GENERAL ASSEMBLY OF NORTH CAROLINA

SESSION 2003

 

 

SESSION LAW 2004-129

SENATE BILL 991

 

 

AN ACT to improve state government information technology planning, adopt standards, make project development more efficient, reduce cost overruns, provide assistance to state agencies, and increase accountability.

 

The General Assembly of North Carolina enacts:

 

PART I. INFORMATION TECHNOLOGY MANAGEMENT.

SECTION 1.  Part 1 of Article 3D of Chapter 147 of the General Statutes is redesignated as Part 1A.

SECTION 2.  Article 3D of Chapter 147 of the General Statues is amended by adding a new Part 1 to read:

"Article 3D.

"Office ofState Information Technology Services.

"Part 1. State Information Technology Management.

"§ 147-33.72A.  Purpose.

The purposes of this Article are to:

(1)       Establish a systematic process for planning and financing the State's information technology resources.

(2)       Develop standards and accountability measures for information technology projects, including criteria for adequate project management.

(3)       Implement procurement procedures that will result in cost savings on information technology purchases.

(4)       Create an Information Technology Advisory Board.

(5)       Create the Information Technology Fund for statewide information technology efforts.

"§ 147-33.72B.  Planning and financing State information technology resources.

(a)       In order to provide a systematic process for meeting the State's technology needs, the State Chief Information Officer shall develop a biennial State Information Technology Plan (Plan). The Plan shall be transmitted to the General Assembly by February 1 of each regular session.

(b)       The Plan shall include the following elements:

(1)       An inventory of current information technology assets and major projects currently in progress. As used in this subdivision, the term 'major project' includes projects subject to review and approval under G.S. 147-33.72C, or that cost more than five hundred thousand dollars ($500,000) to implement.

(2)       An evaluation and estimation of the significant unmet needs for information technology resources over a five-year time period. The Plan shall rank the unmet needs in priority order according to their urgency.

(3)       A statement of the financial requirements posed by the significant unmet needs, together with a recommended funding schedule for each major project currently in progress or recommended for initiation during the upcoming fiscal biennium.

(4)       An analysis of opportunities for statewide initiatives that would yield significant efficiencies or improve effectiveness in State programs.

(c)       Each executive agency shall biennially develop an agency information technology plan that includes the information required under subsection (b) of this section. The Office of Information Technology Services shall consult with and assist agencies in the preparation of these plans. Each agency shall submit its plan to the State Chief Information Officer by October 1 of each even-numbered year.

"§ 147-33.72C.  Project approval standards.

(a)       Project Review and Approval. - The State Chief Information Officer shall:

(1)       Review all State agency information technology projects that cost or are expected to cost more than five hundred thousand dollars ($500,000), whether the project is undertaken in a single phase or component or in multiple phases or components. If the State Chief Information Officer determines a project meets the quality assurance requirements established under this Article, the State Chief Information Officer shall approve the project.

(2)       Establish thresholds for determining which information technology projects costing or expected to cost five hundred thousand dollars ($500,000) or less shall be subject to review and approval under subdivision (a)(1) of this section. When establishing the thresholds, the State Chief Information Officer shall consider factors such as project cost, potential project risk, agency size, and projected budget.

(b)       Project Implementation. - No State agency shall proceed with an information technology project that is subject to review and approval under subsection (a) of this section until the State CIO approves the project. If a project is not approved, the State CIO shall specify in writing to the agency the grounds for denying the approval. The State CIO shall provide this information to the agency within five business days of the denial.

(c)       Suspension of Approval. - The State Chief Information Officer may suspend the approval of any information technology project that does not continue to meet the applicable quality assurance standards. This authority extends to any information technology project that costs more than five hundred thousand dollars ($500,000) to implement regardless of whether the project was originally subject to review and approval under subsection (a) of this section. If the State CIO suspends approval of a project, the State CIO shall specify in writing to the agency the grounds for suspending the approval. The State CIO shall provide this information to the agency within five business days of the suspension.

The Office of Information Technology Services shall report any suspension immediately to the Office of the State Controller and the Office of State Budget and Management. The Office of State Budget and Management shall not allow any additional expenditure of funds for a project that is no longer approved by the State Chief Information Officer.

(d)       General Quality Assurance. - Information technology projects that are not subject to review and approval under subsection (a) of this section shall meet all other standards established under this Article.

(e)       Performance Contracting. - All contracts between a State agency and a private party for information technology projects shall include provisions for vendor performance review and accountability. The State CIO may require that these contract provisions include monetary penalties for projects that are not completed within the specified time period or that involve costs in excess of those specified in the contract. The State CIO may require contract provisions requiring a vendor to provide a performance bond.

"§ 147-33.72D.  Agency/State CIO Dispute Resolution.

(a)       Agency Request for Review. - In any instance where the State CIO has denied or suspended the approval of an information technology project, or has denied an agency's request for deviation pursuant to G.S. 147-33.84, the agency may request a committee review of the State CIO's decision. The agency shall submit a written request for review to the State Controller within 10 working days following the agency's receipt of the State CIO's written grounds for denial or suspension. The agency's request for review shall specify the grounds for its disagreement with the State CIO's determination. The agency shall include with its request for review a copy of the State CIO's written grounds for denial or suspension.

(b)       Review Process. - The review committee shall consist of the State Controller, the State Budget Officer, and the Secretary of Administration. The State Controller shall serve as the chair of the review committee. If the chair or one of the members of the review committee is an official of the agency that has requested the review, that person is deemed to have a conflict of interest and is ineligible to participate in the consideration of the matter, and the two remaining members of the review committee shall select an alternate official to serve as a member of the review committee for that specific matter. Within 10 business days following receipt of an agency's request for review, the committee shall meet to consider the matter. The committee shall review the information provided, and may request additional information from either the agency or the State CIO. The committee may affirm, reverse, or modify the decision of the State CIO, or may remand the matter back to the State CIO for additional findings. Within 30 days after initial receipt of the agency's request for review, the committee shall notify the agency and the State CIO of its decision in the matter. The notification shall be in writing, and shall specify the grounds for the committee's decision. The committee may reverse or modify a decision of the State CIO when the committee finds at least one of the following:

(1)       The decision of the State CIO is unsupported by substantial evidence that the agency project fails to meet one or more standards of efficiency and quality of State government information technology as required under this Article.

(2)       The State CIO did not have the requisite statutory authority or jurisdiction to render the decision.

(3)       The decision of the State CIO was rendered in a manner that was arbitrary, capricious, or indicative of an abuse of discretion.

"§ 147-33.72E.  Project management standards.

(a)       Agency Responsibilities. - Each agency shall provide for a project manager who meets the applicable quality assurance standards for each information technology project that is subject to approval under G.S. 143-33.72C(a). The project manager shall be subject to the review and approval of the State Chief Information Officer.

The agency project manager shall provide periodic reports to the project management assistant assigned to the project by the State CIO under subsection (b) of this section. The reports shall include information regarding project costs, issues related to hardware, software, or training, projected and actual completion dates, and any other information related to the implementation of the information technology project.

(b)       State Chief Information Officer Responsibilities. - The State Chief Information Officer shall designate a project management assistant from the Office of Information Technology Services for projects that receive approval under G.S. 147-33.72C(a). The State Chief Information Officer may designate a project management assistant for any other information technology project.

The project management assistant shall advise the agency with the initial planning of a project, the content and design of any request for proposals, contract development, procurement, and architectural and other technical reviews. The project management assistant shall also monitor agency progress in the development and implementation of the project and shall provide status reports to the State Chief Information Officer, including recommendations regarding continued approval of the project.

"§ 147-33.72F.  Procurement procedures; cost savings.

Pursuant to Part 4 of this Article, the Office of State Technology Services shall establish procedures for the procurement of information technology. The procedures may include aggregation of hardware purchases, the use of formal bid procedures, restrictions on supplemental staffing, enterprise software licensing, hosting, and multiyear maintenance agreements. The procedures may require agencies to submit information technology procurement requests to the Office of State Technology Services on October 1, January 1, and June 1 of each fiscal year in order to allow for bulk purchasing.

"§ 147-33.72G.  Information Technology Advisory Board.

(a)       Creation; Membership. - The Information Technology Advisory Board is established and shall be located within the Office of Information Technology Services for organizational, budgetary, and administrative purposes. The Board shall consist of 12 members, four appointed by the Governor, four appointed by the President Pro Tempore of the Senate, and four appointed by the Speaker of the House of Representatives. All appointments shall be from among persons knowledgeable in the subject area and having experience with State government or information technology deployment within large organizations. Each member shall serve at the pleasure of the officer who appointed the member. The Governor shall designate a chair from among the membership.

(b)       Conflicts of Interest. -  Members of the Advisory Board shall not serve on the board of directors or other governing body of, be employed by, or receive any remuneration of any kind from any information systems, computer hardware, computer software, or telecommunications vendor of goods and services to the State of North Carolina.

No member of the Advisory Board shall vote on an action affecting solely that person's State agency.

(c)       Powers and Duties. - The Board shall:

(1)       Review and comment on the State Information Technology Plan developed by the State Chief Information Officer under G.S. 147-33.72B(b).

(2)       Review and comment on the information technology plans of the executive agencies prepared under G.S. 147-33.72B(c).

(3)       Review and comment on the statewide technology initiatives developed by the State Chief Information Officer.

(d)       Meetings. - The Information Technology Advisory Board shall adopt bylaws containing rules governing its meeting procedures. The Board shall meet at least quarterly. The Office of Information Technology Services shall provide administrative staff and facilities for Advisory Board meetings. The expenses of the Board shall be paid from receipts available to the Office of Information Technology Services as requested by the Board. Advisory Board members shall receive per diem, subsistence, and travel allowances as follows:

(1)       Commission members who are officials or employees of the State or of local government agencies, at the rate established in G.S. 138-6; and

(2)       All other commission members, at the rate established in G.S. 138-5.

"§ 147-33.72H.  Information Technology Fund.

There is established a special revenue fund to be known as the Information Technology Fund, which may receive transfers or other credits as authorized by the General Assembly. Money may be appropriated from the Information Technology Fund to meet statewide requirements, including planning, project management, security, electronic mail, State portal operations, and the administration of systemwide procurement procedures. Expenditures involving funds appropriated to the Office of Information Technology Services from the Information Technology Fund shall be made by the State CIO in consultation with the Information Technology Advisory Board. By October 1 of each year, the State CIO shall submit to the Joint Legislative Oversight Committee on Information Technology a report on all expenditures involving funds appropriated to the Office of Information Technology Services from the Information Technology Fund for the preceding fiscal year. Interest earnings on the Information Technology Fund balance shall be credited to the Information Technology Fund."

SECTION 3.  G.S. 147-33.76 reads as rewritten:

"§ 147-33.76.  Head of the Office of Information Technology Services; qualification and appointmentQualification, appointment, and duties of the State Chief Information Officer.

(a)       The Office of Information Technology Services shall be managed and administered by the State Chief Information Officer. Officer ('State CIO'). The State Chief Information Officer shall be qualified by education and experience for the office and shall be appointed by the Governor after consultation with the Senate Committee on Information Technology and the House Committee on Technology meeting jointly (or by similar committees designated by the rules of each house). and serve at the pleasure of the Governor.

(b)       The Governor shall submit the name of the person to be appointed for review by the entities specified in subsection (a) of this section.

(b1)     The State CIO shall be responsible for developing and administering a comprehensive long-range plan to ensure the proper management of the State's information technology resources. The State CIO shall set technical standards for information technology, review and approve major information technology projects, review and approve State agency information technology budget requests, establish information technology security standards, provide for the procurement of information technology resources, and develop a schedule for the replacement or modification of major systems. The State CIO is authorized to adopt rules to implement this Article.

(c)       The salary of the State Chief Information Officer shall be set by the General Assembly in the Current Operations Appropriations Act. The State Chief Information Officer shall receive longevity pay on the same basis as is provided to employees of the State who are subject to the State Personnel Act."

SECTION 4.  G.S. 147-33.78 is repealed.

SECTION 5.  G.S. 147-33.79 is repealed.

SECTION 6.  All (i) records, (ii) personnel positions and salaries, (iii) property, and (iv) unexpended balances of appropriations, allocations, reserves, support costs, and other funds of the Information Resources Management Commission are transferred to and vested in the Office of Information Technology Services authorized by Article 3D of Chapter 147 of the General Statutes.

SECTION 7.(a)  On June 30, 2004, the State Controller shall transfer the sum of seven million five hundred thousand dollars ($7,500,000) from the Information Technology Services Internal Service Fund to the Information Technology Fund.

SECTION 7.(b)  For the fiscal year 2004-2005 appropriations are made from the Information Technology Fund as follows:

(1)       The sum of two million seven hundred thousand dollars ($2,700,000) to the Office of State Controller to implement the recommendations of the statewide Business Infrastructure Study; and

(2)       The sum of four million eight hundred thousand dollars ($4,800,000) to the Office of Information Technology Services for the following purposes:

Security Assessment and Remediation              $3,000,000

Project Management Office Expansion                $600,000

Legacy Systems Study                                         $1,000,000

Legal Services                                                         $100,000

ITS Management Staff                                             $100,000

SECTION 7A.(a)  The heading for Article 26 of Chapter 120 of the General Statutes reads as rewritten:

"Article 26.

Joint Select  Legislative Oversight Committee on Information Technology."

SECTION 7A.(b)  G.S. 120-230 reads as rewritten:

"§ 120-230.  Creation and purpose of the Joint Select Legislative Oversight Committee on Information Technology.

There is established the Joint Select Legislative Oversight Committee on Information Technology. The Committee shall review current information technology that impacts public policy, including electronic data processing and telecommunications, software technology, and information processing. The goals and objectives of the Committee shall be to develop electronic commerce in the State and to coordinate the use of information technology by State agencies in a manner that assures that the citizens of the State receive quality services from all State agencies and that the needs of the citizens are met in an efficient and effective manner. The Committee shall examine, on a continuing basis, systemwide issues affecting State government information technology, including, but not limited to, State information technology operations, infrastructure, development, financing, administration, and service delivery. The Committee may examine State agency or enterprise-specific information technology issues. The Committee shall make ongoing recommendations to the General Assembly on ways to improve the effectiveness, efficiency, and quality of State government information technology."

SECTION 7A.(c)  G.S. 120-231 reads as rewritten:

"§ 120-231.  Committee duties; reports.

(a)       The Joint Select  Legislative Oversight Committee on Information Technology may:

(1)       Evaluate the current technological infrastructure of State government and information systems use and needs in State government and determine potential demands for additional information staff, equipment, software, data communications, and consulting services in State government during the next 10 years. The evaluation may include an assessment of ways technological infrastructure and information systems use may be leveraged to improve State efficiency and services to the citizens of the State, including an enterprise-wide infrastructure and data architecture.

(2)       Evaluate information technology governance, policy, and management practices, including policies and practices related to personnel and acquisition issues, on both a statewide and project level.

(3)       Study, evaluate, and recommend changes to the North Carolina General Statutes relating to electronic commerce.

(4)       Study, evaluate, and recommend action regarding reports received by the Committee.

(5)       Study, evaluate, and recommend any changes proposed for future development of the information highway system of the State.

(b)       The Committee may consult with the Information Resource Management Commission  State Chief Information Officer on statewide technology strategies and initiatives and review all legislative proposals and other recommendations of the Information Resource Management Commission Office of Information Technology Services.

(c)       The Committee shall report by March 1 of each year to the Appropriations Committees of the Senate and the House of Representatives concerning the Committee's activities and findings and any recommendations for statutory changes. submit annual reports to the General Assembly on or before the convening of the regular session of the General Assembly each year. The Committee may submit interim reports at any time it deems appropriate."

SECTION 7A.(d)  G.S. 120-232 reads as rewritten:

"§ 120-232.  Committee membership; terms; organization; vacancies.

(a)       The Committee shall consist of 16 members as follows:

(1)       Five Eight members of the Senate at the time of their appointment, appointed by the President Pro Tempore of the Senate. At least two appointees shall be members of the Senate Appropriations Committee.

(2)       Five Eight members of the House of Representatives at the time of their appointment, appointed by the Speaker of the House of Representatives. At least two appointees shall be members of the House of Representatives Appropriations Committee.

(3)       Three members of the public, appointed by the President Pro Tempore of the Senate.

(4)       Three members of the public, appointed by the Speaker of the House of Representatives.

The members appointed to the Committee from the public shall be chosen from among individuals who have the ability and commitment to promote and fulfill the purposes of the Committee, including individuals who have expertise in the field of computer technology or commercial transactions.

(b)       Members of the Committee shall serve terms of two years beginning on August 15 of  at the convening of the General Assembly in each odd-numbered year, with no prohibition against being reappointed, except initial appointments shall begin on appointment and end on the day of convening of the 2005 General Assembly. be for terms as follows:

(1)       The public members shall serve terms of three years.

(2)       The members who are members of the General Assembly shall serve terms of two years.

Initial terms shall commence on August 15, 1999.

(c)       Members who are elected officials may complete a term of service on the Committee even if they do not seek reelection or are not reelected, but resignation or removal from service constitutes resignation or removal from service on the Committee.

(d)       The President Pro Tempore of the Senate and the Speaker of the House of Representatives shall each select a legislative member from their appointees to serve as cochair of the Committee.

(e)       The Committee shall meet at least once a quarter and may meet at other times upon the call of the cochairs. A majority of the members of the Committee shall constitute a quorum for the transaction of business. The affirmative vote of a majority of the members present at meetings of the Committee shall be necessary for action to be taken by the Committee.

(f)        All members shall serve at the will of their appointing officer. A member continues to serve until the member's successor is appointed. A vacancy shall be filled within 30 days by the officer who made the original appointment."

PART II. CONFORMING CHANGES IN ARTICLE 3D OF CHAPTER 147.

SECTION 8.  The heading of Part 1A of Article 3D of Chapter 147 of the General Statutes, as redesignated under Section 1 of this act, reads as rewritten:

"Part 1A. Transfer and Organization of Office of Information Technology Services."

SECTION 9.  G.S. 147-33.75 reads as rewritten:

"§ 147-33.75.  Transfer to Office located in the Office of the Governor.

(a)       The Office of Information Technology Services ("Office") of the Department of Commerce and the Information Resource Management Commission are hereby transferred to shall be housed in the Office of the Governor.

(b)       The Governor has the authority, powers, and duties over the Office that are assigned to the Governor and the head of department pursuant to Article 1 of Chapter 143B of the General Statutes, G.S. 143A-6(b), and the Constitution and other laws of this State."

SECTION 10.  G.S. 147-33.82(d)(2) is repealed.

SECTION 11.  G.S. 147-33.82(e) is repealed.

SECTION 12.  G.S. 147-33.82(c), G.S. 147-33.82(d) as amended by Section 10 of this act, G.S. 147-33.82(e1), and G.S. 147-33.82(f), are recodified as separate sections as Part 5 of Article 3D of Chapter 147 of the General Statutes, G.S. 147-33.110 through G.S. 147-33.113 respectively.

SECTION 13.  G.S. 147-33.82(a) reads as rewritten:

"§ 147-33.82.  Powers and duties Functions of the State Chief Information Officer and the Office of Information Technology Services.

(a)       The In addition to any other functions required by this Article, the Office of Information Technology Services shall:

(1)       Procure all information technology for State agencies, as provided in Part 4 of this Article.

(2)       Submit for approval of the Information Resources Management CommissionOffice of State Budget and Management all rates and fees for common, shared State government-wide technology services provided by the Office. Office on a fee-for-service basis and not covered by another fund.

(3)       Conduct an annual assessment of State agencies for compliance with statewide policies for information technology and Submit submit for approval review of the Information Resources Management CommissionTechnology Advisory Board recommended State government-wide, enterprise-level policies statewide policies for information technology.

(4)       Develop standards, procedures, and processes to implement policies approved by the Information Resources Management Commission. State CIO.

(5)       Assure that Review State agencies implement and manage agency information technology portfolio-based management of State information technology resources, in accordance resources for compliance with the direction set by the State Chief Information Officer.this Article.

(6)       Assure Review that State agencies implement and manage agency implementation of statewide information technology enterprise management efforts of State government, in accordance government for compliance with the direction set by the State Chief Information Officer.this Article.

(7)       Provide recommendations to the Information Resources Management Commission for its biennial technology strategy and to develop State government-wide technology initiatives to be approved by the Information Resources Management Commission.

(8)       Develop a project management, quality assurance, and architectural review process that adheres to the Information Resources Management Commission's certification program and portfolio-based management initiative.for projects that require review and approval under G.S. 147-33.72C(a).

(9)       Establish and utilize the Information Technology Management Advisory Council to consist of representatives from other State agencies to advise the Office on information technology business management and technology matters."

SECTION 14.  Part 5 of Article 3D of Chapter 147 of the General Statutes, as recodified by Section 12 of this act, reads as rewritten:

"Part 5. Security for Information Technology Services.

"§ 147-33.110.  Statewide security standards.

The State Chief Information Officer shall establish an enterprise-wide a statewide set of standards for information technology security to maximize the functionality, security, and interoperability of the State's distributed information technology assets, including communications and encryption technologies. The State CIO shall review and revise the security standards annually. As part of this function, the State Chief Information Officer shall review periodically existing security standards and practices in place among the various State agencies to determine whether those standards and practices meet enterprise-wide statewide security and encryption requirements. The State Chief Information Officer may assume the direct responsibility of providing for the information technology security of any State agency that fails to adhere to security standards adopted pursuant to this section.under this Article. Any actions taken by the State Chief Information Officer under this subsection section shall be reported to the Information Resources Management Commission Information Technology Advisory Board at its next scheduled meeting.

"§ 147-33.111.  State CIO approval of security standards and security assessments.

(a)       Notwithstanding G.S. 143-48.3 or any other provision of law, and except as otherwise provided by this subsection, section, all information technology security purchased using State funds, or for use by a State agency or in a State facility, shall be subject to approval by the State Chief Information Officer in accordance with security standards adopted under this section.Article.

(1)(b)  If the legislative branch, the judicial branch, The University of North Carolina and its constituent institutions, local school administrative units as defined by G.S. 115C-5, or the North Carolina Community Colleges System develop their own security standards, taking into consideration the mission and functions of that entity, that are comparable to or exceed those set by the State Chief Information Officer under this section, then these entities may elect to be governed by their own respective security standards, and approval of the State Chief Information Officer shall not be required before the purchase of information technology security. The State Chief Information Officer shall consult with the legislative branch, the judicial branch, The University of North Carolina and its constituent institutions, local school administrative units, and the North Carolina Community Colleges System in reviewing the security standards adopted by those entities.

(2)       Repealed.

(3)(c)  Before a State agency may enter into any contract with another party for an assessment of network vulnerability, including network penetration or any similar procedure, the State agency shall notify the State Chief Information Officer and obtain approval of the request. The State Chief Information Officer shall refer the request to the State Auditor for a determination of whether the Auditor's office can perform the assessment and testing. If the State Auditor determines that he the Auditor's office can perform the assessment and testing, then the State Chief Information Officer shall authorize the assessment and testing by the Auditor. If the State Auditor determines that his the Auditor's office cannot perform the assessment and testing, then with the approval of the State Chief Information Officer and State Auditor, the State agency may enter into a contract with another party for the assessment and testing. If the State agency enters into a contract with another party for assessment and testing, the State agency shall issue public reports on the general results of the reviews undertaken pursuant to this subdivision, but the reviews. The contractor must shall provide the State agency with detailed reports of the security issues identified pursuant to this subdivision that shall not be disclosed as provided in G.S. 132-6.1(c). The State agency shall provide the State Chief Information Officer and the State Auditor with copies of the detailed reports.reports that shall not be disclosed as provided in G.S. 132-6.1(c).

"§ 147-33.112.  Assessment of agency compliance with security standards.

The State Chief Information Officer shall assess the ability of each agency to comply with the current security enterprise-wide set of standards established pursuant to this section. The assessment shall include, at a minimum, the rate of compliance with the standards in each agency and an assessment of each agency's security organization, network security architecture, and current expenditures for information technology security. The assessment shall also estimate the cost to implement the security measures needed for agencies to fully comply with the standards. Each agency subject to the standards shall submit information required by the State Chief Information Officer for purposes of this assessment. Not later than May 4, 2004, the Information Resources Management Commission and the The State Chief Information Officer shall submit a public report that summarizes the status of the assessment, including the available estimates of additional funding needed to bring agencies into compliance, to the Joint Legislative Commission on Governmental Operations and shall provide updated assessment information by January 15 of each subsequent year.include the information obtained from the assessment in the State Information Technology Plan required under G.S. 147-33.72B.

"§ 147-33.113.  State agency cooperation.

(a)       The head of each State agency shall cooperate with the State Chief Information Officer in the discharge of his or her duties by:

(1)       Providing the full details of the agency's information technology and operational requirements and of all the agency's information technology security incidents within 24 hours of confirmation.

(2)       Providing comprehensive information concerning the information technology security employed to protect the agency's information technology.

(3)       Forecasting the parameters of the agency's projected future information technology security needs and capabilities.

(4)       Designating an agency liaison in the information technology area to coordinate with the State Chief Information Officer. The liaison shall be subject to a criminal background report from the State Repository of Criminal Histories, which shall be provided by the State Bureau of Investigation upon its receiving fingerprints from the liaison. If the liaison has been a resident of this State for less than five years, the background report shall include a review of criminal information from both the State and National Repositories of Criminal Histories. The criminal background report shall be provided to the State Chief Information Officer and the head of the agency. In addition, all personnel in the Office of State Auditor who are responsible for information technology security reviews pursuant to G.S. 147-64.6(c)(18) shall be subject to a criminal background report from the State Repository of Criminal Histories, which shall be provided by the State Bureau of Investigation upon receiving fingerprints from the personnel designated by the State Auditor. For designated personnel who have been residents of this State for less than five years, the background report shall include a review of criminal information from both the State and National Repositories of Criminal Histories. The criminal background reports shall be provided to the State Auditor.

(b)       The information provided by State agencies to the State Chief Information Officer under this subsection section is protected from public disclosure pursuant to G.S. 132-6.1(c)."

SECTION 15.  G.S. 147-33.83 reads as rewritten:

"§ 147-33.83.  Information resources centers and services.

(a)       With respect to all executive departments and agencies of State government, except the Department of Justice if they do not elect at their option to participate, the Office of Information Technology Services shall have all of the following powers and duties:

(1)       To establish and operate information resource centers and services to serve two or more departments on a cost-sharing basis, if the Information Resources Management Commission State CIO, after consultation with the Office of State Budget and Management, decides it is advisable from the standpoint of efficiency and economy to establish these centers and services.

(2)       With the approval of the Information Resources Management Commission, Office of State Budget and Management, to charge each department for which services are performed its proportionate part of the cost of maintaining and operating the shared centers and services.

(3)       With the approval of the Information Resources Management Commission, to To require any department served to transfer to the Office ownership, custody, or control of information processing equipment, supplies, and positions required by the shared centers and services.

(4)       With the approval of the Information Resources Management Commission, to To adopt reasonable rules for the efficient and economical management and operation of the shared centers, services, and the integrated State telecommunications network.

(5)       With the approval of the Information Resources Management Commission, to To adopt plans, policies, procedures, and rules for the acquisition, management, and use of information technology resources in the departments affected by this section to facilitate more efficient and economic use of information technology in these departments.

(6)       To develop and promote training programs to efficiently implement, use, and manage information technology resources.

(7)       To provide cities, counties, and other local governmental units with access to the Office of Information Technology Services, information resource centers and services as authorized in this section for State agencies. Access shall be provided on the same cost basis that applies to State agencies.

(b)       No data of a confidential nature, as defined in the General Statutes or federal law, may be entered into or processed through any cost-sharing information resource center or network established under this section until safeguards for the data's security satisfactory to the department head and the State Chief Information Officer have been designed and installed and are fully operational. Nothing in this section may be construed to prescribe what programs to satisfy a department's objectives are to be undertaken, nor to remove from the control and administration of the departments the responsibility for program efforts, regardless whether these efforts are specifically required by statute or are administered under the general program authority and responsibility of the department. This section does not affect the provisions of G.S. 147-64.6, 147-64.7, or 147-33.91.

(c)       Notwithstanding any other provision of law, the Office of Information Technology Services shall provide information technology services on a cost-sharing basis to the General Assembly and its agencies as requested by the Legislative Services Commission."

SECTION 16.  G.S. 147-33.84 reads as rewritten:

"§ 147-33.84.  Deviations authorized for Department of Revenue. Revenue; agency requests for deviations.

(a)       The Department of Revenue is authorized to deviate from any provision in G.S. 147-33.83(a) that requires departments or agencies to consolidate information processing functions on equipment owned, controlled, or under custody of the Office of Information Technology Services. All deviations by the Department of Revenue pursuant to this section shall be reported in writing within 15 days by the Department of Revenue to the Information Resources Management Commission State CIO and shall be consistent with available funding. Any State agency may apply in writing to the State CIO for authority to deviate. If granted, any deviation shall be consistent with available funding and shall be subject to such terms and conditions as may be specified by the State CIO. If the agency's request for deviation is denied by the State CIO, the agency may request a review of the decision pursuant to G.S. 147-33.72D.

(b)       The Department of Revenue is authorized to adopt and shall adopt plans, policies, procedures, requirements, and rules for the acquisition, management, and use of information processing equipment, information processing programs, data communications capabilities, and information systems personnel in the Department of Revenue. If the plans, policies, procedures, requirements, rules, or standards adopted by the Department of Revenue deviate from the policies, procedures, or guidelines adopted by the Office of Information Technology Services or the Information Resources Management Commission, Services, those deviations shall be allowed and shall be reported in writing within 15 days by the Department of Revenue to the Information Resources Management Commission. State CIO. The Department of Revenue and the Office of Information Technology Services shall develop data communications capabilities between the two computer centers utilizing the North Carolina Integrated Network, subject to a security review by the Secretary of Revenue.

(c)       The Department of Revenue shall prepare a plan to allow for substantial recovery and operation of major, critical computer applications. The plan shall include the names of the computer programs, databases, and data communications capabilities, identify the maximum amount of outage that can occur prior to the initiation of the plan and resumption of operation. The plan shall be consistent with commonly accepted practices for disaster recovery in the information processing industry. The plan shall be tested as soon as practical, but not later than six months, after the establishment of the Department of Revenue information processing capability.

(d)       Notwithstanding the provisions of subsections (a) and (b) of this section, the Department of Revenue shall review and evaluate any deviations and shall, in consultation with the Office of Information Technology Services, adopt a plan to phase out any deviations that are not determined to be necessary in carrying out functions and responsibilities unique to the Department. The plan adopted by the Department shall include a strategy to coordinate its general information processing functions with the Office of Information Technology Services in the manner prescribed by G.S. 147-33.83(a) and provide for its compliance with policies, procedures, and guidelines adopted by the Office of Information Technology Services. The Department of Revenue shall submit its plan to the Office of State Budget and Management by January 15, 2005."

SECTION 17.  G.S. 147-33.85 is repealed.

SECTION 18.  G.S. 147-33.86 is repealed.

SECTION 19.  G.S. 147-33.87 reads as rewritten:

"§ 147-33.87.  Financial reporting and accountability for information technology investments and expenditures.

The Office of Information Technology Services, the Office of State Budget and Management, and the Office of the State Controller shall jointly develop a system for budgeting and accounting of expenditures for information technology operations, services, projects, infrastructure, and assets. The system shall include hardware, software, personnel, training, contractual services, and other items relevant to information technology, and the sources of funding for each. This system must integrate seamlessly with the enterprise portfolio management system. Annual reports regarding information technology shall be coordinated by the Office with the Office of State Budget and Management and the Office of the State Controller, and submitted to the Governor, General Assembly, and the Information Resources Management Commission Governor and the General Assembly on or before October 1 of each year."

SECTION 20.  G.S. 147-33.88 reads as rewritten:

"§ 147-33.88.  Information technology reports.

(a)       The Office shall develop an annual budget for review and approval by the Information Resources Management Commission  Office of State Budget and Management prior to April 1 of each year. A copy of the approved budget shall be submitted to the Joint Select Committee on Information Technology and the Fiscal Research Division.

(b)       The Office shall report to the Joint Select Legislative Oversight Committee on Information Technology and the Fiscal Research Division on the Office's Internal Service Fund on a quarterly basis, no later than the first day of the second month following the end of the quarter. The report shall include current cash balances, line-item detail on expenditures from the previous quarter, and anticipated expenditures and revenues. The Office shall report to the Joint Legislative Oversight Committee on Information Technology and the Fiscal Research Division on expenditures for the upcoming quarter, projected year-end balance, and the status report on personnel position changes including new positions created and existing positions eliminated. The Office spending reports shall comply with the State Accounting System object codes."

SECTION 21.  G.S. 147-33.89(b) reads as rewritten:

"(b)      Each State agency shall submit its disaster recovery plan on an annual basis to the Information Resource Management Commission and the State Chief Information Officer."

SECTION 22.  G.S. 147-33.90 reads as rewritten:

"§ 147-33.90.  Analysis of State agency legacy systems.

(a)       The Office of Information Technology Services, in conjunction with the Information Resources Management Commission, Services shall analyze the State's legacy information technology systems and develop a plan to ascertain the needs, costs, and time frame required for State agencies to progress to more modern information technology systems.

(b)       In conducting the legacy system assessment phase of the analysis, the Office shall:

(1)       Examine the hierarchical structure and interrelated relationships within and between State agency legacy systems.

(2)       Catalog and analyze the portfolio of legacy applications in use in State agencies and consider the extent to which new applications could be used concurrently with, or should replace, legacy systems.

(3)       Consider issues related to migration from legacy environments to Internet-based and client/server environments, and related to the availability of programmers and other information technology professionals with the skills to migrate legacy applications to other environments.

(4)       Study any other issue relative to the assessment of legacy information technology systems in State agencies.

By March 1, 2004, the Office shall complete the assessment phase of the analysis and shall make a report of the assessment to the Joint Legislative Commission on Governmental Operations (Commission). Thereafter, the Office shall make an ongoing annual report on these matters to the Commission by March 1 of each year.

(c)       Upon completion of the legacy system assessment phase of the analysis, the Office shall ascertain the needs, costs, and time frame required to modernize State agency information technology. The Office shall complete this phase of the assessment by January 31, 2005, and shall report its findings and recommendations to the 2005 General Assembly. The findings and recommendations shall include a cost estimate and time line for modernization of legacy information technology systems in State agencies. The Office shall submit an ongoing, updated report on modernization needs, costs, and time lines to the General Assembly on the opening day of each biennial session."

SECTION 23.  G.S. 147-33.91 reads as rewritten:

"§ 147-33.91.  Telecommunications services; duties of State Chief Information Officer with respect to State agencies.

(a)       With respect to State agencies, the State Chief Information Officer shall exercise general coordinating authority for all telecommunications matters relating to the internal management and operations of those agencies. In discharging that responsibility, the State Chief Information Officer may Officer, in cooperation with affected State agency heads, do such of the following things as the State Chief Information Officer deems necessary and advisable:may:

(1)       Provide for the establishment, management, and operation, through either State ownership ownership, contract, or commercial leasing, of the following systems and services as they affect the internal management and operation of State agencies:

a.         Central telephone systems and telephone networks; networks.

b.         Teleprocessing systems;

c.         Teletype and facsimile services;

d.         Satellite services;services.

e.         Closed-circuit TV systems; systems.

f.          Two-way radio systems; systems.

g.         Microwave systems; and systems.

h.         Related systems based on telecommunication technologies.

i.          The 'State Network', managed by the Office, which means any connectivity designed for the purpose of providing Internet Protocol transport of information to any building.

(2)       With the approval of the Information Resources Management Commission, coordinate Coordinate the development of cost-sharing systems for respective user agencies for their proportionate parts of the cost of maintenance and operation of the systems and services listed in subdivision (1) of this section.subsection.

(3)       Assist in the development of coordinated telecommunications services or systems within and among all State agencies and recommend, where appropriate, cooperative utilization of telecommunication facilities by aggregating users.

(4)       Perform traffic analysis and engineering for all telecommunications services and systems listed in subdivision (1) of this subsection.

(5)       Pursuant to G.S. 143-49, establish telecommunications specifications and designs so as to promote and support compatibility of the systems within State agencies.

(6)       Pursuant to G.S. 143-49 and G.S. 143-50, coordinate the review of requests by State agencies for the procurement of telecommunications systems or services.

(7)       Pursuant to G.S. 143-341 and Chapter 146 of the General Statutes, coordinate the review of requests by State agencies for State government property acquisition, disposition, or construction for telecommunications systems requirements.

(8)       Provide a periodic inventory of telecommunications costs, facilities, systems, and personnel within State agencies.

(9)       Promote, coordinate, and assist in the design and engineering of emergency telecommunications systems, including, but not limited to, the 911 emergency telephone number program, Emergency Medical Services, and other emergency telecommunications services.

(10)     Perform frequency coordination and management for State agencies and local governments, including all public safety radio service frequencies, in accordance with the rules and regulations of the Federal Communications Commission or any successor federal agency.

(11)     Advise all State agencies on telecommunications management planning and related matters and provide through the State Personnel Training Center or the Office of Information Technology Services training to users within State agencies in telecommunications technology and systems.

(12)     Assist and coordinate the development of policies and long-range plans, consistent with the protection of citizens' rights to privacy and access to information, for the acquisition and use of telecommunications systems, and base such policies and plans on current information about State telecommunications activities in relation to the full range of emerging technologies.

(13)     Work cooperatively with the North Carolina Agency for Public Telecommunications in furthering the purpose of this section.

(b)       The provisions of this section shall not apply to the Criminal Information Division of the Department of Justice or to the Judicial Information System in the Judicial Department."

SECTION 24.  G.S. 147-33.95 reads as rewritten:

"(a)      Notwithstanding any other provision of law, the Office of Information Technology Services shall procure all information technology for State agencies. For purposes of this section, agency means any department, institution, commission, committee, board, division, bureau, office, officer, or official of the State, unless specifically exempted in this Article. The Office shall integrate technological review, cost analysis, and procurement for all information technology needs of those State agencies in order to make procurement and implementation of technology more responsive, efficient, and cost-effective. All contract information shall be made a matter of public record after the award of contract. Provided, that trade Trade secrets, test data, similar proprietary information, and security information protected under G.S. 132-6.1(c) may remain confidential.

(b)       The Office shall have the authority and responsibility, subject to the provisions of this Part, to:

(1)       Purchase or to contract for, by suitable means, including, but not limited to, negotiations, reverse auctions, and the solicitation, offer, and acceptance of electronic bids, and in conformity with G.S. 143-135.9,  for all information technology in the State government, or any of its departments, institutions, or agencies covered by this Part, or to Part. The Office may authorize any department, institution, or State agency covered by this Part to purchase or contract for such information technology. The Office or a State agency may use any authorized means, including negotiations, reverse auctions, and the solicitation, offer, and acceptance of electronic bids. G.S. 143-135.9 shall apply to these procedures.

(2)       Establish processes, specifications, and standards which that shall apply to all information technology to be purchased, licensed, or leased in the State government or any of its departments, institutions, or agencies covered by this Part.

(3)       Comply with the State government-wide technical architecture, as required by the Information Resources Management CommissionState CIO.

(c)       For purposes of this section, "reverse auction" means a real-time purchasing process in which vendors compete to provide goods or services at the lowest selling price in an open and interactive electronic environment. The vendor's price may be revealed during the reverse auction. The Office may contract with a third-party vendor to conduct the reverse auction.

(d)       For purposes of this section, "electronic bidding" means the electronic solicitation and receipt of offers to contract. Offers may be accepted and contracts may be entered by use of electronic bidding.

(e)       The Office may use the electronic procurement system established by G.S. 143-48.3 to conduct reverse auctions and electronic bidding. All requirements relating to formal and competitive bids, including advertisement, seal, and signature, are satisfied when a procurement is conducted or a contract is entered in compliance with the reverse auction or electronic bidding requirements established by the Office.

(f)        The Office may shall adopt rules consistent with this section."

SECTION 25.  G.S. 147-33.101(b) reads as rewritten:

"(b)      Prior to submission of any contract for review by the Board of Awards pursuant to this section for any contract for information technology being acquired for the benefit of the Office and not on behalf of any other State agency, the Director of the Budget shall review and approve the procurement to ensure compliance with the established processes, specifications, and standards applicable to all information technology purchased, licensed, or leased in State government, including established procurement processes, and compliance with the State government-wide technical architecture as established by the Information Resources Management Commission.State CIO."

SECTION 26.  G.S. 147-33.103(b) is repealed.

PART III. OTHER CONFORMING CHANGES.

SECTION 27.  G.S. 66-58.12(c) reads as rewritten:

"(c)      The fee imposed under subsection (b) of this section must be approved by the Information Resource Management Commission, State Chief Information Officer, in consultation with the Joint Legislative Commission on Governmental Operations. The revenue derived from the fee must be credited to a nonreverting agency reserve account. The funds in the account may be expended only for e-commerce initiatives and projects approved by the Information Resource Management Commission, State Chief Information Officer, in consultation with the Joint Select Legislative Oversight Committee on Information Technology. For purposes of this subsection, the term 'public agencies' does not include a county, unit, special district, or other political subdivision of government."

SECTION 28.  G.S. 66-58.20 reads as rewritten:

"§ 66-58.20.  Development and implementation of Web portals; public agency links.

(a)       The Office of Information Technology Services (ITS) shall develop the architecture, requirements, and standards for the development, implementation and operation of one or more centralized Web portals that will allow persons to access State government services on a 24-hour basis. ITS shall submit its plan for the implementation of the Web portals to the Information Resource Management Commission (IRMC) State Chief Information Officer for its review and approval. When the plan is approved by the IRMC, State Chief Information Officer, ITS shall move forward with development and implementation of the statewide Web Portal system.

(b)       Each State department, agency, and institution under the review of the IRMC State Chief Information Officer shall functionally link its Internet or electronic services to a centralized Web portal system established pursuant to subsection (a) of this section."

SECTION 29.  G.S. 115C-102.6B reads as rewritten:

"§ 115C-102.6B.  Approval of State school technology plan.

(a)       The Commission shall present the State school technology plan it develops to the Joint Legislative Commission on Governmental Operations and the Joint Legislative Education Oversight Committee for their comments prior to January 1, 1995. At least every two years thereafter, the Commission shall develop any necessary modifications to the State school technology plan and present them to the Joint Legislative Commission on Governmental Operations and the Joint Legislative Education Oversight Committee.

(b)       After presenting the plan or any proposed modifications to the plan to the Joint Legislative Commission on Governmental Operations and the Joint Legislative Education Oversight Committee, the Commission shall submit the plan or any proposed modifications to (i) the Information Resources Management Commission for its State Chief Information Officer for approval of the technical components of the plan set out in G.S. 115C-102.6A(1) through (4), and (ii) the State Board of Education for information purposes only. The State Board shall adopt a plan that includes the components of a plan set out in G.S. 115C-103.6A(1) through (16).

At least one-fourth of the members of any technical committee that reviews the plan for the Information Resources Management Commission State Chief Information Officer shall be people actively involved in primary or secondary education.

(c)       If no changes are made to the plan or the proposed modifications to the plan after the submission to the Information Resources Management Commission State Chief Information Officer and the State Board of Education, the plan or the proposed modifications shall take effect upon approval by the Information Resources Management Commission  State Chief Information Officer and the State Board of Education."

SECTION 30.  G.S. 115C-102.6C(a) reads as rewritten:

"§ 115C-102.6C.  Approval of local school system technology plans.

(a)       Each local board of education shall develop a local school system technology plan that meets the requirements of the State school technology plan. In developing a local school system technology plan, a local board of education is encouraged to coordinate its planning with other agencies of State and local government, including other local school administrative units.

The Information Resources Management Commission Office of Information Technology Services shall assist the local boards of education in developing the parts of the plan related to its technological aspects, to the extent that resources are available to do so. The Department of Public Instruction shall assist the local boards of education in developing the instructional and technological aspects of the plan.

Each local board of education shall submit the local plan it develops to the Information Resources Management Commission Office of Information Technology Services for its evaluation of the parts of the plan related to its technological aspects and to the Department of Public Instruction for its evaluation of the instructional aspects of the plan. The State Board of Education, after consideration of the evaluations of the Information Resources Management Commission Office of Information Technology Services and the Department of Public Instruction, shall approve all local plans that comply with the requirements of the State school technology plan."

SECTION 31.  G.S. 115C-102.7(b) reads as rewritten:

"(b)      The Commission shall provide notice of meetings, copies of minutes, and periodic briefings to the chair of the Information Resources Management Commission and the chair of the Technical Committee of the Information Resources Management Commission.Office of Information Technology Services."

SECTION 32.  G.S. 115C-102.15(b)(16) reads as rewritten:

"(b)      The Business and Education Technology Alliance shall be composed of 27 members who have knowledge and interest in ensuring that the effective use of technology is built into the North Carolina School System for the purpose of preparing a globally competitive workforce and citizenry for the 21st century. These members shall be appointed as follows:

(16)     One representative of the Information Resource Management Commission appointed by the Commission's Chair.Office of Information Technology Services appointed by the State Chief Information Officer."

SECTION 33.  G.S. 115C-472.5(d) reads as rewritten:

"(d)      The Department of Public Instruction shall report to the Information Resource Management Commission State Chief Information Officer on an annual basis on all loans made from the fund."

SECTION 34.  G.S. 115C-529 reads as rewritten:

"§ 115C-529.  Useful life guidelines.

The Information Resource Management Commission State Office of Information Technology Services shall develop and annually revise guidelines for determining the useful life of computers purchased under G.S. 115C-528. The Division of Purchase and Contract shall develop and periodically revise guidelines for determining the useful life of automobiles, school buses, and photocopiers purchased under G.S. 115C-528. The Local Government Commission shall develop and periodically revise guidelines for determining the useful life of mobile classroom units purchased under G.S. 115C-528. Guidelines for computers and photocopiers shall include provisions for upgrades during the term of the contract. The Information Resource Management Commission, State Office of Information Technology Services, the Division of Purchase and Contract, and the Local Government Commission shall provide their respective guidelines to the State Board of Education by November 1, 1996. The State Board of Education shall provide the guidelines to local boards of education by January 1, 1997."

SECTION 35.  G.S. 120-123(57) is repealed.

SECTION 36.  G.S. 120-231(b) reads as rewritten:

"(b)      The Committee may consult with the Information Resource Management Commission State Chief Information Officer on statewide technology strategies and initiatives and review all legislative proposals and other recommendations of the Information Resource Management Commission. State Chief Information Officer."

SECTION 37.  G.S. 126-5(c1)(17) is repealed.

SECTION 38.  G.S. 132-6.2(b) reads as rewritten:

"(b)      Persons requesting copies of public records may request that the copies be certified or uncertified. The fees for certifying copies of public records shall be as provided by law. Except as otherwise provided by law, no public agency shall charge a fee for an uncertified copy of a public record that exceeds the actual cost to the public agency of making the copy. For purposes of this subsection, "actual cost" is limited to direct, chargeable costs related to the reproduction of a public record as determined by generally accepted accounting principles and does not include costs that would have been incurred by the public agency if a request to reproduce a public record had not been made. Notwithstanding the provisions of this subsection, if the request is such as to require extensive use of information technology resources or extensive clerical or supervisory assistance by personnel of the agency involved, or if producing the record in the medium requested results in a greater use of information technology resources than that established by the agency for reproduction of the volume of information requested, then the agency may charge, in addition to the actual cost of duplication, a special service charge, which shall be reasonable and shall be based on the actual cost incurred for such extensive use of information technology resources or the labor costs of the personnel providing the services, or for a greater use of information technology resources that is actually incurred by the agency or attributable to the agency. If anyone requesting public information from any public agency is charged a fee that the requester believes to be unfair or unreasonable, the requester may ask the Information Resource Management Commission State Chief Information Officer or his designee to mediate the dispute."

SECTION 39.  G.S. 143-6 reads as rewritten:

"(b2)    Any department, bureau, division, officer, board, commission, institution, or other State agency or undertaking desiring to request financial aid from the State for the purpose of acquiring or maintaining information technology as defined by G.S. 147-33.81(2) shall, before making the request for State financial aid, submit to the State Chief Information Officer (CIO)(State CIO) a statement of its needs in terms of information technology and other related requirements and shall furnish the State CIO with any additional information requested by the State CIO. The CIO shall then review the statement of needs submitted by the requesting department, bureau, division, officer, board, commission, institution, or other State agency or undertaking and perform additional analysis, as necessary, to comply with G.S. 147-33.82. Article 3D of Chapter 147 of the General Statutes. All requests for financial aid for the purpose of acquiring or maintaining information technology shall be accompanied by a certification from the State CIO deeming the request for financial aid to be consistent with Article 3D of Chapter 147 of the General Statutes. The State CIO shall make recommendations to the Governor regarding the merits of requests for financial aid for the purpose of acquiring or maintaining information technology. This subsection shall not apply to requests for appropriations of less than one hundred thousand dollars ($100,000)."

SECTION 40.  G.S. 143-48.3(a1) reads as rewritten:

"(a1)    The Department of Administration shall comply with the State government-wide technical architecture for information technology, as required by the Information Resources Management Commission State Chief Information Officer."

SECTION 40A.  G.S. 143-48.3(e) reads as rewritten:

"(e)      The Board of Governors of The University of North Carolina shall exempt North Carolina State University and The University of North Carolina at Chapel Hill from the electronic procurement system authorized by this Article until May 1, 2003. Each exemption shall be subject to the Board of Governors' annual review and reconsideration. Exempted constituent institutions shall continue working with the North Carolina E-Procurement Service as that system evolves and shall ensure that their proposed procurement systems are compatible with the North Carolina E-Procurement Service so that they may take advantage of this service to the greatest degree possible. Before an exempted institution expands any electronic procurement system, that institution shall consult with the Joint Legislative Commission on Governmental Operations and the Joint Select Legislative Oversight Committee on Information Technology. By May 1, 2003, the General Assembly shall evaluate the efficacy of the State's electronic procurement system and the inclusion and participation of entities in the system."

SECTION 41.  G.S. 143-48.3(f) reads as rewritten:

"(f)      Any State entity, local school administrative unit, or community college operating a functional electronic procurement system established prior to September 1, 2001, may until May 1, 2003, continue to operate that system independently or may opt into the North Carolina E-Procurement Service. Each entity subject to this section shall notify the Office of Information Technology Services Information Resources Management Commission by January 1, 2002, and annually thereafter, of by January 1 of each year of its intent to participate in the North Carolina E-Procurement Service."

SECTION 41A.  G.S. 143-52.1(e) reads as rewritten:

"(e)      Reports on recommendations made by the Board on matters presented by the State Chief Information Officer to the Board shall be reported monthly by the Board to the chairs of the Joint Select Legislative Oversight Committee on Information Technology."

SECTION 42.  G.S. 143-661(b)(5) reads as rewritten:

"(b)      The Board shall consist of 21 members, appointed as follows:

(5)       One member appointed by the Chair of the Information Resource Management Commission, who is the Chair or a member of that Commission, for a term to begin on September 1, 1996 and to expire on June 30, 1999.State Chief Information Officer."

SECTION 43.  G.S. 143-663(a)(2) reads as rewritten:

"§ 143-663.  Powers and duties.

(a)       The Board shall have the following powers and duties:

(2)       To develop and adopt uniform standards and cost-effective information technology, after thorough evaluation of the capacity of information technology to meet the present and future needs of the State and, in consultation with the Information Resource Management Commission, Office of Information Technology Services, to develop and adopt standards for entering, storing, and transmitting information in criminal justice databases and for achieving maximum compatibility among user technologies."

SECTION 44.  G.S. 143-725(a) reads as rewritten:

"§ 143-725.  Council established; role of the Center for Geographic Information and Analysis.

(a)       Council Established. - The North Carolina Geographic Information Coordinating Council ("Council") is established to develop policies regarding the utilization of geographic information, GIS systems, and other related technologies. The Council shall be responsible for the following:

(1)       Strategic planning.

(2)       Resolution of policy and technology issues.

(3)       Coordination, direction, and oversight of State, local, and private GIS efforts.

(4)       Advising the Governor, the General Assembly, and the Information Resource Management Commission (IRMC) State Chief Information Officer as to needed directions, responsibilities, and funding regarding geographic information.

The purpose of this statewide geographic information coordination effort shall be to further cooperation among State, federal, and local government agencies; academic institutions; and the private sector to improve the quality, access, cost-effectiveness, and utility of North Carolina's geographic information and to promote geographic information as a strategic resource in the State. The Council shall be located in the Office of the Governor for organizational, budgetary, and administrative purposes."

SECTION 45.  G.S. 143B-146.13 reads as rewritten:

"§ 143B-146.13.  School technology plan.

(a)       No later than December 15, 1998, the Secretary shall develop a school technology plan for the residential schools that meets the requirements of the State school technology plan. In developing a school technology plan, the Secretary is encouraged to coordinate its planning with other agencies of State and local government, including local school administrative units.

The Information Resources Management Commission Office of Information Technology Services shall assist the Secretary in developing the parts of the plan related to its technological aspects, to the extent that resources are available to do so. The Department of Public Instruction shall assist the Secretary in developing the instructional and technological aspects of the plan.

The Secretary shall submit the plan that is developed to the Information Resources Management Commission Office of Information Technology Services for its evaluation of the parts of the plan related to its technological aspects and to the Department of Public Instruction for its evaluation of the instructional aspects of the plan. The State Board of Education, after consideration of the evaluations of the Information Resources Management Commission Office of Information Technology Services and the Department of Public Instruction, shall approve all plans that comply with the requirements of the State school technology plan."

SECTION 45A.  G.S. 143B-437.47(e) reads as rewritten:

"(e)      Reports. - The Authority shall submit quarterly reports to the Governor, the Joint Select Legislative Oversight Committee on Information Technology, and the Joint Legislative Commission on Governmental Operations. The reports shall summarize the Authority's activities during the quarter and contain any information about the Authority's activities that is requested by the Governor, the Committee, or the Commission."

SECTION 46.  G.S. 147-64.6(b)(18) reads as rewritten:

"(b)      The Auditor shall be responsible for the following acts and activities:

(18)     The Auditor shall, after consultation and in coordination with the State Chief Information Officer, assess, confirm, and report on the security practices of information technology systems. If an agency has adopted standards pursuant to G.S. 147-33.82(d)(1) or (2), G.S. 147-33.111(a), the audit shall be in accordance with those standards. The Auditor's assessment of information security practices shall include an assessment of network vulnerability. The Auditor may conduct network penetration or any similar procedure as the Auditor may deem necessary. The Auditor may enter into a contract with a State agency under G.S. 147-33.82(d)(3) G.S. 147-33.111(c) for an assessment of network vulnerability, including network penetration or any similar procedure. Any contract with the Auditor for the assessment and testing shall be on a cost-reimbursement basis. The Auditor may investigate reported information technology security breaches, cyber attacks, and cyber fraud in State government. The Auditor shall issue public reports on the general results of the reviews undertaken pursuant to this subdivision but may provide agencies with detailed reports of the security issues identified pursuant to this subdivision which shall not be disclosed as provided in G.S. 132-6.1(c). The Auditor shall provide the State Chief Information Officer with detailed reports of the security issues identified pursuant to this subdivision. For the purposes of this subdivision only, the Auditor is exempt from the provisions of Article 3 of Chapter 143 of the General Statutes in retaining contractors."

SECTION 46A.  G.S. 147-68(d2) reads as rewritten:

"(d2)    After consulting with the Select Committee on Information Technology and the Joint Legislative Commission on Governmental Operations and after consultation with and approval of the Information Resources Management Commission, the Department of State Treasurer may spend departmental receipts for the 2000-2001 fiscal year to continue improvement of the Department's investment banking operations system, retirement payroll systems, and other information technology infrastructure needs. The Department of State Treasurer shall report by January 1, 2001, and annually thereafter to the following regarding the amount and use of the departmental receipts: the Joint Legislative Commission on Governmental Operations, the Chairs of the General Government Appropriations Subcommittees of both the House of Representatives and the Senate, and the Select Joint Legislative Committee on Information Technology."

PART IV. STUDIES.

SECTION 47.(a)  Each State agency, with the exception of The University of North Carolina and its constituent institutions, the Administrative Office of the Courts, and the General Assembly shall conduct a thorough, agencywide examination and analysis of its Information Technology (IT) infrastructure, including IT expenditures and management functions. The purpose of the examination is to enable the General Assembly, the State CIO, the Office of State Budget and Management, and the State Controller to readily determine the amount of State funds being expended annually on each and all IT functions. As part of this examination, each agency shall review IT contracts with outside vendors, including the adequacy of contract management, and shall consider the implementation of performance measures in the development of future IT contracts. Each agency shall also identify IT functions that could be performed more economically through statewide approach across all agencies. Each agency shall report its plan in a format developed and approved by the State CIO and the Office of State Budget and Management. Reports shall be submitted to the Office of State Budget and Management and the State CIO on or before March 1, 2005.

SECTION 47.(b)  The Office of State Budget and Management, in conjunction with the State CIO, the Information Technology Advisory Board, and the State Controller, shall develop a plan to consolidate information technology infrastructure, staffing, and expenditures where a statewide approach would be more economical. The plan shall not include The University of North Carolina and its constituent institutions, the Administrative Office of the Courts, and the General Assembly. The plan shall consider agency-specific program needs. The plan shall include specific recommendations to convert contractor FTE to State positions for recurring activities where the contractor positions have been filled for 12 months, beginning July 1, 2003. In developing the recommendations for converting contractor positions, the OSBM shall consider the nature of the work being performed by the contractors, the level of technical expertise required for the work, and whether the use of State positions would be more economical. The plan also shall identify agencies that lack the budgetary and technical resources to operate modern, secure information technology systems, and propose a method of consolidating those information technology systems under a centralized authority, with the approval of the agency. The OSBM shall use reports compiled by each State agency, as required by subsection (a) of this section, in the development of the plan. The office shall report the plan to the Joint Legislative Commission on Governmental Operations on or before January 1, 2006.

PART V. APPLICABILITY AND EFFECTIVE DATE.

SECTION 48.  Nothing in this act shall be construed to require a State agency that has issued a request for proposals for an information technology project approved by the Information Resources Management Commission to seek approval of the information technology project by the State Chief Information Officer under G.S. 147-33.72C or otherwise revise the request for proposals.

SECTION 49.  This act becomes effective July 1, 2004.

In the General Assembly read three times and ratified this the 17th day of July, 2004.

 

 

                                                                    s/ Beverly E. Perdue

                                                                         President of the Senate

 

 

                                                                    s/ James B. Black

                                                                         Speaker of the House of Representatives

 

 

                                                                    s/ Michael F. Easley

                                                                         Governor

 

 

Approved 10:31 a.m. this 27th day of July, 2004