Bill Text - HB487 (2021)

Establishing an information technology supply chain risk authority.


Revision: Jan. 11, 2021, 2:32 p.m.

HB 487  - AS INTRODUCED

 

 

2021 SESSION

21-0822

04/08

 

HOUSE BILL 487

 

AN ACT establishing an information technology supply chain risk authority.

 

SPONSORS: Rep. Somssich, Rock. 27; Rep. Meuse, Rock. 29; Rep. Woods, Merr. 23; Rep. Hamblet, Rock. 31; Rep. Gould, Hills. 7; Rep. Ward, Rock. 28; Rep. Ammon, Hills. 40

 

COMMITTEE: Science, Technology and Energy

 

-----------------------------------------------------------------

 

ANALYSIS

 

This bill establishes an information technology supply chain risk authority.

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.

 

STATE OF NEW HAMPSHIRE

 

In the Year of Our Lord Two Thousand Twenty One

 

AN ACT establishing an information technology supply chain risk authority.

 

Be it Enacted by the Senate and House of Representatives in General Court convened:

 

1  Department of Information Technology; Subdivision Heading Amended.  Amend the subdivision heading preceding RSA 21-R:15 to read as follows:

[Cybersecurity Software]

Information Technology Supply Chain Risk Authority

2  Department of Information Technology; Information Technology Supply Chain Risk Authority.  RSA 21-R:15 is repealed and reenacted to read as follows:

21-R:15  Information Technology Supply Chain Risk Authority Established.

I.  There is hereby created an information technology supply chain risk authority ("authority") within the department of information technology.  

II.  The members of the authority shall be as follows:

(a)  Three members of the house of representatives, appointed by the speaker of the house of representatives.

(b)  Two senators, appointed by the president of the senate.

(c)  Four members with expertise in information technology supply chain security, appointed by the governor.

(d)  The chief justice of the superior court, or designee.

(e)  The attorney general, or designee.

(f)  The commissioner of the department of information technology, or designee.

(g)  The commissioner of the department of administrative services, or designee.

III.  Legislative members of the authority shall receive mileage at the legislative rate when attending to the duties of the authority.  Members of the authority shall serve terms coterminous with their terms in office, except that the member appointed under subparagraph (c) shall serve 3-year terms and may be reappointed.  Vacancies shall be filled in the same manner as the original appointment.  

IV.  The members of the commission shall elect a chairperson from among the members.  The first named house member shall call the first meeting of the commission.  Seven members of the commission shall constitute a quorum.

V.  The authority shall develop policies to govern and approve or deny all information technology acquisitions and procurements statewide for all branches of state government and all state departments and agencies, including the purchase or acquisition of any software, hardware, or telecommunication services to ensure security and minimize risk.  The authority may veto an acquisition or purchase request if it determines that it would present a security risk to the state's information technology infrastructure.  The authority shall only review acquisitions or purchases proposed or made on or after the effective date of this section.

VI.  Beginning November 1, 2022, and annually thereafter, the authority shall submit an annual report of its activities for the year, including any findings and recommendations for proposed legislation to the president of the senate, the speaker of the house of representatives, the senate clerk, the house clerk, the governor, and the state library.  

3  Effective Date.  This act shall take effect 60 days after its passage.