Back to Nevada

AB432 • 2025

Revises provisions relating to governmental administration. (BDR 19-551)

AN ACT relating to governmental administration; creating and setting forth the duties of the Security Operations Center within the Office of the Chief Information Officer within the Office of the Governor; creating the Account for the Security Operations Center and prescribing the use of money in the Account; requiring the Security Operations Center to prepare an annual report that assesses the effectiveness of the Security Operations Center; establishing the Cybersecurity Talent Pipeline Program; revising the purpose of the Office; authorizing the board of trustees of a school district to use the services and equipment of the Office; making various other changes relating to the cybersecurity of governmental entities; and providing other matters properly relating thereto. Close title AN ACT relating to governmental administration; creating and setting forth the duties of the Security Operations Center within the Office of the Chief Information Officer within the Office of the Governor; creating the Account for the Security Operations Center and prescribing the use of money in the Account; requiring the Security Operations Center to prepare an annual report that assesses the effectiveness of the Security Operations Center; establishing the Cybersecurity Talent Pipeline Program; revising the purpose of the Office; authorizing the board of trustees of a school district to use the services and equipment of the Office; making various other changes relating to the cybersecurity of governmental entities; and providing other matters properly relating thereto.

Education
Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
View 1 Primary Sponsors Close Primary Sponsors Assemblymember Toby Yurek
Last action
Official status
(No further action taken.) (See full list below)
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

Revises provisions relating to governmental administration. (BDR 19-551)

Revises provisions relating to governmental administration.

What This Bill Does

  • Revises provisions relating to governmental administration.
  • (BDR 19-551)

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Amendments

These notes stay tied to the official amendment files and metadata from the legislature.

Adopted Amendments

Plain English: 2025 Session (83rd) A AB432 281 ADM/HAC - Date: 4/19/2025 A.B.

  • 2025 Session (83rd) A AB432 281 ADM/HAC - Date: 4/19/2025 A.B.
  • No.
  • 432—Revises provisions relating to governmental administration.
  • (BDR 19-551) Page 1 of 13 *A_AB432_281* Amendment No.

Bill History

  1. 2025-03-13 Nevada Electronic Legislative Information System

    (No further action taken.) (See full list below)

Official Summary Text

Revises provisions relating to governmental administration. (BDR 19-551)

Current Bill Text

Read the full stored bill text
EXEMPT
(Reprinted with amendments adopted on April 21, 2025)
FIRST REPRINT A.B. 432

- *AB432_R1*

ASSEMBLY BILL NO. 432–ASSEMBLYMEMBER YUREK

MARCH 13, 2025
____________

Referred to Committee on Government Affairs

SUMMARY—Revises provisions relating to governmental
administration. (BDR 19-551)

FISCAL NOTE: Effect on Local Government: May have Fiscal Impact.
Effect on the State: Yes.

~

EXPLANATION – Matter in bolded italics is new; matter between brackets [omitted material] is material to be omitted.

AN ACT relating to governmental administration; creating and
setting forth the duties of the Security Operations Center
within the Office of the Chief Information Officer within
the Office of the Governor; creating the Account for the
Security Operations C enter and prescribing the use of
money in the Account; requiring the Security Operations
Center to prepare an annual report that assesses the
effectiveness of the Security Operations Center;
establishing the Cybersecurity Talent Pipeline Program;
revising the purpose of the Office; authorizing the board
of trustees of a school district to use the services and
equipment of the Office; making various other changes
relating to the cybersecurity of governmental entities; and
providing other matters properly relating thereto.
Legislative Counsel’s Digest:
Existing law provides that the Office of the Chief Information Officer within 1
the Office of the Governor is composed of: (1) the Administration Unit; (2) the 2
Client Services Unit; (3) the Computing Services Uni t; (4) the Network Services 3
Unit, including a Network Transportation Services Group and a 4
Telecommunications Group; (5) the Office of Information Security; and (6) certain 5
other units, groups, divisions or departments deemed necessary by the Chief 6
Information Officer. (NRS 242.080) Section 12 of this bill creates the Security 7
Operations Center in the Office of the Chief Information Officer. 8
Existing law: (1) requires the Office to provide certain state agencies and 9
elected officers with all their required design of information systems; (2) authorizes 10
certain other state agencies to negotiate with the Office for its services or the use of 11
its equipment; and (3) authorizes, upon request, the Office to provide certain 12
services to state agencies not under the control of the Governor and local 13

– 2 –

- *AB432_R1*
governmental agencies. (NRS 242.131, 242.141) Section 15 of this bill requires the 14
Security Operations Center to provide certain state agencies and elected officers 15
with cybersecurity services, including real -time monitoring of cyberinfrastructure, 16
threat mitigation, incident response and cybersecurity enforcem ent. Sections 15 17
and 24 of this bill reorganize provisions that authorize certain state agencies and 18
local governmental agencies to use the equipment and services of the Office. 19
Section 15 also requires any local governmental agency which has agreed to use 20
the equipment and services of the Office to apply to the Chief to withdraw from the 21
use. Section 9 of this bill revises the definition of “local governmental agency” to 22
include the board of trustees of a school district, which has the effect of authorizin g 23
the board of trustees of a school district to use the services of the Office pursuant to 24
section 15. Section 10 of this bill amends the definition of “using agency” so that 25
the term includes any state agency, state officer or local governmental agency th at 26
uses the services and equipment of the Office. 27
Section 2 of this bill requires the Security Operations Center to develop certain 28
policies and procedures to: (1) combat the increasing threats to using agencies 29
posed by cybercriminals; (2) protect sensi tive data in the possession of a using 30
agency; and (3) ensure a coordinated and rapid response to any cybersecurity 31
incident that affects a using agency. 32
Section 3 of this bill provides that if a using agency does not comply with the 33
cybersecurity policies and protocols developed by the Security Operations Center, 34
the Chief may impose additional oversight or audit requirements on the using 35
agency relating to cybersecurity. 36
Section 4 of this bill creates the Account for the Security Operations Center in 37
the State General Fund to be administered by the Chief . Section 4 requires the 38
money in the Account to be used for the purposes of supporting and carrying out 39
the duties of the Security Operations Center. Section 4 also authorizes the Security 40
Operations C enter to serve as a fiscal agent to pool federal grant funds for the 41
purposes of cybersecurity support and infrastructure development. 42
Section 5 of this bill requires the Security Operations Center to collaborate 43
with the Nevada Office of Cyber Defense Co ordination to enhance communication 44
and coordination of incident responses to cyber threats or cyberattacks on 45
information systems. 46
Section 6 of this bill requires the Security Operations Center to submit an 47
annual report to the Governor, Attorney General and the Director of the Legislative 48
Counsel Bureau for transmission to the Legislature that includes certain 49
information relating to the duties of the Security Operations Center. 50
Section 6.5 of this bill provides that the provisions of the Nevada Revised 51
Statutes relating to information services do not impair or affect existing agreements 52
with a federally recognized American Indian tribe and that any interlocal agreement 53
entered into must respect the sovereign governance of the tribe and provide for 54
jointly agreed data protocols. 55
To the extent that funding is available, section 7 of this bill requires the 56
Security Operations Center, in collaboration with the Nevada System of Higher 57
Education, to develop the Cybersecurity Talent Pipeline Program. 58
Section 8 of this bill amends the definition of “information service,” as 59
provided by the Office to a using agency, to include the real -time monitoring of 60
cyberinfrastructure, threat mitigation, incident response and cybersecurity 61
enforcement. 62
Existing law makes certain legislative determinations and declarations relating 63
to the creation and purpose of the Office. (NRS 242.071) Section 11 of this bill 64
revises these determinations and declarations to include performing information 65
services for using agencies. 66
Existing law provides that certain documents relating to homeland security that 67
are assembled, maintained, overseen or prepared by the Office to mitigate, prevent 68

– 3 –

- *AB432_R1*
or respond to acts of terrorism are confidential. (NRS 242.105) Section 13 of this 69
bill provides that certain documents relating to the cybersecurity of a using agency 70
are also confidential. 71
Existing law requires the Chief to adopt certain regulations relating to 72
information systems of certain state agencies. (NRS 242.111) Section 14 of this bill 73
instead requires the Chief to adopt certain regulations relating to information 74
systems of using agencies. 75
Existing law requires the Chief to advise using agencies regarding the policy 76
for information services of the Executive Branch of Government. (NRS 242 .151) 77
Section 16 of this bill instead requires the Chief to advise the using agencies of the 78
policy for information services of the Office. 79
Existing law provides that all equipment of an agency or elected state officer 80
which is owned or leased by the Stat e must be under the managerial control of the 81
Office. (NRS 242.161) Section 17 of this bill : (1) provides instead that all 82
equipment of a using agency which is owned or leased by the State must be under 83
the managerial control of the Office ; (2) prohibits the Security Operations Center 84
from assuming operational control of the equipment or software systems of a using 85
agency; and (3) requires the Security Operations Center to provide standards and 86
policies for the equipment or software systems which must be ag reed upon in 87
writing before the Security Operations Center provides services. 88
Section 18 of this bill provides that the Office is responsible for any application 89
of an information system which it furnishes to using agencies. 90
Section 19 of this bill requires: (1) any using agency which uses the equipment 91
or services of the Office to adhere to the regulations, standards, practices, policies 92
and conventions of the Office; and (2) each using agency to report certain 93
information relating to certain suspected incidents to the Security Operations 94
Center. 95
Existing law requires the Chief to investigate and resolve any breach of an 96
information system of a state agency or elected officer that uses the equipment or 97
services of the Office. (NRS 242.1 83) Section 20 of this bill requires instead that 98
the Chief, in consultation with the Security Operations Center, investigate and 99
resolve any breach of an information system of using agency. 100
Existing law provides that the amount receivable from a state agency or officer 101
or local governmental agency which uses the service of the Office must be 102
determined by the Chief. (NRS 242.191) Section 21 of this bill provides instead 103
that the amount receiv able from a using agency which uses the services or 104
equipment of the Office must be determined by the Chief. 105
Section 22 of this bill requires each using agency using the services and 106
equipment of the Office to pay a fee to the Fund for Information Services. 107

THE PEOPLE OF THE STATE OF NEVADA, REPRESENTED IN
SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:

Section 1. Chapter 242 of NRS is hereby amended by adding 1
thereto the provisions set forth as sections 2 to 7, inclusive, of this 2
act. 3
Sec. 2. 1. The Security Operations Center shall develop 4
policies and procedures to: 5
(a) Combat the increasing threats to using agencies posed by 6
cybercriminals; 7

– 4 –

- *AB432_R1*
(b) Protect sensitive data in the possession of a using agency; 1
and 2
(c) Ensure a coordinated and rapid r esponse to any 3
cybersecurity incident that affects a using agency. 4
2. The policies and procedures developed pursuant to 5
subsection 1 must include, without limitation: 6
(a) A requirement that a using agency notify the Security 7
Operations Center of any spe cific or immediate threat to the 8
cybersecurity of an information system operated or maintained by 9
the using agency; 10
(b) A requirement that the Security Operations Center notify 11
the appropriate law enforcement agency and prosecuting attorney 12
and any other appropriate public or private entity of any specific 13
threat to the cybersecurity of an information system of which the 14
Security Operations Center has been notified; 15
(c) A strategy for developing ongoing programs for 16
professional development in cybersecur ity for the employees of a 17
using agency; and 18
(d) The use of security orchestration automation and response 19
systems to automate repetitive tasks, enhance operational 20
efficiency and standardize procedures and responses for the 21
various information technology support of using agencies. 22
Sec. 3. If a using agency does not comply with the 23
cybersecurity policies and protocols developed by the Security 24
Operations Center, the Chief may impose additional oversight or 25
audit requirements on the using agency relating to cybersecurity. 26
Sec. 4. 1. The Account for the Security Operations Center 27
is hereby created in the State General Fund. The Chief must 28
administer the Account. 29
2. The money in the Account must only be used for the 30
purposes of supporting and carrying out the duties of the Security 31
Operations Center. 32
3. The Chief may apply for and accept federal grants for the 33
purposes of this section. 34
4. The Security Operations Center may serve as a fiscal agent 35
to pool federal grant funds for the purposes of cybersecurity 36
support and infrastructure development. The Security Operations 37
Center may establish criteria for using agencies to access shared 38
resources which must ensure equitable distribution of the 39
resources and maximize competiveness for federal opportunities. 40
5. All interest earned on the money in the Account, after 41
deducting any applicable charges, must be credited to the Account. 42
6. All claims against the Account must be paid as other 43
claims against the State are paid. 44

– 5 –

- *AB432_R1*
7. Any money remaining in the Account at the end of a fiscal 1
year does not revert to the State General Fund and must be carried 2
forward to the next fiscal year. 3
Sec. 5. The Security Operations Center shall collaborate with 4
the Nevada Office of Cyber Defense Coordination created by NRS 5
480.920 to enhance communication and coordination of incident 6
responses to cyber threats or cyberattacks on inform ation systems 7
and to provide each using agency information relating to 8
emerging cyber threats and best practices for cybersecurity. 9
Sec. 6. 1. On or before January 1 of each year, the Security 10
Operations Center shall prepa re a report assessing the 11
effectiveness of the Security Operations Center relating to its 12
duties. The report must include, without limitation: 13
(a) A summary of the progress made by the Security 14
Operations Center during the previous year in performing its 15
duties and exercising such powers as are conferred upon it; 16
(b) A general description of any threats or attacks responded to 17
by the Security Operations Center during the previous year, and a 18
summary of the response to the threat; 19
(c) A summary of the goa ls and objectives of the Security 20
Operations Center for the upcoming year; 21
(d) A summary of any issues presenting challenges to the 22
Security Operations Center; and 23
(e) Any other information that the Chief determines is 24
appropriate to include in the report. 25
2. The report required pursuant to subsection 1 must be 26
submitted not later than July 1 of each year to the Governor, 27
Attorney General and Director of the Legislative Counsel Bureau 28
for transmission to the Legislature. 29
Sec. 6.5. Nothing in this chapter shall be construed to impair 30
or affect existing agreements with a federally recognized 31
American Indian tribe. Any interlocal agreement entered into with 32
the governing body of an Indian tribe, g roup of tribes, organized 33
segment of a tribe or any organization representing two or more 34
such entities must respect sovereign governance and provide for 35
jointly agreed data protocols. 36
Sec. 7. To the extent that funding is available: 37
1. The Security Operations Center shall, in collaboration with 38
the Nevada System of Higher Education, develop the 39
Cybersecurity Talent Pipeline Program. The Program must 40
develop a system for the career development of students in the 41
field of computer science or cybersecurity. 42
2. The Program must provide opportunities for students 43
within the Nevada System of Higher Education who are majoring 44

– 6 –

- *AB432_R1*
in a field related to cybersecurity to obtain working experience in 1
the Security Operations Center. 2
Sec. 8. NRS 242.055 is hereby amended to read as follows: 3
242.055 “Information service” means any service relating to 4
the creation, maintenance, operation, security validation, testing, 5
continuous monitoring or use of an i nformation system. The term 6
includes, without limitation, the real -time monitoring of 7
cyberinfrastructure, threat mitigation, incident response and 8
cybersecurity enforcement. 9
Sec. 9. NRS 242.061 is hereby amended to read as follows: 10
242.061 “Local governmental agency” means any [branch,] : 11
1. Branch, agency, bureau, board, commission, department or 12
division of a county, incorporated city or town in this State [.] ; or 13
2. The board of trustees of a school district. 14
Sec. 10. NRS 242.068 is hereby amended to read as follows: 15
242.068 “Using agency” means [an agency of the State which 16
has a function requiring the use of information technology, 17
information services or an information system.] : 18
1. A state agency or elected state officer who is required to 19
use the services and equipment of the Office pursuant to 20
subsection 1 of NRS 242.131. 21
2. Any other state agency or local governmental agency that 22
has negotiated with the Office for its services and equipment 23
pursuant to subsection 2 of NRS 242.131. 24
Sec. 11. NRS 242.071 is hereby amended to read as follows: 25
242.071 1. The Legislature hereby determines and declares 26
that the creation of the Office of the Chief Information Officer 27
within the Office of the Governor is necessary for the secure, 28
coordinated, orderly and economical processing of data and 29
information in State G overnment, to ensure the secure and 30
economical use of information systems and to prevent the 31
unnecessary proliferation of equipment and personnel among the 32
various state agencies. 33
2. The purposes of the Office are: 34
(a) To perform information services for [state] using agencies. 35
(b) To provide technical advice but not administrative control of 36
the information systems within the [state] using agencies . [and, as 37
authorized, of local governmental agencies.] 38
Sec. 12. NRS 242.080 is hereby amended to read as follows: 39
242.080 1. The Office of the Chief Information Officer is 40
hereby created within the Office of the Governor. 41
2. The Office consists of the Chief and: 42
(a) The Administration Unit. The Chief is the head of the 43
Administration Unit. 44
(b) The Client Services Unit. 45

– 7 –

- *AB432_R1*
(c) The Computing Services Unit. 1
(d) The Network Services Unit. 2
(e) The Office of Information Security. 3
(f) The Security Operations Center. 4
(g) Other units, groups, divisions or departments deemed 5
necessary by the Chief to the extent such functions are supported by 6
the appropriations allocated to the functions of the Office. 7
3. A Network Transport Services Group and a 8
Telecommunications Group are hereby created within the Network 9
Services Unit of the Office. 10
Sec. 13. NRS 242.105 is hereby amended to read as follows: 11
242.105 1. Except as otherwise provided in subsection 3, 12
records and portions of records that are assembled, maintained, 13
overseen or prepared by the Office to mitigate, prevent or respond to 14
cybersecurity incidents or acts of terrorism, the public disclosure of 15
which would, in the determination of the Chief, create a substantial 16
likelihood of threatening the cybersecurity of a using agency or the 17
safety of the general public are confidential and not subject to 18
inspection by the general public to the extent that such records and 19
portions of records consist of or include: 20
(a) Information regarding the infrastructure and security of 21
information systems, including, without limitation: 22
(1) Access codes, passwords and programs used to ensure the 23
security of an information system; 24
(2) Access codes used to ensure the security of software 25
applications; 26
(3) Procedures and processes used to ensure the securit y of 27
an information system; and 28
(4) Plans used to re -establish security and service with 29
respect to an information system after security has been breached or 30
service has been interrupted. 31
(b) Assessments and plans that relate specifically and uniquely 32
to the vulnerability of an information system or to the measures 33
which will be taken to respond to such vulnerability, including, 34
without limitation, any compiled underlying data necessary to 35
prepare such assessments and plans. 36
(c) The results of tests of the security of an information system, 37
insofar as those results reveal specific vulnerabilities relative to the 38
information system. 39
2. The Chief shall maintain or cause to be maintained a list of 40
each record or portion of a record that the Chief has dete rmined to 41
be confidential pursuant to subsection 1. The list described in this 42
subsection must be prepared and maintained so as to recognize the 43
existence of each such record or portion of a record without 44
revealing the contents thereof. 45

– 8 –

- *AB432_R1*
3. At least once each biennium, the Chief shall review the list 1
described in subsection 2 and shall, with respect to each record or 2
portion of a record that the Chief has determined to be confidential 3
pursuant to subsection 1: 4
(a) Determine that the record or portion of a record remains 5
confidential in accordance with the criteria set forth in subsection 1; 6
(b) Determine that the record or portion of a record is no longer 7
confidential in accordance with the criteria set forth in subsection 1; 8
or 9
(c) If the Chief determines that the record or portion of a record 10
is obsolete, cause the record or portion of a record to be disposed of 11
in the manner described in NRS 239.073 to 239.125, inclusive. 12
4. On or before February 15 of each year, the Chief shall: 13
(a) Prepare a report setting forth a detailed description of each 14
record or portion of a record determined to be confidential pursuant 15
to this section, if any, accompanied by an explanation of why each 16
such record or portion of a record was determined to be confidential; 17
and 18
(b) Submit a copy of the report to the Director of the Legislative 19
Counsel Bureau for transmittal to: 20
(1) If the Legislature is in session, the standing committees 21
of the Legislature which have jurisdiction of the subject matter; or 22
(2) If th e Legislature is not in session, the Legislative 23
Commission. 24
5. As used in this section, “act of terrorism” has the meaning 25
ascribed to it in NRS 239C.030. 26
Sec. 14. NRS 242.111 is hereby amended to read as follows: 27
242.111 The Chief shall adopt regulations necessary for the 28
administration of this chapter, including: 29
1. The policy for the information systems of [the Executive 30
Branch of Government, excluding the Nevada System of Higher 31
Education and the Nevada Crimi nal Justice Information System, ] 32
using agencies, as that policy relates, but is not limited, to such 33
items as standards for systems and programming and criteria for 34
selection, location and use of information systems to meet the 35
requirements of [state] using agencies and officers [at] in the [least 36
cost to] best interests of the State [;] and using agencies; 37
2. The procedures of the Office in providing information 38
services, which may include provision for the performance, by [an] 39
using agency which uses the services or equipment of the Office, of 40
preliminary procedures, such as data recording and verification, 41
within the using agency; 42
3. The effective administration of the Office, including, 43
without limitation, security to prevent unau thorized access to 44

– 9 –

- *AB432_R1*
information systems and plans for the recovery of systems and 1
applications after they have been disrupted; 2
4. The development of standards to ensure the security of the 3
information systems of the [Executive Branch of Government; ] 4
using agencies; and 5
5. Specifications and standards for the employment of all 6
personnel of the Office. 7
Sec. 15. NRS 242.131 is hereby amended to read as follows: 8
242.131 1. The Office shall provide state agencies and 9
elected state officers with all their required design of information 10
systems. Additionally, the Security Operations Center shall 11
provide each state agency and elected state officer with 12
cybersecurity services, in cluding, without limitation, real -time 13
monitoring of cyberinfrastructure, threat mitigation, incident 14
response and cybersecurity enforcement. All agencies and officers 15
must use those services and equipment, except as otherwise 16
provided in subsection 2. 17
2. The following agencies may negotiate with the Office for its 18
services , including, without limitation, cybersecurity services, 19
including, without limitation, real -time monitoring of 20
cyberinfrastructure, threat mitigation, incident response and 21
cybersecurity enforcement or the use of its equipment, subject to 22
the provisions of this chapter, and the Office shall provide those 23
services and the use of that equipment as may be mutually agreed: 24
(a) The Court Administrator; 25
(b) The Department of Motor Vehicles; 26
(c) The Department of Public Safety; 27
(d) The Department of Transportation; 28
(e) The Employment Security Division of the Department of 29
Employment, Training and Rehabilitation; 30
(f) The Department of Wildlife; 31
(g) The Housing Division of the Department of Business and 32
Industry; 33
(h) The Legislative Counsel Bureau; 34
(i) The State Controller; 35
(j) The Nevada Gaming Control Board and Nevada Gaming 36
Commission; [and] 37
(k) The Nevada System of Higher Education [.] ; 38
(l) Any local governmental agency. 39
3. Any state agency or elected state officer who uses the 40
services of the Office and desires to withdraw substantially from 41
that use must apply to the Chief for approval. The application must 42
set forth justification for the withdrawal. If the Chief denies the 43
application, the agency or officer must: 44

– 10 –

- *AB432_R1*
(a) If the Legislature is in regular or special session, obtain the 1
approval of the Legislature by concurrent resolution. 2
(b) If the Legislature is not in regular or special session, obtain 3
the approval of the Inter im Finance Committee. The Chief shall, 4
within 45 days after receipt of the application, forward the 5
application together with his or her recommendation for approval or 6
denial to the Interim Finance Committee. The Interim Finance 7
Committee has 45 days after the application and recommendation 8
are submitted to its Secretary within which to consider the 9
application. Any application which is not considered by the 10
Committee within the 45-day period shall be deemed approved. 11
4. Any local governmental agency whic h has entered into an 12
agreement to use the equipment and services of the Office and 13
desires to withdraw substantially from that use must apply to the 14
Chief for approval. The application must set forth the justification 15
for the withdrawal. 16
5. If the dema nd for services or use of equipment exceeds the 17
capability of the Office to provide them, the Office may contract 18
with other agencies or independent contractors to furnish the 19
required services or use of equipment and is responsible for the 20
administration of the contracts. 21
Sec. 16. NRS 242.151 is hereby amended to read as follows: 22
242.151 The Chief shall advise the using agencies regarding: 23
1. The policy for information services of the [Executive Branch 24
of Government,] Office as that policy relates, but is not limited, to 25
such items as standards for systems and programming and criteria 26
for the selection, location and use of information systems in order 27
that the requirements of [state agencies and officers] using agencies 28
may be met at the least cost ; [to the State;] 29
2. The procedures in performing information services; and 30
3. The effective administration and use of the computer 31
facility, including security to prevent unauthorized access to data, 32
information and plans for the recovery of systems and applications 33
after they have been disrupted. 34
Sec. 17. NRS 242.161 is hereby amended to read as follows: 35
242.161 1. All equipment of [an agency or elected state 36
officer] a using agency which is owned or leased by the State must 37
be under the managerial control of the Office, except the equipment 38
of the agencies and officers specified in subsection 2 of 39
NRS 242.131. 40
2. The Office may permit [an] a using agency which is 41
required to use s uch equipment to operate it on the using agency’s 42
premises. 43
3. The Security Operations Center shall not assume 44
operational control of the equipment or software systems of a 45

– 11 –

- *AB432_R1*
using agency . Before providing services, the Security Operations 1
Center shall provide to the using agency standards and policies for 2
the equipment or software systems of the using agency which must 3
be agreed upon in writing. 4
Sec. 18. NRS 242.171 is hereby amended to read as follows: 5
242.171 1. The Office is responsible for: 6
(a) The applications of information systems; 7
(b) Designing and placing those information systems in 8
operation; 9
(c) Any application of an information system which it furnishes 10
to [state] using agencies [and officers] after negotiation; and 11
(d) The security validation, testing, including, without 12
limitation, penetration testing, and continuous monitoring of 13
information systems, 14
 for using agencies . [and for state agencies and officers which use 15
the equipment or services of the Office pursuant to subsection 2 of 16
NRS 242.131.] 17
2. The Chief shall review and approve or disapprove, pursuant 18
to standards for justifying cost, any application of an information 19
system having an estimated developmental cost of $50,000 or more. 20
No using agency may commence development work on any such 21
applications until approval and authorization have been obtained 22
from the Chief. 23
3. As used in this section, “penetration testing” means a 24
method of evaluating the security of an information system or 25
application of an information system by simulating unauthorized 26
access to the information system or application. 27
Sec. 19. NRS 242.181 is hereby amended to read as follows: 28
242.181 1. Any [state agency or elected state officer] using 29
agency which uses the equipment or services of the Office shall 30
adhere to the regulations, standards, practices, policies and 31
conventions of the Office. 32
2. Each [state] using agency [or elected state officer described 33
in subsection 1] shall report any suspected incident of: 34
(a) [Unauthorized access to an information system or application 35
of an information system of the Office used by the state agency or 36
elected state officer; and] A data breach; 37
(b) A distributed denial of service incident; 38
(c) A ransomware incident; 39
(d) Any other incident that disrupts the delivery or essential 40
services for more than 1 business day or directly affects life or 41
property; or 42
(e) Noncompliance with the regulations, standards, practices, 43
policies and conventions of the Office that is identified by the Office 44
as security-related, 45

– 12 –

- *AB432_R1*
 to the Office of Information Security of the Office and Security 1
Operations Center within 24 hours after discovery of the suspected 2
incident. If the Office of Information Security , in consultation with 3
the Security Operations Center, determines that an incident of 4
unauthorized access or noncompliance occurred, it shall 5
immediately report the incident to the Chief. The Chief shall assist 6
in the investigation and resolution of any such incident. 7
3. The report submitted pursuant to subsection 2 must 8
contain the following information: 9
(a) The date and time of the incident; 10
(b) The type of incident; 11
(c) The type of information system or data affected by the 12
incident; 13
(d) The known and projected impact of the incident to the 14
using agency; 15
(e) Whether law enforcement, a regulatory body or any other 16
entity that could be affected by the incident has been notified, as 17
applicable; and 18
(f) Any additional resources needed by the us ing agency to 19
respond to the incident, as applicable. 20
4. The Chief may establish a uniform reporting system if the 21
Office and Security Operations Center are organizationally 22
collocated. 23
5. The Office shall provide services to each [state] using 24
agency [and elected state officer described in subsection 1 ] 25
uniformly with respect to degree of service, priority of service, 26
availability of service and cost of service. 27
Sec. 20. NRS 242.183 is hereby amended to read as follows: 28
242.183 1. The Chief of the Office of Information Security , 29
in consultation with the Security Operations Center, shall 30
investigate and resolve any breach of an information system of a 31
[state] using agency [or elected officer that uses the equipment or 32
services of the Office of the Chief Information Officer ] or an 33
application of such an information system or unauthorized 34
acquisition of computerized data that materially compromises the 35
security, confidentiality or integrity of such an information system. 36
2. The Chief Information Officer or Chief of the Office of 37
Information Security, at his or her discretion, may inform members 38
of the Technological Crime Advisory Board created by NRS 39
205A.040, the Nevada Commission on Homeland Security created 40
by NRS 239C.120 and the Information Technology Advisory Board 41
created by NRS 242.122 of any breach of an information system of 42
a [state] using agency [or elected officer ] or application of such an 43
information system or unauthorized acquisition of computerized 44

– 13 –

- *AB432_R1*
data or information that materially compromises the security, 1
confidentiality or integrity of such an information system. 2
Sec. 21. NRS 242.191 is hereby amended to read as follows: 3
242.191 1. Except as otherwise provided in subsection 3, the 4
amount receivable from a [state] using agency [or officer or local 5
governmental agency] which uses the services and equipment of the 6
Office must be determined by the Chief in each case and include: 7
(a) The annual expense, including depreciation, of operating and 8
maintaining the Network Services Unit [,] and the cybersecurity 9
services provided by the Security Operations Center, distributed 10
among the agencies in proportion to the services performed for each 11
agency. 12
(b) A service charge in an amount determined by distributing the 13
monthly installment for the construction costs of the computer 14
facility among the agencies in proportion to the services performed 15
for each agency. 16
2. The Chief shall prepare and su bmit monthly to the [state 17
agencies and officers and local governmental ] using agencies for 18
which services of the Office have been performed an itemized 19
statement of the amount receivable from each [state] using agency . 20
[or officer or local governmental agency.] 21
3. The Chief may authorize, if in his or her judgment the 22
circumstances warrant, a fixed cost billing, including a factor for 23
depreciation, for services rendered to a [state] using agency . [or 24
officer or local governmental agency.] 25
Sec. 22. NRS 242.211 is hereby amended to read as follows: 26
242.211 1. The Fund for Information Services is hereby 27
created as an internal service fund. Money from the Fund must be 28
paid out on claims as other claims against the State are paid. The 29
claims must be made in accordance with budget allotments and are 30
subject to postaudit examination and approval. 31
2. All operating, maintenance, rental, repair and replacement 32
costs of equipment and all salaries of personnel assigned to the 33
Office must be paid from the Fund. 34
3. Each using agency using the services or equipment of the 35
Office shall pay a fee for that use to the Fund, which must be set by 36
the Chief in an amount sufficient to reimburse the Office for the 37
entire cost of pro viding those services, including overhead. Each 38
using agency shall budget for those services. All fees, proceeds from 39
the sale of equipment and any other money received by the Office 40
must be deposited with the State Treasurer for credit to the Fund. 41
Sec. 23. The provisions of NRS 218D.380 do not apply to any 42
provision of this act which adds or revises a requirement to submit a 43
report to the Legislature. 44
Sec. 24. NRS 242.141 is hereby repealed. 45

– 14 –

- *AB432_R1*

TEXT OF REPEALED SECTION

242.141 Services provided for agencies not under
Governor’s control and local governmental agencies. To
facilitate the economical processing of data or information
throughout the State Government, the Office may pr ovide service
for agencies not under the control of the Governor, upon the request
of any such agency. The Office may provide services, including,
without limitation, purchasing services, to a local governmental
agency upon request, if provision of such se rvices will result in
reduced costs to the State for equipment and services.

H