NOTE: The governor signed this measure on 3/24/2012.

HOUSE BILL 12-1288

BY REPRESENTATIVE(S) Murray, Brown, Gerou, Holbert, Liston, Todd, Wilson; also SENATOR(S) Bacon, Newell, Williams S.

Concerning the administration of information technology projects in state government.

Be it enacted by the General Assembly of the State of Colorado:

SECTION 1. In Colorado Revised Statutes, 24-37.5-101, add (1) (a.5) as follows:

24-37.5-101. Legislative declaration - findings. (1) The general assembly hereby finds and declares that:

(a.5) It is imperative that the long-term sustainability and eventual retirement of information technology systems be considered when initiating a major information technology project and that project plans include the various components that will result in project success;

SECTION 2. In Colorado Revised Statutes, 24-37.5-102, add (1.8), (1.9), (2.6), and (3.2) as follows:

24-37.5-102. Definitions - repeal. As used in this article, unless the context otherwise requires:

(1.8) "Independent verification and validation" means ensuring that a product, service, or system meets required specifications and that it fulfills its intended purpose. The review of such product, service, or system is typically performed by an independent third party.

(1.9) "Information security" means the protection of communication and information resources from unauthorized access, use, disclosure, disruption, modification, or destruction in order to:

(a) Prevent improper information modification or destruction;

(b) Preserve authorized restrictions on information access and disclosure;

(c) Ensure timely and reliable access to and use of information; and

(d) Maintain the confidentiality, integrity, and availability of information.

(2.6) (a) "Major information technology project" means a project of state government that has a significant information technology component, including, without limitation, the replacement of an existing information technology system.
(b) As used in this subsection (2.6), "significant" means the project has a specific level of business criticality and manifests either a security risk or an operational risk as determined by a comprehensive risk assessment performed by the office.

(3.2) "Project manager" means a person who is trained and experienced in the leadership and management of information technology projects from the commencement of such projects through their completion.

SECTION 3. In Colorado Revised Statutes, 24-37.5-105, amend (3) (i), (3) (j), and (4) (a); and add (3) (k), (4) (c), and (4) (d) as follows:

24-37.5-105. Office - responsibilities - rules - repeal. (3) The office shall:

(i) Initiate or approve all procurements of information technology resources for state agencies and enter into any agreement or contract in connection with such a procurement on behalf of a state agency or agencies; and

(j) Provide information and expertise, to the extent possible, regarding interoperable and emergency communications planning, technology, training, and funding opportunities to state, regional, tribal, and local agencies and emergency personnel and all other stakeholders, including but not limited to public, private, and nongovernmental organizations; and

(k) Develop a comprehensive risk assessment that will be applied to every new information technology project to assess risk levels related to the project and determine whether the project should be classified as a major information technology project.

(4) (a) The office shall establish policies and procedures for acceptable project plans, project budgets, and feasibility studies for projects of all sizes, including major information technology projects.
(c) As part of any major information technology project by a state agency, classified as such according to a comprehensive risk assessment performed by the office, the project plan at a minimum shall include:

(I) The identification of a project manager;

(II) A business case for the project that is in alignment with the strategic goals of the state agency;

(III) Business requirements for the project developed in collaboration with the state agency and end users;

(IV) Information security requirements and best practices;

(V) A disaster recovery plan;

(VI) Consideration of and inclusion in the business continuity plan of the state agency;

(VII) Independent verification and validation of the project; and

(VIII) A funding strategy for the ongoing maintenance and eventual disposal of the information technology system.

(d) In connection with any major information technology project that it plans to undertake, a state agency shall:

(I) Consult with the office on the development of the project plan for any major information technology project;

(II) Submit and obtain approval from the office of the project plan for any major information technology project before commencing work on the project;

(III) (A) Consult with and obtain approval from the office of significant changes to the plan or budget of any major information technology project.

(B) As used in this subparagraph (III), "significant changes" means the removal of, or any additions or substantial changes to, any of the project plan's components listed in paragraph (c) of this subsection (4).

(IV) Consult with and obtain approval from the office for changes to the funding strategy for the ongoing maintenance and eventual disposal of a major information technology system.

SECTION 4. In Colorado Revised Statutes, 24-37.5-106, add (1) (e.5) as follows:

24-37.5-106. Chief information officer - duties and responsibilities - broadband inventory fund created.
(1) The chief information officer shall:

(e.5) Develop a staged review process for information technology projects that ensures a project meets specific requirements and complies with the project plan approved by the office;

SECTION 5. In Colorado Revised Statutes, 24-37.5-109, amend (1) (c) and (1) (d); and add (1) (e) as follows:

24-37.5-109. Status of state agencies. (1) State agencies shall:

(c) Comply with information requests of the office, the general assembly, and the joint budget committee; and

(d) Upon request of the general assembly or the joint budget committee, provide satisfactory evidence of said compliance; and

(e) In connection with any major information technology project that a state agency plans to undertake, satisfy the requirements set forth in section 24-37.5-105 (4) (d).

SECTION 6. In Colorado Revised Statutes, 24-75-301, add (1) (g) as follows:

24-75-301. Definitions. As used in this part 3, unless the context otherwise requires:

(1) "Capital construction" means:

(g) The purchase of services from the office of information technology on the condition that the use of such services is the most cost beneficial option or falls within the duties and responsibilities of the office or the office's chief information officer as described in sections 24-37.5-105 and 24-37.5-106, C.R.S.

SECTION 7. Act subject to petition - effective date. This act takes effect at 12:01 a.m. on the day following the expiration of the ninety-day period after final adjournment of the general assembly (August 8, 2012, if adjournment sine die is on May 9, 2012); except that, if a referendum petition is filed pursuant to section 1 (3) of article V of the state constitution against this act or an item, section, or part of this act within such period, then the act, item, section, or part will not take effect unless approved by the people at the general election to be held in November 2012 and, in such case, will take effect on the date of the official declaration of the vote thereon by the governor.

Frank McNulty, SPEAKER OF THE HOUSE OF REPRESENTATIVES

Brandon C. Shaffer, PRESIDENT OF THE SENATE

Marilyn Eddins, CHIEF CLERK OF THE HOUSE OF REPRESENTATIVES

Cindi L. Markwell, SECRETARY OF THE SENATE

APPROVED ________________________________________

John W. Hickenlooper, GOVERNOR OF THE STATE OF COLORADO