This is due in part to a 2023 cyber attack. Work on the bill was already underway when it downed state court systems last year, but the crisis pushed legislators to try to pass it sooner, Kansas Rep. Blake Carpenter told GovTech.
The legislation would require state agencies to clear a minimum baseline of cybersecurity and would see the judicial and legislative branches — as well as certain executive agencies — each get their own CISO. Among other duties, the new CISOs would give all IT contracts security reviews, require employees to participate in cybersecurity training, and have branches seek regular security audits from the Cybersecurity and Infrastructure Security Agency.
“It's really about the changing of the fundamental structure of how we do IT and cyber within the state of Kansas,” Carpenter said.
The bill also would consolidate executive branch IT under a more empowered chief information technology officer and CISO. All three branches would follow the same widely recognized cybersecurity standard, the NIST Cybersecurity Framework 2.0.
Executive offices like the attorney general and state treasurer would get their own CISOs, too. This measure is intended to let those offices retain some autonomy, especially if their heads disagree with the governor on IT policy, while still ensuring they meet the same security standards as the rest of the government, Carpenter said.
At present, each of Kansas’ five legislative branch agencies handles the bulk of its own IT needs, with a central chief IT officer offering support. The bill, however, would shift most IT and cybersecurity services under the chief IT officer.
Currently the judicial branch handles its own IT and receives supplemental support from the counties. The bill aims to change this so that “instead of having to use county resources — and a county that might have 400 people in it — they actually have the ability to use their own resources as a separate and equal branch of government to be able to sustain their efforts and really secure their environment,” Carpenter said.
In general in the U.S., it is common for state supreme courts to have a designated CISO and staff with dedicated cyber resilience responsibilities, National Center for State Courts Principal Court Management Consultant Jannet Okazaki said in an email. Meanwhile, the approach at trial and community courts often varies based on the court’s size, scale and funding. Courts without CISOs use court tech staff to oversee cyber resilience, and they may turn to vendors for further cyber services, Okazaki said.
The bill also revamps parts of the executive branch, including having technology acquisition managed by one office rather than by each of nearly 60 separate executive agencies. This should reduce duplicative procurement and enable bulk purchasing discounts.
Under the bill, each branch would rely on its own branch-specific body to set IT policy. For example, the Legislative Coordinating Council would implement IT policies in the legislative branch.
Kansas’ proposed legislation anticipates that the state will need cybersecurity updates as the threat landscape evolves, said Rep. Barbara Wasinger. The bill’s measures would phase in over five years, and entities have the first 18 months in which to plan, hone details and prepare for next steps.
Preparing this bill quickly meant there wasn’t time to address everything, Carpenter said. He also wants to look at cybersecurity around the six major state universities, which may conduct classified research for the government or have students connecting to a state network. While government can require employees to follow security measures, it lacks that authority over non-employee state network users, such as students. Policymakers need more time to determine the best approach to this challenge, and conversations are likely to continue over the next year.