HI SB1478

Establishes an offensive cybersecurity program within the office of enterprise technology services to analyze cybersecurity threats, evaluate intelligence, promote awareness, conduct penetration testing, and implement proactive security measures for state and county agencies.

Requires state and county agencies to disclose cybersecurity incidents affecting confidentiality, integrity, or availability of information systems expeditiously, including breaches, malware, denial of service attacks, ransom demands, identity theft, and incidents costing over $10,000 in remediation.

Mandates the office of enterprise technology services complete penetration testing on all state and county agency information technology systems by January 1, 2026, assess vulnerabilities using the common vulnerability scoring system, and work with agencies to address vulnerabilities scoring above 3.9.

Requires the chief information officer to submit a report to the legislature no later than twenty days prior to each regular session detailing disclosed cybersecurity incidents, their status, and any response or remediation actions taken.

Appropriates funds for fiscal years 2023-2024 and 2024-2025 to establish the offensive cybersecurity program with necessary software, services, and full-time equivalent positions; effective date June 30, 3000.