S.F. 2141 Section 1. Section 8.57C, subsections 2, 3, and 4, Code 1 2026, are amended to read as follows: 2 2. Moneys in the fund in a fiscal year shall be used as 3 appropriated by the general assembly for the acquisition 4 of computer hardware and software, software development, 5 telecommunications equipment, and maintenance and lease 6 agreements associated with technology components and for the 7 purchase of equipment intended to provide an uninterruptible 8 power supply to the department of management to provide 9 a stable funding source for implementation costs of state 10 information technology projects that enhance the state’s 11 technology infrastructure, improve government services, 12 and promote innovation and economic development, including 13 but not limited to new information technology projects 14 and infrastructure replacement efforts of a department or 15 establishment, while protecting the privacy of residents of 16 this state . 17 3. a. There is appropriated from the general fund of the 18 state to the technology reinvestment fund for the fiscal year 19 beginning July 1, 2026, and for each fiscal year thereafter, 20 the sum of seventeen million five hundred thousand dollars. 21 b. There is appropriated from the rebuild Iowa 22 infrastructure fund for the fiscal year beginning July 1, 2025, 23 and ending June 30, 2026, the sum of eighteen million two 24 hundred sixty-nine thousand two hundred seventeen dollars to 25 the technology reinvestment fund, notwithstanding section 8.57, 26 subsection 3 , paragraph “c” . 27 3. a. The department of management shall prioritize 28 proposed projects based on all of the following considerations: 29 (1) Whether the project aligns with the state’s strategic 30 priorities. 31 (2) Whether the project promotes or introduces new 32 technology or significantly improves an existing system. 33 (3) Whether the project is feasible and whether the 34 department or establishment has established readiness for the 35 -1- LSB 5269SV (2) 91 sc/ns 1/ 15

S.F. 2141 project to proceed, including a clear assessment of timelines, 1 budgets, and measurable outcomes. 2 (4) Whether the project includes a clear change management 3 strategy to support user adoption and aligns with lean 4 enterprise principles to maximize value, minimize waste, and 5 ensure continuous improvement. 6 (5) Whether the project provides a positive return on 7 investment, considering both financial returns and nonfinancial 8 benefits such as improved public safety, education, or health 9 care. 10 (6) Whether the project results in infrastructure that is 11 scalable across the state enterprise. 12 (7) Whether the department or establishment has identified 13 how the completed project will be sustained beyond the initial 14 funding period. 15 (8) Whether the project improves access to governmental 16 services, particularly in rural communities. 17 (9) Whether the project involves an infrastructure project 18 as opposed to maintenance or standard upgrades of existing 19 technology. 20 b. The department of management shall provide a prioritized 21 list of proposed projects for funding to the governor, who 22 shall use the list in developing a budgetary recommendation 23 for the general assembly pursuant to section 8.21 for the 24 fiscal year beginning July 1, 2027, and for each fiscal year 25 thereafter. 26 c. Notwithstanding section 8.33, moneys in the technology 27 reinvestment fund that remain unencumbered or unobligated at 28 the close of a fiscal year shall not revert but shall remain 29 available for expenditure for the purposes designated until 30 the close of the fiscal year that ends two years after the 31 end of the fiscal year for which the appropriation was made. 32 Notwithstanding section 12C.7, subsection 2, interest or 33 earnings on moneys in the fund shall be credited to the fund. 34 4. Annually, on On or before January 15 of each year, a 35 -2- LSB 5269SV (2) 91 sc/ns 2/ 15

S.F. 2141 state agency that received an appropriation from this fund 1 the department of management shall report to the legislative 2 services agency and the department of management general 3 assembly the status of all projects funded under this section 4 that have been completed since the previous report was 5 submitted or that are in progress. The report shall must 6 include a description of the project, the progress of work 7 completed, the total estimated cost of the project, a list of 8 all revenue sources being used to fund the project, the amount 9 of funds moneys expended, the amount of funds moneys obligated, 10 and the date the project was completed or an estimated 11 completion date of the project, where applicable. 12 Sec. 2. Section 8.78, Code 2026, is amended to read as 13 follows: 14 8.78 Background checks. 15 An applicant for employment with the department, or 16 an applicant for employment with a supported entity for a 17 position as information technology staff, may be subject to a 18 background investigation by the department. The background 19 investigation may include, without limitation, a work history, 20 financial review, request for criminal history data, and 21 national criminal history check through the federal bureau of 22 investigation. In addition, a contractor, vendor, employee, or 23 any other individual performing work for the department, or an 24 individual on the information technology staff of a supported 25 entity, may be subject to a national criminal history check 26 through the federal bureau of investigation at least once 27 every ten five years, including, without limitation, any time 28 the department or supported entity has reason to believe an 29 individual has been convicted of a crime. The department may 30 request the national criminal history check and, if requested, 31 shall provide the individual’s fingerprints to the department 32 of public safety for submission through the state criminal 33 history repository to the federal bureau of investigation. 34 The individual shall authorize release of the results of the 35 -3- LSB 5269SV (2) 91 sc/ns 3/ 15

S.F. 2141 national criminal history check to the department and the 1 applicable supported entity. The department shall pay the 2 actual cost of the fingerprinting and national criminal history 3 check, if any, unless otherwise agreed as part of a contract 4 between the department or supported entity and a vendor or 5 contractor performing work for the department or supported 6 entity. The results of a criminal history check conducted 7 pursuant to this section shall not be considered a public 8 record under chapter 22 . 9 Sec. 3. NEW SECTION . 8.94 Contracts —— prohibited terms. 10 Provisions included in a contract entered into pursuant to 11 this subchapter that impose terms or conditions prohibited by 12 this section are void as contrary to public policy. Such a 13 contract shall be interpreted and enforced as if the contract 14 did not include the prohibited terms or conditions. Prohibited 15 terms and conditions include all of the following: 16 1. A provision requiring the department or a supported 17 entity to defend, indemnify, hold harmless another person, or 18 otherwise assume the debt or liability of another person in 19 violation of Article VII, section 1, of the Constitution of the 20 State of Iowa. 21 2. A provision that seeks to impose a term that is unknown 22 to the department or supported entity at the time of signing 23 the contract or that can be unilaterally changed by an entity 24 other than the department or a supported entity. 25 3. A provision that violates chapter 13 by not allowing 26 the department or a supported entity to participate in its own 27 defense through representation by the attorney general. 28 4. A provision that grants to a person other than the 29 attorney general the authority to convey to a court or litigant 30 the state’s consent to any settlement of a suit involving the 31 contract when such settlement could impose liability on the 32 state. 33 5. A provision that specifies that the contract is governed 34 by the laws of a foreign state or nation. 35 -4- LSB 5269SV (2) 91 sc/ns 4/ 15

S.F. 2141 6. A provision that claims blanket confidentiality of the 1 contract’s terms. 2 7. A provision that claims that payment terms, including but 3 not limited to cost proposals or other pricing information, of 4 the contract are confidential. 5 8. A provision that authorizes or requires a venue for 6 litigation other than an appropriate state or federal court 7 sitting in Iowa. 8 9. A provision that requires the department or a supported 9 entity to pay attorney fees, court costs, or other litigation 10 expenses in the event of a contractual dispute. 11 10. A provision that imposes on the department or a 12 supported entity binding arbitration or any other binding 13 extrajudicial dispute resolution process in which the final 14 resolution is not determined by the state. 15 11. A provision that waives the department’s or a supported 16 entity’s right to a jury trial. 17 12. A provision that obligates the department or a supported 18 entity to pay late payment charges not consistent with section 19 8A.514, interest greater than allowed under section 8A.514 or 20 other applicable law, or any cancellation charges, as such 21 charges constitute pledges of the state’s credit. 22 13. A provision that obligates the department or a supported 23 entity to pay a tax. 24 14. A provision that imposes a prior notice obligation 25 on the department or a supported entity as a condition for 26 the automatic renewal of a software license. The department 27 or a supported entity may provide notice of its intent to 28 terminate a software license at any time before the renewal 29 date established in the contract. 30 15. A provision that obligates the department or a supported 31 entity to accept risk of loss before the receipt of items or 32 goods. 33 16. A provision that obligates the department or a supported 34 entity to have commercial insurance. 35 -5- LSB 5269SV (2) 91 sc/ns 5/ 15

S.F. 2141 17. A provision that obligates the department or a supported 1 entity to grant to a nongovernmental entity full or partial 2 ownership of intellectual property developed pursuant to the 3 contract when the intellectual property is developed in whole 4 or in part using federal funding. 5 18. A provision that limits the time in which the department 6 or a supported entity may bring a legal claim under the 7 contract to a period shorter than that provided in Iowa law. 8 19. A boilerplate provision included in transactional 9 documents received by the department or a supported entity that 10 seeks to alter the terms of the contract or to impose new terms 11 in the contract. 12 Sec. 4. NEW SECTION . 8.95 Contracts —— required terms. 13 All of the following provisions shall be deemed to be 14 included in a contract entered into by the department or a 15 supported entity under this subchapter: 16 1. Governing law. The contract shall be governed by 17 the laws of the state of Iowa, without giving effect to any 18 conflicts of law principles of Iowa law that may require the 19 application of another jurisdiction’s law. 20 2. Venue. Any litigation commenced in connection with the 21 contract shall be brought and maintained in an appropriate 22 state or federal court sitting in Iowa. 23 3. State data. “State data” means all data, records, 24 information, or content, in any form, that is provided by a 25 state governmental entity to a vendor or that is collected, 26 generated, or otherwise obtained by the vendor in the course of 27 providing a good or service to the state governmental entity. 28 “State data” does not include aggregated or deidentified data 29 collected by the vendor and used exclusively for the vendor’s 30 internal purposes directly related to evaluating or improving 31 system performance, ensuring reliability, evaluating product 32 functionality, conducting system analytics, projecting needs 33 through capacity planning, ensuring license compliance, or 34 evaluating security. State data shall at all times remain the 35 -6- LSB 5269SV (2) 91 sc/ns 6/ 15

S.F. 2141 sole and exclusive property of the state, and the vendor shall 1 use state data only as necessary to provide the contracted 2 services to the state. Upon request, the vendor shall provide 3 the state, at no cost, a current copy of all state data in a 4 commercially reasonable and state-acceptable digital format 5 that enables the state to readily use, transfer, or migrate 6 the state data. Except to the extent retention of state data 7 is required by law, the vendor shall, after confirming that 8 the state has received a copy of the state data, permanently 9 delete all state data upon the conclusion or termination of 10 the contract. At all times, including any post-contract 11 period in which state data is retained due to record retention 12 obligations, the vendor shall protect state data in accordance 13 with current state data protection policies. 14 Sec. 5. NEW SECTION . 8.96 Contracts —— limitation of 15 liability —— prohibited terms. 16 Notwithstanding section 8A.311, subsection 22, and rules 17 adopted pursuant to that subsection, the director may include 18 a contractual limitation of vendor liability in information 19 technology goods and services contracts. A contractual 20 limitation of vendor liability must take into consideration the 21 public interest and the mitigation of risks associated with the 22 use of information technology goods or services. Any portion 23 of a contractual limitation of vendor liability that includes 24 a repudiation of all liability for cybersecurity incidents or 25 a limitation on the vendor’s liability for intentional torts, 26 criminal acts, fraudulent conduct, intentional or willful 27 misconduct, gross negligence, death, bodily injury, damage to 28 real or personal property, intellectual property violations, 29 liquidated damages, compliance with applicable laws, violations 30 of confidential information obligations, or contractual 31 obligations of the vendor pertaining to indemnification shall 32 be void as a matter of law as contrary to public policy. A 33 contractual limit of vendor liability that does not apply 34 equally to the contracted parties or that limits a vendor’s 35 -7- LSB 5269SV (2) 91 sc/ns 7/ 15

S.F. 2141 liability to less than the contract value inclusive of all 1 possible extensions is void as a matter of law as contrary to 2 public policy. 3 Sec. 6. NEW SECTION . 8.97 Confidentiality of communications 4 with chief information security officer. 5 In the interest of facilitating communication between 6 the chief information security officer and other entities 7 concerning security incidents and security breaches, all such 8 communications and any documents generated based in whole or in 9 part on such communications are confidential. Notwithstanding 10 chapter 22 or any other provision of law to the contrary, the 11 department shall not release such communications pursuant to 12 state open records laws, and such communications shall not be 13 received into evidence, subject to discovery, or otherwise 14 used in a trial, hearing, or other proceeding in or before any 15 court, regulatory body, or other authority of the state or a 16 political subdivision of the state, unless the communications 17 are subject to a protective order that prohibits further 18 disclosure of such communications and requires any court 19 filings of such communications to be made under seal. It is 20 the intent of the general assembly that these prohibitions and 21 restrictions also apply to federal courts, regulatory bodies, 22 and other authorities and for purposes of federal open records 23 laws, to the extent allowed by federal law and court rules. 24 The chief information security officer shall not release such 25 communications other than for any of the following purposes: 26 1. Identifying a cybersecurity threat, including the source 27 of the cybersecurity threat, or a security vulnerability, and 28 then only to government officials for purposes of addressing 29 the threat. 30 2. Responding to, or otherwise preventing or mitigating, 31 a specific threat of death, serious bodily harm, or serious 32 economic harm. 33 3. Responding to, investigating, prosecuting, or otherwise 34 preventing or mitigating a serious threat to a minor, including 35 -8- LSB 5269SV (2) 91 sc/ns 8/ 15

S.F. 2141 sexual exploitation and threats to physical safety. 1 4. Preventing, investigating, disrupting, or prosecuting an 2 offense under state or federal law. 3 5. Providing a confidential cybersecurity briefing to the 4 governor or a member of the general assembly. 5 Sec. 7. NEW SECTION . 8.98 Criminal justice information. 6 1. The department is authorized to maintain an integrated 7 information system that enables automated data sharing among 8 the executive branch, judicial branch, and local agencies. 9 2. The department is designated as the Iowa statistical 10 analysis center for the purpose of coordinating with data 11 resource agencies to provide data and analytical information 12 to federal, state, and local governments. Notwithstanding any 13 other provision of state law to the contrary, unless prohibited 14 by federal law or regulation, the department shall be granted 15 access, for purposes of research and evaluation, to all of 16 the data listed in this subsection, except that intelligence 17 data and peace officer investigative reports maintained 18 by the department of public safety shall not be considered 19 data for the purposes of this section. The department of 20 management and any record, data, or information obtained by the 21 department under this subsection is subject to the federal and 22 state confidentiality laws and rules, including as described 23 in chapter 22, applicable to the original record, data, or 24 information, and to the original custodian of the record, 25 data, or information. Authorized access under this subsection 26 includes but is not limited to all of the following: 27 a. Juvenile court records and all other information 28 maintained under sections 232.147 through 232.151. 29 b. Child abuse information under sections 235A.15 through 30 235A.19. 31 c. Dependent adult abuse records maintained under chapter 32 235B. 33 d. Criminal history data maintained under chapter 692. 34 e. Sex offender registry information maintained under 35 -9- LSB 5269SV (2) 91 sc/ns 9/ 15

S.F. 2141 chapter 692A. 1 f. Presentence investigation reports maintained under 2 section 901.4. 3 g. Corrections records maintained under sections 904.601 and 4 904.602. 5 h. Community-based correctional program records maintained 6 under chapter 904. 7 i. Parole records maintained under chapter 906. 8 j. Deferred judgment, deferred or suspended sentence, and 9 probation records maintained under chapter 907. 10 k. Violation of parole or probation records maintained under 11 chapter 908. 12 l. Fine and victim restitution records maintained under 13 chapters 909 and 910. 14 m. Child welfare records maintained under chapter 235. 15 3. The department is authorized to provide data analysis and 16 reporting on issues that may affect the state’s correctional 17 population and various subgroups of the population. This 18 reporting may include the review of filed, public legislative 19 bills, joint resolutions, and amendments, and compiling 20 criminal justice data for completion of correctional impact 21 statements under section 2.56, minority impact statements, and 22 an annual prison population forecast. 23 4. The department is authorized to maintain a multiagency 24 information system to track the progress of juveniles and 25 adults who have been charged with a criminal offense in 26 the court system through various state and local agencies 27 and programs. This system must utilize existing databases, 28 including the Iowa court information system, the Iowa 29 corrections offender network, the child welfare information 30 system of the department of health and human services, 31 the federally mandated national adoption and foster care 32 information system, and other state and local databases 33 pertaining to juveniles and to adults who have been charged 34 with a criminal offense in the court system, to the extent 35 -10- LSB 5269SV (2) 91 sc/ns 10/ 15

S.F. 2141 practicable. 1 5. The multiagency information system is authorized to 2 count and track decision points for juveniles in the juvenile 3 justice system and minors in the child welfare system, evaluate 4 the experiences of the juveniles and minors, and evaluate 5 the success of the services provided. The system is also 6 authorized to count and track decision points for adults who 7 have been charged with a criminal offense in the court system, 8 including but not limited to dismissed charges, convictions, 9 deferred judgments, and sentence information. 10 6. If the department has insufficient moneys or resources 11 to implement this section, the department is authorized to 12 determine which portion of this section may be implemented, if 13 any, and the remainder of this section shall not apply. 14 Sec. 8. NEW SECTION . 8.99 Confidentiality of data. 15 1. For purposes of chapter 22, the department shall not be 16 deemed to be the lawful custodian of records the department 17 maintains for another department or establishment under this 18 subchapter, to the extent the records in question are held 19 by the department as an automated data processing unit of 20 government or held by the department solely for storage for 21 another department or establishment. Such records include but 22 are not limited to all of the following: 23 a. Electronic messaging system data. 24 b. Mainframe data. 25 c. Storage solutions or other electronic information, such 26 as on-premises server data storage and cloud data storage. 27 2. If the department receives a request pursuant to chapter 28 22 for records over which the department has determined it is 29 not the lawful custodian, the department shall deny the request 30 and inform the requester to seek the information from the 31 lawful custodian as provided in chapter 22. The department’s 32 determination that it is not the lawful custodian of records is 33 presumed valid. The presumption may be rebutted by clear and 34 convincing evidence to the contrary. 35 -11- LSB 5269SV (2) 91 sc/ns 11/ 15

S.F. 2141 3. The department shall provide assistance to the lawful 1 custodian of records held by the department so that the lawful 2 custodian can comply with the production obligations of chapter 3 22. 4 4. If the department receives a subpoena in an 5 administrative, civil, or criminal case for records for which 6 the department is not the lawful custodian, the department 7 shall notify the lawful custodian and the attorney general’s 8 office and cooperate in any efforts to resist the subpoena. 9 Sec. 9. Section 216A.131A, Code 2026, is amended to read as 10 follows: 11 216A.131A Criminal and juvenile justice planning. 12 The department shall fulfill the responsibilities of 13 this subchapter , including the duties specified in sections 14 216A.133, 216A.135, 216A.136 , 216A.137 , 216A.138 , and 216A.140 . 15 Sec. 10. Section 216A.133, subsection 1, paragraphs d, e, f, 16 l, and t, Code 2026, are amended by striking the paragraphs. 17 Sec. 11. Section 216A.133, subsection 1, paragraph q, 18 subparagraphs (1) and (6), Code 2026, are amended by striking 19 the subparagraphs. 20 Sec. 12. Section 216A.133, subsection 1, paragraph s, Code 21 2026, is amended to read as follows: 22 s. Provide expertise and advice to the legislative 23 services agency, the department of management, the department 24 of corrections, the judicial branch, and others charged 25 with formulating fiscal, correctional, or minority impact 26 statements. 27 Sec. 13. Section 216A.135, subsection 2, paragraph e, Code 28 2026, is amended by striking the paragraph. 29 Sec. 14. Section 232.147, subsection 2, paragraph i, Code 30 2026, is amended to read as follows: 31 i. The statistical analysis center for the purposes stated 32 in section 216A.136 8.98 . 33 Sec. 15. Section 232.147, subsection 3, paragraph n, Code 34 2026, is amended to read as follows: 35 -12- LSB 5269SV (2) 91 sc/ns 12/ 15

S.F. 2141 n. The statistical analysis center for the purposes stated 1 in section 216A.136 8.98 . 2 Sec. 16. Section 232.147, subsection 4, paragraph i, Code 3 2026, is amended to read as follows: 4 i. The statistical analysis center for the purposes stated 5 in section 216A.136 8.98 . 6 Sec. 17. Section 232.149, subsection 5, paragraph f, Code 7 2026, is amended to read as follows: 8 f. The statistical analysis center for the purposes stated 9 in section 216A.136 8.98 . 10 Sec. 18. Section 232.149A, subsection 3, paragraph m, Code 11 2026, is amended to read as follows: 12 m. The statistical analysis center for the purposes stated 13 in section 216A.136 8.98 . 14 Sec. 19. REPEAL. Sections 216A.136, 216A.137, and 15 216A.138, Code 2026, are repealed. 16 Sec. 20. EFFECTIVE DATE. The following take effect July 1, 17 2027: 18 The portions of the section of this Act amending section 19 8.57C, subsections 2 and 4. 20 Sec. 21. APPLICABILITY. The following apply to contracts 21 entered into or renewed on or after July 1, 2026: 22 1. The section of this Act enacting section 8.94. 23 2. The section of this Act enacting section 8.95. 24 3. The section of this Act enacting section 8.96. 25 EXPLANATION 26 The inclusion of this explanation does not constitute agreement with 27 the explanation’s substance by the members of the general assembly. 28 This bill relates to matters under the purview of the 29 department of management (DOM). 30 The bill strikes current law providing for the use of moneys 31 in the technology reinvestment fund for certain technology 32 projects and instead requires DOM to use moneys in the fund for 33 technology projects using factors set forth in the bill. The 34 bill requires DOM to provide a prioritized list of proposed 35 -13- LSB 5269SV (2) 91 sc/ns 13/ 15

S.F. 2141 projects to the governor, who must use the list to develop 1 a budgetary recommendation to the general assembly, and to 2 report completed and ongoing projects to the general assembly 3 annually. The bill strikes the standing appropriations to 4 the technology reinvestment fund and provides that any moneys 5 in the fund shall remain available for two years after the 6 appropriation is made. 7 The bill increases the frequency at which a person 8 performing work for DOM or an individual on the information 9 technology staff of a supported entity may be subject to a 10 national criminal history check through the federal bureau of 11 investigation from at least once every 10 years to every 5 12 years. 13 The bill prohibits the inclusion of certain provisions in 14 information technology contracts and declares those provisions 15 void if present in such contracts. The bill also provides 16 that such contracts are deemed to include provisions relating 17 to state data, requiring the contract to be governed by Iowa 18 law, and requiring litigation related to the contract to be 19 brought and maintained in a state or federal court sitting 20 in Iowa. The bill authorizes the director of DOM to include 21 limitations of vendor liability in information technology goods 22 and services contracts, but sets forth prohibited terms in such 23 limitations of liability. 24 The bill makes all communication concerning cybersecurity 25 between the chief information security officer and other 26 entities confidential and allows the communications to be 27 released only for specific purposes. 28 Under current law, the department of health and human 29 services serves as the Iowa statistical analysis center and 30 maintains an integrated information system for data sharing 31 among federal, state, and local governments. The bill 32 transfers these powers and duties to DOM and grants DOM access 33 to criminal justice information other than intelligence data 34 and peace officer investigative reports maintained by the 35 -14- LSB 5269SV (2) 91 sc/ns 14/ 15

S.F. 2141 department of public safety. DOM is authorized to provide 1 data analysis and reporting on issues that may affect the 2 state’s correctional population and various subgroups of the 3 population, to maintain a multiagency information system to 4 track the progress of juveniles and adults charged with a 5 criminal offense through state and local agencies and programs, 6 and to count and track decision points for individuals in 7 the juvenile justice system, child welfare system, and 8 court system. If DOM lacks sufficient moneys to perform the 9 authorized tasks of the Iowa statistical analysis center, the 10 bill allows DOM to determine which, if any, to implement. 11 The bill states that DOM is not the lawful custodian under 12 Code chapter 22 (open records) for records DOM maintains in 13 DOM’s information technology capacity for other state entities 14 as an automated data processing unit of government or when 15 held by DOM solely for storage for another department or 16 establishment. The bill requires DOM to deny requests for 17 information for which DOM is not the lawful custodian, to 18 provide assistance to the lawful custodian to comply with 19 production obligations, and to cooperate in any efforts to 20 resist associated subpoenas. 21 -15- LSB 5269SV (2) 91 sc/ns 15/ 15