GENERAL ASSEMBLY OF NORTH CAROLINA
SESSION 2003
SESSION LAW 2004-129
SENATE BILL 991
AN ACT to improve state government information technology planning, adopt standards, make project development more efficient, reduce cost overruns, provide assistance to state agencies, and increase accountability.
The General Assembly of North Carolina enacts:
PART I. INFORMATION TECHNOLOGY MANAGEMENT.
SECTION 1. Part 1 of Article 3D of Chapter 147 of the General Statutes is redesignated as Part 1A.
SECTION 2. Article 3D of Chapter 147 of the General Statues is amended by adding a new Part 1 to read:
"Office ofState Information
Technology Services.
"Part 1. State Information Technology Management.
"§ 147-33.72A. Purpose.
The purposes of this Article are to:
(1) Establish a systematic process for planning and financing the State's information technology resources.
(2) Develop standards and accountability measures for information technology projects, including criteria for adequate project management.
(3) Implement procurement procedures that will result in cost savings on information technology purchases.
(4) Create an Information Technology Advisory Board.
(5) Create the Information Technology Fund for statewide information technology efforts.
"§ 147-33.72B. Planning and financing State information technology resources.
(a) In order to provide a systematic process for meeting the State's technology needs, the State Chief Information Officer shall develop a biennial State Information Technology Plan (Plan). The Plan shall be transmitted to the General Assembly by February 1 of each regular session.
(b) The Plan shall include the following elements:
(1) An inventory of current information technology assets and major projects currently in progress. As used in this subdivision, the term 'major project' includes projects subject to review and approval under G.S. 147-33.72C, or that cost more than five hundred thousand dollars ($500,000) to implement.
(2) An evaluation and estimation of the significant unmet needs for information technology resources over a five-year time period. The Plan shall rank the unmet needs in priority order according to their urgency.
(3) A statement of the financial requirements posed by the significant unmet needs, together with a recommended funding schedule for each major project currently in progress or recommended for initiation during the upcoming fiscal biennium.
(4) An analysis of opportunities for statewide initiatives that would yield significant efficiencies or improve effectiveness in State programs.
(c) Each executive agency shall biennially develop an agency information technology plan that includes the information required under subsection (b) of this section. The Office of Information Technology Services shall consult with and assist agencies in the preparation of these plans. Each agency shall submit its plan to the State Chief Information Officer by October 1 of each even-numbered year.
"§ 147-33.72C. Project approval standards.
(a) Project Review and Approval. - The State Chief Information Officer shall:
(1) Review all State agency information technology projects that cost or are expected to cost more than five hundred thousand dollars ($500,000), whether the project is undertaken in a single phase or component or in multiple phases or components. If the State Chief Information Officer determines a project meets the quality assurance requirements established under this Article, the State Chief Information Officer shall approve the project.
(2) Establish thresholds for determining which information technology projects costing or expected to cost five hundred thousand dollars ($500,000) or less shall be subject to review and approval under subdivision (a)(1) of this section. When establishing the thresholds, the State Chief Information Officer shall consider factors such as project cost, potential project risk, agency size, and projected budget.
(b) Project Implementation. - No State agency shall proceed with an information technology project that is subject to review and approval under subsection (a) of this section until the State CIO approves the project. If a project is not approved, the State CIO shall specify in writing to the agency the grounds for denying the approval. The State CIO shall provide this information to the agency within five business days of the denial.
(c) Suspension of Approval. - The State Chief Information Officer may suspend the approval of any information technology project that does not continue to meet the applicable quality assurance standards. This authority extends to any information technology project that costs more than five hundred thousand dollars ($500,000) to implement regardless of whether the project was originally subject to review and approval under subsection (a) of this section. If the State CIO suspends approval of a project, the State CIO shall specify in writing to the agency the grounds for suspending the approval. The State CIO shall provide this information to the agency within five business days of the suspension.
The Office of Information Technology Services shall report any suspension immediately to the Office of the State Controller and the Office of State Budget and Management. The Office of State Budget and Management shall not allow any additional expenditure of funds for a project that is no longer approved by the State Chief Information Officer.
(d) General Quality Assurance. - Information technology projects that are not subject to review and approval under subsection (a) of this section shall meet all other standards established under this Article.
(e) Performance Contracting. - All contracts between a State agency and a private party for information technology projects shall include provisions for vendor performance review and accountability. The State CIO may require that these contract provisions include monetary penalties for projects that are not completed within the specified time period or that involve costs in excess of those specified in the contract. The State CIO may require contract provisions requiring a vendor to provide a performance bond.
"§ 147-33.72D. Agency/State CIO Dispute Resolution.
(a) Agency Request for Review. - In any instance where the State CIO has denied or suspended the approval of an information technology project, or has denied an agency's request for deviation pursuant to G.S. 147-33.84, the agency may request a committee review of the State CIO's decision. The agency shall submit a written request for review to the State Controller within 10 working days following the agency's receipt of the State CIO's written grounds for denial or suspension. The agency's request for review shall specify the grounds for its disagreement with the State CIO's determination. The agency shall include with its request for review a copy of the State CIO's written grounds for denial or suspension.
(b) Review Process. - The review committee shall consist of the State Controller, the State Budget Officer, and the Secretary of Administration. The State Controller shall serve as the chair of the review committee. If the chair or one of the members of the review committee is an official of the agency that has requested the review, that person is deemed to have a conflict of interest and is ineligible to participate in the consideration of the matter, and the two remaining members of the review committee shall select an alternate official to serve as a member of the review committee for that specific matter. Within 10 business days following receipt of an agency's request for review, the committee shall meet to consider the matter. The committee shall review the information provided, and may request additional information from either the agency or the State CIO. The committee may affirm, reverse, or modify the decision of the State CIO, or may remand the matter back to the State CIO for additional findings. Within 30 days after initial receipt of the agency's request for review, the committee shall notify the agency and the State CIO of its decision in the matter. The notification shall be in writing, and shall specify the grounds for the committee's decision. The committee may reverse or modify a decision of the State CIO when the committee finds at least one of the following:
(1) The decision of the State CIO is unsupported by substantial evidence that the agency project fails to meet one or more standards of efficiency and quality of State government information technology as required under this Article.
(2) The State CIO did not have the requisite statutory authority or jurisdiction to render the decision.
(3) The decision of the State CIO was rendered in a manner that was arbitrary, capricious, or indicative of an abuse of discretion.
"§ 147-33.72E. Project management standards.
(a) Agency Responsibilities. - Each agency shall provide for a project manager who meets the applicable quality assurance standards for each information technology project that is subject to approval under G.S. 143-33.72C(a). The project manager shall be subject to the review and approval of the State Chief Information Officer.
The agency project manager shall provide periodic reports to the project management assistant assigned to the project by the State CIO under subsection (b) of this section. The reports shall include information regarding project costs, issues related to hardware, software, or training, projected and actual completion dates, and any other information related to the implementation of the information technology project.
(b) State Chief Information Officer Responsibilities. - The State Chief Information Officer shall designate a project management assistant from the Office of Information Technology Services for projects that receive approval under G.S. 147-33.72C(a). The State Chief Information Officer may designate a project management assistant for any other information technology project.
The project management assistant shall advise the agency with the initial planning of a project, the content and design of any request for proposals, contract development, procurement, and architectural and other technical reviews. The project management assistant shall also monitor agency progress in the development and implementation of the project and shall provide status reports to the State Chief Information Officer, including recommendations regarding continued approval of the project.
"§ 147-33.72F. Procurement procedures; cost savings.
Pursuant to Part 4 of this Article, the Office of State Technology Services shall establish procedures for the procurement of information technology. The procedures may include aggregation of hardware purchases, the use of formal bid procedures, restrictions on supplemental staffing, enterprise software licensing, hosting, and multiyear maintenance agreements. The procedures may require agencies to submit information technology procurement requests to the Office of State Technology Services on October 1, January 1, and June 1 of each fiscal year in order to allow for bulk purchasing.
"§ 147-33.72G. Information Technology Advisory Board.
(a) Creation; Membership. - The Information Technology Advisory Board is established and shall be located within the Office of Information Technology Services for organizational, budgetary, and administrative purposes. The Board shall consist of 12 members, four appointed by the Governor, four appointed by the President Pro Tempore of the Senate, and four appointed by the Speaker of the House of Representatives. All appointments shall be from among persons knowledgeable in the subject area and having experience with State government or information technology deployment within large organizations. Each member shall serve at the pleasure of the officer who appointed the member. The Governor shall designate a chair from among the membership.
(b) Conflicts of Interest. - Members of the Advisory Board shall not serve on the board of directors or other governing body of, be employed by, or receive any remuneration of any kind from any information systems, computer hardware, computer software, or telecommunications vendor of goods and services to the State of North Carolina.
No member of the Advisory Board shall vote on an action affecting solely that person's State agency.
(c) Powers and Duties. - The Board shall:
(1) Review and comment on the State Information Technology Plan developed by the State Chief Information Officer under G.S. 147-33.72B(b).
(2) Review and comment on the information technology plans of the executive agencies prepared under G.S. 147-33.72B(c).
(3) Review and comment on the statewide technology initiatives developed by the State Chief Information Officer.
(d) Meetings. - The Information Technology Advisory Board shall adopt bylaws containing rules governing its meeting procedures. The Board shall meet at least quarterly. The Office of Information Technology Services shall provide administrative staff and facilities for Advisory Board meetings. The expenses of the Board shall be paid from receipts available to the Office of Information Technology Services as requested by the Board. Advisory Board members shall receive per diem, subsistence, and travel allowances as follows:
(1) Commission members who are officials or employees of the State or of local government agencies, at the rate established in G.S. 138-6; and
(2) All other commission members, at the rate established in G.S. 138-5.
"§ 147-33.72H. Information Technology Fund.
There is established a special revenue fund to be known as the Information Technology Fund, which may receive transfers or other credits as authorized by the General Assembly. Money may be appropriated from the Information Technology Fund to meet statewide requirements, including planning, project management, security, electronic mail, State portal operations, and the administration of systemwide procurement procedures. Expenditures involving funds appropriated to the Office of Information Technology Services from the Information Technology Fund shall be made by the State CIO in consultation with the Information Technology Advisory Board. By October 1 of each year, the State CIO shall submit to the Joint Legislative Oversight Committee on Information Technology a report on all expenditures involving funds appropriated to the Office of Information Technology Services from the Information Technology Fund for the preceding fiscal year. Interest earnings on the Information Technology Fund balance shall be credited to the Information Technology Fund."
SECTION 3. G.S. 147-33.76 reads as rewritten:
"§ 147-33.76.
Head of the Office of Information Technology Services; qualification and
appointmentQualification, appointment, and duties of the State
Chief Information Officer.
(a) The Office of
Information Technology Services shall be managed and administered by the State
Chief Information Officer. Officer ('State CIO'). The State Chief
Information Officer shall be qualified by education and experience for the
office and shall be appointed by the Governor after consultation with the
Senate Committee on Information Technology and the House Committee on
Technology meeting jointly (or by similar committees designated by the rules of
each house). and serve at the pleasure of the Governor.
(b) The
Governor shall submit the name of the person to be appointed for review by the
entities specified in subsection (a) of this section.
(b1) The State CIO shall be responsible for developing and administering a comprehensive long-range plan to ensure the proper management of the State's information technology resources. The State CIO shall set technical standards for information technology, review and approve major information technology projects, review and approve State agency information technology budget requests, establish information technology security standards, provide for the procurement of information technology resources, and develop a schedule for the replacement or modification of major systems. The State CIO is authorized to adopt rules to implement this Article.
(c) The salary of the State Chief Information Officer shall be set by the General Assembly in the Current Operations Appropriations Act. The State Chief Information Officer shall receive longevity pay on the same basis as is provided to employees of the State who are subject to the State Personnel Act."
SECTION 4. G.S. 147-33.78 is repealed.
SECTION 5. G.S. 147-33.79 is repealed.
SECTION 6. All (i) records, (ii) personnel positions and salaries, (iii) property, and (iv) unexpended balances of appropriations, allocations, reserves, support costs, and other funds of the Information Resources Management Commission are transferred to and vested in the Office of Information Technology Services authorized by Article 3D of Chapter 147 of the General Statutes.
SECTION 7.(a) On June 30, 2004, the State Controller shall transfer the sum of seven million five hundred thousand dollars ($7,500,000) from the Information Technology Services Internal Service Fund to the Information Technology Fund.
SECTION 7.(b) For the fiscal year 2004-2005 appropriations are made from the Information Technology Fund as follows:
(1) The sum of two million seven hundred thousand dollars ($2,700,000) to the Office of State Controller to implement the recommendations of the statewide Business Infrastructure Study; and
(2) The sum of four million eight hundred thousand dollars ($4,800,000) to the Office of Information Technology Services for the following purposes:
Security Assessment and Remediation $3,000,000
Project Management Office Expansion $600,000
Legacy Systems Study $1,000,000
Legal Services $100,000
ITS Management Staff $100,000
SECTION 7A.(a) The heading for Article 26 of Chapter 120 of the General Statutes reads as rewritten:
"Article 26.
Joint Select Legislative Oversight Committee
on Information Technology."
SECTION 7A.(b) G.S. 120-230 reads as rewritten:
"§ 120-230.
Creation and purpose of the Joint Select Legislative Oversight Committee
on Information Technology.
There is established the Joint Select Legislative
Oversight Committee on Information Technology. The Committee shall review
current information technology that impacts public policy, including electronic
data processing and telecommunications, software technology, and information
processing. The goals and objectives of the Committee shall be to develop electronic
commerce in the State and to coordinate the use of information technology by
State agencies in a manner that assures that the citizens of the State receive
quality services from all State agencies and that the needs of the citizens are
met in an efficient and effective manner. The Committee
shall examine, on a continuing basis, systemwide issues affecting State
government information technology, including, but not limited to, State
information technology operations, infrastructure, development, financing,
administration, and service delivery. The Committee may examine State agency or
enterprise-specific information technology issues. The Committee shall make
ongoing recommendations to the General Assembly on ways to improve the
effectiveness, efficiency, and quality of State government information
technology."
SECTION 7A.(c) G.S. 120-231 reads as rewritten:
"§ 120-231. Committee duties; reports.
(a) The Joint Select Legislative
Oversight Committee on Information Technology may:
(1) Evaluate the current technological infrastructure of State government and information systems use and needs in State government and determine potential demands for additional information staff, equipment, software, data communications, and consulting services in State government during the next 10 years. The evaluation may include an assessment of ways technological infrastructure and information systems use may be leveraged to improve State efficiency and services to the citizens of the State, including an enterprise-wide infrastructure and data architecture.
(2) Evaluate information technology governance, policy, and management practices, including policies and practices related to personnel and acquisition issues, on both a statewide and project level.
(3) Study, evaluate, and recommend changes to the North Carolina General Statutes relating to electronic commerce.
(4) Study, evaluate, and recommend action regarding reports received by the Committee.
(5) Study, evaluate, and recommend any changes proposed for future development of the information highway system of the State.
(b) The Committee may
consult with the Information Resource Management Commission State
Chief Information Officer on statewide technology strategies and initiatives
and review all legislative proposals and other recommendations of the
Information Resource Management Commission Office of Information
Technology Services.
(c) The Committee shall report
by March 1 of each year to the Appropriations Committees of the Senate and the
House of Representatives concerning the Committee's activities and findings and
any recommendations for statutory changes. submit annual reports to the
General Assembly on or before the convening of the regular session of the
General Assembly each year. The Committee may submit interim reports at any
time it deems appropriate."
SECTION 7A.(d) G.S. 120-232 reads as rewritten:
"§ 120-232. Committee membership; terms; organization; vacancies.
(a) The Committee shall consist of 16 members as follows:
(1) Five Eight members
of the Senate at the time of their appointment, appointed by the President Pro
Tempore of the Senate. At least two appointees shall be members of the Senate
Appropriations Committee.
(2) Five Eight members
of the House of Representatives at the time of their appointment, appointed by
the Speaker of the House of Representatives. At least two appointees shall
be members of the House of Representatives Appropriations Committee.
(3) Three
members of the public, appointed by the President Pro Tempore of the Senate.
(4) Three
members of the public, appointed by the Speaker of the House of
Representatives.
The members appointed to the Committee from the public
shall be chosen from among individuals who have the ability and commitment to
promote and fulfill the purposes of the Committee, including individuals who
have expertise in the field of computer technology or commercial transactions.
(b) Members of the
Committee shall serve terms of two years beginning on August 15 of at
the convening of the General Assembly in each odd-numbered year, with no
prohibition against being reappointed, except initial appointments shall begin
on appointment and end on the day of convening of the 2005 General Assembly. be
for terms as follows:
(1) The public
members shall serve terms of three years.
(2) The members
who are members of the General Assembly shall serve terms of two years.
Initial terms shall commence on August 15, 1999.
(c) Members who are
elected officials may complete a term of service on the Committee even if
they do not seek reelection or are not reelected, but resignation or removal
from service constitutes resignation or removal from service on the Committee.
(d) The President Pro Tempore of the Senate and the Speaker of the House of Representatives shall each select a legislative member from their appointees to serve as cochair of the Committee.
(e) The Committee shall meet at least once a quarter and may meet at other times upon the call of the cochairs. A majority of the members of the Committee shall constitute a quorum for the transaction of business. The affirmative vote of a majority of the members present at meetings of the Committee shall be necessary for action to be taken by the Committee.
(f) All members shall serve at the will of their appointing officer. A member continues to serve until the member's successor is appointed. A vacancy shall be filled within 30 days by the officer who made the original appointment."
PART II. CONFORMING CHANGES IN ARTICLE 3D OF CHAPTER 147.
SECTION 8. The heading of Part 1A of Article 3D of Chapter 147 of the General Statutes, as redesignated under Section 1 of this act, reads as rewritten:
"Part 1A. Transfer and Organization of Office of
Information Technology Services."
SECTION 9. G.S. 147-33.75 reads as rewritten:
"§ 147-33.75.
Transfer to Office located in the Office of the Governor.
(a) The Office of
Information Technology Services ("Office") of the Department of
Commerce and the Information Resource Management Commission are hereby
transferred to shall be housed in the Office of the Governor.
(b) The Governor has the authority, powers, and duties over the Office that are assigned to the Governor and the head of department pursuant to Article 1 of Chapter 143B of the General Statutes, G.S. 143A-6(b), and the Constitution and other laws of this State."
SECTION 10. G.S. 147-33.82(d)(2) is repealed.
SECTION 11. G.S. 147-33.82(e) is repealed.
SECTION 12. G.S. 147-33.82(c), G.S. 147-33.82(d) as amended by Section 10 of this act, G.S. 147-33.82(e1), and G.S. 147-33.82(f), are recodified as separate sections as Part 5 of Article 3D of Chapter 147 of the General Statutes, G.S. 147-33.110 through G.S. 147-33.113 respectively.
SECTION 13. G.S. 147-33.82(a) reads as rewritten:
"§ 147-33.82.
Powers and duties Functions of the State Chief Information
Officer and the Office of Information Technology Services.
(a) The In
addition to any other functions required by this Article, the Office of
Information Technology Services shall:
(1) Procure all information technology for State agencies, as provided in Part 4 of this Article.
(2) Submit for approval of
the Information Resources Management CommissionOffice of State Budget
and Management all rates and fees for common, shared State government-wide
technology services provided by the Office. Office on a fee-for-service
basis and not covered by another fund.
(3) Conduct an annual
assessment of State agencies for compliance with statewide policies for
information technology and Submit submit for approval review
of the Information Resources Management CommissionTechnology Advisory
Board recommended State government-wide, enterprise-level policies statewide
policies for information technology.
(4) Develop standards,
procedures, and processes to implement policies approved by the Information
Resources Management Commission. State CIO.
(5) Assure that Review
State agencies implement and manage agency information
technology portfolio-based management of State information technology resources,
in accordance resources for compliance with the direction set by
the State Chief Information Officer.this Article.
(6) Assure Review
that State agencies implement and manage agency
implementation of statewide information technology enterprise management
efforts of State government, in accordance government for compliance with
the direction set by the State Chief Information Officer.this
Article.
(7) Provide
recommendations to the Information Resources Management Commission for its
biennial technology strategy and to develop State government-wide technology
initiatives to be approved by the Information Resources Management Commission.
(8) Develop a project
management, quality assurance, and architectural review process that adheres
to the Information Resources Management Commission's certification program and
portfolio-based management initiative.for projects that require review
and approval under G.S. 147-33.72C(a).
(9) Establish
and utilize the Information Technology Management Advisory Council to consist
of representatives from other State agencies to advise the Office on
information technology business management and technology matters."
SECTION 14. Part 5 of Article 3D of Chapter 147 of the General Statutes, as recodified by Section 12 of this act, reads as rewritten:
"Part 5. Security for Information Technology Services.
"§ 147-33.110. Statewide security standards.
The State Chief Information Officer shall establish an
enterprise-wide a statewide set of standards for information
technology security to maximize the functionality, security, and
interoperability of the State's distributed information technology assets,
including communications and encryption technologies. The State CIO shall
review and revise the security standards annually. As part of this
function, the State Chief Information Officer shall review periodically
existing security standards and practices in place among the various State
agencies to determine whether those standards and practices meet enterprise-wide
statewide security and encryption requirements. The State Chief
Information Officer may assume the direct responsibility of providing for the
information technology security of any State agency that fails to adhere to
security standards adopted pursuant to this section.under this
Article. Any actions taken by the State Chief Information Officer under
this subsection section shall be reported to the Information
Resources Management Commission Information Technology Advisory Board at
its next scheduled meeting.
"§ 147-33.111. State CIO approval of security standards and security assessments.
(a)
Notwithstanding G.S. 143-48.3 or any other provision of law, and except as
otherwise provided by this subsection, section, all information
technology security purchased using State funds, or for use by a State agency
or in a State facility, shall be subject to approval by the State Chief
Information Officer in accordance with security standards adopted under this section.Article.
(1)(b) If the legislative branch, the
judicial branch, The University of North Carolina and its constituent
institutions, local school administrative units as defined by G.S. 115C-5,
or the North Carolina Community Colleges System develop their own security
standards, taking into consideration the mission and functions of that entity,
that are comparable to or exceed those set by the State Chief Information
Officer under this section, then these entities may elect to be governed by
their own respective security standards, and approval of the State Chief
Information Officer shall not be required before the purchase of information
technology security. The State Chief Information Officer shall consult with the
legislative branch, the judicial branch, The University of North Carolina and its
constituent institutions, local school administrative units, and the North
Carolina Community Colleges System in reviewing the security standards adopted
by those entities.
(2) Repealed.
(3)(c) Before a State agency may enter
into any contract with another party for an assessment of network
vulnerability, including network penetration or any similar procedure, the
State agency shall notify the State Chief Information Officer and obtain
approval of the request. The State Chief Information Officer shall refer the
request to the State Auditor for a determination of whether the Auditor's
office can perform the assessment and testing. If the State Auditor determines
that he the Auditor's office can perform the assessment and
testing, then the State Chief Information Officer shall authorize the
assessment and testing by the Auditor. If the State Auditor determines that his
the Auditor's office cannot perform the assessment and testing, then
with the approval of the State Chief Information Officer and State Auditor, the
State agency may enter into a contract with another party for the assessment
and testing. If the State agency enters into a contract with another party for
assessment and testing, the State agency shall issue public reports on the
general results of the reviews undertaken pursuant to this subdivision, but
the reviews. The contractor must shall provide the
State agency with detailed reports of the security issues identified pursuant
to this subdivision that shall not be disclosed as provided in
G.S. 132-6.1(c). The State agency shall provide the State Chief
Information Officer and the State Auditor with copies of the detailed reports.reports
that shall not be disclosed as provided in G.S. 132-6.1(c).
"§ 147-33.112. Assessment of agency compliance with security standards.
The State Chief Information Officer shall assess the ability
of each agency to comply with the current security enterprise-wide set of
standards established pursuant to this section. The assessment shall include,
at a minimum, the rate of compliance with the standards in each agency and an
assessment of each agency's security organization, network security
architecture, and current expenditures for information technology security. The
assessment shall also estimate the cost to implement the security measures
needed for agencies to fully comply with the standards. Each agency subject to
the standards shall submit information required by the State Chief Information
Officer for purposes of this assessment. Not later than May 4, 2004, the
Information Resources Management Commission and the The State Chief
Information Officer shall submit a public report that summarizes the status
of the assessment, including the available estimates of additional funding
needed to bring agencies into compliance, to the Joint Legislative Commission
on Governmental Operations and shall provide updated assessment information by
January 15 of each subsequent year.include the information obtained from
the assessment in the State Information Technology Plan required under
G.S. 147-33.72B.
"§ 147-33.113. State agency cooperation.
(a) The head of each State agency shall cooperate with the State Chief Information Officer in the discharge of his or her duties by:
(1) Providing the full details of the agency's information technology and operational requirements and of all the agency's information technology security incidents within 24 hours of confirmation.
(2) Providing comprehensive information concerning the information technology security employed to protect the agency's information technology.
(3) Forecasting the parameters of the agency's projected future information technology security needs and capabilities.
(4) Designating an agency liaison in the information technology area to coordinate with the State Chief Information Officer. The liaison shall be subject to a criminal background report from the State Repository of Criminal Histories, which shall be provided by the State Bureau of Investigation upon its receiving fingerprints from the liaison. If the liaison has been a resident of this State for less than five years, the background report shall include a review of criminal information from both the State and National Repositories of Criminal Histories. The criminal background report shall be provided to the State Chief Information Officer and the head of the agency. In addition, all personnel in the Office of State Auditor who are responsible for information technology security reviews pursuant to G.S. 147-64.6(c)(18) shall be subject to a criminal background report from the State Repository of Criminal Histories, which shall be provided by the State Bureau of Investigation upon receiving fingerprints from the personnel designated by the State Auditor. For designated personnel who have been residents of this State for less than five years, the background report shall include a review of criminal information from both the State and National Repositories of Criminal Histories. The criminal background reports shall be provided to the State Auditor.
(b) The
information provided by State agencies to the State Chief Information Officer
under this subsection section is protected from public disclosure
pursuant to G.S. 132-6.1(c)."
SECTION 15. G.S. 147-33.83 reads as rewritten:
"§ 147-33.83. Information resources centers and services.
(a) With respect to all executive departments and agencies of State government, except the Department of Justice if they do not elect at their option to participate, the Office of Information Technology Services shall have all of the following powers and duties:
(1) To establish and
operate information resource centers and services to serve two or more
departments on a cost-sharing basis, if the Information Resources Management
Commission State CIO, after consultation with the Office of State Budget
and Management, decides it is advisable from the standpoint of efficiency
and economy to establish these centers and services.
(2) With the approval of
the Information Resources Management Commission, Office of State
Budget and Management, to charge each department for which services are
performed its proportionate part of the cost of maintaining and operating the
shared centers and services.
(3) With the approval
of the Information Resources Management Commission, to To require
any department served to transfer to the Office ownership, custody, or control
of information processing equipment, supplies, and positions required by the
shared centers and services.
(4) With the approval
of the Information Resources Management Commission, to To adopt
reasonable rules for the efficient and economical management and operation of
the shared centers, services, and the integrated State telecommunications
network.
(5) With the approval
of the Information Resources Management Commission, to To adopt
plans, policies, procedures, and rules for the acquisition, management, and use
of information technology resources in the departments affected by this section
to facilitate more efficient and economic use of information technology in
these departments.
(6) To develop and promote training programs to efficiently implement, use, and manage information technology resources.
(7) To provide cities, counties, and other local governmental units with access to the Office of Information Technology Services, information resource centers and services as authorized in this section for State agencies. Access shall be provided on the same cost basis that applies to State agencies.
(b) No data of a confidential nature, as defined in the General Statutes or federal law, may be entered into or processed through any cost-sharing information resource center or network established under this section until safeguards for the data's security satisfactory to the department head and the State Chief Information Officer have been designed and installed and are fully operational. Nothing in this section may be construed to prescribe what programs to satisfy a department's objectives are to be undertaken, nor to remove from the control and administration of the departments the responsibility for program efforts, regardless whether these efforts are specifically required by statute or are administered under the general program authority and responsibility of the department. This section does not affect the provisions of G.S. 147-64.6, 147-64.7, or 147-33.91.
(c) Notwithstanding any other provision of law, the Office of Information Technology Services shall provide information technology services on a cost-sharing basis to the General Assembly and its agencies as requested by the Legislative Services Commission."
SECTION 16. G.S. 147-33.84 reads as rewritten:
"§ 147-33.84.
Deviations authorized for Department of Revenue. Revenue; agency requests
for deviations.
(a) The Department of
Revenue is authorized to deviate from any provision in G.S. 147-33.83(a)
that requires departments or agencies to consolidate information processing
functions on equipment owned, controlled, or under custody of the Office of
Information Technology Services. All deviations by the Department of Revenue
pursuant to this section shall be reported in writing within 15 days by the
Department of Revenue to the Information Resources Management Commission
State CIO and shall be consistent with available funding. Any State
agency may apply in writing to the State CIO for authority to deviate. If
granted, any deviation shall be consistent with available funding and shall be
subject to such terms and conditions as may be specified by the State CIO. If
the agency's request for deviation is denied by the State CIO, the agency may
request a review of the decision pursuant to G.S. 147-33.72D.
(b) The Department of
Revenue is authorized to adopt and shall adopt plans, policies, procedures,
requirements, and rules for the acquisition, management, and use of information
processing equipment, information processing programs, data communications
capabilities, and information systems personnel in the Department of Revenue. If
the plans, policies, procedures, requirements, rules, or standards adopted by
the Department of Revenue deviate from the policies, procedures, or guidelines
adopted by the Office of Information Technology Services or the Information
Resources Management Commission, Services, those deviations shall be
allowed and shall be reported in writing within 15 days by the Department of
Revenue to the Information Resources Management Commission. State
CIO. The Department of Revenue and the Office of Information Technology
Services shall develop data communications capabilities between the two
computer centers utilizing the North Carolina Integrated Network, subject to a
security review by the Secretary of Revenue.
(c) The Department of Revenue shall prepare a plan to allow for substantial recovery and operation of major, critical computer applications. The plan shall include the names of the computer programs, databases, and data communications capabilities, identify the maximum amount of outage that can occur prior to the initiation of the plan and resumption of operation. The plan shall be consistent with commonly accepted practices for disaster recovery in the information processing industry. The plan shall be tested as soon as practical, but not later than six months, after the establishment of the Department of Revenue information processing capability.
(d) Notwithstanding the provisions of subsections (a) and (b) of this section, the Department of Revenue shall review and evaluate any deviations and shall, in consultation with the Office of Information Technology Services, adopt a plan to phase out any deviations that are not determined to be necessary in carrying out functions and responsibilities unique to the Department. The plan adopted by the Department shall include a strategy to coordinate its general information processing functions with the Office of Information Technology Services in the manner prescribed by G.S. 147-33.83(a) and provide for its compliance with policies, procedures, and guidelines adopted by the Office of Information Technology Services. The Department of Revenue shall submit its plan to the Office of State Budget and Management by January 15, 2005."
SECTION 17. G.S. 147-33.85 is repealed.
SECTION 18. G.S. 147-33.86 is repealed.
SECTION 19. G.S. 147-33.87 reads as rewritten:
"§ 147-33.87. Financial reporting and accountability for information technology investments and expenditures.
The Office of Information Technology Services, the Office of
State Budget and Management, and the Office of the State Controller shall
jointly develop a system for budgeting and accounting of expenditures for
information technology operations, services, projects, infrastructure, and
assets. The system shall include hardware, software, personnel, training,
contractual services, and other items relevant to information technology, and
the sources of funding for each. This system must integrate seamlessly with
the enterprise portfolio management system. Annual reports regarding
information technology shall be coordinated by the Office with the Office of
State Budget and Management and the Office of the State Controller, and
submitted to the Governor, General Assembly, and the Information Resources
Management Commission Governor and the General Assembly on or before
October 1 of each year."
SECTION 20. G.S. 147-33.88 reads as rewritten:
"§ 147-33.88. Information technology reports.
(a) The Office shall
develop an annual budget for review and approval by the Information
Resources Management Commission Office of State Budget and
Management prior to April 1 of each year. A copy of the approved budget
shall be submitted to the Joint Select Committee on Information Technology and
the Fiscal Research Division.
(b) The Office shall
report to the Joint Select Legislative Oversight Committee on
Information Technology and the Fiscal Research Division on the Office's
Internal Service Fund on a quarterly basis, no later than the first day of the
second month following the end of the quarter. The report shall include current
cash balances, line-item detail on expenditures from the previous quarter, and
anticipated expenditures and revenues. The Office shall report to the Joint
Legislative Oversight Committee on Information Technology and the Fiscal
Research Division on expenditures for the upcoming quarter, projected year-end
balance, and the status report on personnel position changes including new
positions created and existing positions eliminated. The Office spending
reports shall comply with the State Accounting System object codes."
SECTION 21. G.S. 147-33.89(b) reads as rewritten:
"(b) Each State agency
shall submit its disaster recovery plan on an annual basis to the Information
Resource Management Commission and the State Chief Information
Officer."
SECTION 22. G.S. 147-33.90 reads as rewritten:
"§ 147-33.90. Analysis of State agency legacy systems.
(a) The Office of
Information Technology Services, in conjunction with the Information
Resources Management Commission, Services shall analyze the State's
legacy information technology systems and develop a plan to ascertain the
needs, costs, and time frame required for State agencies to progress to more
modern information technology systems.
(b) In conducting the legacy system assessment phase of the analysis, the Office shall:
(1) Examine the hierarchical structure and interrelated relationships within and between State agency legacy systems.
(2) Catalog and analyze the portfolio of legacy applications in use in State agencies and consider the extent to which new applications could be used concurrently with, or should replace, legacy systems.
(3) Consider issues related to migration from legacy environments to Internet-based and client/server environments, and related to the availability of programmers and other information technology professionals with the skills to migrate legacy applications to other environments.
(4) Study any other issue relative to the assessment of legacy information technology systems in State agencies.
By March 1, 2004, the Office shall complete the assessment
phase of the analysis and shall make a report of the assessment to the Joint
Legislative Commission on Governmental Operations (Commission). Thereafter, the
Office shall make an ongoing annual report on these matters to the Commission
by March 1 of each year.
(c) Upon completion of the legacy system assessment phase of the analysis, the Office shall ascertain the needs, costs, and time frame required to modernize State agency information technology. The Office shall complete this phase of the assessment by January 31, 2005, and shall report its findings and recommendations to the 2005 General Assembly. The findings and recommendations shall include a cost estimate and time line for modernization of legacy information technology systems in State agencies. The Office shall submit an ongoing, updated report on modernization needs, costs, and time lines to the General Assembly on the opening day of each biennial session."
SECTION 23. G.S. 147-33.91 reads as rewritten:
"§ 147-33.91. Telecommunications services; duties of State Chief Information Officer with respect to State agencies.
(a) With respect
to State agencies, the State Chief Information Officer shall exercise general
coordinating authority for all telecommunications matters relating to the
internal management and operations of those agencies. In discharging that
responsibility, the State Chief Information Officer may Officer, in
cooperation with affected State agency heads, do such of the following
things as the State Chief Information Officer deems necessary and advisable:may:
(1) Provide for the
establishment, management, and operation, through either State ownership ownership,
contract, or commercial leasing, of the following systems and services as
they affect the internal management and operation of State agencies:
a. Central
telephone systems and telephone networks; networks.
b. Teleprocessing
systems;
c. Teletype
and facsimile services;
d. Satellite services;services.
e. Closed-circuit
TV systems; systems.
f. Two-way
radio systems; systems.
g. Microwave systems;
and systems.
h. Related systems based on telecommunication technologies.
i. The 'State Network', managed by the Office, which means any connectivity designed for the purpose of providing Internet Protocol transport of information to any building.
(2) With the approval
of the Information Resources Management Commission, coordinate Coordinate
the development of cost-sharing systems for respective user agencies for
their proportionate parts of the cost of maintenance and operation of the
systems and services listed in subdivision (1) of this section.subsection.
(3) Assist in the development of coordinated telecommunications services or systems within and among all State agencies and recommend, where appropriate, cooperative utilization of telecommunication facilities by aggregating users.
(4) Perform traffic analysis and engineering for all telecommunications services and systems listed in subdivision (1) of this subsection.
(5) Pursuant to G.S. 143-49, establish telecommunications specifications and designs so as to promote and support compatibility of the systems within State agencies.
(6) Pursuant to G.S. 143-49 and G.S. 143-50, coordinate the review of requests by State agencies for the procurement of telecommunications systems or services.
(7) Pursuant to G.S. 143-341 and Chapter 146 of the General Statutes, coordinate the review of requests by State agencies for State government property acquisition, disposition, or construction for telecommunications systems requirements.
(8) Provide a periodic inventory of telecommunications costs, facilities, systems, and personnel within State agencies.
(9) Promote, coordinate, and assist in the design and engineering of emergency telecommunications systems, including, but not limited to, the 911 emergency telephone number program, Emergency Medical Services, and other emergency telecommunications services.
(10) Perform frequency coordination and management for State agencies and local governments, including all public safety radio service frequencies, in accordance with the rules and regulations of the Federal Communications Commission or any successor federal agency.
(11) Advise all State agencies on telecommunications management planning and related matters and provide through the State Personnel Training Center or the Office of Information Technology Services training to users within State agencies in telecommunications technology and systems.
(12) Assist and coordinate the development of policies and long-range plans, consistent with the protection of citizens' rights to privacy and access to information, for the acquisition and use of telecommunications systems, and base such policies and plans on current information about State telecommunications activities in relation to the full range of emerging technologies.
(13) Work cooperatively with the North Carolina Agency for Public Telecommunications in furthering the purpose of this section.
(b) The provisions of this section shall not apply to the Criminal Information Division of the Department of Justice or to the Judicial Information System in the Judicial Department."
SECTION 24. G.S. 147-33.95 reads as rewritten:
"(a) Notwithstanding any
other provision of law, the Office of Information Technology Services shall
procure all information technology for State agencies. For purposes of this
section, agency means any department, institution, commission, committee,
board, division, bureau, office, officer, or official of the State, unless
specifically exempted in this Article. The Office shall integrate
technological review, cost analysis, and procurement for all information
technology needs of those State agencies in order to make procurement and
implementation of technology more responsive, efficient, and cost-effective.
All contract information shall be made a matter of public record after the
award of contract. Provided, that trade Trade secrets, test data,
similar proprietary information, and security information protected under
G.S. 132-6.1(c) may remain confidential.
(b) The Office shall have the authority and responsibility, subject to the provisions of this Part, to:
(1) Purchase or to contract
for, by suitable means, including, but not limited to, negotiations, reverse
auctions, and the solicitation, offer, and acceptance of electronic bids, and
in conformity with G.S. 143-135.9, for all information
technology in the State government, or any of its departments, institutions, or
agencies covered by this Part, or to Part. The Office may authorize
any department, institution, or State agency covered by this Part
to purchase or contract for such information technology. The Office
or a State agency may use any authorized means, including negotiations, reverse
auctions, and the solicitation, offer, and acceptance of electronic bids.
G.S. 143-135.9 shall apply to these procedures.
(2) Establish processes,
specifications, and standards which that shall apply to all
information technology to be purchased, licensed, or leased in the State
government or any of its departments, institutions, or agencies covered by this
Part.
(3) Comply with the State
government-wide technical architecture, as required by the Information
Resources Management CommissionState CIO.
(c) For purposes of this section, "reverse auction" means a real-time purchasing process in which vendors compete to provide goods or services at the lowest selling price in an open and interactive electronic environment. The vendor's price may be revealed during the reverse auction. The Office may contract with a third-party vendor to conduct the reverse auction.
(d) For purposes of this section, "electronic bidding" means the electronic solicitation and receipt of offers to contract. Offers may be accepted and contracts may be entered by use of electronic bidding.
(e) The Office may use the electronic procurement system established by G.S. 143-48.3 to conduct reverse auctions and electronic bidding. All requirements relating to formal and competitive bids, including advertisement, seal, and signature, are satisfied when a procurement is conducted or a contract is entered in compliance with the reverse auction or electronic bidding requirements established by the Office.
(f) The Office may
shall adopt rules consistent with this section."
SECTION 25. G.S. 147-33.101(b) reads as rewritten:
"(b) Prior to submission
of any contract for review by the Board of Awards pursuant to this section for any
contract for information technology being acquired for the benefit of the
Office and not on behalf of any other State agency, the Director of the Budget
shall review and approve the procurement to ensure compliance with the
established processes, specifications, and standards applicable to all
information technology purchased, licensed, or leased in State government,
including established procurement processes, and compliance with the State
government-wide technical architecture as established by the Information
Resources Management Commission.State CIO."
SECTION 26. G.S. 147-33.103(b) is repealed.
PART III. OTHER CONFORMING CHANGES.
SECTION 27. G.S. 66-58.12(c) reads as rewritten:
"(c) The fee imposed under
subsection (b) of this section must be approved by the Information Resource
Management Commission, State Chief Information Officer, in
consultation with the Joint Legislative Commission on Governmental Operations.
The revenue derived from the fee must be credited to a nonreverting agency
reserve account. The funds in the account may be expended only for e-commerce
initiatives and projects approved by the Information Resource Management
Commission, State Chief Information Officer, in consultation with
the Joint Select Legislative Oversight Committee on Information
Technology. For purposes of this subsection, the term 'public agencies' does
not include a county, unit, special district, or other political subdivision of
government."
SECTION 28. G.S. 66-58.20 reads as rewritten:
"§ 66-58.20. Development and implementation of Web portals; public agency links.
(a) The Office of
Information Technology Services (ITS) shall develop the architecture,
requirements, and standards for the development, implementation and operation
of one or more centralized Web portals that will allow persons to access State
government services on a 24-hour basis. ITS shall submit its plan for the
implementation of the Web portals to the Information Resource Management
Commission (IRMC) State Chief Information Officer for its review
and approval. When the plan is approved by the IRMC, State Chief
Information Officer, ITS shall move forward with development and
implementation of the statewide Web Portal system.
(b) Each State
department, agency, and institution under the review of the IRMC State
Chief Information Officer shall functionally link its Internet or
electronic services to a centralized Web portal system established pursuant to
subsection (a) of this section."
SECTION 29. G.S. 115C-102.6B reads as rewritten:
"§ 115C-102.6B. Approval of State school technology plan.
(a) The Commission shall present the State school technology plan it develops to the Joint Legislative Commission on Governmental Operations and the Joint Legislative Education Oversight Committee for their comments prior to January 1, 1995. At least every two years thereafter, the Commission shall develop any necessary modifications to the State school technology plan and present them to the Joint Legislative Commission on Governmental Operations and the Joint Legislative Education Oversight Committee.
(b) After presenting the
plan or any proposed modifications to the plan to the Joint Legislative
Commission on Governmental Operations and the Joint Legislative Education Oversight
Committee, the Commission shall submit the plan or any proposed modifications
to (i) the Information Resources Management Commission for its State
Chief Information Officer for approval of the technical components of the
plan set out in G.S. 115C-102.6A(1) through (4), and (ii) the State Board
of Education for information purposes only. The State Board shall adopt a plan
that includes the components of a plan set out in G.S. 115C-103.6A(1)
through (16).
At least one-fourth of the members of any technical committee
that reviews the plan for the Information Resources Management Commission State
Chief Information Officer shall be people actively involved in primary or
secondary education.
(c) If no changes are
made to the plan or the proposed modifications to the plan after the submission
to the Information Resources Management Commission State Chief
Information Officer and the State Board of Education, the plan or the
proposed modifications shall take effect upon approval by the Information
Resources Management Commission State Chief Information Officer and
the State Board of Education."
SECTION 30. G.S. 115C-102.6C(a) reads as rewritten:
"§ 115C-102.6C. Approval of local school system technology plans.
(a) Each local board of education shall develop a local school system technology plan that meets the requirements of the State school technology plan. In developing a local school system technology plan, a local board of education is encouraged to coordinate its planning with other agencies of State and local government, including other local school administrative units.
The Information Resources Management Commission Office
of Information Technology Services shall assist the local boards of
education in developing the parts of the plan related to its technological
aspects, to the extent that resources are available to do so. The Department of
Public Instruction shall assist the local boards of education in developing the
instructional and technological aspects of the plan.
Each local board of education shall
submit the local plan it develops to the Information Resources Management
Commission Office of Information Technology Services for its
evaluation of the parts of the plan related to its technological aspects and to
the Department of Public Instruction for its evaluation of the instructional
aspects of the plan. The State Board of Education, after consideration of the
evaluations of the Information Resources Management Commission Office
of Information Technology Services and the Department of Public
Instruction, shall approve all local plans that comply with the requirements of
the State school technology plan."
SECTION 31. G.S. 115C-102.7(b) reads as rewritten:
"(b) The Commission shall
provide notice of meetings, copies of minutes, and periodic briefings to the chair
of the Information Resources Management Commission and the chair of the
Technical Committee of the Information Resources Management Commission.Office
of Information Technology Services."
SECTION 32. G.S. 115C-102.15(b)(16) reads as rewritten:
"(b) The Business and Education Technology Alliance shall be composed of 27 members who have knowledge and interest in ensuring that the effective use of technology is built into the North Carolina School System for the purpose of preparing a globally competitive workforce and citizenry for the 21st century. These members shall be appointed as follows:
…
(16) One representative of the Information
Resource Management Commission appointed by the Commission's Chair.Office
of Information Technology Services appointed by the State Chief Information
Officer."
SECTION 33. G.S. 115C-472.5(d) reads as rewritten:
"(d) The Department of
Public Instruction shall report to the Information Resource Management
Commission State Chief Information Officer on an annual basis on all
loans made from the fund."
SECTION 34. G.S. 115C-529 reads as rewritten:
"§ 115C-529. Useful life guidelines.
The Information Resource Management Commission State
Office of Information Technology Services shall develop and annually revise
guidelines for determining the useful life of computers purchased under
G.S. 115C-528. The Division of Purchase and Contract shall develop and
periodically revise guidelines for determining the useful life of automobiles,
school buses, and photocopiers purchased under G.S. 115C-528. The Local
Government Commission shall develop and periodically revise guidelines for
determining the useful life of mobile classroom units purchased under
G.S. 115C-528. Guidelines for computers and photocopiers shall include
provisions for upgrades during the term of the contract. The Information
Resource Management Commission, State Office of Information Technology
Services, the Division of Purchase and Contract, and the Local Government
Commission shall provide their respective guidelines to the State Board of
Education by November 1, 1996. The State Board of Education shall provide the
guidelines to local boards of education by January 1, 1997."
SECTION 35. G.S. 120-123(57) is repealed.
SECTION 36. G.S. 120-231(b) reads as rewritten:
"(b) The Committee may
consult with the Information Resource Management Commission State
Chief Information Officer on statewide technology strategies and
initiatives and review all legislative proposals and other recommendations of
the Information Resource Management Commission. State Chief
Information Officer."
SECTION 37. G.S. 126-5(c1)(17) is repealed.
SECTION 38. G.S. 132-6.2(b) reads as rewritten:
"(b) Persons requesting
copies of public records may request that the copies be certified or
uncertified. The fees for certifying copies of public records shall be as
provided by law. Except as otherwise provided by law, no public agency shall
charge a fee for an uncertified copy of a public record that exceeds the actual
cost to the public agency of making the copy. For purposes of this subsection,
"actual cost" is limited to direct, chargeable costs related to the
reproduction of a public record as determined by generally accepted accounting
principles and does not include costs that would have been incurred by the
public agency if a request to reproduce a public record had not been made.
Notwithstanding the provisions of this subsection, if the request is such as to
require extensive use of information technology resources or extensive clerical
or supervisory assistance by personnel of the agency involved, or if producing
the record in the medium requested results in a greater use of information
technology resources than that established by the agency for reproduction of
the volume of information requested, then the agency may charge, in addition to
the actual cost of duplication, a special service charge, which shall be
reasonable and shall be based on the actual cost incurred for such extensive
use of information technology resources or the labor costs of the personnel
providing the services, or for a greater use of information technology
resources that is actually incurred by the agency or attributable to the
agency. If anyone requesting public information from any public agency is
charged a fee that the requester believes to be unfair or unreasonable, the
requester may ask the Information Resource Management Commission State
Chief Information Officer or his designee to mediate the dispute."
SECTION 39. G.S. 143-6 reads as rewritten:
"(b2) Any department, bureau,
division, officer, board, commission, institution, or other State agency or
undertaking desiring to request financial aid from the State for the purpose of
acquiring or maintaining information technology as defined by G.S. 147-33.81(2)
shall, before making the request for State financial aid, submit to the State
Chief Information Officer (CIO)(State CIO) a statement of its
needs in terms of information technology and other related requirements and
shall furnish the State CIO with any additional information requested by
the State CIO. The CIO shall then review the statement of needs submitted
by the requesting department, bureau, division, officer, board, commission,
institution, or other State agency or undertaking and perform additional
analysis, as necessary, to comply with G.S. 147-33.82. Article
3D of Chapter 147 of the General Statutes. All requests for financial aid
for the purpose of acquiring or maintaining information technology shall be
accompanied by a certification from the State CIO deeming the request
for financial aid to be consistent with Article 3D of Chapter 147 of the
General Statutes. The State CIO shall make recommendations to the
Governor regarding the merits of requests for financial aid for the purpose of
acquiring or maintaining information technology. This subsection shall not
apply to requests for appropriations of less than one hundred thousand dollars
($100,000)."
SECTION 40. G.S. 143-48.3(a1) reads as rewritten:
"(a1) The Department of Administration
shall comply with the State government-wide technical architecture for
information technology, as required by the Information Resources Management
Commission State Chief Information Officer."
SECTION 40A. G.S. 143-48.3(e) reads as rewritten:
"(e) The Board of
Governors of The University of North Carolina shall exempt North Carolina State
University and The University of North Carolina at Chapel Hill from the
electronic procurement system authorized by this Article until May 1, 2003.
Each exemption shall be subject to the Board of Governors' annual review and
reconsideration. Exempted constituent institutions shall continue working with
the North Carolina E-Procurement Service as that system evolves and shall
ensure that their proposed procurement systems are compatible with the North
Carolina E-Procurement Service so that they may take advantage of this service
to the greatest degree possible. Before an exempted institution expands any
electronic procurement system, that institution shall consult with the Joint
Legislative Commission on Governmental Operations and the Joint Select Legislative
Oversight Committee on Information Technology. By May 1, 2003, the General
Assembly shall evaluate the efficacy of the State's electronic procurement
system and the inclusion and participation of entities in the system."
SECTION 41. G.S. 143-48.3(f) reads as rewritten:
"(f) Any State entity,
local school administrative unit, or community college operating a functional
electronic procurement system established prior to September 1, 2001, may until
May 1, 2003, continue to operate that system independently or may opt into the
North Carolina E-Procurement Service. Each entity subject to this section shall
notify the Office of Information Technology Services Information
Resources Management Commission by January 1, 2002, and annually thereafter, of
by January 1 of each year of its intent to participate in the North
Carolina E-Procurement Service."
SECTION 41A. G.S. 143-52.1(e) reads as rewritten:
"(e) Reports on
recommendations made by the Board on matters presented by the State Chief
Information Officer to the Board shall be reported monthly by the Board to the
chairs of the Joint Select Legislative Oversight Committee on
Information Technology."
SECTION 42. G.S. 143-661(b)(5) reads as rewritten:
"(b) The Board shall consist of 21 members, appointed as follows:
…
(5) One member appointed
by the Chair of the Information Resource Management Commission, who is the
Chair or a member of that Commission, for a term to begin on September 1, 1996
and to expire on June 30, 1999.State Chief Information Officer."
SECTION 43. G.S. 143-663(a)(2) reads as rewritten:
"§ 143-663. Powers and duties.
(a) The Board shall have the following powers and duties:
…
(2) To develop and adopt
uniform standards and cost-effective information technology, after thorough
evaluation of the capacity of information technology to meet the present and
future needs of the State and, in consultation with the Information Resource
Management Commission, Office of Information Technology Services, to
develop and adopt standards for entering, storing, and transmitting information
in criminal justice databases and for achieving maximum compatibility among
user technologies."
SECTION 44. G.S. 143-725(a) reads as rewritten:
"§ 143-725. Council established; role of the Center for Geographic Information and Analysis.
(a) Council Established. - The North Carolina Geographic Information Coordinating Council ("Council") is established to develop policies regarding the utilization of geographic information, GIS systems, and other related technologies. The Council shall be responsible for the following:
(1) Strategic planning.
(2) Resolution of policy and technology issues.
(3) Coordination, direction, and oversight of State, local, and private GIS efforts.
(4) Advising the Governor,
the General Assembly, and the Information Resource Management Commission
(IRMC) State Chief Information Officer as to needed directions,
responsibilities, and funding regarding geographic information.
The purpose of this statewide geographic information coordination effort shall be to further cooperation among State, federal, and local government agencies; academic institutions; and the private sector to improve the quality, access, cost-effectiveness, and utility of North Carolina's geographic information and to promote geographic information as a strategic resource in the State. The Council shall be located in the Office of the Governor for organizational, budgetary, and administrative purposes."
SECTION 45. G.S. 143B-146.13 reads as rewritten:
"§ 143B-146.13. School technology plan.
(a) No later than December 15, 1998, the Secretary shall develop a school technology plan for the residential schools that meets the requirements of the State school technology plan. In developing a school technology plan, the Secretary is encouraged to coordinate its planning with other agencies of State and local government, including local school administrative units.
The Information Resources Management Commission Office
of Information Technology Services shall assist the Secretary in developing
the parts of the plan related to its technological aspects, to the extent that
resources are available to do so. The Department of Public Instruction shall
assist the Secretary in developing the instructional and technological aspects
of the plan.
The Secretary shall submit the plan that is developed to the Information
Resources Management Commission Office of Information Technology
Services for its evaluation of the parts of the plan related to its
technological aspects and to the Department of Public Instruction for its
evaluation of the instructional aspects of the plan. The State Board of
Education, after consideration of the evaluations of the Information
Resources Management Commission Office of Information Technology
Services and the Department of Public Instruction, shall approve all plans
that comply with the requirements of the State school technology plan."
SECTION 45A. G.S. 143B-437.47(e) reads as rewritten:
"(e) Reports. - The
Authority shall submit quarterly reports to the Governor, the Joint Select Legislative
Oversight Committee on Information Technology, and the Joint Legislative
Commission on Governmental Operations. The reports shall summarize the
Authority's activities during the quarter and contain any information about the
Authority's activities that is requested by the Governor, the Committee, or the
Commission."
SECTION 46. G.S. 147-64.6(b)(18) reads as rewritten:
"(b) The Auditor shall be responsible for the following acts and activities:
…
(18) The Auditor shall, after
consultation and in coordination with the State Chief Information Officer,
assess, confirm, and report on the security practices of information technology
systems. If an agency has adopted standards pursuant to G.S. 147-33.82(d)(1)
or (2), G.S. 147-33.111(a), the audit shall be in accordance
with those standards. The Auditor's assessment of information security
practices shall include an assessment of network vulnerability. The Auditor may
conduct network penetration or any similar procedure as the Auditor may deem
necessary. The Auditor may enter into a contract with a State agency under G.S. 147-33.82(d)(3)
G.S. 147-33.111(c) for an assessment of network vulnerability,
including network penetration or any similar procedure. Any contract with the
Auditor for the assessment and testing shall be on a cost-reimbursement basis.
The Auditor may investigate reported information technology security breaches,
cyber attacks, and cyber fraud in State government. The Auditor shall issue
public reports on the general results of the reviews undertaken pursuant to
this subdivision but may provide agencies with detailed reports of the security
issues identified pursuant to this subdivision which shall not be disclosed as
provided in G.S. 132-6.1(c). The Auditor shall provide the State Chief
Information Officer with detailed reports of the security issues identified
pursuant to this subdivision. For the purposes of this subdivision only, the
Auditor is exempt from the provisions of Article 3 of Chapter 143 of the
General Statutes in retaining contractors."
SECTION 46A. G.S. 147-68(d2) reads as rewritten:
"(d2) After consulting with the Select
Committee on Information Technology and the Joint Legislative Commission on
Governmental Operations and after consultation with and approval of the
Information Resources Management Commission, the Department of State Treasurer
may spend departmental receipts for the 2000-2001 fiscal year to continue
improvement of the Department's investment banking operations system,
retirement payroll systems, and other information technology infrastructure
needs. The Department of State Treasurer shall report by January 1, 2001, and
annually thereafter to the following regarding the amount and use of the
departmental receipts: the Joint Legislative Commission on Governmental Operations,
the Chairs of the General Government Appropriations Subcommittees of both the
House of Representatives and the Senate, and the Select Joint
Legislative Committee on Information Technology."
PART IV. STUDIES.
SECTION 47.(a) Each State agency, with the exception of The University of North Carolina and its constituent institutions, the Administrative Office of the Courts, and the General Assembly shall conduct a thorough, agencywide examination and analysis of its Information Technology (IT) infrastructure, including IT expenditures and management functions. The purpose of the examination is to enable the General Assembly, the State CIO, the Office of State Budget and Management, and the State Controller to readily determine the amount of State funds being expended annually on each and all IT functions. As part of this examination, each agency shall review IT contracts with outside vendors, including the adequacy of contract management, and shall consider the implementation of performance measures in the development of future IT contracts. Each agency shall also identify IT functions that could be performed more economically through statewide approach across all agencies. Each agency shall report its plan in a format developed and approved by the State CIO and the Office of State Budget and Management. Reports shall be submitted to the Office of State Budget and Management and the State CIO on or before March 1, 2005.
SECTION 47.(b) The Office of State Budget and Management, in conjunction with the State CIO, the Information Technology Advisory Board, and the State Controller, shall develop a plan to consolidate information technology infrastructure, staffing, and expenditures where a statewide approach would be more economical. The plan shall not include The University of North Carolina and its constituent institutions, the Administrative Office of the Courts, and the General Assembly. The plan shall consider agency-specific program needs. The plan shall include specific recommendations to convert contractor FTE to State positions for recurring activities where the contractor positions have been filled for 12 months, beginning July 1, 2003. In developing the recommendations for converting contractor positions, the OSBM shall consider the nature of the work being performed by the contractors, the level of technical expertise required for the work, and whether the use of State positions would be more economical. The plan also shall identify agencies that lack the budgetary and technical resources to operate modern, secure information technology systems, and propose a method of consolidating those information technology systems under a centralized authority, with the approval of the agency. The OSBM shall use reports compiled by each State agency, as required by subsection (a) of this section, in the development of the plan. The office shall report the plan to the Joint Legislative Commission on Governmental Operations on or before January 1, 2006.
PART V. APPLICABILITY AND EFFECTIVE DATE.
SECTION 48. Nothing in this act shall be construed to require a State agency that has issued a request for proposals for an information technology project approved by the Information Resources Management Commission to seek approval of the information technology project by the State Chief Information Officer under G.S. 147-33.72C or otherwise revise the request for proposals.
SECTION 49. This act becomes effective July 1, 2004.
In the General Assembly read three times and ratified this the 17th day of July, 2004.
s/ Beverly E. Perdue
President of the Senate
s/ James B. Black
Speaker of the House of Representatives
s/ Michael F. Easley
Governor
Approved 10:31 a.m. this 27th day of July, 2004