Section NEW-NEW - [Newly enacted section not yet numbered] [Expires 7/1/2026] [Legislative branch chief information security officer](a) There is hereby established the position of legislative branch chief information security officer. The legislative chief information security officer shall be in the unclassified service under the Kansas civil service act, shall be appointed by the legislative coordinating council and shall receive compensation determined by the legislative coordinating council.(b) The legislative chief information security officer shall: (1) Report to the legislative chief information technology officer;(2) establish security standards and policies to protect the branch's information technology systems and infrastructure in accordance with subsection (c);(3) ensure the confidentiality, availability and integrity of the information transacted, stored or processed in the branch's information technology systems and infrastructure;(4) develop a centralized cybersecurity protocol for protecting and managing legislative branch information technology assets and infrastructure;(5) detect and respond to security incidents consistent with information security standards and policies;(6) be responsible for the cybersecurity of all legislative branch data and information resources and obtain approval from the revisor of statutes prior to taking any action on any matter that involves a legal issue related to the security of information technology;(7) collaborate with the chief information security officers of the other branches of state government to respond to cybersecurity incidents;(8) ensure that all legislators and legislative branch employees complete cybersecurity awareness training annually and if an employee does not complete the required training, such employee's access to any state-issued hardware or the state network is revoked;(9) review all contracts related to information technology entered into by a person or entity within the legislative branch to make efforts to reduce the risk of security vulnerabilities within the supply chain or product and ensure each contract contains standard security language; and(10) coordinate with the United States cybersecurity and infrastructure security agency to perform annual audits of legislative branch agencies for compliance with applicable state and federal laws, rules and regulations and legislative branch policies and standards. The legislative chief information security officer shall make an audit request to such agency annually, regardless of whether or not such agency has the capacity to perform the requested audit.(c) The legislative chief information security officer shall develop a cybersecurity program of each legislative agency that complies with the national institute of standards and technology cybersecurity framework (CSF) 2.0, as in effect on July 1, 2024. The legislative chief information security officer shall ensure that such programs achieve a CSF tier of 3.0 prior to July 1, 2028, and a CSF tier of 4.0 prior to July 1, 2030. The agency head of each legislative agency shall coordinate with the legislative chief information security officer to achieve such standards.(d)(1) If an audit conducted pursuant to subsection (b)(10) results in a failure, the legislative chief information security officer shall report such failure to the speaker and minority leader of the house of representatives and the president and minority leader of the senate within 30 days of receiving notice of such failure. Such report shall contain a plan to mitigate any security risks identified in the audit. The legislative chief information security officer shall coordinate for an additional audit after the mitigation plan is implemented and report the results of such audit to the speaker and minority leader of the house of representatives and the president and minority leader of the senate.(2) Results of audits conducted pursuant to subsection (b)(10) and the reports described in subsection (d)(1) shall be confidential and shall not be subject to discovery or disclosure pursuant to the open records act, K.S.A. 45-215 et seq., and amendments thereto.(e) This section shall expire on July 1, 2026.Added by L. 2024, ch. 95,§ 3, eff. 7/1/2024.