Back to Pennsylvania

SB373 • 2025

An Act amending Title 71 (State Government) of the Pennsylvania Consolidated Statutes, in boards and offices, providing for information technology and security.

An Act amending Title 71 (State Government) of the Pennsylvania Consolidated Statutes, in boards and offices, providing for information technology and security.

Technology
Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
PHILLIPS-HILL
Last action
2025-03-06
Official status
Referred to COMMUNICATIONS AND TECHNOLOGY, March 6, 2025
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

An Act amending Title 71 (State Government) of the Pennsylvania Consolidated Statutes, in boards and offices, providing for information technology and security.

An Act amending Title 71 (State Government) of the Pennsylvania Consolidated Statutes, in boards and offices, providing for information technology and security.

What This Bill Does

  • An Act amending Title 71 (State Government) of the Pennsylvania Consolidated Statutes, in boards and offices, providing for information technology and security.

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. 2025-03-06 COMMUNICATIONS AND TECHNOLOGY

    Referred to COMMUNICATIONS AND TECHNOLOGY, March 6, 2025

Official Summary Text

An Act amending Title 71 (State Government) of the Pennsylvania Consolidated Statutes, in boards and offices, providing for information technology and security.

Current Bill Text

Read the full stored bill text
PRINTER'S NO. 321
THE GENERAL ASSEMBLY OF PENNSYLVANIA
SENATE BILL
No. 373
Session of
2025
INTRODUCED BY PHILLIPS-HILL, BROWN, STEFANO, CULVER, DUSH AND
LAUGHLIN, MARCH 6, 2025
REFERRED TO COMMUNICATIONS AND TECHNOLOGY, MARCH 6, 2025
AN ACT
Amending Title 71 (State Government) of the Pennsylvania
Consolidated Statutes, in boards and offices, providing for
information technology and security.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. Part V of Title 71 of the Pennsylvania
Consolidated Statutes is amended by adding a chapter to read:
CHAPTER 43
INFORMATION TECHNOLOGY
Subchapter
A. General Provisions (Reserved)
C. Security
SUBCHAPTER A
GENERAL PROVISIONS
(Reserved)
SUBCHAPTER C
SECURITY
Sec.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
4351. Statewide security standards.
4352. Security standards and risk assessments.
4353. Assessment of compliance with security standards.
4354. Joint Cybersecurity Oversight Committee.
§ 4351. Statewide security standards.
(a) Establishment.--
(1) The Chief Information Officer within the Office of
Administration shall establish a Statewide set of standards
for information technology security to maximize the
functionality, security and interoperability of the
Commonwealth's distributed information technology assets,
including:
(i) Data classification.
(ii) Management.
(iii) Communications.
(iv) Encryption technologies.
(2) The standards under this subsection shall conform to
the industry's best practices and standards regarding
information technology security.
(b) Review and revision.--The Chief Information Officer
shall review and revise the security standards annually as
necessary. As part of this function, the Chief Information
Officer shall review periodically existing security standards
and practices in place among the various State agencies to
determine whether those standards and practices meet Statewide
security and encryption requirements.
(c) Assumption of responsibilities.--The Chief Information
Officer may assume the direct responsibility of providing for
the information technology security of a State agency that fails
to adhere to security standards adopted under this chapter.
20250SB0373PN0321 - 2 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
§ 4352. Security standards and risk assessments.
(a) Authorization to operate.--Notwithstanding any other
provision of law and except as otherwise provided by this
chapter, all information technology security goods, software or
services purchased using taxpayer money, or for use by a State
agency or in a public facility, shall require an authorization
to operate by the head of the State agency in accordance with
security standards under this chapter. No information technology
system or service may be operated by, or in support of, a State
agency without an authorization to operate.
(b) Standards.--The Chief Information Officer within the
Office of Administration shall define a risk-based set of
control standards that identify specific security and privacy
protections for all information technology and information
technology services in line with the specific threats and risks
to the residents of this Commonwealth and State agency
operations.
(c) Assessments.--
(1) The Chief Information Officer shall conduct risk
assessments to identify compliance and operational and
strategic risks to the information technology network and
agency operations.
(2) The assessments may include methods such as
penetration testing, social-engineered security threats or
similar assessment methodologies.
(3) The Chief Information Officer may contract with
another party to perform the assessments.
(4) The following assessment reviews shall be performed
prior to the information security audit under subsection (e)
and the assessment shall be performed consistent with the
20250SB0373PN0321 - 3 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Federal information processing standards:
(i) Identity management.
(ii) Security incident management.
(iii) Network perimeter security.
(iv) Systems development.
(v) Project management.
(vi) Information technology risk management.
(vii) Data management.
(viii) Vulnerability management.
(5) Detailed reports of the risk and security issues
identified in the assessments shall be reported to the Chief
Information Officer and shall be kept confidential.
(6) The agency head, in consultation with the Office of
Administration, shall identify corrective or mitigating
actions as needed.
(d) Interim authority to operate.--If the agency head
determines that the information technology system or service is
needed, the agency head may seek authorization from the Chief
Information Officer for a period not longer than 180 days to
implement the corrective or mitigating actions.
(e) Security audit.--
(1) The Chief Information Officer shall contract with an
independent certified information security auditor or entity
to perform an information security audit of State agencies.
(2) The Chief Information Officer shall determine a
schedule for continuous State agency information security
audits.
(f) Notification and audits.--
(1) The party conducting the assessment or audit shall
provide the Chief Information Officer and head of the
20250SB0373PN0321 - 4 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
reviewed State agency with a detailed report of the security
issues identified, which shall not be publicly disclosed.
(2) The State agency, in cooperation with the Office of
Administration, shall provide the Chief Information Officer
with a corrective action plan that remediates issues
identified in the detailed report under paragraph (1), which
may not be publicly disclosed.
(3) The Chief Information Officer shall issue a public
report on the general results of the assessment that shall be
accessible on the Office of Administration's publicly
accessible Internet website.
(g) Effect of section.--Nothing in this section shall be
construed to preclude the Auditor General or the General
Assembly from assessing the security practices of State
information technology systems as part of its statutory duties
and responsibilities.
§ 4353. Assessment of compliance with security standards.
(a) Frequency.--The Chief Information Officer within the
Office of Administration shall biannually assess the ability of
each State agency's contracted vendors to comply with the
current security standards established under this chapter.
(b) Contents.--The Chief Information Officer shall establish
a quantifiable objective metric that measures the degree of
compliance with current security standards. The assessment under
this section shall, at a minimum:
(1) Quantify the degree of compliance with the current
security standards using the metric.
(2) Include security organization, security practices,
security information standards, network security
architecture, systems development and lifecycle management
20250SB0373PN0321 - 5 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
and current expenditures of State funds for information
security.
(3) Include an estimate of the cost to implement the
security measures needed for State agencies to fully comply
with the established standards.
(c) Submittal of information.--A State agency shall submit
information required by the Chief Information Officer for the
assessments under this section.
§ 4354. Joint Cybersecurity Oversight Committee.
(a) Establishment and membership.--The Joint Cybersecurity
Oversight Committee is established and shall consist of the
following members:
(1) The director.
(2) The following individuals appointed by the President
pro tempore of the Senate:
(i) Two members of the Senate.
(ii) A representative of the Chief Clerk of the
Senate.
(iii) A representative from the Information
Technology Office of the majority caucus of the Senate.
(3) The following individuals appointed by the Minority
Leader of the Senate:
(i) One member of the Senate.
(ii) A representative from the Information
Technology Office of the minority caucus of the Senate.
(4) The following individuals appointed by the Speaker
of the House of Representatives:
(i) Two members of the House of Representatives.
(ii) A representative of the Chief Clerk of the
House of Representatives.
20250SB0373PN0321 - 6 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(iii) A representative from the Information
Technology Office of the majority caucus of the House of
Representatives.
(5) The following individuals appointed by the Minority
Leader of the House of Representatives:
(i) One member of the House of Representatives.
(ii) A representative from the Information
Technology Office of the minority caucus of the House of
Representatives.
(6) The Attorney General or a designee of the Attorney
General.
(7) The Chief Information Officer of:
(i) The Department of the Auditor General.
(ii) The Treasury Department.
(iii) The Office of Attorney General.
(iv) The Administrative Office of Pennsylvania
Courts.
(v) The Pennsylvania Public Utility Commission.
(8) Four private citizens appointed by the Governor with
professional cybersecurity experience.
(9) The Commissioner of Pennsylvania State Police or a
designee of the commissioner.
(10) A member of the National Guard experienced in
cybersecurity, as appointed by the Adjutant General.
(11) The president of the County Commissioners
Association of Pennsylvania or a designee of the president.
(b) Chairperson and vice chairperson.--The chairperson of
the committee shall be appointed by the Governor, and the vice
chairperson of the committee shall be appointed by the
chairperson.
20250SB0373PN0321 - 7 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(c) Staffing.--
(1) The committee shall be staffed by the Office of
Administration, which shall support and assist the committee.
(2) Costs incurred for mileage for a member shall be
reimbursed by the individual or entity appointing the member.
(d) Service of members.--Each member of the committee shall
serve at the pleasure of the individual who appointed the
member.
(e) Vacancies.--A vacancy in the membership of the committee
shall be filled by the appointing authority in the same manner
as the original appointment.
(f) Meetings.--
(1) The committee shall meet at least on a quarterly
basis and no later than the first Thursday of each quarter.
(2) The chairperson of the committee, with the consent
of the vice chairperson of the committee, may schedule
additional meetings of the committee.
(3) The chairperson of the committee shall provide the
members of the committee with notice of the time and location
of each meeting of the committee no later than one week prior
to the meeting. Notice shall also be provided to the
Governor, the President pro tempore of the Senate and the
Speaker of the House of Representatives.
(4) Notice of the meetings of the committee shall be
provided by regular mail and email.
(5) A member of the committee may participate in a
meeting of the committee in person, by teleconference, by
video conference or by other means as agreed to by the
chairperson and vice chairperson of the committee.
(6) A meeting of the committee shall be subject to 65
20250SB0373PN0321 - 8 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Pa.C.S. Ch. 7 (relating to open meetings).
(7) Executive sessions may be held in accordance with 65
Pa.C.S. § 708 (relating to executive sessions) and may be
held to discuss, plan or review matters and records that are
deemed necessary for emergency preparedness, protection of
public safety and security of all property in a manner that,
if disclosed, would be reasonably likely to jeopardize or
threaten public safety or preparedness or public protection.
(g) Duties.--
(1) The committee shall review and coordinate
cybersecurity policies and discuss emerging cybersecurity
threats, recommended policy changes and assess current
cybersecurity within this Commonwealth.
(2) The committee shall prepare a report of its
activities, which shall be transmitted to the following:
(i) The Governor.
(ii) The President pro tempore of the Senate.
(iii) The Speaker of the House of Representatives.
(iv) The Majority Leader and the Minority Leader of
the Senate.
(v) The Majority Leader and the Minority Leader of
the House of Representatives.
(vi) The Court Administrator of Pennsylvania.
(h) Definitions.--As used in this section, the following
words and phrases shall have the meanings given to them in this
subsection unless the context clearly indicates otherwise:
"Committee." The Joint Cybersecurity Oversight Committee
established under this section.
Section 2. This act shall take effect immediately.
20250SB0373PN0321 - 9 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29