April 23, 2026 · Technology Committee · 8,627 words · 8 speakers · 108 segments
JTC will come to order. Ms. Falco, will you please call the roll?
Senators and Representatives Baisley. Excused. Excused.
Kelty. Here.
Pascal. Here.
Rodriguez. Excused.
Tatone. Here.
Chair Mergeman. Here. Okay. We have a number of things to get through today. We're going to start with our statewide internet portal authority. So would you like to begin?
Yes. Thank you, Madam Speaker.
Thank you.
Sorry, Madam Chair. Well, I'm projecting. I'm projecting.
I wouldn't want that job, but thank you.
Madam Vice Chair, members of the Joint Technology Committee, I would first like to introduce a couple of really important people this morning. First, at the table with me is SIPA's COO, Dr. Catherine Kuntz. Catherine is all things SIPA and has been here for now 13 years. And on my left here is our newest superstar and our newly minted CTO, John Sabre. John has been here for three weeks. Three weeks and 13 years on either side of me. And he's already making an incredible impact, and we're really excited to have him and his technology mind joining our small yet, hopefully, mighty, you will think, organization. And just behind me here is Kara Volheim. Kara is Mrs. Kara Volheim, not Kara Finch anymore, which I'm still getting used to, but I'm doing a lot better, I think. So we've got the three of us, the four of us here, and a lot of others listening remotely. So I have quite a few slides, but I promise it won't take too long. I will get through them, and if you need to stop me, please do at any time. Next slide, please. So before I get into anything, I just wanted to tell a quick story about arriving in Denver. When I arrived in Denver, I came as an analyst at Janus Capital Group over at Cherry Creek, working for Tom Bailey. When I arrived, well, a year after I arrived, Janus had about $300 billion of assets under management in 2000. So it was a pretty big company. I remember looking outside my window and seeing people with checks and applications standing in line to give us money. I couldn't believe what was going on. But what stands out to me most about that experience is what my boss said to me. And it resonated with me because I've held it my entire career. And what he said was, Ajay, this is a moment. And I asked him about this, so this is verbatim. Ajay, this is a moment in time. Seize it. They don't come around often, if but once in your life. It's this whole operation. It's the team that makes the difference.
We're all here because we believe in each other and what we do. I was 25 when he said that. I had no idea what he was talking about. And eventually everybody sort of departed, had great careers, worked in different places, abroad, everywhere, management consulting, and I came back to Denver. And I saw him again 15 years later, and I told him I finally understood what he meant. At Janus, we were so uniquely positioned to capture a market opportunity that no one was positioned for. By the time most entrants got into tech stocks, the rally was over and the recession had begun. Being late is a killer in the investment management world. This haunted me. Despite all the work that I had done, that I thoroughly enjoyed, it never really measured up to those early days at Janus. Again, my apologies for this story, but I assure you the numbers, the words, and the flashy images will make you very, very proud. But what you, our board, the governments of Colorado, and our residents should be proud of is this amazing SIPA team. Not me, this team, some of whom are here today and, again, some of whom are cheering us on. This is an organization of we. There is nothing we cannot do. There is no customer we will not give everything we have to. There is no obstacle we cannot overcome, and there is no shortage of good that we can do in this state. That comes from a strong desire to work together and serve. It is currency that you cannot pay. It is togetherness you cannot rebuild. It is success you cannot replicate without the right people and our collective vision. It's how we come to work every day, thinking about the over 1,100 governments and customers we serve and the private partnerships that connect them to about every technology service they could ask for. We've had virtually no attrition in the last five years, and when we have an opening, virtually everyone is involved in bringing our next star in. Ask John.
Every climber knows so much of the work to reach a summit is in preparing for the climb itself. The team is prepared and has just started climbing. That's the good news. And with your help and trust in our capabilities, we will all reach the summit with smiles on our faces. As my boss so succinctly and correctly put it, it's this whole operation, it's the team that makes the difference. We are here because we believe in each other and what we do. So I'm happy to report that I believe I have found my second precious moment in time. So thank you for allowing me to say that, and away we go. Okay, next slide, please. You can see, right. Okay, I'll say the most important thing on this slide to start. We are not asking for any money. We serve state and local governments, special districts, K-12 public education, and public colleges and universities. Next slide. And again, SIPA mission, vision, purpose. Many of you have seen a lot of this before, but at the core of this is we are government serving governments to provide efficient and effective services for residents, transform public service delivery, and to improve the quality of life in Colorado by connecting the public to tech services, enabling governments to focus on their core missions. Not to go back to the opening soliloquy, but it's this whole team and my board that provides the foundational trust in our efforts. It's amazing to see a few familiar faces on this slide today. I'd like to acknowledge Representative Paschal, Senator Baisley, and also Senator Weinberg, who is not here, and of course Representative Titone, who is no longer on our board but has been instrumental to our success in the past five years. Thank you for your unflinching support of our mission. Without their belief in SIPA and the freedom to execute our mission, none of this is possible. We're committed to ensuring everyone has the same customer service experience online, regardless of location or any other characterization. How do we do it?
Through our three towers. The first is digital government services, which is our traditional portal. We have professional services and licensing, which is all of our technology portfolio. And all of this leads to our burgeoning grant program, which you'll hear about shortly. We call this ultimately the virtuous cycle. As I mentioned, we work with 1,100 governments plus across the state, literally across every corner of the state. 46 state agencies, 60 counties, 223 municipalities, 17 higher education institutions, 81 school districts, 295 metro districts, 610 other special districts, and 32 others, which you will see in the next slide. This chart, this pie chart roughly, from a color standpoint, roughly equates to the colors on the dots in the other chart. But please don't audit that. We are geographically diverse across governments as well as geography. So through our partnership with Tyler Technologies, we've gathered some statistics that we think are important. Today, we are co-managing or helping with Tyler hosting 512 websites, 520 engagement builder forms, 1,207 payment applications, 19 custom applications. Annually there are 140 million users to Colorado.gov, almost half of which come in from a mobile device. 19,685 resident and customer support inquiries were addressed in 2025, all on the back of almost 10 million transactions and $4 billion collected for governments annually. Next slide, please. Excuse me. Accessibility is one of our crowning achievements in the past fiscal year. Our sites received a 96% accessibility score by Web Almanac, ranking Colorado first in the country. I cannot thank OIT enough and the TAP team for their partnership and relentless pursuit of this constant goal. We always say internally, success in accessibility cannot truly be measured in a point in time. It's constantly evolving, and we must constantly stay in front of it. The platform is significantly more accessible than it was a year ago. 
A total of 47 platform accessibility issues were successfully remediated in 2025 with six software releases. Governments are increasingly turning to SIPA for accessibility support, and we are happy to help provide subject matter expertise to government customers. We've started an internal accessibility program with website reviews and employee trainings to ensure our knowledge of accessibility is strong. And to advance accessibility on colorado.gov, in 2025, SIPA formed the CMS Accessibility Steering Committee to prioritize and triage issues, conduct acceptance testing, and monitor platform health. It's comprised of 10 to 15 members of state and local government and includes release testers who are technical experts. In March of 2026, our digital accessibility specialist, Josh Schroeder, formed a local government accessibility user group with almost 118 individuals. It's a collaborative effort with Aurora Public Schools, the City of Colorado Springs, and OIT's TAP team. We could not be more excited to be in and lead many of these partnerships, and again, it's constant work that I'm confident we have the right people doing. Okay, next slide. The benefits of contracting with SIPA, simply put: we accelerate the procurement process for all governments. SIPA negotiates master contracts with suppliers, many selected via competitive procurement and screened through our careful screening process. So that includes terms and conditions, pricing, security standards, insurance requirements, accessibility compliance. Next, all the government needs to do is execute an EGE, which is an eligible governmental entity agreement, an intergovernmental agreement with SIPA. And our statute satisfies most procurement rules and requirements. So the key here, in my view, is instead of the money being pocketed towards earnings per share or profit, as some of the other options do, any margin SIPA retains supports government. It never leaves the loop and ultimately recycles as grant funding.
This is a message I love, this is a message we carry really strongly internally, and I hope all of you can carry it for us as well. When we talk about almost all technology services, it extends beyond technology services into many different resources. So these are some of the areas of focus. And to the next slide, this is what it actually looks like. I'm sorry for the eye chart. But what it looks like on our website, this is our service page where you can go find services and suppliers that you may be able to partner with to solve your issues. If you fill out, if you can see maybe slightly on the top left, it's a service request form. Someone will always get back to you within 48 hours and at least start the process of connecting you with a really, really well-vetted and really strong supplier for the specific solution that you're looking for. This is SIPA's supplier portfolio as it stands today. There are 42, if you want a count of all of those. And since January 1st, we've added 17 new suppliers because our customers have advocated for some of these companies and encouraged them to apply to become a SIPA supplier. They've specifically filled niches within our portfolio that are not filled. So when I think about portfolios, thinking about the background that I just presented, I think about this as an investment portfolio in some ways, because along every slice of the pie within the coverage area that we have, there's a value chain and various price points required for local governments that may not have the budgets that the state governments do. And so what's important to us is that we are looking at all the price points, all the service offerings, and also looking at whether or not a state agency can anchor-tenant some projects or some solutions so that we can replicate those solutions for local government usage.
So I think this is an incredible portfolio, but really what's more incredible is connecting them with solutions for our customers and driving down costs, because we have competition as well. Next slide, please. Okay, I'm really proud of this chart. This is what we're all about. In the past fiscal year, we've experienced a 20% lift in quotes and contracts in one single fiscal year. Since 2021, quotes have increased by 125%. Contracts have increased by 112%. And I just learned earlier, I asked for our 2020 governments served number. We are serving 60% more governments than we were in 2020, in the last five-ish years. And most importantly is this green line along the top on that Z-axis, which is impossible to read, I'm sorry. That's our customer satisfaction scores. So as we've been increasing in volume, we have increased and held our customer satisfaction at 92%. That is pretty hard to do, and I think demonstrates a really strong, unwavering commitment to our customers. For the sake of time, I'm going to allow you to read most of the details in this slide. But quickly, we're connected with CASE, which is the Colorado Association of School Executives, and they identified a challenge with us about vetting educational software, which includes accessibility, security, and privacy compliance. SIPA supported the launch of a collaborative, connective platform. So now districts have eliminated redundant vetting and can piggyback on completed agreements, which particularly benefits smaller districts. And you can see the profound results of this pilot in green. In just one year, CASE estimates that this platform has saved thousands of hours already, allowing IT staff to focus on technology that directly impacts student educational outcomes. Okay, grant programs. We have two fully functioning grant programs in flight today. The first is our micro-grant program, which has been around since 2010. They're specifically designed for technology projects expected to cost less than $10,000.
The second is our newest program, the SIPA GovGrants program, which is for projects over $25,000. Since 2010, the microgrant program has delivered over $2.3 million in funding, and the GovGrants program has delivered over $30 million in funding since 2024. Not on here is an additional grant program we created last fiscal year, specifically for accessibility, that we called our Accessibility Grant Program. We delivered nearly 4,000 licenses to over 300 governments to support their accessibility compliance. That program accounted for about a million dollars. Next slide, please. So GovGrants highlights. We ran two cycles of SIPA GovGrants for spring and fall of 2025. To date, the program has awarded more than 80 grants, from the smallest special districts to the largest statewide agencies. Awards in the program's first three cohorts will reinvest more than $30 million back into Colorado governments. SIPA collaborates with each recipient to develop ambitious outcome metrics. We want this funding to create impact. Here are a few examples of the kinds of things that people are getting grants for and the kind of impact that it's having. So Colorado Springs and Pikes Peak Regional OEM implemented a powerful new tool for advanced evacuation planning, utilizing a digital twin of the Colorado Springs region and El Paso County to model likely traffic flows in an emergency and simulate evacuation scenarios. This tool helps planners optimize evacuation routes, reduce evacuation times, and improve overall emergency response outcomes. This was about $96,000. Longmont started a new unified digital identity approach that will enable residents to access all of their city's accounts with a single sign-on, which is significantly simplifying the digital user experience and reducing friction for accessing digital government services. That's $396,000. And CDLE piloted a generative AI chatbot solution to help individuals with disabilities better navigate their benefits and workforce needs.
Based on the results of that successful pilot, CDLE has now been funded to scale the effort to a fully featured deployment, about $326,500. I'm going to move through these next ones pretty quickly. Please let me know if you have any questions. The program has matured in its second year, and here are some of the ways in which it has. Our GovGrants Committee is comprised of SIPA board members and is instrumental in providing grant recommendations as well as direction for the future, as identified in this slide here. So how does it all come together? Well, 74 governments have received grants from SIPA since 2021. As you can see, as you did see and through this graph, we are fairly diverse in everything that we do, as well as in grant distribution. The more applications we receive, the more diverse this will get. So this last round, just incidentally, which is not part of this, but we have the largest number of applications ever and the largest number of dollars requested. This is exactly what we want. We want to be able to select from the best applications that we can. So we don't just do things online, we host events as well. And SIPA events engage participants alongside government peers and seasoned experts focused on critical topics in a collaborative and learning environment to foster positive change within government communities and organizations. We do this through three specific ways. One of them is online. It's Webinar Wednesdays. It's a more in-depth presentation of our suppliers and the services they offer that can be obtained through SIPA. Typically, we hold these about one to two times a month, May through September. Regional workshops, which we're really proud of, focus on critical topics that matter most to attendees. And of course, our annual user conference, which is a full day of technology trends, use cases, and professional development. This user conference last year was the largest one we've ever held, with over 500 attendees.
It was at Empower Field this past September. It was highlighted by our keynote speaker, Bronco legend Terrell Davis. If you have not heard Mr. Davis speak about his journey, it is captivating, and it really touched our crowd. We were delighted to host him this year in probably the best venue you could. Thank you. If you have not been to one of our events, and I know that Senator Baisley has, and Representative Paschal was there, I really appreciate you, and Representative Titone in the past, you've been there, and I really appreciate that. It is an amazing experience, and it really, really, really focuses and gives you a great knowledge base of the myriad technology challenges and solutions that our governments are looking for and face every day. Regional workshops. We've talked about this before. We have a couple coming up. April 29th, 30th, May 15th. It's nonstop. This is another important geographic and topic diverse event. And the one thing that we've committed to do that's, and you can read what it's all about here, but the special add that we've created was we want local governments to not feel intimidated by the application process to apply for funding. So we've added to our agenda at least a section related to how to apply for a GovGrant. Who has applied for GovGrants that are similar to you? What kinds of things are they looking to solution? And so we have had some pretty good success. We've had one of these spots in our regional workshops, and people are starting to really understand this isn't, you know, I'm not locked out of this. I don't need to be a grant writer to actually get funding. So I think this is a really big advancement, and being able to do it in person and then have people champion it in the region I think has gone a very, very long way. And also I think our just ability to get it out even before doing this in public routinely has increased our application pool significantly. And here's who's in that precious moment with me.
The best team of 18, yeah, 18 people do all of this work, that I hope you'll ever meet, with four of us here today. So in summary, SIPA serves over 1,100 governments across the state with the same degree of care. We are government serving government. We're not requesting funding. We're committed to delivering funding. We provide resources to governments in all areas of technology. We're committed to successful, measurable technology outcomes. And hopefully, we're coming to a region near you soon. And that's it. Thank you so much for your time, focus, and continued support of SIPA, and I'd be happy to answer any questions that you may have.
I appreciate that so much and congratulations on all your work. It's nice to meet you and we do need to hurry. So I'm really happy to, I'm going to recognize Rep. Paschal and then Vice Chair Titone. We need to get moving to introduce our bills. Rep. Paschal.
Thank you, Madam Chair. I just wanted to make a quick comment and say that I have seen that program that the El Paso County Emergency Management put in place for traffic evacuation analysis, and it's fantastic. And I really appreciate that you guys were able to help deliver that to my county. It's really a positive contribution. Thank you.
And Vice Chair Titone.
Thank you, Madam Chair. I mean, you know, always a good report. I love seeing the growth and more funding and opportunities given out to people. People are aware of your services now, and that's really good, and now they're coming for it, and there was a slow burn there. I was just wondering, I mean, State Internet Portal Authority doesn't seem like an appropriate name to describe what you do. I don't know if there's something you need to maybe think about, a rebrand in the future, but I don't know. I don't want to put that on your plate right now. Got any ideas?
Director Baga, we will think about it.
And in the meantime, would you please include the entire Joint Technology Committee on invitations to your user conference and other things? And if we can make it, we'd really like to.
Absolutely.
Wonderful. Well, seeing no other questions at this time, we're going to go ahead and release you guys.
Thank you so much for being here today. Thanks for all your work. Thank you all so much. Thank you. Take care.
Okay. We have three bills in front of us that we need to discuss. Let's pull up the CDLE bill first. It is, yes, Nicole Myers, our drafter, is here.
The bill is called Concerning Updates to the Workers' Compensation Act of Colorado, Necessitated by Technology Updates. Ms. Myers, do you mind telling us about this bill briefly?
Thank you, Madam Chair and Committee. Good morning. I'm Nicole Myers with the Office of Legislative Legal Services. Sir? Okay. All right. Nicole Myers with the Office of Legislative Legal Services. I am actually filling in for Ms. Berman this morning, who is the bill drafter, who was unable to be here today. So this bill was brought to you by CDLE. The bill makes various updates to language in the Workers' Compensation Act of Colorado to align with technology changes in the Division of Workers' Compensation in the Department of Labor and Employment. These updates include changing current statutory language requiring mailing of documents to allow for electronic mailing or filing of those documents. And I believe CDLE is here if you have questions.
Very good. It feels like a thick pack of bill for not a ton of change, but I think I'm understanding this is making a number of changes, but allowing free electronic over just mailing. So thank you so much. You're doing an amazing job filling in for everybody, because I know you took on at least two drafts just from our committee. So thank you, Ms. Myers. Ms. Falco, do we just need to, do you have questions? Do we just need to vote on whether or not to introduce the bill? Is that what we're doing?
If we're up to whoever wants to move it, we'll just move that we introduce and then the bill may. The draft.
Okay. Very good.
Vice Chair Titone. Thank you, Madam Chair. I move to the committee, move to introduce LLS number 26-0998, concerning updates to the Workers' Compensation Act of Colorado, necessitated by technology updates.
And that's a proper motion.
Ms. Falco, will you please poll the committee? Representatives and Senators, Baisley.
Aye. Kelty.
Yes.
Paschal. Yes.
Rodriguez.
Aye. Titone.
Yes.
Madam Chair. And aye.
So that passes. So now, magically, the bill is going to be introduced. Is that correct? Ms. Falco? We decide the chamber and who will sponsor it.
Okay, beautiful. Preference.
Who wants this? Great. We're going to start it in the House. Sorry, no. Do you have a preference?
Yes. Thank you, Madam Chair. No, I don't have a preference. I just wanted to mention that whichever chamber you start in, you will need to get delayed bill permission,
if that is something that you want to take into consideration.
I think we're going to start in the Senate. You'll give us delayed, because maybe you'll give us delayed bill. Oh, Lord, we are giving a lot of power to our amazing JTC member, also the majority leader. I haven't had any conversations, honestly, with House leadership, so I'm okay. So that is interesting, and it could kind of, let's start all of them in the Senate and we'll see where we go from there. So for this, let's start it in the Senate.
Senator Baisley
will you join me?
yeah me too
Yeah, she just said we have to have late bill status for this. It's good times. It's good times. So Senator Baisley and myself. No, we're going to pick two. Senator Baisley and I. And who in the House?
Rep. Kelty and Rep. Titone.
Very good. Look at us. We are moving. All right. Let's go to Nicole.
I'm sorry, Ms. Myers. Thank you, Madam Chair. You can call me Nicole. I just wanted to check, before we move on, if the other members on the committee would like to be co-sponsors. Yes, Rep. Paschal would like to be a co-sponsor, Senator Rodriguez.
Yeah, oh yeah, we're all in. What's that? Me and Baisley.
Is that good for that one? Okay, we have a bit of a plan on that. Let's move to the bill that actually has Ms. Myers' name on it,
which is LLS 0979, concerning measures to enhance the Office of Information Technology's security procedures. Let's take a little walk through the bill. The first section is, so what this was is we combined what were bills one and three, which was the audit components and the OIT security kind of measures that we had discussed, just to kind of save on numbers of bills and to try to be a bit more efficient. So in doing so, if you look at Section 1, the very first thing it says is we may call the CISO to testify before us and submit a report. And then the next provision says within 90 days after that, we may formally request the state auditor conduct an IT security audit. And I want to be really clear about this. What the auditor has been doing is a process type of audit. What this would do would be like hiring a third-party cybersecurity company to go and say, oh, OIT said that they were going to do this, and this third party can go and verify. So it's a trust, but verify. It's not required every time; we would make the decision. I put this in here because I felt like with the audit and then the audit coming again that we might want to have an opportunity to say, okay, they said they got this done, but did they get it done? So it's a bit of an accountability measure. So I'm on page 3, line 14. So if you keep going, A says that, yeah, you can trigger, you can do this if it's been remediated and resolved, if there's a material discrepancy. There's been a request from the department to perhaps define material discrepancy, so I just want to highlight that. I will share those notes as well. And then if you turn the page, we can go to section 15, not section, but subsection 15. It says, if a majority of the committee votes to request an audit, the auditor shall do it. They can contract. The reimbursement must be paid from the TRPR fund. And that's that part. I'm going to stop there. Are we all okay so far on this?
I have received some feedback that, and I've made a couple of changes here, but I have received a little bit of feedback that there is concern that maybe we're going to get crazy with audits. And we don't want to do that because, one, we can't afford it, and, two, that's not really our intention, I would say. So I just want to throw in here, there's been conversation about maybe capping this, maybe adding a little bit of qualifying language to make sure we're not just opening up ourselves to, any time this committee wants to, we can say, now you have to do an audit and OIT has to pay. Because that's not really our intention, right? And I think that is too much of a growth. So I just share that because it's still a little bit of a conversation we need to have. But just kind of a flag there. So that's section one of the bill. Let's go to section two. Section two is around this whole idea of a list of active IT vendor contracts. And this has not necessarily been well received by the department. They don't really want to make this list, because it'll cost a lot and it feels more like an exercise than something meaningful. And I just want to highlight why this section's in the bill so that we can maybe have a conversation about where we go from here. But the reason this is in the bill is because the CISO is statutorily responsible for vendor security compliance. OIT cannot exercise that responsibility over vendors it does not enumerate. The JTC was told that every agency has contracts for IT, but that's not a registry. It's evidence that one does not exist. So what we were trying to do is create a foundational data infrastructure for vendor oversight. We don't need to know, but we need you to know what's going on with our vendors. I also had included originally, and I'll send all this to you, but a 30-day agency reporting requirement that if they come into place,
if they come into contact with a new contract, that they have to provide it because that was feedback I got from the department. But the registry should include the agency name, the vendor name, the contract matter, the value, start and end dates, the name of the CISO-designated compliance contact, and the date of the most recent vendor security assessment conducted pursuant to the CISO's duties. So we're just looking for a list that says these are all of the IT security contracts and this was the last time they were updated. So that is what we're looking for. They have asked that we strike this from the bill. Rep. Paschal.
I was just going to point out that it doesn't look like the list you just read is the same as the list that's in the bill.
That's correct. And it's my mistake. I have more details to share with Ms. Myers. So, no, you're exactly right, and I've got this data. Rep. Kelty, I'd love to hear your voice.
Thank you. I'm just going to make sure. I was reading ahead, so I apologize. So you're saying on page 5, the list for the vendors, the name, contract, date of which contract expires, and all that, that's going to be struck?
The department has requested that.
I have a hard time with that.
So what we're going to do, I don't know that they've requested that it be struck. They want it to be different. And I think they understand what we're looking for, but they objected a bit to this. Would anyone in the department like to come up? All right. Is it okay if we're going to have Ms. Thunberg come and join us? Maybe you can explain. I'm not trying to put words in your mouth. So we've got Director Thunberg and Director Frazier. Director Thunberg.
Thank you so much, Madam Chair. We want to ensure that we are providing meaningful security risk assessment and associated data to the members. Our concern is that a list of contracts isn't the way to get there, because what we see in practice is that the contract itself contains light security language. And what we would prefer, rather than anchoring just on the contracts, is that then we also are enabled to do implementation assessments and associated things like penetration testing, like vulnerability assessments. So the reason is, what we see is that lots of times in the contract, it meets our security standards. And then the implementation is where things get bad. So we don't want to just be on the surface. We would like to be enabled and then provide to you a deeper, more meaningful risk assessment. So yes, happy to do the list of the contracts. And we ask that you ask us to do the deeper part also.
That's incredibly helpful. And see, that was a much better way of explaining it, because I wasn't trying to, I really appreciate what you said. So thank you. Rep. Kelty, thoughts?
So what you're saying is this information, but also in addition to you want to provide the further information. So it's going to include this, because I think part of it is to find out where all these contracts are, how many do we have, how many do we not need. Because remember, in the last conversation we had, we mentioned how there could be contracts out there that they're automatically being renewed and not even being used, could have been for years. So we want to make sure we can cut them out if we don't need them. So it includes that, correct?
Director Thunberg.
Correct. We would like the same thing. Our ask is that it's not just contracts but also subsequent implementation and product.
Fair enough. I want to move to the bottom of page 5, if you guys will stay put. It says on line 26 the office has publicly posted the standard on the office's website. This is where technology standards were changing and people weren't knowing about them, and so we're just trying to provide some visibility. But I did get some feedback that this could cause security issues. And so I want to understand how departments in the government that are subject to OIT security standards are to be updated, because that's what this was intending to do. Not to tell the bad guys where the weaknesses are, but more to communicate with departments about that. Toonberg? Director Toonberg? Sorry, I didn't mean to call you Toonberg.
Thank you, Madam Chair. You can call me Toonberg in a sport. We are in support of the public posting on the website. The ask is that in emergency situations, for example, a zero-day vulnerability, that we can, one, make that change and post to an internal portal that IT leadership and you have access to and perhaps have a 24-hour grace period if it is truly an emergency, which we'd need to define. But we don't want to post that publicly. So, in support, we want that tiny piece. Also, there was one other thing. 30 days.
Oh, cool. It's gone. Also, yep, that sounds great. Very good. So that's what Section 2 does. It's about the technology standards. Okay, Section 3. This is one of the things that we uncovered was related to delegation. And so this is where we added, except that the CISO shall not delegate a duty, responsibility, or power. So we want you in charge of all security, and that's just what this is, and we just want to be really clear about what is and is not okay to delegate. Awesome. Section four. In section four, if you look on page seven, we are going to start having annual written compliance reports. The compliance reports will have applicable safety security standards, open audit recommendations, and a timeline for remediation for each open recommendation. And that's the bill. At the bottom it says they can designate. If something, Dr. Frazier's not around, they can designate. Okay, so thoughts, feelings, Director Thunberg.
Thank you, Madam Chair. In addition to compliance, we would recommend risk assessment be added, so that you are inquiring about the risk assessment, the risk itself, not just compliance with policy. That's great.
We like that. We need more information. So that would be on page 7 where we're going to ask about compliance status, open recommendations, a timeline for remediation, and risk assessment because that's really what your job is. I mean, that's what you do on a regular basis. Okay. Very good. Are we ready to introduce this bill and send it, or what do we want to do here?
Senator Baisley. Thank you, Madam Chair. Do we need to have it end in a safety clause? There was a reason that we did that. I believe it was, let me see if I can find, I think it was a timing thing with what we're requiring.
Oh, it's for the audit. I don't think we're going to need an audit before August. Right? Like, I think it was because one of the components, we put triggers in place that we can, oh, and we removed that trigger. So there was a trigger in place that said we could vote to have an audit. And that's been removed until 90 days after they report November. So the answer to your question is, yes, we can make this a petition clause instead of a safety clause. Uh-oh, Ms. Myers, tell me.
Thank you, Madam Chair. Just one question. You have, so I put in on page 7, line 12, this is for the report. Okay. The information technology security compliance report. I added a date for the first report, but I'm not sure if that date, I think with a safety clause maybe we should push that date out a year. I don't know if that would give, well, I defer, but I don't know if that would give people enough time to comply.
Director Toonberg. Thank you, Madam Chair. I don't know the answer to that question. Give me just a second. But one other thought was instead of to ensure that moving forward the state's security posture is strong, rather than voting to request the audit, which we appreciate, and to make sure that people after us do the best work, maybe it's every two years a third-party security audit is required, and then you could trigger it also.
Also, sorry not to make this more complicated, but throwing that out there. Okay. Do you believe that you would be ready to share compliance this November if we were to do something like this? Is that not going to ruin your summer? Okay. Given that nod, we appreciate you. We would appreciate having some sort of a compliance and risk assessment report November. If it's not exactly what we're going to land on in the future, that's totally fine. But we would really appreciate that so that we can send this to voters if need be. I feel a little more comfortable with that too, if that's okay. So, all right, we're making that petition. Very good. I like your idea about the audit. I think it also puts a cap on the amount of money we could spend, perhaps, right? At least it makes it something. So that will be something that we'll have to negotiate with the Office of State Auditor. But it is something that we can certainly do. Okay. So. I'll move the bill. You've got a comment. Oh, sorry.
Rep Kelty, thank you. Thank you, Madam Chair. So I'm just, as long as I'm reading this correctly. So on page seven, this is basically they're submitting the report to us after the audit, or whatever recommendations or whatever was found, the findings that they found. In here it says they are to provide a timeline for remediation for each open recommendation made by the state auditor. In going through this, I don't see in here that they are providing what they're going to do about each finding. Like if they have a finding, what is the finding? What are they going to do about it? And if they can't do something about it, what is the mitigation? Like we can't do this update to the software because the software company themselves don't even have a – because sometimes they have to give a little grace because sometimes software companies drag their feet. I've seen them drag their feet sometimes a couple years. And so it's like it's not their fault. The software company themselves are not fixing whatever security hole is there. But what is the mitigation? What are you going to do about it? You know what I mean? Kind of thing. So instead of just the timeline, you're saying maybe a timeline, a strategy, and a mitigation plan for remediation?
Perfect. Is that something that, okay, I'm seeing nods. That is something that we could do. Amazing. And I do think that's important. Once we get out of this compliance stuff, we're really going to want to focus on risk assessment and where are we and what do we need to do. So this is all coming together very well. Vice Chair Titone.
All right. I move to introduce OLS 26-0979 concerning measures to enhance the Office of Information Technology Security Procedures.
Very good.
Ms. Falco, will you please pull the committee? Senators and Representatives. Baisley.
Aye.
Kelty.
Yes. Pascal.
Yes. Rodriguez.
Excused. Titone.
Yes. Madam Chair. Aye. Okay, so that one passes, 5-0. So we will introduce this bill. We're going to introduce in the Senate. Will you be my sponsor again? Okay, good. We're good on this one. This is going to be a Baisley and Marchman. I'm assuming Rodriguez will co-sponsor, but we'll confirm with him on the floor. I actually already have two late bills coming, so if anyone else has capacity, I would love that. Thank you. Okay, great. So we got Titone and Kelty on this one again.
Are you willing to be a co-sponsor? Rep Pasco will co-sponsor.
Ms. Myers. Thank you, Madam Chair. So you've discussed several changes. Yes.
What is your preference? Would you like those changes incorporated before the bill is introduced, or do you plan to do those by amendment? That would be amazing if we could do it before introduction.
I know it was a bunch of conceptual bill amendments today, but if we could get on the floor with maybe Senator Baisley and myself, I'm happy to talk you through any of the changes we did talk about, and it would be ideal if we could introduce a bill that we've all just conceptualized here, if that's doable.
Sure. I think I just need to know what.
You wanted to know a plan. Concepts, but I feel like I need a little bit more direction. Can I, may I work with.
Absolutely. Absolutely.
Thunberg and Frazier.
Okay. Thank you. Thank you.
Ms. Myers. Sorry, it's me again. You're good. I neglected to ask on the first bill, but this is a question for all of the bills. May legislative legal services make technical corrections and changes? Thank you.
Yes. Very good. Okay, I'm looking at the time. Are you guys starting at the normal time today? You did. Okay, let's talk really quickly about thank you, Ms. Myers. Thank you both. We're going to welcome Mr. Doerr to the dais. We're going to try to be as quick as we can on this one just because it is nine, past nine. Um, so this bill was bill number two. Um, what this does is for the purposes, powers and duties, the bill gives the committee the power to subpoena witnesses, take testimony under oath and assemble records and documents. It also authorizes us to have access to all books, accounts, reports, vouchers of our agency. If a witness refuses to comply, they may vote on whether the witness has committed a legislative contempt. If they say yes, then the witness has committed that. And if they've done that and they're employed by the government, they will not receive compensation and will be terminated. Okay. Who wants to? Section one. I'll walk us through it. Section one is the authority to subpoena witnesses. We do have a few, a drafting note in here that says would the committee have to run a resolution? To get authority, do you want to give the committee to go to the power to the court without the authorization of the General Assembly?
Representative Titone. Thank you, Madam Chair. I think that being that this committee is a full-year committee, we shouldn't have to have a resolution. The idea for this was to confer with the audit committee because a lot of the overlap of what we do ends up being with the purview of the audit committee or the executive committee to have. So that way the power does not vest solely in the joint technology committee but has a check with another committee to have that authorization. I think that that doesn't give us too much power. I don't think that that's appropriate. But I think that we don't need to have a resolution because if we're out of session, we can still have this ability.
Okay. So that would be a bill concept kind of amendment change that we would do here for Section 1. One is that it wouldn't come directly through the JTC. It would come through, and I would say probably the executive committee might be the more appropriate with leadership. The second section is noncompliance, termination of state employment. I think this one speaks for itself. I'm curious where everyone is on this. They ask, there are two drafting questions. One is how does this come before the committee? Is it the chair or a member? What standards should the vote be based on? Those are reasonable doubt, clear and convincing, or preponderance of evidence.
Senator Baisley. Thank you, Madam Chair. Yeah, I'm not at all comfortable with the bill in that it changes the relationship quite a bit between the legislative and executive branch. And we have the procedures in place, including that nice independent organization of the audit folks and all that. So, yeah, I'm not feeling it on this one.
Okay.
Vice Chair Titone. Thank you, Madam Chair. And thank you for your comments, Senator Baisley. I think that what this really is intended to do, and this is inspired by some statute that California has had since 1943 and is updated in 2003, if I remember correctly, just to be sure that these kinds of inquiries that we need to make to hold accountable the other branch, having a good check and balance between branches requires us to have an ability to hold accountable in some way. What this does is it puts into statute, and if the governor does sign the bill, they would be signing off on an employee being fired by the division for being in contempt. So it's not the legislative branch imposing that firing. It's putting into statute with the collaboration of the executive branch to sign a bill and then having that person be terminated because they are not abiding by what the legislative rules have put into play. So this is just a way for us to have people tell us what we need to know. How are we supposed to do our duty? How are we supposed to do our jobs that people sent us here to do if we have appointed people in the executive branch just not telling us? We have a responsibility of the people who voted for us to be here. And that's where if we have no authority and power to compel this kind of information, our knees are cut off as to our ability to oversee the executive branch. And that's where I'm coming from on this.
Any other comments on this?
Rep. Pascal. I understand that. Where Rep. Titone is coming from in terms of how do we compel information? Because we have really struggled to compel information. Well, or ask for it. We ask for it. It just doesn't show up. And that is problematic. But I also find this really harsh. So I'm not comfortable with it either. I find it really harsh.
And I'm just going to echo what I've heard. I do understand the frustration with getting people to come to the table with what we need, and I don't feel comfortable with this either. The California statute has all of the committees having this subpoena power, and I know we have the ability to subpoena through joint rules. So I want us to – I don't see this getting enough votes to pass, but if you would like, we can move and take a vote. But my inclination would be not to introduce this bill.
Well, I mean, you know, what's the point of doing a vote if we're not going to get it? I think that this is a missed opportunity. I don't believe that this is going to be used often. I think there, you know, we build in the proper checks and balances to it. I don't think that this is something that is too harsh, because if someone's withholding evidence for us to find out what's going on, I mean, if that's too harsh, so they could just keep their job and lie to us and continue to lie to us? I think that that's really just letting people get away with murder, and I think that that's something that this committee and this legislative body needs to have some ability to hold the checks and balances which the Constitution is trying to put in place. And we're just letting the executive branch have too much power, and I think that that's an unfortunate reality. So I'm disappointed, but if I can't get the votes, I'm not going to offer the bill.
Very graciously offered, and I appreciate it. With that, we will adjourn JTC. Stay tuned. We'll do more work. Thanks.