technology, cloud computing solutions 4 and other information technology and related services that are 5 not hosted on premises by the state. 6 b. The office shall contract with multiple cloud computing 7 service providers. 8 c. The control and ownership of state data stored with cloud 9 computing service providers shall remain with the state. The 10 office shall ensure the portability of state data stored with 11 cloud computing service providers. 12 d. Cloud computing service providers shall store state data 13 on servers located within the United States. The servers on 14 which state data is stored shall not be under the control of a 15 foreign government. 16 e. For purposes of this subsection, “cloud computing service 17 provider” includes third-party vendors, the state and its 18 political subdivisions, and any other person that meets or 19 exceeds applicable state and federal laws, regulations, and 20 standards for information technology. 21 Sec. 5. Section 8B.24, subsection 6, Code 2021, is amended 22 to read as follows: 23 6. The office shall adopt rules pursuant to chapter 17A to 24 implement the procurement methods and procedures provided for 25 in subsections 2 through 5 5A . 26 Sec. 6. INVENTORY OF INFORMATION TECHNOLOGY ASSETS, CURRENT 27 CLOUD COMPUTING ADOPTION, AND CLOUD COMPUTING MIGRATION PLAN 28 —— REPORT. By November 1, 2021, the office of the chief 29 information officer, in collaboration with other state agencies 30 and departments, shall provide a report to the general assembly 31 that includes all of the following: 32 1. An inventory of all state information technology 33 applications, including the date a state agency or department 34 began using each information technology application, the life 35 -2- LSB 1409HV (3) 89 jda/rn 2/ 6

H.F. 651 expectancy of each information technology application, and the 1 percentage of the information technology applications that are 2 cloud-based applications. 3 2. Recommendations regarding state information technology 4 applications that should migrate to cloud-based applications. 5 Each such recommendation shall include a description of 6 workloads and information technology applications that are best 7 suited to migrate to cloud-based applications given all of the 8 following considerations: 9 a. Whether the information technology application has 10 underlying storage, networks, or infrastructure that supports 11 another information technology application, and whether the 12 information technology application is supported by another 13 information technology application. 14 b. How critical the information technology application is 15 to the mission of the state agency or department. 16 c. The difficulty of migrating the information technology 17 application to a cloud-based application. 18 d. The total cost of ownership of the target environment in 19 which the information technology application shall operate if 20 migrated to a cloud-based application. 21 DIVISION II 22 BUDGETARY INFORMATION 23 Sec. 7. Section 8.6, subsection 16, paragraph b, Code 2021, 24 is amended to read as follows: 25 b. The department of revenue, the department of 26 administrative services, the office of the chief information 27 officer, the institutions governed by the state board of 28 regents pursuant to section 262.7 , each judicial district’s 29 department of correctional services, and the state department 30 of transportation shall provide salary data to the department 31 of management and the legislative services agency to operate 32 the state’s salary model. The format and frequency of 33 provision of the salary data shall be determined by the 34 department of management and the legislative services agency. 35 -3- LSB 1409HV (3) 89 jda/rn 3/ 6

H.F. 651 Sec. 8. Section 8.35A, subsection 1, Code 2021, is amended 1 to read as follows: 2 1. By July 1, the director of the department of management, 3 in conjunction with the director of the department of 4 administrative services and the chief information officer of 5 the state , shall provide a projected expenditure breakdown 6 of each appropriation for the beginning fiscal year to the 7 legislative services agency in the form and level of detail 8 requested by the legislative services agency. By the fifteenth 9 of each month, the director, in conjunction with the director 10 of the department of administrative services and the chief 11 information officer of the state , shall transmit to the 12 legislative services agency a record for each appropriation 13 of actual expenditures for the prior month of the fiscal year 14 and the fiscal year to date in the form and level of detail 15 as requested by the legislative services agency. By October 16 1, the director, in conjunction with the director of the 17 department of administrative services and the chief information 18 officer of the state , shall transmit the total record of an 19 appropriation, including reversions and transfers for the prior 20 fiscal year ending June 30, to the legislative services agency. 21 Sec. 9. EFFECTIVE DATE. This division of this Act, being 22 deemed of immediate importance, takes effect upon enactment. 23 EXPLANATION 24 The inclusion of this explanation does not constitute agreement with 25 the explanation’s substance by the members of the general assembly. 26 This bill relates to the office of the chief information 27 officer, including procurement preferences and a report 28 detailing state information technology assets. 29 The bill defines “cloud computing” by reference to the 30 United States national institute of standards and technology’s 31 special publication 800-145, which defines the term as a model 32 for enabling ubiquitous, convenient, on-demand network access 33 to a shared pool of configurable computing resources that can 34 be rapidly provisioned and released with minimal management 35 -4- LSB 1409HV (3) 89 jda/rn 4/ 6

H.F. 651 effort or service provider interaction. The bill defines 1 “foreign government” as a government other than the government 2 of the United States, its states, territories, and possessions. 3 The bill requires the office to submit an annual report 4 regarding the cloud computing solutions procured by the office 5 containing information required in the bill. 6 Current law requires the office to submit a quarterly report 7 regarding the status of technology upgrades or enhancements for 8 state agencies. The bill requires this report to be submitted 9 annually. 10 The bill requires the office to, when feasible, procure 11 cloud computing solutions and other information technology and 12 related services that are not hosted on premises by the state 13 from cloud computing service providers that meet or exceed 14 applicable state and federal laws, regulations, and standards 15 for information technology. For purposes of this requirement, 16 the bill defines “cloud computing service provider” to include 17 third-party vendors, the state and its political subdivisions, 18 and any other person that meets or exceeds applicable laws and 19 standards for information technology. 20 The bill provides the office shall contract with multiple 21 cloud computing service providers. 22 The bill establishes that control and ownership of state 23 data stored with cloud computing service providers shall remain 24 with the state. The bill requires the office to ensure the 25 portability of state data stored with cloud computing service 26 providers. Additionally, the bill requires cloud computing 27 service providers to store data on servers located within the 28 United States and requires those servers to not be controlled 29 by a foreign government. 30 The bill requires the office to provide a report to the 31 general assembly by November 1, 2021, that includes an 32 inventory of all state information technology applications, 33 and recommendations regarding state information technology 34 applications that should migrate to cloud-based applications. 35 -5- LSB 1409HV (3) 89 jda/rn 5/ 6

H.F. 651 The bill requires the office to provide salary data to the 1 department of management and the legislative services agency to 2 operate the state’s salary model. 3 Additionally, the bill requires the chief information 4 officer to provide information related to expenditures and 5 appropriations to the legislative services agency. This 6 provision, related to the chief information officer providing 7 information related to expenditures and appropriates, takes 8 effect upon enactment. 9 -6- LSB 1409HV (3) 89 jda/rn 6/ 6