SB 1478 Summary

• Establishes an offensive cybersecurity program within the Office of Enterprise Technology Services to analyze threats, evaluate intelligence, promote awareness, conduct penetration testing, and implement proactive security measures across state and county agencies.

• Requires state and county agencies to report cybersecurity incidents affecting confidentiality, integrity, or availability of systems to the office expediently, including breaches, malware, denial of service attacks, ransom demands, identity theft, and incidents costing over $10,000 in remediation.

• Mandates the chief information officer submit a report to the legislature no later than 20 days before each regular session listing all disclosed cybersecurity incidents, their status, and remediation efforts.

• Requires the office to complete initial penetration testing on all agency information technology systems and assess vulnerabilities using the Common Vulnerability Scoring System by January 1, 2026, with agencies addressing vulnerabilities scoring above 3.9.

• Appropriates unspecified amounts for fiscal years 2023-2024 and 2024-2025 for software, services, and full-time equivalent positions necessary to establish the program; effective January 1, 2050.