SB426 HJUD AM. #1 3-6

Casto 3264

The Committee on the Judiciary moved to amend the bill by striking out everything after the enacting clause and inserting in lieu thereof the following:

 

ARTICLE 6B. CYBER SECURITY PROGRAM.

§5A-6B-4a. High-risk platforms, services, applications, programs, and products.

 

(a) The Legislature hereby finds and declares that it is in the best interest of the citizens of West Virginia and to national security to enact measures designed to safeguard against untrustworthy and high-risk technology and to block such technology from interfering with or damaging critical state networks and infrastructure, including election systems. The use of certain information and communication technologies and services can create opportunities for hostile actors to exploit vulnerabilities and take adverse action against the United States or allies, which could directly or indirectly affect the safety and security of West Virginia citizens, and such use also creates opportunities for adversaries to exploit vulnerabilities and take adverse action against state or local government networks and infrastructure within or connected to West Virginia. As the threat landscape evolves, West Virginia shall work in cooperation with the federal government to implement appropriate safeguards to defend government networks in West Virginia and in the United States from foreign technology threats.

(b) Notwithstanding the provision of §5A-6B-1(b) of this code, all state agencies, including without limitation agencies within the executive branch, all constitutional officers, local government entities as defined by §7-1-1 or §8-1-2 of this code, county boards of education as defined by §18-1-1 of this code, and all state institutions of higher education as defined by §18B-1-2 of this code, shall enforce statewide standards developed by the Chief Information Security Officer regarding high-risk technology platforms, services, applications, programs, or products. Additionally, all government entities subject to this subsection must, consistent with those standards and any other applicable state or federal law, restrict, remove, ban or otherwise block access to high-risk technology platforms, services, applications, programs, or products on all government systems, services, networks, devices, or locations. For purposes of this subsection, high-risk technology platforms, services, applications, programs, or products are those designated as such in the Statewide Cybersecurity Standard published and maintained by the Chief Information Security Officer: Provided, That any standards developed by the Chief Information Security Officer regarding high-risk technology platforms, services, applications, programs, or products shall contain exceptions permitting, in appropriate circumstances, the use of those platforms, services, applications, programs, or products for law enforcement activities, national security interests and activities, security research, investigative efforts authorized by this code, and for other purposes related to actual or potential litigation involving the state or one of its agencies or officers: Provided, however, that the Chief Information Security Officer shall develop standards and requirements designed to mitigate the risk of any such authorized use of a high-risk platform, service, application, program, or product pursuant to the exceptions set forth in this section: Provided, further that law enforcement agencies of the state are hereby exempt from the provisions of this section if such use of high-risk technology platforms, services, applications, programs, or products is necessary in the performance of their duties.

(c) Agencies within the legislative and judicial branches are recommended to consult these statewide standards developed by the Chief Information Security Officer regarding high-risk technology platforms, services, applications, programs, or products as part of their best management practices.

(d) The Secretary of the Department of Administration may propose rules for legislative approval in accordance with the provisions of §29A-3-1 et seq. of this code and may also promulgate emergency rules pursuant to the provisions of §29A-3-15 of this code when necessary to facilitate

(1) completion of the duties imposed on the Chief Information Security Officer by this section, and

(2) enforcement of the standards referenced in this section.

(e) The Chief Information Security Officer will provide an annual report by June 1 of each year on threats posed by untrustworthy and high-risk platforms, services, applications, programs, or products, and the actions required to mitigate those threats to the Joint Interim Committee on Government Operations.

 

Adopted

Rejected