Section 4-13.1-4-8 - [Effective 7/1/2025] Requirements for connection to state technology infrastructure(a) A public entity that connects to the technology infrastructure of the state after July 1, 2027, must: (1) have completed a cybersecurity assessment within the three (3) year period immediately preceding the first date after July 1, 2027, on which the public entity connects to the technology infrastructure of the state;(2) complete a cybersecurity assessment at least once every three (3) years after the first date after July 1, 2027, on which the public entity connects to the technology infrastructure of the state;(3) provide proof to the office of the public entity's compliance with subdivisions (1) and (2) upon request by the office;(4) if the public entity is a state agency or political subdivision, have an "in.gov" or ".gov" domain name; and(5) have a secondary end user authentication mechanism.(b) An entity that is not a public entity and that connects to the technology infrastructure of the state after July 1, 2026, must:(1) have completed a cybersecurity assessment within the two (2) year period immediately preceding the first date after July 1, 2026, on which the entity connects to the technology infrastructure of the state;(2) complete a cybersecurity assessment:(A) at least once every two (2) years after the first date after July 1, 2026, on which the entity connects to the technology infrastructure of the state; and(B) biennially for as long as the entity connects to the technology infrastructure of the state;(3) provide proof to the office of the entity's compliance with subdivisions (1) and (2) upon request by the office; and(4) have a secondary end user authentication mechanism.(c) At the discretion of the office: (1) a public entity that is not in compliance with subsection (a); or(2) an entity that is not in compliance with subsection (b); may be disconnected from the technology infrastructure of the state.
Added by P.L. 108-2024,SEC. 2, eff. 7/1/2025.