Public Act 104-0195 |
HB1631 Enrolled | LRB104 07727 BDA 17772 b |
AN ACT concerning State government. |
Be it enacted by the People of the State of Illinois, |
represented in the General Assembly: |
Section 5. The Department of Innovation and Technology Act |
is amended by changing Sections 1-5, 1-10, 1-15, and 1-25 as |
follows: |
(20 ILCS 1370/1-5) |
Sec. 1-5. Definitions. In this Act: |
"Client agency" means each transferring agency, or its |
successor, and any other public agency to which the Department |
provides service to the extent specified in an interagency |
agreement with the public agency. |
"Dedicated unit" means the dedicated bureau, division, |
office, or other unit within a transferred transferring agency |
that is responsible for the information technology functions |
of the transferred transferring agency. |
"Department" means the Department of Innovation and |
Technology. |
"Information technology" means technology, |
infrastructure, equipment, systems, software, networks, and |
processes used to create, send, receive, and store electronic |
or digital information, including, without limitation, |
computer systems and telecommunication services and systems. |
"Information technology" shall be construed broadly to |
incorporate future technologies that change or supplant those |
in effect as of the effective date of this Act. |
"Information technology functions" means the development, |
procurement, installation, retention, maintenance, operation, |
possession, storage, and related functions of all information |
technology. |
"Secretary" means the Secretary of Innovation and |
Technology. |
"State agency" means each State agency, department, board, |
and commission under the jurisdiction of the Governor to which |
the Department provides services. |
"Transferred Transferring agency" means the Department on |
Aging; the Departments of Agriculture, Central Management |
Services, Children and Family Services, Commerce and Economic |
Opportunity, Corrections, Employment Security, Financial and |
Professional Regulation, Healthcare and Family Services, Human |
Rights, Human Services, Insurance, Juvenile Justice, Labor, |
Lottery, Military Affairs, Natural Resources, Public Health, |
Revenue, Transportation, and Veterans' Affairs; the Illinois |
State Police; the Capital Development Board; the Deaf and Hard |
of Hearing Commission; the Environmental Protection Agency; |
the Governor's Office of Management and Budget; the |
Guardianship and Advocacy Commission; the Abraham Lincoln |
Presidential Library and Museum; the Illinois Arts Council; |
the Illinois Council on Developmental Disabilities; the |
Illinois Emergency Management Agency; the Illinois Gaming |
Board; the Illinois Liquor Control Commission; the Office of |
the State Fire Marshal; the Prisoner Review Board; and the |
Department of Early Childhood. |
(Source: P.A. 102-376, eff. 1-1-22; 102-538, eff. 8-20-21; |
102-813, eff. 5-13-22; 102-870, eff. 1-1-23; 103-588, eff. |
6-5-24.) |
(20 ILCS 1370/1-10) |
Sec. 1-10. Transfer of functions. On and after March 25, |
2016 (the effective date of Executive Order 2016-001): |
(a) (Blank). |
(b) (Blank). |
(c) The personnel of each transferred transferring agency |
designated by the Governor are transferred to the Department. |
The status and rights of the employees and the State of |
Illinois or its transferred transferring agencies under the |
Personnel Code, the Illinois Public Labor Relations Act, and |
applicable collective bargaining agreements or under any |
pension, retirement, or annuity plan shall not be affected by |
this Act. Under the direction of the Governor, the Secretary, |
in consultation with the transferred transferring agencies and |
labor organizations representing the affected employees, shall |
identify each position and employee who is engaged in the |
performance of functions transferred to the Department, or |
engaged in the administration of a law the administration of |
which is transferred to the Department, to be transferred to |
the Department. An employee engaged primarily in providing |
administrative support for information technology functions |
may be considered engaged in the performance of functions |
transferred to the Department. |
(d) All books, records, papers, documents, property (real |
and personal), contracts, causes of action, and pending |
business pertaining to the powers, duties, rights, and |
responsibilities relating to dedicated units and information |
technology functions transferred under this Act to the |
Department, including, but not limited to, material in |
electronic or magnetic format and necessary computer hardware |
and software, shall be transferred to the Department. |
(e) All unexpended appropriations and balances and other |
funds available for use relating to dedicated units and |
information technology functions transferred under this Act |
shall be transferred for use by the Department at the |
direction of the Governor. Unexpended balances so transferred |
shall be expended only for the purpose for which the |
appropriations were originally made. |
(f) The powers, duties, rights, and responsibilities |
relating to dedicated units and information technology |
functions transferred by this Act shall be vested in and shall |
be exercised by the Department. |
(g) Whenever reports or notices are now required to be |
made or given or papers or documents furnished or served by any |
person to or upon each dedicated unit in connection with any of |
the powers, duties, rights, and responsibilities relating to |
information technology functions transferred by this Act, the |
same shall be made, given, furnished, or served in the same |
manner to or upon the Department. |
(h) This Act does not affect any act done, ratified, or |
canceled or any right occurring or established or any action |
or proceeding had or commenced in an administrative, civil, or |
criminal cause by each dedicated unit relating to information |
technology functions before the transfer of responsibilities |
under this Act; such actions or proceedings may be prosecuted |
and continued by the Department. |
(i) (Blank). |
(j) (Blank). |
(Source: P.A. 102-376, eff. 1-1-22.) |
(20 ILCS 1370/1-15) |
Sec. 1-15. Powers and duties. |
(a) The head officer of the Department is the Secretary, |
who shall be the chief information officer for the State and |
the steward of State data with respect to those transferred |
agencies under the jurisdiction of the Governor. The Secretary |
shall be appointed by the Governor, with the advice and |
consent of the Senate. The Department may employ or retain |
other persons to assist in the discharge of its functions, |
subject to the Personnel Code. |
(b) The Department shall promote best-in-class innovation |
and technology to transferred client agencies to foster |
collaboration among client agencies, empower client agencies |
to provide better service to residents of Illinois, and |
maximize the value of taxpayer resources. The Department shall |
be responsible for information technology functions on behalf |
of transferred client agencies. |
(c) When requested and when in the best interest of the |
State, the The Department may shall provide for and assist |
with coordinate information technology for non-transferred |
State agencies, and, when requested and when in the best |
interests of the State, for State constitutional offices, |
other State government entities, units of federal or local |
governments, and public and not-for-profit institutions of |
primary, secondary, and higher education, or other parties not |
associated with State government. The Department shall |
establish charges for information technology for State |
agencies, and, when requested, for State constitutional |
offices, other State government entities, units of federal or |
local government, and public and not-for-profit institutions |
of primary, secondary, or higher education and for use by |
other parties not associated with State government for any |
services requested and provided. Entities charged for these |
services shall make payment to the Department. The Department |
may instruct all State agencies to report their usage of |
information technology regularly to the Department in the |
manner the Secretary may prescribe. |
(d) The Department shall establish principles develop and |
implement standards for the protection of , policies, and |
procedures to protect the security and interoperability of |
State data with respect to State those agencies under the |
jurisdiction of the Governor, including in particular data |
that are confidential, sensitive, or protected from disclosure |
by privacy or other laws, while recognizing and balancing the |
need for collaboration and public transparency. |
(e) The Department shall be responsible for providing the |
Governor with timely, comprehensive, and meaningful |
information pertinent to the formulation and execution of |
fiscal policy. In performing this responsibility, the |
Department shall have the power to do the following: |
(1) Control the procurement, retention, installation, |
maintenance, and operation, as specified by the |
Department, of information technology equipment used by |
State client agencies in such a manner as to achieve |
maximum economy and provide appropriate assistance in the |
development of information suitable for management |
analysis. |
(2) Establish principles and standards for the |
implementation of information technology-related |
reporting by State client agencies and priorities for |
completion of research by those agencies in accordance |
with the requirements for management analysis specified by |
the Department. State agencies shall work with the |
Department to follow the principles and standards |
developed by the Department. |
(3) Establish charges for information technology and |
related services requested by transferred client agencies |
and rendered by the Department. The Department is likewise |
empowered to establish prices or charges for all |
information technology reports purchased by State agencies |
and governmental entities individuals not connected with |
State government using the Department's services. |
(4) Instruct all State client agencies to report |
regularly to the Department, in the manner the Department |
may prescribe, their usage of information technology, the |
cost incurred, the information produced, and the |
procedures followed in obtaining the information. All |
State client agencies shall request from the Department |
assistance and consultation in securing any necessary |
information technology to support their requirements. |
(5) Examine the accounts and information |
technology-related data of any organization, body, or |
agency receiving appropriations from the General Assembly, |
except for a State constitutional office, the Office of |
the Executive Inspector General, or any office of the |
legislative or judicial branches of State government. For |
a State constitutional office, the Office of the Executive |
Inspector General, or any office of the legislative or |
judicial branches of State government, the Department |
shall have the power to examine the accounts and |
information technology-related data of the State |
constitutional office, the Office of the Executive |
Inspector General, or any office of the legislative or |
judicial branches of State government when requested by |
those offices. |
(6) Install and operate a modern information |
technology system for State agencies using equipment |
adequate to satisfy the requirements for analysis and |
review as specified by the Department. Expenditures for |
information technology and related services rendered shall |
be reimbursed by the recipients. The reimbursement shall |
be determined by the Department as amounts sufficient to |
reimburse the Technology Management Revolving Fund for |
expenditures incurred in rendering the services. |
(f) In addition to the other powers and duties listed in |
subsection (e), the Department shall analyze the present and |
future aims, needs, and requirements of information |
technology, research, and planning for State agencies in order |
to provide for the formulation of overall policy relative to |
the use of information technology and related equipment by the |
State of Illinois. In making this analysis, the Department |
shall formulate a master plan for information technology, |
using information technology most advantageously, and advising |
whether information technology should be leased or purchased |
by the State. The Department shall prepare and submit interim |
reports of meaningful developments and proposals for |
legislation to the Governor on or before January 30 each year. |
The Department shall engage in a continuing analysis and |
evaluation of the master plan so developed, and it shall be the |
responsibility of the Department to recommend from time to |
time any needed amendments and modifications of any master |
plan enacted by the General Assembly. |
(g) The Department may make information technology and the |
use of information technology available to units of local |
government, elected State officials, State educational |
institutions, the judicial branch, the legislative branch, and |
all other governmental units of the State requesting them. The |
Department shall establish prices and charges for the |
information technology so furnished and for the use of the |
information technology. The prices and charges shall be |
sufficient to reimburse the cost of furnishing the services |
and use of information technology. |
(h) The Department may establish principles and standards |
to provide consistency in the operation and use of information |
technology by State agencies. State agencies shall work with |
the Department to follow the principles and standards |
developed by the Department. |
(i) The Department may adopt rules under the Illinois |
Administrative Procedure Act necessary to carry out its |
responsibilities under this Act. |
(Source: P.A. 102-376, eff. 1-1-22.) |
(20 ILCS 1370/1-25) |
Sec. 1-25. Charges for services; non-State funding. The |
Department may establish charges for services rendered by the |
Department to State client agencies from funds provided |
directly to the State client agency by appropriation or |
otherwise. In establishing charges, the Department shall |
consult with State client agencies to make charges transparent |
and clear and seek to minimize or avoid charges for costs for |
which the Department has other funding sources available. |
State Client agencies shall continue to apply for and |
otherwise seek federal funds and other capital and operational |
resources for technology for which the agencies are eligible |
and, subject to compliance with applicable laws, regulations, |
and grant terms, make those funds available for use by the |
Department. |
(Source: P.A. 102-870, eff. 1-1-23.) |
(20 ILCS 1370/1-75 rep.) |
Section 10. The Department of Innovation and Technology |
Act is amended by repealing Section 1-75. |
Section 15. The Illinois Information Security Improvement |
Act is amended by changing Sections 5-5, 5-15, and 5-25 and by |
adding Section 5-35 as follows: |
(20 ILCS 1375/5-5) |
Sec. 5-5. Definitions. As used in this Act: |
"Critical information system" means any information system |
(including any telecommunications system) used or operated by |
a State agency or by a contractor of a State agency or other |
organization or entity on behalf of a State agency: that |
contains health insurance information, medical information, or |
personal information as defined in the Personal Information |
Protection Act; where the unauthorized disclosure, |
modification, destruction of information in the information |
system could be expected to have a serious, severe, or |
catastrophic adverse effect on State agency operations, |
assets, or individuals; or where the disruption of access to |
or use of the information or information system could be |
expected to have a serious, severe, or catastrophic adverse |
effect on State operations, assets, or individuals. |
"Department" means the Department of Innovation and |
Technology. |
"Information security" means protecting information and |
information systems from unauthorized access, use, disclosure, |
disruption, modification, or destruction in order to provide: |
integrity, which means guarding against improper information |
modification or destruction, and includes ensuring information |
non-repudiation and authenticity; confidentiality, which means |
preserving authorized restrictions on access and disclosure, |
including means for protecting personal privacy and |
proprietary information; and availability, which means |
ensuring timely and reliable access to and use of information. |
"Incident" means an occurrence that: actually or |
imminently jeopardizes, without lawful authority, the |
confidentiality, integrity, or availability of information or |
an information system; or constitutes a violation or imminent |
threat of violation of law, security policies, security |
procedures, or acceptable use policies or standard security |
practices. |
"Information system" means a discrete set of information |
resources organized for the collection, processing, |
maintenance, use, sharing, dissemination, or disposition of |
information created or maintained by or for the State of |
Illinois. |
"Office" means the Office of the Statewide Chief |
Information Security Officer. |
"Secretary" means the Secretary of Innovation and |
Technology. |
"Security controls" means the management, operational, and |
technical controls (including safeguards and countermeasures) |
for an information system that protect the confidentiality, |
integrity, and availability of the system and its information. |
"State agency" means any State agency, department, board, |
and commission under the jurisdiction of the Governor to which |
the Department provides services. |
(Source: P.A. 100-611, eff. 7-20-18.) |
(20 ILCS 1375/5-15) |
Sec. 5-15. Office of the Statewide Chief Information |
Security Officer. |
(a) The Office of the Statewide Chief Information Security |
Officer is established within the Department of Innovation and |
Technology. The Office is directly subordinate to the |
Secretary of Innovation and Technology. |
(b) The Office shall: |
(1) serve as the strategic planning, facilitation, and |
coordination office for information technology security in |
this State and as the lead and central coordinating entity |
to guide and oversee the information security functions of |
State agencies; |
(2) provide information security services to support |
the secure delivery of State agency services that utilize |
information systems and to assist State agencies with |
fulfilling their responsibilities under this Act; |
(3) conduct information and cybersecurity strategic, |
operational, and resource planning and facilitating an |
effective enterprise information security architecture |
capable of protecting the State; |
(4) identify information security risks to each State |
agency, to third-party providers, and to key supply chain |
partners, including an assessment of the extent to which |
information resources or processes are vulnerable to |
unauthorized access or harm, including the extent to which |
the State agency's or contractor's electronically stored |
information is vulnerable to unauthorized access, use, |
disclosure, disruption, modification, or destruction, and |
recommend risk mitigation strategies, methods, and |
procedures to reduce those risks. These assessments shall |
also include, but not be limited to, assessments of |
information systems, computers, printers, software, |
computer networks, interfaces to computer systems, mobile |
and peripheral device sensors, and other devices or |
systems which access the State's network, computer |
software, and information processing or operational |
procedures of the State agency or of a contractor of the |
State agency. |
(5) manage the response to information security and |
information security incidents involving State agency |
State of Illinois information systems and ensure the |
completeness of information system security plans for |
critical information systems; |
(6) conduct pre-deployment information security |
assessments for critical information systems and submit |
findings and recommendations to the Secretary and State |
agency heads; |
(7) develop and conduct targeted operational |
evaluations, including threat and vulnerability |
assessments on State agency information systems; |
(8) monitor and report compliance of each State |
agency's compliance agency with State information security |
policies, standards, and procedures; |
(9) coordinate statewide information security |
awareness and training programs; and |
(10) develop and execute other strategies as necessary |
to protect State agency's this State's information |
technology infrastructure and the data stored on or |
transmitted by such infrastructure. |
(c) The Office may temporarily suspend operation of an |
information system or information technology infrastructure |
that is owned, leased, outsourced, or shared by one or more |
State agencies in order to isolate the source of, or stop the |
spread of, an information security breach or other similar |
information security incident. State agencies shall comply |
with directives to temporarily discontinue or suspend |
operations of information systems or information technology |
infrastructure. |
(Source: P.A. 100-611, eff. 7-20-18.) |
(20 ILCS 1375/5-25) |
Sec. 5-25. Responsibilities. |
(a) The Secretary shall: |
(1) appoint a Statewide Chief Information Security |
Officer pursuant to Section 5-20; |
(2) provide the Office with the staffing and resources |
deemed necessary by the Secretary to fulfill the |
responsibilities of the Office; |
(3) oversee statewide information security policies |
and practices for State agencies, including: |
(A) directing and overseeing the development, |
implementation, and communication of statewide |
information security policies, standards, and |
guidelines; |
(B) overseeing the education of State agency |
personnel regarding the requirement to identify and |
provide information security protections commensurate |
with the risk and magnitude of the harm resulting from |
the unauthorized access, use, disclosure, disruption, |
modification, or destruction of information in a |
critical information system; |
(C) overseeing the development and implementation |
of a statewide information security risk management |
program; |
(D) overseeing State agency compliance with the |
requirements of this Section; |
(E) coordinating Information Security policies and |
practices with related information and personnel |
resources management policies and procedures; and |
(F) providing an effective and efficient process |
to assist State agencies with complying with the |
requirements of this Act; and |
(4) subject to appropriation, establish a |
cybersecurity liaison program to advise and assist units |
of local government in identifying cyber threats, |
performing risk assessments, sharing best practices, and |
responding to cyber incidents. |
(b) The Statewide Chief Information Security Officer |
shall: |
(1) serve as the head of the Office and ensure the |
execution of the responsibilities of the Office as set |
forth in subsection (c) of Section 5-15, the Statewide |
Chief Information Security Officer shall also oversee |
State agency personnel with significant responsibilities |
for information security and ensure a competent workforce |
that keeps pace with the changing information security |
environment; |
(2) develop and recommend information security |
policies, standards, procedures, and guidelines to the |
Secretary for statewide adoption and monitor compliance |
with these policies, standards, guidelines, and procedures |
through periodic testing; |
(3) develop and maintain risk-based, cost-effective |
information security programs and control techniques to |
address all applicable security and compliance |
requirements throughout the life cycle of State agency |
information systems; |
(4) establish the procedures, processes, and |
technologies for State agencies to rapidly and effectively |
identify threats, risks, and vulnerabilities to State |
information systems, and ensure the prioritization of the |
remediation of vulnerabilities that pose risk to the |
State; |
(5) develop and implement capabilities and procedures |
for detecting, reporting, and responding to information |
security incidents; |
(6) establish and direct a statewide information |
security risk management program to identify information |
security risks in State agencies and deploy risk |
mitigation strategies, processes, and procedures; |
(7) establish the State's capability to sufficiently |
protect the security of data through effective information |
system security planning, secure system development, |
acquisition, and deployment, the application of protective |
technologies and information system certification, |
accreditation, and assessments; |
(8) ensure that State agency personnel, including |
contractors, are appropriately screened and receive |
information security awareness training; |
(9) convene meetings with State agency heads and other |
State officials to help ensure: |
(A) the ongoing communication of risk and risk |
reduction strategies, |
(B) effective implementation of information |
security policies and practices, and |
(C) the incorporation of and compliance with |
information security policies, standards, and |
guidelines into the policies and procedures of the |
State agencies; |
(10) provide operational and technical assistance to |
State agencies in implementing policies, principles, |
standards, and guidelines on information security, |
including implementation of standards promulgated under |
subparagraph (A) of paragraph (3) of subsection (a) of |
this Section, and provide assistance and effective and |
efficient means for State agencies to comply with the |
State agency requirements under this Act; |
(11) in coordination and consultation with the |
Secretary and the Governor's Office of Management and |
Budget, review State agency budget requests related to |
Information Security systems and provide recommendations |
to the Governor's Office of Management and Budget; |
(12) ensure the preparation and maintenance of plans |
and procedures to provide cyber resilience and continuity |
of operations for critical information systems that |
support the operations of the State; and |
(13) take such other actions as the Secretary may |
direct. |
(Source: P.A. 101-81, eff. 7-12-19; 102-753, eff. 1-1-23.) |
(20 ILCS 1375/5-35 new) |
Sec. 5-35. Local government cybersecurity designee. The |
principal executive officer, or his or her designee, of each |
municipality with a population of 35,000 or greater and of |
each county shall designate a local official or employee as |
the primary point of contact for local cybersecurity issues. |
Each jurisdiction must provide the name and contact |
information of the cybersecurity designee to the Statewide |
Chief Information Security Officer and update the information |
as necessary. |
Section 20. The Uniform Electronic Transactions Act is |
amended by changing Section 18 as follows: |
(815 ILCS 333/18) |
Sec. 18. Acceptance and distribution of electronic records |
by governmental agencies. |
(a) Except as otherwise provided in Section 12(f), each |
governmental agency of this State shall determine whether, and |
the extent to which, it will send and accept electronic |
records and electronic signatures to and from other persons |
and otherwise create, generate, communicate, store, process, |
use, and rely upon electronic records and electronic |
signatures. |
(b) To the extent that a governmental agency uses |
electronic records and electronic signatures under subsection |
(a), the governmental agency, giving due consideration to |
security, may Department of Innovation and Technology and the |
Secretary of State, pursuant to their rulemaking authority |
under other law and giving due consideration to security, |
shall, no later than 6 months after the effective date of this |
amendatory Act of the 103rd General Assembly, adopt |
administrative rules that specify: |
(1) the manner and format in which the electronic |
records must be created, generated, sent, communicated, |
received, and stored and the systems established for those |
purposes; |
(2) if electronic records must be signed by electronic |
means, the type of electronic signature required, the |
manner and format in which the electronic signature must |
be affixed to the electronic record, and the identity of, |
or criteria that must be met by, any third party used by a |
person filing a document to facilitate the process; |
(3) control processes and procedures as appropriate to |
ensure adequate preservation, disposition, integrity, |
security, confidentiality, and auditability of electronic |
records; and |
(4) any other required attributes for electronic |
records which are specified for corresponding |
nonelectronic records or reasonably necessary under the |
circumstances. |
(b-5) Pursuant to their rulemaking authority under other |
laws, the Secretary of State and the Department of Innovation |
and Technology may adopt rules setting forth their respective |
minimum requirements under subsection (b) of this Section. Any |
rules adopted by the Secretary of State under this subsection |
shall only apply with respect to the Secretary of State and any |
rules adopted by the Department of Innovation and Technology |
under this subsection shall only apply with respect to State |
agencies, departments, boards, and commissions under the |
jurisdiction of the Governor to which the Department of |
Innovation and Technology provides services. |
(c) Except as otherwise provided in Section 12(f), this |
Act does not require a governmental agency of this State to use |
or permit the use of electronic records or electronic |
signatures. |
(Source: P.A. 102-38, eff. 6-25-21; 103-390, eff. 7-28-23.) |