While some of the potential legislation has the support of the state CIO, other bits raise questions and, as he sees it, set the stage for issues. Government Technology caught up with Oregon CIO Alex Pettit to discuss some of the legal moves being made in the state.
Codifying Security Standing
Senate Bill 90 would formally make law what Gov. Kate Brown outlined in Executive Order 16-13, which unifies informational security personnel throughout the state under the direction and authority of the CIO’s office.As Pettit explained, the order and proposed bill both tackle a number of issues that need addressing. In looking at the cybersecurity stance of many agencies, he said many agencies were without dedicated IT personnel, and even fewer had dedicated cybersecurity personnel.
Because of the state’s connectedness among agencies, Pettit compared the existing security structure to castles with wide moats and high walls, but little protection against quickly spreading fires from neighboring castles. Senate Bill 90 would lay the permanent foundation to address these security deficiencies.
The legislation also creates the Cybersecurity Center of Excellence, a civilian-run hub for addressing cyberthreats with other state and federal agencies. As senior policy communications strategist Travis Miller explained, the legislation would also establish a fund and mechanism for the state to pursue federal monies to bolster the cybersecurity efforts within Oregon’s borders.
“We are really trying to shift the security posture of the state of Oregon,” Miller said.
This legislation was proposed at the request of the Department of Administrative Services, which serves as the parent organization for the state's IT functions and the Office of the State Chief Information Officer.
Out from Under Administrative Services
One of the more substantial proposals aimed at state IT is Senate Bill 872, which establishes a state Department of Information Technology, and effectively transfers all duties, functions, powers and responsibilities related to IT from the Oregon Department of Administrative Services to the new department.Though the arrangement is not unheard of in the state space, many states have designated central IT agencies to lead the charge across largely federated landscapes. Though the bill, if made law, would separate IT operations from the Department of Administrative Services (DAS), the CIO and the DAS director would still cooperatively report to the governor.
In addition to establishing the agency itself, the proposal also sets rules for procurement, which is something Pettit would like more time to carefully evaluate. As it currently stands, IT procurement varies from agency to agency because of the breadth of specific IT needs.
Despite supporting the idea of the standalone agency aspects of the bill, Pettit noted that there is some concern about how effective it might be to broadly prescribe procurement authority across a host of very different agencies. “We seek a more deliberate approach,” he said.
When asked what he saw as the impetus for SB 872, Pettit said it was not based on any glaring issues, and fell more to lawmakers outlining what they see as a legislative priority for the session.
Should lawmakers pass this piece of legislation, which was proposed by the joint Legislative Information Management and Technology Committee, the Department of Information Technology would become operative on July 1, 2018.
A New Role, Rules Around State Data
House Bill 3361 creates a position for a state chief data officer, to be appointed by the state CIO, and establishes data standards and practices.Bill sponsor Rep. Nancy Nathanson (D-Eugene) said in a written comment that the bill has two key objectives: increasing transparency by making more data available for public use and to set the stage for increasing data sharing within and between state agencies.
“Sharing data will enable cross-agency analysis and metrics-based decision-making to provide much better information for program design and budgeting decisions," she said. "This bill is a continuation of my work on improving the business of government and doing things more efficiently and effectively."
According to Pettit, HB 3361 is similar to legislation pulled back at the last minute by Gov. Brown’s office during the previous session. Where this version differs, Miller said, is in the accountability and reporting requirements.
Pettit argues that the rules could ultimately be limiting when data is pushed out to meet reporting requirements.
During his time in Denton, Texas, Pettit said looking at city data more carefully allows analysts to pinpoint correlations between the amount of cardboard at waste facilities and incoming tax revenues. He fears the obligations to meet certain reporting benchmarks could set the stage for poor quality data and less obvious data mining opportunities.
“Our hope was an analytics garage to look for correlations," Pettit said. And while he would not go as far as to call the proposal damaging, he did say it could inadvertently “handicap” data efforts moving forward.
Each of these three bills is also equipped with special language reading “declares emergency, effective on passage.” This language is a tool that makes each passed bill effective immediately, rather than delaying it until the start of the new year.
As it stands, each piece of legislation is in a different stage of the process with little information about how successful they might be in the long haul.
