63C-27 - Cybersecurity Commission
General Provisions
63C-27-101 - Definitions.
As used in this chapter:
63C-27-101(1) “Commission” means the Cybersecurity Commission created in this chapter.
63C-27-101(2) “Critical infrastructure” includes the following sectors the United States Department of Homeland Security identifies as critical:
  chemical;
  commercial facilities;
  communications;
  critical manufacturing;
  dams;
  defense industrial base;
  emergency services;
  energy;
  financial services;
  food and agriculture;
  government facilities;
  healthcare and public health;
  information technology;
  nuclear reactors, nuclear materials, and nuclear waste;
  transportation systems; and
  water and wastewater systems.
Cybersecurity Commission
63C-27-201 - Cybersecurity Commission created.
63C-27-201(1) There is created the Cybersecurity Commission.
63C-27-201(2) The commission shall be composed of 24 members:
  one member the governor designates to serve as the governor’s designee;
  the commissioner of the Department of Public Safety;
  the lieutenant governor, or an election officer, as that term is defined in Section 20A-1-102, the lieutenant governor designates to serve as the lieutenant governor’s designee;
  the chief information officer of the Division of Technology Services;
  the chief information security officer, as described in Section 63A-16-210;
  the chairman of the Public Service Commission shall designate a representative with professional experience in information technology or cybersecurity;
  the executive director of the Utah Department of Transportation shall designate a representative with professional experience in information technology or cybersecurity;
  the director of the Division of Finance shall designate a representative with professional experience in information technology or cybersecurity;
  the executive director of the Department of Health and Human Services shall designate a representative with professional experience in information technology or cybersecurity;
  the director of the Division of Indian Affairs shall designate a representative with professional experience in information technology or cybersecurity;
  the Utah League of Cities and Towns shall designate a representative with professional experience in information technology or cybersecurity;
  the Utah Association of Counties shall designate a representative with professional experience in information technology or cybersecurity;
  the attorney general, or the attorney general’s designee;
  the commissioner of financial institutions, or the commissioner’s designee;
  the executive director of the Department of Environmental Quality shall designate a representative with professional experience in information technology or cybersecurity;
  the executive director of the Department of Natural Resources shall designate a representative with professional experience in information technology or cybersecurity;
  the highest ranking information technology official, or the official’s designee, from each of:
    the Judicial Council;
    the Utah Board of Higher Education;
    the State Board of Education; and
    the State Tax Commission;
  the governor shall appoint:
    one representative from the Utah National Guard; and
    one representative from the Governor’s Office of Economic Opportunity;
  the president of the Senate shall appoint one member of the Senate; and
  the speaker of the House of Representatives shall appoint one member of the House of Representatives.
63C-27-201(3) The governor’s designee shall serve as cochair of the commission. The commissioner of the Department of Public Safety shall serve as cochair of the commission.
63C-27-201(4) The members described in Subsection (2) shall represent urban, rural, and suburban population areas. No fewer than half of the members described in Subsection (2) shall have professional experience in cybersecurity or in information technology.
63C-27-201(5) In addition to the membership described in Subsection (2), the commission shall seek information and advice from state and private entities with expertise in critical infrastructure.
63C-27-201(6) As necessary to improve information and protect potential vulnerabilities, the commission shall seek information and advice from federal entities including:
  the Cybersecurity and Infrastructure Security Agency;
  the Federal Energy Regulatory Commission;
  the Federal Bureau of Investigation; and
  the United States Department of Transportation.
63C-27-201(7) Except as provided in Subsections (7)(b) and (c), a member is appointed for a term of four years. A member shall serve until the member’s successor is appointed and qualified. Notwithstanding the requirements of Subsection (7)(a), the governor shall, at the time of appointment or reappointment, adjust the length of terms to ensure that the terms of commission members are staggered so that approximately half of the commission members appointed under Subsection (2)(r) are appointed every two years.
63C-27-201(8) If a vacancy occurs in the membership of the commission, the member shall be replaced in the same manner in which the original appointment was made. An individual may be appointed to more than one term. When a vacancy occurs in the membership for any reason, the replacement shall be appointed for the unexpired term.
63C-27-201(9) A majority of the members of the commission is a quorum. The action of a majority of a quorum constitutes an action of the commission.
63C-27-201(10) The commission shall meet at least two times a year.
63C-27-202 - Commission duties.
The commission shall:
63C-27-202(1) identify and inform the governor of:
  cyber threats and vulnerabilities towards Utah’s critical infrastructure;
  cybersecurity assets and resources;
  an analysis of:
    current cyber incident response capabilities;
    potential cyber threats; and
    areas of significant concern with respect to:
      vulnerability to cyber attack; or
      seriousness of consequences in the event of a cyber attack;
63C-27-202(2) provide resources with respect to cyber attacks in both the public and private sector, including:
  best practices;
  education; and
  mitigation;
63C-27-202(3) promote cyber security awareness;
63C-27-202(4) share information;
63C-27-202(5) promote best practices to prevent and mitigate cyber attacks;
63C-27-202(6) enhance cyber capabilities and response for all Utahns;
63C-27-202(7) provide consistent outreach and collaboration with private and public sector organizations; and
63C-27-202(8) share cyber threat intelligence to operators and overseers of Utah’s critical infrastructure.
63C-27-203 - Compensation of members.
63C-27-203(1) A member who is not a legislator may not receive compensation or benefits for the member’s service, but may receive per diem and travel expenses incurred as a member of the commission at the rates established by the Division of Finance under:
  Sections 63A-3-106 and 63A-3-107; and
  rules made by the Division of Finance in accordance with Sections 63A-3-106 and 63A-3-107.
63C-27-203(2) Compensation and expenses of a member who is a legislator are governed by Section 36-2-2 and Legislative Joint Rules, Title 5, Legislative Compensation and Expenses.
63C-27-204 - Staffing.
The Department of Public Safety shall provide staff and support to the commission.
63C-27-205 - Reporting requirement.
On or before November 30, the commission shall report to the Public Utilities, Energy, and Technology Interim Committee:
63C-27-205(1) an assessment of cyber threats to Utah;
63C-27-205(2) recommendations for legislation that would reduce the state’s vulnerability to attack; and
63C-27-205(3) recommendations for best practices for state government with respect to cybersecurity.
63C-27-206 - Closure of meetings.
The commission may, in accordance with Section 52-4-204, close to the public a meeting to discuss an item described in Subsections 63C-27-202(1) and (8).