Chair Marchman walked members through a combined bill (LLS 979) that would allow the Joint Technology Committee to call the state's chief information security officer to testify, request a third-party IT security audit under certain conditions, and require an information-technology security compliance report including open audit recommendations and remediation timelines.
The proposal includes a draft vendor registry listing active IT vendor contracts (agency name, vendor, contract value and dates, CISO compliance contact, and date of last security assessment). OIT representatives asked the committee to pair any contract registry with implementation-level risk assessments (penetration testing, vulnerability assessments), because contract text alone can mask gaps in how the contracted controls are actually implemented. Director Thunberg said a registry is helpful but urged that OIT be given authority to perform deeper assessments, since a list of contracts by itself provides little meaningful security-risk information.
The committee debated public posting of technology standards and accepted an emergency exception for "0-day" (zero-day) vulnerabilities: Thunberg asked for the ability to post changes to an internal portal and, in true emergencies, to have a short grace period before public posting, so that a standards change revealing an unpatched vulnerability is not disclosed before the fix is in place. Members also discussed delegation limits for the CISO and the idea of regular third-party audits (for example, every two years) as an alternative to unrestricted audit triggers.
Vice Chair Titone moved to introduce the OIT security procedures bill. The committee held a roll-call vote and approved introduction (5–0, one member excused). Members asked legislative legal services and OIT to work on language so concept amendments discussed in committee could be included before floor introduction if possible.