SENATE BILL NO. 148
INTRODUCED BY D. MCGEE
BY REQUEST OF THE DEPARTMENT OF ADMINISTRATION
A BILL FOR AN ACT ENTITLED: "AN ACT REQUIRING THE IDENTIFICATION OF CERTAIN POSITIONS WITHIN STATE GOVERNMENT FOR WHICH A CRIMINAL RECORDS CHECK MUST BE PERFORMED TO ENSURE THE SECURITY OF DATA AND INFORMATION TECHNOLOGY RESOURCES; REQUIRING EMPLOYEES HOLDING CERTAIN POSITIONS WITHIN STATE GOVERNMENT TO PERIODICALLY CERTIFY THAT THEY HAVE NOT BEEN CONVICTED OF AND ARE NOT AWAITING TRIAL ON CERTAIN CRIMES; AUTHORIZING CERTAIN EMPLOYMENT ACTIONS IF A CRIMINAL RECORDS CHECK REVEALS CERTAIN CRIMINAL CONVICTIONS OR IF AN EMPLOYEE OCCUPYING ANY OF CERTAIN POSITIONS PROVIDES FALSE INFORMATION REGARDING CONVICTION OF OR INDICTMENT ON CERTAIN CRIMES; AUTHORIZING THE DEPARTMENT OF ADMINISTRATION, THE JUDICIAL BRANCH, THE LEGISLATIVE BRANCH, AND THE BOARD OF REGENTS TO TAKE ENFORCEMENT ACTIONS TO ENSURE THE SECURITY OF DATA AND INFORMATION TECHNOLOGY RESOURCES; AMENDING SECTIONS 2-15-114, 2-17-512, 2-17-514, 2-17-516, 2-17-534, 3-2-605, 5-11-105, 5-11-112, AND 20-25-301, MCA; AND PROVIDING AN IMMEDIATE EFFECTIVE DATE AND AN APPLICABILITY DATE."
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MONTANA:
NEW SECTION. Section 1. Criminal records check to ensure information technology security. (1) For the purposes of 2-17-524 and 44-5-601 and to obtain a criminal records check pursuant to Public Law 92-544, 42 U.S.C. 14616, each person referred to in subsection (3) who occupies, who may occupy, or who performs a service under contract for a position identified under subsection (2) shall provide a full set of fingerprints to the department, the supreme court, or the consolidated legislative branch provided for in 5-2-504, as appropriate.
(2) Each position that has access to areas, equipment, software, or information that, if tampered with, could incapacitate, damage, destroy, or interfere with the operation of information technology resources or data or compromise the safety or security of the state must be identified and included on a list of positions by:
(a) the department for each state agency, except the university system;
(b) the supreme court for judicial branch agencies;
(c) the legislative council, with the concurrence of the legislative audit committee and the legislative finance committee, for the consolidated legislative branch; and
(d) the board of regents for the Montana university system.
(3) This section applies to:
(a) an applicant for employment who has received a conditional job offer in any position identified in subsection (2);
(b) each employee who holds a position identified in subsection (2); and
(c) each employee of each vendor who contracts with any state agency, the judicial branch, or the consolidated legislative branch to provide services for any position identified in subsection (2).
(4) The state agency, the judicial branch, or the consolidated legislative branch shall:
(a) pay for the cost of the criminal records check required under this section if the criminal records check is conducted for an employee or a prospective employee; and
(b) require any vendor whose employee is subject to the criminal records check required under this section to reimburse the state agency, the judicial branch, or the consolidated legislative branch for the cost of the criminal records check.
NEW SECTION. Section 2. Certification. (1) The department, the supreme court, or the legislative council shall, as frequently as considered to be necessary or advisable, require each employee included in [section 1(3)] to certify that the employee is not awaiting trial on and has not been convicted of a felony or any criminal offense in this state or another state, jurisdiction, or country involving breach of trust, theft, embezzlement, destruction of property, unauthorized access to or tampering with a computer system, any other computer-related crime, espionage, or treason against the United States.
(2) The department shall provide a form to be used by state agencies for the certifications required in subsection (1). The supreme court or the consolidated legislative branch provided for in 5-2-504 may use the form for the certifications. However, if the supreme court or the legislative branch uses a different form for the certifications, the information on the form must be substantially the same as the information required on the form provided by the department.
(3) An employee who provides false information under this section is subject to the actions authorized in [section 3], including immediate discharge.
NEW SECTION. Section 3. Authorized action in case of felony charge or conviction -- department review and action. (1) Subject to subsection (2), a person found, through a criminal records check conducted pursuant to [section 1], a certification required under [section 2], or by other means, to be awaiting trial on or to have been convicted of an offense referred to in [section 2(1)] is subject to the following action:
(a) for a person described in [section 1(3)(a)], the offer of employment may be withdrawn;
(b) for a person described in [section 1(3)(b)], the state agency, the judicial branch, or the consolidated legislative branch provided for in 5-2-504 may demote, transfer, or discharge the person;
(c) for a person described in [section 1(3)(c)], the state agency, the judicial branch, or the consolidated legislative branch may:
(i) require the vendor who employs the person to replace the person with another person; or
(ii) cancel the contract with the vendor.
(2) Before a state agency may take an action authorized in this section, the state agency shall, based on current state and federal employment law on convictions, make a tentative recommendation concerning the action to the department and the department shall:
(a) review the recommendation, including the state agency's reasons for the recommendation and current state and federal employment law on convictions; and
(b) approve or reject the recommendation.
Section 4. Section 2-15-114, MCA, is amended to read:
"2-15-114. Security responsibilities of departments for data and information technology resources. Each department head is responsible for ensuring an adequate level of security for all data and information technology resources within that department and shall:
(1) develop and maintain written internal policies and procedures to ensure security of data. The internal policies and procedures are confidential information and exempt from public inspection, except that the information must be available to the legislative auditor in performing postauditing duties.
(2) designate an information security manager to administer the department's security program for data;
(3) implement appropriate cost-effective safeguards to reduce, eliminate, or recover from identified threats to data;
(4) ensure that internal evaluations of the security program for data are conducted. The results of the internal evaluations are confidential and exempt from public inspection, except that the information must be available to the legislative auditor in performing postauditing duties.
(5) include appropriate security requirements, as determined by the department, in the written specifications for the department's solicitation of data and information technology resources; and
(6) include a general description of the existing security program and future plans for ensuring security of data in the agency information technology plan as provided for in 2-17-523;
(7) ensure that the position list required to be compiled under [section 1] is complete and current; and
(8) ensure that the criminal records checks required under [section 1] and the certifications required under [section 2] are performed and that appropriate authorized action under [section 3] is taken to secure the data and information technology resources of the department."
Section 5. Section 2-17-512, MCA, is amended to read:
"2-17-512. Powers and duties of department. (1) The department is responsible for carrying out the planning and program responsibilities for information technology for state government, except the national guard. The department:
(a) shall encourage and foster the development of new and innovative information technology within state government;
(b) shall promote, coordinate, and approve the development and sharing of shared information technology application software, management systems, and information that provide similar functions for multiple state agencies;
(c) shall cooperate with the office of economic development to promote economic development initiatives based on information technology;
(d) shall establish and enforce a state strategic information technology plan as provided for in 2-17-521;
(e) shall establish and enforce statewide information technology policies and standards;
(f) shall review and approve state agency information technology plans provided for in 2-17-523;
(g) shall coordinate with the office of budget and program planning to evaluate budget requests that include information technology resources. The department shall make recommendations to the office of budget and program planning for the approval or disapproval of information technology budget requests, including an estimate of the useful life of the asset proposed for purchase and whether the amount should be expensed or capitalized, based on state accounting policy established by the department. An unfavorable recommendation must be based on a determination that the request is not provided for in the approved agency information technology plan provided for in 2-17-523.
(h) shall staff the information technology board provided for in 2-15-1021;
(i) shall fund the administrative costs of the information technology board provided for in 2-15-1021;
(j) shall review the use of information technology resources for all state agencies;
(k) shall review and approve state agency specifications and procurement methods for the acquisition of information technology resources;
(l) shall review, approve, and sign all state agency contracts and shall review and approve other formal agreements for information technology resources provided by the private sector and other government entities;
(m) shall operate and maintain a central computer center for the use of state government, political subdivisions, and other participating entities under terms and conditions established by the department;
(n) shall operate and maintain a statewide telecommunications network for the use of state government, political subdivisions, and other participating entities under terms and conditions established by the department;
(o) shall ensure that the statewide telecommunications network is properly maintained. The department may establish a centralized maintenance program for the statewide telecommunications network.
(p) shall coordinate public safety communications on behalf of all state agencies as provided for in 2-17-541 through 2-17-543;
(q) shall manage the state 9-1-1 program as provided for in Title 10, chapter 4, part 3;
(r) shall provide electronic access to information and services of the state as provided for in 2-17-532;
(s) shall provide assistance to the legislature, the judiciary, the governor, and state agencies relative to state and interstate information technology matters;
(t) shall establish rates and other charges for services provided by the department;
(u) must accept federal funds granted by congress or by executive order and gifts, grants, and donations for any purpose of this section;
(v) shall dispose of personal property owned by it in a manner provided by law when, in the judgment of the department, the disposal best promotes the purposes for which the department is established;
(w) shall implement this part and all other laws for the use of information technology in state government;
(x) shall report to the appropriate interim committee on a regular basis and to the legislature as provided in 5-11-210 on the information technology activities of the department; and
(y) shall represent the state with public and private entities on matters of information technology;
(z) shall ensure that the position list required to be compiled under [section 1] is complete and current for each state agency; and
(aa) shall ensure that the criminal records checks required under [section 1] and the certifications required under [section 2] are performed and that appropriate authorized action under [section 3] is taken to secure the data and information technology resources of the state.
(2) If it is in the state's best interest, the department may contract with qualified private organizations, foundations, or individuals to carry out the purposes of this section.
(3) The director of the department shall appoint the chief information officer to assist in carrying out the department's information technology duties."
Section 6. Section 2-17-514, MCA, is amended to read:
"2-17-514. Department -- enforcement responsibilities. (1) If the department determines that an a state agency is not in compliance with the state strategic information technology plan provided for in 2-17-521, the agency information technology plan provided for in 2-17-523, or the statewide information technology policies and standards provided for in 2-17-512, the requirement for compilation of a list of positions as provided for in [section 1], the requirement for certifications in [section 2], or the recommendation and authorization provisions described in [section 3], the department may cancel or modify any contract, project, or activity that is not in compliance.
(2) Prior to taking action provided for in subsection (1), the department shall review with the board any activities that are not in compliance.
(3) Any contract entered into by an a state agency that includes information technology resources must include language developed by the department that references the department's enforcement responsibilities provided for in subsection (1). A contract that does not contain the required language is considered to be in violation of state law and is voidable pursuant to subsection (1). The language developed by the department may not be varied pursuant to 18-4-224."
Section 7. Section 2-17-516, MCA, is amended to read:
"2-17-516. Exemptions -- university system -- office of public instruction -- national guard. (1) Unless the proposed activities would detrimentally affect the operation of the central computer center or the statewide telecommunications network, the office of public instruction is exempt from 2-17-512(1)(k) and (1)(l).
(2) Unless the proposed activities would detrimentally affect the operation of the central computer center or the statewide telecommunications network, the university system is exempt from:
(a) the enforcement provisions of 2-17-512(1)(d), and (1)(e), and (1)(aa) and 2-17-514;
(b) the approval provisions of 2-17-512(1)(f), 2-17-523, and 2-17-527;
(c) the budget approval provisions of 2-17-512(1)(g);
(d) the provisions of 2-17-512(1)(k) and (1)(l); and
(e) the transfer provisions of 2-17-531.
(3) The department, upon notification of proposed activities by the university system or the office of public instruction, shall determine if the central computer center or the statewide telecommunications network would be detrimentally affected by the proposed activity.
(4) For purposes of this section, a proposed activity affects the operation of the central computer center or the statewide telecommunications network if it detrimentally affects the processing workload, reliability, cost of providing service, or support service requirements of the central computer center or the statewide telecommunications network.
(5) When reviewing proposed activities of the university system, the department shall consider and make reasonable allowances for the unique educational needs and characteristics and the welfare of the university system as determined by the board of regents.
(6) When reviewing proposed activities of the office of public instruction, the department shall consider and make reasonable allowances for the unique educational needs and characteristics of the office of public instruction to communicate and share data with school districts.
(7) Section 2-17-512(1)(u) may not be construed to prohibit the university system from accepting federal funds or gifts, grants, or donations related to information technology or telecommunications.
(8) The national guard, as defined in 10-1-101(3), is exempt from 2-17-512."
Section 8. Section 2-17-534, MCA, is amended to read:
"2-17-534. Security responsibilities of department. The department is responsible for providing centralized management and coordination of state policies for security of data and information technology resources and shall:
(1) establish and maintain the minimum security standards and policies to implement 2-15-114, including the physical security of the central computer center, statewide telecommunications network, and backup facilities consistent with these standards;
(2) establish guidelines to assist agencies in identifying information technology personnel occupying positions of special trust or responsibility or sensitive locations, including the positions described in [section 1];
(3) establish standards and policies for the exchange of data between any agency information technology resource and any other state agency, private entity, or public entity to ensure that exchanges do not jeopardize data security and confidentiality;
(4) coordinate and provide for a training program regarding security of data and information technology resources to serve governmental technical and managerial needs;
(5) include appropriate security requirements in the specifications for solicitation of state contracts for procuring data and information technology resources; and
(6) develop policies and procedures to effectively administer the review required and the actions authorized under [section 3]; and
(6)(7) upon request, provide technical and managerial assistance relating to information technology security."
Section 9. Section 3-2-605, MCA, is amended to read:
"3-2-605. Responsibilities of supreme court for security of data and information. The supreme court is responsible for ensuring an adequate level of security for data and information technology resources, as the terms are defined in 2-15-102, within the judicial branch. In carrying out this responsibility, the supreme court shall, at a minimum:
(1) address the responsibilities prescribed in 2-15-114 and [sections 1 through 3]; and
(2) develop written minimum standards and guidelines for the judicial branch to follow in developing its security program."
Section 10. Section 5-11-105, MCA, is amended to read:
"5-11-105. Powers and duties of council. (1) The legislative council shall:
(a) employ and, in accordance with the rules for classification and pay established as provided in this section, set the salary of an executive director of the legislative services division, who serves at the pleasure of and is responsible to the legislative council;
(b) with the concurrence of the legislative audit committee and the legislative finance committee, adopt rules for classification and pay of legislative branch employees, other than those of the office of consumer counsel;
(c) with the concurrence of the legislative audit committee and the legislative finance committee, adopt rules governing personnel management of branch employees, other than those of the office of consumer counsel;
(d) adopt procedures to administer legislator claims for reimbursements authorized by law for interim activity;
(e) establish time schedules and deadlines for the interim committees of the legislature, including dates for requesting bills and completing interim work;
(f) review proposed legislation for agencies or entities that are not assigned to an interim committee, as provided in 5-5-223 through 5-5-228, or to the environmental quality council, as provided in 75-1-324; and
(g) ensure compliance by the legislative branch with [sections 1 through 3]; and
(g)(h) perform other duties assigned by law.
(2) If a question of statewide importance arises when the legislature is not in session and a legislative interim committee has not been assigned to consider the question, the legislative council shall assign the question to an appropriate interim committee, as provided in 5-5-202, or to the appropriate statutorily created committee."
Section 11. Section 5-11-112, MCA, is amended to read:
"5-11-112. Functional organization and responsibilities. (1) The legislative council may establish a functional organization within the legislative services division in order to effectively and efficiently carry out all of the responsibilities delegated to the division by law or legislative rule. The responsibilities of the legislative services division include the following:
(a) document services:
(i) bill drafting and preparation for introduction;
(ii) engrossing and enrolling;
(iii) distribution of legislative bills and information;
(iv) coordination of legislative printing; and
(v) publication of legislative records;
(b) research and reference services:
(i) general and specialized legislative research; and
(ii) legislative reference and information;
(c) legal services:
(i) legal review of draft bills;
(ii) legal counseling on legislative matters;
(iii) legal support for consolidated entities; and
(iv) support for the functions of the code commissioner provided in 1-11-201;
(d) committee services:
(i) research, legal, and administrative staff support for consolidated committees as assigned, including support for interim committees organized under Title 5, chapter 5, part 2; and
(ii) research and legal support for legislative standing and select committees;
(e) broadcasting services, in accordance with Title 5, chapter 11, part 11;
(f) management and business services:
(i) financial records;
(ii) claims and payrolls;
(iii) coordination of procurement of printing, supplies, and equipment; and
(iv) maintenance of property inventories;
(g) personnel and administrative services:
(i) rules for classification and pay; and
(ii) personnel and administrative policies; and
(h) information technology services:
(i) legislative branch network support services;
(ii) application support and development;
(iii) communications support and coordination; and
(iv) information technology planning; and
(v) data and information technology resources security planning, including the position list required in [section 1].
(2) The responsibilities of the legislative services division must be fulfilled collaboratively with consolidated entities whenever the efficient operation of the legislative branch is served."
Section 12. Section 20-25-301, MCA, is amended to read:
"20-25-301. Regents' powers and duties. The board of regents of higher education shall serve as regents of the Montana university system, shall use and adopt this style in all its dealings with the university system, and:
(1) must have has general control and supervision of the units of the Montana university system, which is considered for all purposes one university;
(2) shall adopt rules for its own government that are consistent with the constitution and the laws of the state and that are proper and necessary for the execution of the powers and duties conferred upon it by law;
(3) shall provide, subject to the laws of the state, rules for the government of the system;
(4) shall grant diplomas and degrees to the graduates of the system upon the recommendation of the faculties and have discretion to confer honorary degrees upon persons other than graduates upon the recommendation of the faculty of the institutions;
(5) shall keep a record of its proceedings;
(6) must have, when has, if not otherwise provided by law, control of all books, records, buildings, grounds, and other property of the system;
(7) must receive from the board of land commissioners, from other boards or persons, or from the government of the United States all funds, income, and other property that the system may be entitled to and use and appropriate the property for the specific purpose of the grant or donation;
(8) must have has general control of all receipts and disbursements of the system;
(9) shall appoint a president or chancellor and faculty for each of the institutions of the system, appoint any other necessary officers, agents, and employees, and fix their compensation;
(10) shall confer upon the executive board of each of the units of the system authority that may be considered expedient relating to immediate control and management, other than authority relating to financial matters or the selection of the teachers, employees, and faculty;
(11) shall confer, at the regents' discretion, upon the president and faculty of each of the units of the system for the best interest of the unit authority relating to the immediate control and management, other than financial, and the selection of teachers and employees;
(12) shall prevent unnecessary duplication of courses at the units of the system;
(13) shall appoint a certified professional geologist or registered mining engineer as the director of the Montana state bureau of mines and geology, who is the state geologist, and appoint any other necessary assistants and employees and fix their compensation;
(14) shall supervise and control the agricultural experiment station, along with any executive or subordinate board or authority that may be appointed by the governor with the advice and consent of the regents;
(15) shall adopt a seal bearing on its face the words "Montana university system", which must be affixed to all diplomas and all other papers, instruments, or documents that may require it;
(16) shall ensure an adequate level of security for data and information technology resources, as the terms are defined in 2-15-102, within the state university system. In carrying out this responsibility, the board of regents shall, at a minimum, address the responsibilities prescribed in 2-15-114 and [sections 1 through 3].
(17) shall offer courses in vocational-technical education of a type and in a manner considered necessary or practical by the regents."
NEW SECTION. Section 13. Codification instruction. [Sections 1 through 3] are intended to be codified as an integral part of Title 2, chapter 17, part 5, and the provisions of Title 2, chapter 17, part 5, apply to [sections 1 through 3].
NEW SECTION. Section 14. Effective date -- applicability. [This act] is effective on passage and approval and applies October 1, 2005.
- END -
Latest Version of SB 148 (SB0148.01)
Processed for the Web on December 22, 2004 (4:45pm)
New language in a bill appears underlined, deleted material appears stricken.
Sponsor names are handwritten on introduced bills, hence do not appear on the bill until it is reprinted.
See the status of this bill for the bill's primary sponsor.
Status of this Bill | 2005 Legislature | Leg. Branch Home
This bill in WP 5.1 | All versions of all bills (WP 5.1 format)
Authorized print version w/line numbers (PDF format)
[ NEW SEARCH ]
Prepared by Montana Legislative Services
(406) 444-3064