House Study Bill 15 - Introduced

A Bill For

An Act creating a cybersecurity unit within the office of the chief information officer.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
   Section 1.  Section 8B.4, Code 2023, is amended by adding the following new subsection:
   NEW SUBSECTION.  18A.  Administer the cybersecurity unit established in section 8B.34.
   Sec. 2.  NEW SECTION.  8B.34  Cybersecurity unit.
   1.  As used in this section, unless the context otherwise requires, “cybersecurity incident” means a violation, or imminent threat of violation, of computer security policies, acceptable use policies, or cybersecurity practices.
   2.  A cybersecurity unit is created within the office of the chief information officer for the purpose of monitoring, managing, coordinating, and reporting cybersecurity incidents occurring within the state or a political subdivision of the state. The unit shall be administered by the chief information officer as provided in section 8B.4.
   3.  On or before December 31 of each year, and when requested by the general assembly, the cybersecurity unit shall provide a report to members of the general assembly containing the number and nature of incidents reported to the unit during the preceding calendar year or since the most recent report and making recommendations to the general assembly regarding cybersecurity standards for the state. If a request is made by the general assembly, a report shall be provided within thirty days of receipt of the request.
   4.  Qualified cybersecurity incidents shall be reported by a state agency or political subdivision to the cybersecurity unit no later than ten days following a determination that the state or political subdivision of the state experienced a qualified cybersecurity incident. A qualified cybersecurity incident shall meet at least one of the following criteria:
   a.  A state or federal law requires the reporting of the incident to regulatory or law enforcement agencies or affected citizens.
   b.  The ability of the state or political subdivision that experienced the incident to conduct business is substantially affected.
   c.  The incident would be classified as emergency, severe, or high risk by the U.S. Cybersecurity and Infrastructure Security Agency.
   5.  The report of the cybersecurity incident to the cybersecurity unit shall include:
   a.  The approximate date of the incident.
   b.  The date the incident was discovered.
   c.  The nature of any data that may have been illegally obtained or accessed.
   d.  A list of the state and federal regulatory agencies, self-regulatory bodies, and foreign regulatory agencies to whom a notification has been or will be provided by the state agency or political subdivision.
   e.  Additional information to the extent available.
   6.  The unit shall make available information regarding recent or ongoing qualified cybersecurity incidents to political subdivisions of the state and businesses operating in the state. The information shall include:
   a.  The nature of the cybersecurity attack.
   b.  The actor or actors perpetrating the cybersecurity attack.
   c.  Other relevant details that would assist a political subdivision or business in addressing or securing its systems against cybersecurity attacks.
   7.  Procedures for reporting a cybersecurity incident shall be established by the office by rule, made available on the office’s internet site, and distributed to the state and political subdivisions of the state.
EXPLANATION
The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.
   This bill creates a cybersecurity unit under the office of the chief information officer. The unit shall be administered by the chief information officer.
   The bill defines “cybersecurity incident” to mean a violation, or imminent threat of violation, of computer security policies, acceptable use policies, or cybersecurity practices.
   The bill provides that the cybersecurity unit shall be responsible for monitoring, managing, coordinating, and reporting cybersecurity incidents occurring within the state and political subdivisions of the state. Annually, or at the request of the general assembly, the unit will provide a report including the number and nature of cybersecurity incidents reported since the last report and recommendations regarding cybersecurity standards for the state. If a request is made by the general assembly, the unit shall provide a report within 30 days of the receipt of the request.
   The bill provides a reporting mechanism and criteria for state agencies and political subdivisions of the state to inform the cybersecurity unit of qualified cybersecurity incidents. A qualified cybersecurity incident shall be reported to the unit no later than 10 days after the state agency or political subdivision determines that it experienced the incident. The bill provides that the unit shall make information regarding recent or ongoing qualified cybersecurity incidents available to political subdivisions and businesses operating in the state. The information shall include the nature of the cybersecurity attack, the actors perpetrating the attack, and other relevant details that businesses or political subdivisions should be aware of to protect their information systems. The office shall establish reporting procedures by rule, make them available on the office’s internet site, and distribute them to the state and political subdivisions of the state.