HB 1219 — An Act amending Title 71 (State Government) of the Pennsylvania Consolidated Statutes, in boards and offices, providing for information technology; establishing the Office of Information Technology and the Information Technology Fund; providing for administrative and procurement procedures and for the Joint Cybersecurity Oversight Committee; imposing duties on the Office of Information Technology; providing for administration of Pennsylvania Statewide Radio Network; and imposing penalties.

PRINTER'S NO.   1367

                     THE GENERAL ASSEMBLY OF PENNSYLVANIA



                         HOUSE BILL
                         No. 1219
                                                Session of
                                                  2025

     INTRODUCED BY GROVE, CUTLER, STENDER AND GAYDOS, APRIL 15, 2025

     REFERRED TO COMMITTEE ON COMMUNICATIONS AND TECHNOLOGY,
        APRIL 15, 2025


                                     AN ACT
 1   Amending Title 71 (State Government) of the Pennsylvania
 2      Consolidated Statutes, in boards and offices, providing for
 3      information technology; establishing the Office of
 4      Information Technology and the Information Technology Fund;
 5      providing for administrative and procurement procedures and
 6      for the Joint Cybersecurity Oversight Committee; imposing
 7      duties on the Office of Information Technology; providing for
 8      administration of Pennsylvania Statewide Radio Network; and
 9      imposing penalties.
10      The General Assembly of the Commonwealth of Pennsylvania
11   hereby enacts as follows:
12      Section 1.    Part V of Title 71 of the Pennsylvania
13   Consolidated Statutes is amended by adding a chapter to read:
14                                 CHAPTER 43
15                          INFORMATION TECHNOLOGY
16   Subchapter
17      A.   General Provisions
18      B.   Office of Information Technology
19      C.   Business Operations
20      D.   Procurement of Information Technology
21      E.   Security
 1      F.     Enforcement and Penalties
 2      G.     Pennsylvania Statewide Radio Network
 3                                  SUBCHAPTER A
 4                              GENERAL PROVISIONS
 5   Sec.
 6   4301.   Scope of chapter.
 7   4302.   Findings and declarations.
 8   4303.   Definitions.
 9   § 4301.    Scope of chapter.
10      This chapter relates to administrative procedures and
11   procurement regarding information technology.
12   § 4302.    Findings and declarations.
13      The General Assembly finds and declares the following:
14             (1)   The Commonwealth has struggled to keep information
15      technology costs under control, including failing to include
16      as part of overall costs, time spent by Commonwealth staff
17      for development, implementation and use of information
18      technology.
19             (2)   Many of the Commonwealth's information technology
20      contracts extend well beyond their anticipated date of
21      completion.
22             (3)   The Commonwealth can begin to reduce information
23      technology costs by the consolidation of information
24      technology functions and resources within the executive
25      branch.
26             (4)   Consolidation of information technology services
27      will not only reduce costs but create more efficient
28      information technology operations.
29             (5)   By reforming the Commonwealth's outdated approach to
30      information technology, the Commonwealth can improve data and

20250HB1219PN1367                      - 2 -
 1      analytic capabilities and improve cybersecurity.
 2             (6)   The improvement of operations will enhance taxpayer
 3      satisfaction and make it easier for residents to navigate.
 4             (7)   Consolidation of information technology services
 5      must be designed to improve accountability and transparency
 6      to taxpayers and enhance the Commonwealth's data and
 7      analytics capabilities.
 8             (8)   The Commonwealth shall, as part of its information
 9      technology and cybersecurity efforts:
10                   (i)    Reduce redundancy and align information
11             technology spending in a manner that reduces costs and
12             measurably improves Commonwealth agency mission
13             effectiveness.
14                   (ii)    Improve quality, transparency and
15             accountability in the procurement and use of information
16             technology.
17                   (iii)    Achieve five-year budget limits, within
18             limited variance, for all administrative agencies for
19             projects above a de minimis threshold.
20                   (iv)    Achieve measurable protection for Commonwealth
21             data, including identifying and mitigating risks for
22             personal identifiable information and other valuable,
23             nonpublic mission critical data.
24   § 4303.    Definitions.
25      The following words and phrases when used in this chapter
26   shall have the meanings given to them in this section unless the
27   context clearly indicates otherwise:
28      "Architecture."        The overall design of a computing system and
29   the logical and physical interrelationships between its
30   components.

20250HB1219PN1367                        - 3 -
 1      "Authorization to operate."     A formal declaration by the head
 2   of the State agency that:
 3          (1)     authorizes operation of a product and explicitly
 4      accepts the risk to agency operations; and
 5          (2)     is signed after the system has met and passed all
 6      requirements to become operational.
 7      "Business case."    A statement specifying the needs of the
 8   State agency for information technology, services and related
 9   resources, including expected improvements to programmatic or
10   business operations, and the requirements for State resources
11   and funding, together with an evaluation of those requirements
12   by the chief information officer assigned to the State agency
13   which takes into consideration:
14          (1)     The State's current technology.
15          (2)     The opportunities for technology sharing.
16          (3)     Any other factors relevant to the analysis by the
17      director.
18      "Director."    The administrative head of the office and chief
19   information officer of the Commonwealth.
20      "Distributed information technology assets."    Hardware,
21   software and communications equipment not classified as
22   traditional mainframe-based items, including personal computers,
23   local area networks, servers, mobile computers, peripheral
24   equipment and other related hardware and software items.
25      "Electronic bidding."    The electronic solicitation and
26   receipt of offers to contract.
27      "Fund."   The Information Technology Fund established under
28   section 4316 (relating to Information Technology Fund).
29      "Independent agency."    As follows:
30          (1)     A board, commission, authority or other agency of

20250HB1219PN1367                    - 4 -
 1      the Commonwealth that is not subject to the policy
 2      supervision and control of the Governor.
 3          (2)    The term does not include:
 4                 (i)    A court or agency of the unified judicial
 5          system.
 6                 (ii)    The General Assembly or an agency of the
 7          General Assembly.
 8      "Independent department."      Any of the following:
 9          (1)    The Department of the Auditor General.
10          (2)    The Treasury Department.
11          (3)    The Office of Attorney General.
12          (4)    A board or commission of an entity under paragraph
13      (1), (2) or (3).
14      "Information technology."      Hardware, software and
15   telecommunications equipment, including the following:
16          (1)    Personal computers.
17          (2)    Servers.
18          (3)    Mainframes.
19          (4)    Wired or wireless wide and local area networks.
20          (5)    Broadband.
21          (6)    Mobile or portable computers.
22          (7)    Peripheral equipment.
23          (8)    Telephones.
24          (9)    Wireless communications.
25          (10)    Handheld devices.
26          (11)    Facsimile machines.
27          (12)    Technology facilities, including data centers,
28      dedicated training facilities or switching facilities.
29          (13)    Electronic payment processing services.
30          (14)    Other relevant hardware and software items or

20250HB1219PN1367                      - 5 -
 1      personnel tasked with the planning, implementation or support
 2      of technology, including hosting or vendor-managed service
 3      solutions.
 4      "Information technology budget."     As follows:
 5          (1)     All information technology expenditures listed by
 6      project and amount of expenditure for planning, development,
 7      modernization, operations and maintenance.
 8          (2)     The term includes all software, hardware,
 9      Commonwealth and vendor staff and service costs.
10      "Information technology security incident."     A computer-based
11   activity, network-based activity or paper-based activity that
12   results directly or indirectly in misuse, damage, denial of
13   service, compromise of integrity or loss of confidentiality of a
14   network, computer, application or data.
15      "Office."    The Office of Information Technology established
16   under Subchapter B (relating to Office of Information
17   Technology).
18      "Open data."    Government data sets and documents that are
19   considered publicly available under the act of February 14, 2008
20   (P.L.6, No.3), known as the Right-to-Know Law, or other
21   Commonwealth transparency initiatives to use and republish
22   without restriction from copyright, patents or other
23   restrictions on control.
24      "Portal."    A publicly accessible Internet website.
25      "Reverse auction."    A real-time purchasing process in which
26   vendors compete to provide goods or services at the lowest
27   selling price in an open and interactive electronic environment.
28      "Secretary."    The Secretary of Administration of the
29   Commonwealth.
30      "State agency."    Any of the following:

20250HB1219PN1367                    - 6 -
 1             (1)   The Governor's Office.
 2             (2)   A department, board, commission, authority or other
 3      agency of the Commonwealth that is subject to the policy
 4      supervision and control of the Governor.
 5             (3)   The office of Lieutenant Governor.
 6             (4)   An independent agency.
 7                                   SUBCHAPTER B
 8                        OFFICE OF INFORMATION TECHNOLOGY
 9   Sec.
10   4311.    Establishment of office.
11   4312.    Duties of office.
12   4313.    Director.
13   4314.    Transfer of additional duties and personnel.
14   4315.    Planning and financing information technology resources.
15   4316.    Information Technology Fund.
16   4317.    Financial accountability and information technology.
17   4318.    Commonwealth portal.
18   4319.    Statewide information technology transparency portal.
19   4320.    State agency requests for information technology and
20                   services.
21   4321.    Status of information technology projects and corrective
22                   action plans.
23   § 4311.    Establishment of office.
24      The Office of Information Technology is established within
25   the Governor's Office of Administration to oversee and achieve
26   information technology consolidation and other findings of this
27   chapter.
28   § 4312.    Duties of office.
29      (a)     Duties generally.--The office shall:
30             (1)   Consolidate information technology functions,

20250HB1219PN1367                       - 7 -
 1    powers, duties, obligations, infrastructure and support
 2    services vested in State agencies.
 3        (2)    Provide, operate and manage the information
 4    technology services for each State agency under the
 5    Governor's jurisdiction, including the following:
 6               (i)    The development of priorities and strategic
 7        plans.
 8               (ii)    The management of information technology
 9        investments, procurement and policy.
10               (iii)    Compliance with the provisions of this chapter
11        through consultation and engagement with the secretary of
12        each agency.
13        (3)    Notwithstanding any other provisions of law, procure
14    all information technology and information technology as a
15    service for State agencies utilizing the processes under 62
16    Pa.C.S. Ch. 5 (relating to source selection and contract
17    formation). The office shall integrate technological review,
18    cost analysis and procurement for all information technology
19    needs of State agencies to make procurement and
20    implementation of technology more responsive, efficient and
21    cost effective.
22        (4)    Determine any changes to staffing or operations
23    regarding information technology.
24        (5)    Provide documentation and training to achieve
25    development in the functional responsibilities that shall
26    include:
27               (i)    Defining an information technology strategy
28        plan.
29               (ii)    Defining enterprise architecture.
30               (iii)    Determining technological direction.

20250HB1219PN1367                    - 8 -
 1             (iv)    Defining information technology organization
 2        and relationships.
 3             (v)    Managing information technology investment.
 4             (vi)    Communicating management aims and direction.
 5             (vii)    Managing information technology human
 6        resources.
 7             (viii)    Managing quality.
 8             (ix)    Assessing risks.
 9             (x)    Managing projects.
10             (xi)    Identifying automated solutions.
11             (xii)    Acquiring and maintaining application
12        software.
13             (xiii)    Acquiring and maintaining technology
14        infrastructure.
15             (xiv)    Enabling operation and use.
16             (xv)    Procuring information technology resources.
17             (xvi)    Managing changes.
18             (xvii)    Installing and accrediting solutions and
19        changes.
20             (xviii)    Defining and managing service levels.
21             (xix)    Managing third-party services.
22             (xx)    Managing performance and capacity.
23             (xxi)    Ensuring continuous service.
24             (xxii)    Ensuring system security.
25             (xxiii)    Identifying and allocating costs.
26             (xxiv)    Educating and training users.
27             (xxv)    Managing service desk and incidents.
28             (xxvi)    Managing the configuration.
29             (xxvii)    Managing problems.
30             (xxviii)    Managing data.

20250HB1219PN1367                  - 9 -
 1                  (xxix)    Managing physical environment.
 2                  (xxx)    Managing operations.
 3                  (xxxi)    Monitoring and evaluating information
 4            technology performance.
 5                  (xxxii)    Monitoring and evaluating internal controls.
 6                  (xxxiii)    Ensuring compliance with external
 7            requirements.
 8                  (xxxiv)    Providing improved information technology
 9            governance.
10      (b)   Specific duties.--As part of the general duties under
11   subsection (a), the office shall:
12            (1)   Develop and administer a comprehensive long-range
13      plan to ensure the proper management of the information
14      technology resources of the Commonwealth.
15            (2)   Set technical standards for information technology
16      and review and approve information technology projects and
17      budgets.
18            (3)   Establish information technology security standards.
19            (4)   Provide for the procurement of information
20      technology resources.
21            (5)   Develop a schedule for the replacement or
22      modification of information technology systems.
23            (6)   Prescribe the manner in which information technology
24      assets, systems and personnel shall be provided and
25      distributed among State agencies.
26            (7)   Prescribe the manner of inspecting or testing
27      information technology assets, systems or personnel to
28      determine compliance with information technology plans,
29      specifications and requirements.
30            (8)   Develop an annual information technology strategic

20250HB1219PN1367                       - 10 -
 1    plan that aligns information technology expenditures with
 2    each State agency's strategic initiatives and ongoing mission
 3    needs, including priorities resource use and expenditures,
 4    performance review measures, procurement and other governance
 5    and planning measures.
 6        (9)    Provide guidance, review and approve the information
 7    technology plans for each State agency.
 8        (10)   Obtain guidance and consult with the Office of the
 9    Budget on budgetary matters regarding information technology
10    spending and procurement plans.
11        (11)   Obtain advice on matters involving overall
12    technology and data governance from academia, private sector
13    and other leading government institutions.
14        (12)   Establish and maintain an information technology
15    portfolio management process to prepare and manage the
16    information technology budget, including overall monitoring
17    of information technology program objectives and alignment
18    with administrative priorities, budgets and expenditures.
19        (13)   Identify common information technology business
20    functions within each State agency.
21        (14)   Make recommendations for consolidation, integration
22    and investment.
23        (15)   Facilitate the use of common technology, as
24    appropriate.
25        (16)   Ensure the proper use of project management
26    methodologies and principles on information technology
27    projects, including measures to review project delivery and
28    quality.
29        (17)   Ensure compliance by each State agency with
30    required business process reviews.

20250HB1219PN1367                 - 11 -
 1        (18)    Audit the information technology assets of each
 2    State agency no later than 547 days after the effective date
 3    of this paragraph.
 4        (19)    Serve as a liaison between State agencies and
 5    contracted information technology vendors.
 6        (20)    Align the appropriate technology and procurement
 7    methods with the service strategy.
 8        (21)    Establish and maintain an information technology
 9    architecture that ensures a modern operating environment for
10    agencies and aligns all information technology investments to
11    the information technology strategic plan. This architecture
12    shall include the following, as appropriate:
13               (i)    The development of standards, policies,
14        processes and strategic technology roadmaps.
15               (ii)    The performance of technical reviews and
16        capability assessments of services, technologies and
17        State agency systems.
18               (iii)    The evaluation of requests for information
19        technology policy exceptions.
20               (iv)    The ability to incorporate emerging
21        technologies in a cost-effective and timely manner.
22        (22)    Develop and implement efforts to standardize data
23    elements and determine data ownership assignments.
24        (23)    Establish and operate centers of expertise for
25    specific information technologies and services to serve two
26    or more State agencies on a cost-sharing basis, if the
27    director, after consultation with the Office of the Budget,
28    decides it is advisable from the standpoint of the
29    information technology strategic plan, efficiency and economy
30    to establish these centers and services.

20250HB1219PN1367                    - 12 -
 1        (24)   Require a State agency served to transfer to the
 2    office ownership, custody or control of information
 3    processing equipment, supplies and positions required to
 4    implement the information technology strategic plan.
 5        (25)   Develop and promote training programs to
 6    efficiently implement, use and manage information technology
 7    resources throughout State government.
 8        (26)   Develop and maintain a comprehensive information
 9    technology inventory.
10        (27)   Monitor compliance with information technology
11    policy and standards through investment, budgeting and
12    architectural review processes.
13        (28)   Maintain and strengthen the Commonwealth's
14    cybersecurity posture through security governance.
15        (29)   Develop security solutions, services and programs
16    to protect data and infrastructure.
17        (30)   Identify and remediate security risks and maintain
18    citizen trust in securing computerized personal information.
19        (31)   Implement programs, processes and solutions to
20    maintain cybersecurity situational awareness and effectively
21    respond to cybersecurity attacks and information technology
22    security incidents.
23        (32)   Create a process identifying risks to the success
24    of information technology programs and projects, developing
25    mitigations, incorporating mitigating actions in budgeting
26    and investment and review processes.
27        (33)   Conduct evaluations and compliance audits of State
28    agency security infrastructure.
29        (34)   Develop and produce cost, risk and quality
30    initiatives that consolidate State agency information

20250HB1219PN1367                - 13 -
 1    technology services, including infrastructure, personnel,
 2    investments, operations and support services necessary to
 3    achieve the findings of this chapter.
 4        (35)     Establish and facilitate a process for the
 5    identification, evaluation and optimization of information
 6    technology shared services.
 7        (36)     Establish a process for the following:
 8               (i)    Developing and implementing telecommunications
 9        policies, services and infrastructure.
10               (ii)   Reviewing and authorizing State agency requests
11        for enhanced services.
12        (37)     Identify opportunities for convergence and
13    leveraging existing assets to reduce or eliminate duplicative
14    telecommunication networks.
15        (38)     Establish, maintain and continuously optimize cost
16    and performance of an information technology service
17    management process library and services catalog to govern the
18    services provided to each State agency.
19        (39)     Establish a formal operational testing environment
20    to enable the rapid evaluation and introduction of new
21    information technology services and the retiring of existing
22    information technology services.
23        (40)     Establish metrics to monitor the health of the
24    services provided and make appropriate corrections as
25    necessary.
26        (41)     Establish information technology data management
27    and development policy frameworks throughout each State
28    agency that include policies, processes and standards that
29    adhere to commonly accepted principles for, among other
30    things, data governance, data development and the quality,

20250HB1219PN1367                    - 14 -
 1    sourcing, use, accessibility, content, ownership and
 2    licensing of open data.
 3        (42)    Create and maintain a comprehensive open data
 4    portal for public accessibility.
 5        (43)    Provide guidance regarding the procurement of
 6    supplies and services related to the subject matter of this
 7    chapter.
 8        (44)    Facilitate communication with the public by
 9    publishing open data plans and policies and by soliciting or
10    allowing for public input on the subject matter of this
11    chapter.
12        (45)    Ensure the internal examination of Commonwealth
13    data sets for business, confidentiality, privacy and security
14    issues and the reasonable mitigation of those issues, prior
15    to the data's release for open data purposes.
16        (46)    Develop and facilitate the engagement with private
17    and other public stakeholders, including arranging for and
18    expediting data-sharing agreements and encouraging and
19    facilitating cooperation and substantive and administrative
20    efficiencies.
21        (47)    Develop and facilitate data sharing and data
22    analytics to minimize redundancy and align information
23    technology spending in a manner that reduces costs and
24    measurably improves Commonwealth agency mission
25    effectiveness.
26        (48)    Oversee the information technology contracts of
27    each State agency. The following shall apply:
28               (i)   The office shall obtain, review and maintain, on
29        an ongoing basis, records of the appropriations,
30        allotments, expenditures and revenues of each State

20250HB1219PN1367                   - 15 -
 1             agency for information technology.
 2                   (ii)    The office shall identify opportunities for
 3             consolidation of redundant expenditures that could be
 4             more cost effectively provided through multiagency shared
 5             services.
 6                   (iii)    The office shall conduct annual reviews of
 7             agency programs and contract cost estimates to ensure
 8             accuracy and quality in budgetary estimates.
 9      (c)    Discretionary duties.--The office may provide
10   information technology services on a cost-sharing basis to the
11   following:
12             (1)   An independent department as requested by the head
13      of the independent department.
14             (2)   The General Assembly and its agencies as requested
15      by the President pro tempore of the Senate and the Speaker of
16      the House of Representatives.
17             (3)   The judicial branch as requested by the Chief
18      Justice of Pennsylvania.
19   § 4313.    Director.
20      (a)    Appointment and salary.--The secretary shall appoint the
21   director and set the starting salary of the director.
22      (b)    Qualifications.--The director must be qualified by
23   experience for the office and have at least five years of
24   experience dealing with public sector information systems in a
25   State government agency or an equivalent entity. The
26   qualifications shall include verifying that an individual has
27   the proper industry certifications necessary to perform the
28   duties under this chapter.
29      (c)    Duties.--In addition to other duties specified under
30   this chapter, the director shall:

20250HB1219PN1367                        - 16 -
 1            (1)   Manage the operations of the office in a manner
 2      conducive to achieving the findings of this chapter.
 3            (2)   Review and approve reports by each State agency
 4      concerning information technology assets, systems, personnel
 5      and projects and prescribe the form of the reports.
 6            (3)   Hire personnel as necessary to perform the functions
 7      of the office.
 8            (4)   Provide written determination to the Secretary of
 9      the Budget of findings, remediation plan and restructuring
10      actions for programs designated as the color red in
11      accordance with section 4319 (relating to Statewide
12      information technology transparency portal).
13            (5)   Notify the Treasury Department in order to suspend
14      funding for a program that has been designated as the color
15      red in accordance with section 4321 (relating to status of
16      information technology projects and corrective action plans).
17      (d)     Oversight.--The director shall oversee the manner and
18   means by which information technology business and disaster
19   recovery plans for State agencies are created, reviewed and
20   updated.
21      (e)     Disaster recovery plan.--
22            (1)   The director shall ensure that each State agency
23      establish a disaster recovery planning team and work with the
24      office to develop a disaster recovery plan and administer and
25      implement the plan.
26            (2)   In developing a disaster recovery plan, all of the
27      following shall be completed:
28                  (i)   Consideration of the organizational, managerial
29            and technical environments in which the plan must be
30            implemented.

20250HB1219PN1367                      - 17 -
 1                   (ii)    An assessment of the types and likely
 2             parameters of disasters most likely to occur and the
 3             resultant impacts on the State agency's ability to
 4             perform its mission.
 5                   (iii)    The listing of the protective measures to be
 6             implemented in anticipation of a natural or manmade
 7             disaster.
 8                   (iv)    A determination whether the plan is adequate to
 9             address information technology security incidents.
10             (3)   Each State agency shall submit its disaster recovery
11      plan to the director on an annual basis and as otherwise
12      requested by the director.
13   § 4314.    Transfer of additional duties and personnel.
14      Upon the effective date of this section, information
15   technology functions, powers, duties, obligations and services
16   shall be transferred to and organized to the maximum extent
17   practicable into centers that provide shared services to State
18   agencies in accordance with the following:
19             (1)   The chief information officer of each State agency
20      or shared service center shall:
21                   (i)    Report directly to the director.
22                   (ii)    Work within the chief information officer's
23             respective State agency or shared service center on
24             behalf of the office as an employee of the office.
25             (2)   An employee of a State agency who handles or
26      otherwise has responsibility for the State agency's
27      information technology services shall be transferred to the
28      office and operate in the physical location of the State
29      agency or the shared services center supporting that agency,
30      but the employee shall report matters to the office and be

20250HB1219PN1367                        - 18 -
 1      supervised by the chief information officer of the State
 2      agency or head of the shared services center.
 3             (3)   The chief information officer of each agency or
 4      shared service center shall be responsible for identifying
 5      and implementing actions and milestones as required to
 6      fulfill the remediation plan determined by the director under
 7      section 4313(c)(4) (relating to director).
 8             (4)   Each State agency shall provide personnel if
 9      necessary to participate in project management,
10      implementation, testing, shared services and other activities
11      for an information technology project.
12   § 4315.    Planning and financing information technology
13                   resources.
14      (a)    Development of policies.--The director shall issue
15   necessary policies for State agency information technology
16   planning and financing consistent with the findings under
17   section 4302 (relating to findings and declarations).
18      (b)    Development of plan.--
19             (1)   The director shall analyze the needs for information
20      and information technology systems and develop a plan to
21      ascertain the needs, costs and time frame required for State
22      agencies to efficiently use information technology systems,
23      resources, security and data management to achieve the
24      purposes of this chapter. The plan may include current
25      applications and infrastructure, migration from current
26      environments and other information necessary for fiscal or
27      technology planning and shall include a budget for all
28      information technology expenditures.
29             (2)   In consultation with the Secretary of the Budget,
30      the office shall develop and implement a plan to manage all

20250HB1219PN1367                     - 19 -
 1    information technology funding, including Commonwealth and
 2    other receipts, as soon as practicable. As part of the
 3    development and implementation, the following shall apply:
 4                (i)    Funding for information technology resources,
 5          projects and contracts shall be allocated to each
 6          Commonwealth agency by the office based on approved
 7          business case submissions.
 8                (ii)    Information technology budget codes and fund
 9          codes shall be created as required.
10          (3)   The director shall develop strategic plans for
11    information technology as necessary.
12    (c)   Consultation and cooperation.--
13          (1)   In determining whether a strategic plan is necessary
14    for a State agency, the director shall consider the State
15    agency's operational needs, functions and performance
16    capabilities.
17          (2)   The director shall consult with and assist State
18    agencies in the preparation of plans under this subsection.
19          (3)   Each State agency shall actively participate in
20    preparing, testing and implementing an information technology
21    plan as determined by the director. A State agency shall
22    provide all financial information to the director necessary
23    to determine full costs and expenditures for information
24    technology assets, including resources provided by the State
25    agency or through contracts or grants.
26          (4)   Each State agency shall prepare and submit plans as
27    required by the director.
28          (5)   A plan by a State agency shall be submitted to the
29    director no later than October 1 of each even-numbered year.
30    (d)   Biennial plan.--

20250HB1219PN1367                     - 20 -
 1             (1)   The director shall develop a biennial State
 2      Information Technology Plan, which shall be transmitted to
 3      the General Assembly in conjunction with the Governor's
 4      budget submission that year.
 5             (2)   The biennial plan shall include:
 6                   (i)    An inventory of current information technology
 7             assets and major projects.
 8                   (ii)    An inventory of significant unmet needs for
 9             information technology resources over a five-year time
10             period, along with a ranking of the unmet needs in
11             priority order according to their urgency.
12                   (iii)    A statement of the financial requirements,
13             together with a recommended funding schedule for major
14             projects in progress or anticipated for approval during
15             the upcoming fiscal biennium.
16                   (iv)    An analysis of opportunities for Statewide
17             initiatives that would yield significant efficiencies or
18             improve effectiveness in State programs.
19             (3)   As used in this subsection, the term "major project"
20      includes a project costing more than $500,000 to implement.
21   § 4316.    Information Technology Fund.
22      (a)    Establishment.--An account is established in the General
23   Fund to be known as the Information Technology Fund.
24      (b)    Receipt of money.--The fund shall receive money for the
25   operations of the office and to fulfill the duties of the office
26   under this chapter by the following methods:
27             (1)   The transfer of encumbered funds from each State
28      agency which were designated for information technology
29      purposes prior to the effective date of this section.
30             (2)   Transfers as authorized by the General Assembly that

20250HB1219PN1367                        - 21 -
 1      are not already provided for under this section.
 2             (3)   The transfer of a portion of a State agency's funds
 3      regarding general government operations for information
 4      technology employees.
 5      (c)    Use of fund money.--
 6             (1)   Subject to paragraph (2), the director shall approve
 7      the disbursement of money from the fund, which shall be used
 8      for the following purposes and other legitimate purposes:
 9                   (i)    Project management.
10                   (ii)    Security.
11                   (iii)    Email operations for State agencies under the
12             policy supervision and jurisdiction of the Governor.
13                   (iv)    State portal operations.
14                   (v)    State agencies' annual information technology
15             budget.
16                   (vi)    Operations of the office, including salaries
17             and expenses of all State agency information technology
18             personnel.
19             (2)   Expenditures for the operations of the office made
20      from the fund that involve money appropriated from the
21      General Fund shall be approved by the director.
22   § 4317.    Financial accountability and information technology.
23      (a)    Development of processes.--Subject to subsection (b),
24   the office, along with the Secretary of the Budget and the State
25   Treasurer, shall develop processes for budgeting and accounting
26   of expenditures for information technology operations, including
27   all Commonwealth personnel, services, projects, infrastructure
28   and assets across all State agencies.
29      (b)    Included information.--The budgeting and accounting
30   processes under subsection (a) shall include information

20250HB1219PN1367                        - 22 -
 1   regarding the following:
 2            (1)   Hardware.
 3            (2)   Software.
 4            (3)   Personnel.
 5            (4)   Training.
 6            (5)   Contractual services, including cloud service
 7      providers.
 8            (6)   Other items relevant to information technology.
 9      (c)   Significant resources.--State agency requests for
10   significant resources shall provide the information required in
11   section 4320 (relating to State agency requests for information
12   technology and services).
13      (d)   Reports generally.--Subject to subsections (e) and (f),
14   by February 1 of each year, the director shall report to the
15   General Assembly the following information:
16            (1)   Services currently provided and associated
17      transaction volumes or other relevant indicators of
18      utilization by user type.
19            (2)   New services added during the previous year.
20            (3)   The total appropriation for each service.
21            (4)   The total amount remitted to the vendor for each
22      service.
23            (5)   Any other use of State data by the vendor and the
24      total amount of revenue collected per use and in total.
25            (6)   User satisfaction with each service.
26            (7)   Any other issues associated with the provision of
27      each service.
28      (e)   Financial information.--The director shall, at a
29   minimum, include in the report under subsection (d) the
30   following financial information:

20250HB1219PN1367                    - 23 -
 1             (1)   Current budgetary balances for the fund and each
 2      information technology project.
 3             (2)   Line-item details on expenditures.
 4             (3)   Anticipated expenditures for the next four years.
 5             (4)   Cybersecurity expenditures for the previous and next
 6      four years by each agency.
 7             (5)   The financial activities of the fund, including fund
 8      expenditures, during the immediately prior fiscal year.
 9      (f)    Issuance.--In addition to the General Assembly, a report
10   under subsection (d) shall be submitted to the following:
11             (1)   The Secretary of the Budget.
12             (2)   The Independent Fiscal Office.
13   § 4318.    Commonwealth portal.
14      The office shall establish a single point of service
15   accessible electronically by means in use by residents of this
16   Commonwealth in accordance with the following:
17             (1)   Each State agency shall functionally link its
18      Internet or electronic services to a centralized web portal
19      system established under this chapter.
20             (2)   The office shall ensure the portal facilitates
21      Commonwealth residents' ease in conducting online
22      transactions with and obtaining information from State
23      government.
24             (3)   The portal shall be designed to facilitate and
25      improve public interactions along with communications between
26      State agencies.
27   § 4319.    Statewide information technology transparency portal.
28      (a)    Implementation.--Within one year of the effective date
29   of this chapter, the office shall develop, operate and update
30   regularly a web-based portal detailing the status of each of the

20250HB1219PN1367                      - 24 -
 1   Commonwealth's information technology projects, to increase the
 2   transparency and convenience for the public in obtaining
 3   information regarding State information technology activity as
 4   contained in section 4317 (relating to financial accountability
 5   and information technology).
 6      (b)   Contents.--The portal shall include the following:
 7            (1)   A brief summary of each information technology
 8      project.
 9            (2)   The approved budget of each project.
10            (3)   The total and percent of the project's approved
11      budget that has been expended by the agency based on the end
12      balance from the prior business day along with a color
13      designation as follows:
14                  (i)    If an information technology project is under
15            the project's approved budget, the project shall be
16            designated as the color green.
17                  (ii)    If an information technology project is over
18            the project's approved budget, the project shall be
19            designated as the color red.
20            (4)   The completion date in the original contract along
21      with the total percent of work for the project that has been
22      completed, along with a color designation as follows:
23                  (i)    If an information technology project has not
24            exceeded the completion date in the original contract,
25            the project shall be designated as the color green.
26                  (ii)    If an information technology project has
27            exceeded the completion date in the original contract,
28            the project shall be designated as the color red.
29            (5)   A summary of the scope of work along with a color
30      designation as follows:

20250HB1219PN1367                       - 25 -
 1                    (i)    If an information technology project is meeting
 2             the scope of work in the original contract, the project
 3             shall be designated as the color green.
 4                    (ii)   If an information technology project is not
 5             meeting the scope of work in the original contract, the
 6             project shall be designated as the color red.
 7             (6)    A summary of the performance requirements of the
 8      contract, along with a color designation as follows:
 9                    (i)    If an information technology project is meeting
10             the performance requirements in the original contract,
11             the project shall be designated as the color green.
12                    (ii)   If an information technology project is not
13             meeting the performance measures in the original
14             contract, the project shall be designated as the color
15             red.
16      (c)     Posting.--Posting of draft and final policy documents
17   shall be made within 90 days of the effective date of this
18   section.
19             (1)    The office shall make available all proposed and
20      existing information technology related policies and laws by
21      an intranet accessible to all State employees.
22             (2)    The policy intranet documents shall be made
23      available via the web-based portal when deployed.
24   § 4320.    State agency requests for information technology and
25                    services.
26      A State agency shall submit a business case to the office,
27   requesting significant resources as defined by the director, for
28   the purpose of acquiring, operating or maintaining information
29   technology or services for the State agency. The office shall
30   supply sufficient staff support for agency business case

20250HB1219PN1367                         - 26 -
 1   development. The following shall apply regarding the business
 2   case:
 3             (1)   A review and evaluation shall be made of the
 4      business case that is prepared by the chief information
 5      officer assigned to the State agency that includes an
 6      assessment of risk and ensures that the cost and schedule
 7      estimates incorporate the risk assessment.
 8             (2)   In cases of an acquisition, there shall be an
 9      explanation of the method by which the acquisition is to be
10      financed.
11             (3)   A statement shall be made by the chief information
12      officer assigned to the State agency that specifies viable
13      alternatives, if any, for meeting the State agency needs in
14      an economical and efficient manner. The statement shall
15      include an analysis of alternatives that identifies the best
16      approach for achieving mission improvement or program results
17      within available funding and that takes into consideration
18      the following:
19                   (i)    Organization, process and technology options.
20                   (ii)    At least three alternatives, including the
21             status quo, a shared service or external service option
22             and any other alternatives consistent with the
23             architecture and strategy developed by the office.
24             (4)   An assessment of and plan for ensuring cybersecurity
25      and privacy issues shall be incorporated and funded in the
26      request for resources.
27   § 4321.    Status of information technology projects and
28                   corrective action plans.
29      (a)    Designation.--With respect to a business case under
30   section 4320 (relating to State agency requests for information

20250HB1219PN1367                        - 27 -
 1   technology and services), the office shall designate as red, as
 2   specified under section 4319 (relating to Statewide information
 3   technology transparency portal), and identify a remediation
 4   plan, including contract and program restructuring, for programs
 5   experiencing cost or schedule overruns or performance shortfall
 6   exceeding the business case as funded in accordance with the
 7   following:
 8            (1)   The remediation plan and restructuring actions shall
 9      address root causes of the program and contract cost,
10      performance or schedule overruns.
11            (2)   The office shall ensure the business case is updated
12      to establish a new baseline of cost, schedule and performance
13      objectives that reflect the remediation plan and
14      restructuring action.
15            (3)   Upon determining that an information technology
16      project has been designated red, the office shall notify the
17      Governor's Office, the Auditor General and the General
18      Assembly.
19            (4)   The remediation plan and restructuring action shall
20      be finalized within 60 days from notification.
21      (b)   Transmittal.--The finalized corrective action plan shall
22   be sent to the General Assembly and the Auditor General.
23      (c)   Additional requirements.--
24            (1)   The director shall notify the State Treasurer to
25      suspend future expenditure of funds for any technology
26      project that is designated as red under this section and that
27      fails to adopt a remediation plan within the time outlined
28      under this section.
29            (2)   If a State agency adopts within the time allowed
30      under this section a remediation plan, but the project's

20250HB1219PN1367                    - 28 -
 1      designation remains red following implementation of the plan,
 2      the director shall require the agency to adopt a new
 3      remediation plan or may, at the director's discretion,
 4      suspend or terminate the project.
 5             (3)   To implement this section, the director and each
 6      State agency shall include as part of contract provisions
 7      necessary to suspend payment for the failure of a contractor
 8      or vendor to complete the requirements of the contract on
 9      time or on budget.
10                                  SUBCHAPTER C
11                             BUSINESS OPERATIONS
12   Sec.
13   4331.    Reporting requirements regarding procurement.
14   4332.    Communications services.
15   4333.    Project approval standards.
16   4334.    Project management standards.
17   4335.    Dispute resolution.
18   4336.    Purchase of certain equipment prohibited.
19   4337.    Refurbished computer equipment purchasing program.
20   4338.    Data on reliability and other matters.
21   § 4331.    Reporting requirements regarding procurement.
22      (a)    Bids.--A vendor submitting a bid or proposal shall
23   disclose in a statement, provided contemporaneously with the bid
24   or proposal, where services will be performed under the contract
25   sought, including any subcontracts, and whether any services
26   under that contract, including any subcontracts, are anticipated
27   to be performed outside the United States.
28      (b)    Retention and reports.--The director shall:
29             (1)   Retain the statements required by this section
30      regardless of the State agency that awards the contract.

20250HB1219PN1367                     - 29 -
 1             (2)   Report annually to the secretary on the number of
 2      contracts.
 3      (c)    Records of purchases.--Each State agency that makes a
 4   purchase of information technology through the office shall
 5   report directly to the director, who shall keep annual records
 6   of information technology purchases.
 7      (d)    Effect of section.--Nothing in this section is intended
 8   to contravene any existing treaty, law, agreement or regulation
 9   of the United States.
10   § 4332.    Communications services.
11      Except as otherwise provided under Subchapter G (relating to
12   Pennsylvania Statewide Radio Network), the director shall
13   exercise authority for telecommunications and other
14   communications included in information technology relating to
15   the internal management and operations of a State agency. In
16   discharging this responsibility, the director shall:
17             (1)   Ensure that no data of a confidential nature shall
18      be entered into or processed through an information
19      technology system or network established under this chapter
20      until appropriate safeguards and other security measures are
21      approved by the director and installed and fully operational.
22             (2)   Provide for the establishment, management and
23      operation, through State ownership, by contract or through
24      commercial leasing, of the following systems and services as
25      they affect the internal management and operation of State
26      agencies:
27                   (i)    Central telephone systems and telephone
28             networks, including Voice over Internet Protocol and
29             commercial mobile radio systems.
30                   (ii)    Satellite services.

20250HB1219PN1367                        - 30 -
 1               (iii)    Closed-circuit television systems.
 2               (iv)    Two-way radio systems.
 3               (v)    Microwave systems.
 4               (vi)    Related systems based on telecommunication
 5        technologies.
 6               (vii)    Broadband.
 7        (3)    Coordinate the development of cost-sharing systems
 8    for respective State agencies for their proportionate parts
 9    of the cost of maintenance and operation of the systems and
10    services listed in this section.
11        (4)    Assist in the development of coordinated
12    telecommunications services or systems within and among all
13    State agencies and recommend, where appropriate, cooperative
14    utilization of telecommunication facilities by aggregating
15    users.
16        (5)    Perform traffic analysis and engineering for all
17    telecommunications services and systems listed in this
18    section.
19        (6)    Establish telecommunications specifications and
20    designs so as to promote and support compatibility of the
21    systems within State agencies.
22        (7)    Provide every three years an inventory of
23    telecommunications costs, facilities, systems and personnel
24    within State agencies.
25        (8)    Promote, coordinate and assist in the design and
26    engineering of emergency telecommunications systems,
27    including the 911 emergency telephone number program,
28    emergency medical services and other emergency
29    telecommunications services.
30        (9)    Perform frequency coordination and management for

20250HB1219PN1367                      - 31 -
 1      State agencies and municipalities, in accordance with the
 2      rules and regulations of the Federal Communications
 3      Commission or any successor Federal agency.
 4             (10)    Advise all State agencies on telecommunications
 5      management planning and related matters and provide
 6      opportunities for training to users within State agencies in
 7      telecommunications technology and systems.
 8             (11)    Assist and coordinate the development of policies
 9      and long-range plans, consistent with the protection of
10      residents' rights to privacy and access to information, for
11      the acquisition and use of telecommunications systems. All
12      policies and plans shall be based on current information
13      about the Commonwealth's telecommunications activities in
14      relation to the full range of emerging technologies.
15   § 4333.    Project approval standards.
16      (a)    Review and approval.--The director shall review all
17   proposed information technology projects for each State agency
18   and make a determination of approval or disapproval within 15
19   business days of receipt. Project approval may be granted upon
20   the director's determination that:
21             (1)    the project conforms to project management
22      procedures and policies and to procurement rules and
23      policies; and
24             (2)    sufficient funds are available for implementation.
25      (b)    Implementation.--Unless expressly exempt within this
26   chapter, a State agency may not proceed with an information
27   technology project until the director approves the project.
28      (c)    Disapproval.--If a project is not approved, the director
29   shall specify in writing the grounds for the disapproval after
30   making the determination. The director shall provide notice of

20250HB1219PN1367                      - 32 -
 1   the disapproval, along with the grounds for the disapproval, to
 2   all of the following:
 3            (1)   The State agency.
 4            (2)   The Secretary of the Budget.
 5            (3)   The State Treasurer.
 6            (4)   The Auditor General.
 7            (5)   The General Assembly.
 8      (d)   Suspension.--
 9            (1)   The director may suspend an information technology
10      project if the project:
11                  (i)    fails to meet the applicable quality assurance
12            standards;
13                  (ii)    has exceeded its projected costs; or
14                  (iii)    has failed to meet its projected completion
15            date.
16            (2)   If the director suspends a project for a reason
17      under paragraph (1), the director shall specify in writing
18      the grounds for suspending the project no later than five
19      business days after making the determination. The director
20      shall provide notice of the suspension, along with the
21      grounds for suspension, to all of the following:
22                  (i)    The State agency.
23                  (ii)    The Secretary of the Budget.
24                  (iii)    The State Treasurer.
25                  (iv)    The Auditor General.
26                  (v)    The General Assembly.
27                  (vi)    A vendor or organization contracted by the
28            respective State agency for work on the suspended
29            project.
30            (3)   After a project has been suspended, the State

20250HB1219PN1367                       - 33 -
 1      Treasurer may not allow the transfer of money from the State
 2      agency to support additional work under the project unless
 3      the director approves an amended version of the plan for the
 4      project.
 5             (4)   If a State agency attempts to continue to implement
 6      a project that is no longer approved by the director and
 7      expend additional money for the project, the State Treasurer
 8      shall prevent the transfer of funds and remit the intended
 9      expenditures into the fund. After remitting the unauthorized
10      expenditure, the State Treasurer shall immediately notify the
11      following:
12                   (i)    The director.
13                   (ii)    The Governor.
14                   (iii)    The Secretary of the Budget.
15                   (iv)    The General Assembly.
16   § 4334.    Project management standards.
17      (a)     Personnel.--Each State agency shall provide personnel if
18   necessary to participate in project management, implementation,
19   testing and other activities for an information technology
20   project.
21      (b)     Policies.--The director shall develop office policies
22   for implementing an approved project, whether the project is
23   undertaken in single or multiple phases or components.
24      (c)     Project management assistant.--
25             (1)   The director may designate a project management
26      assistant to implement an information technology project of a
27      State agency.
28             (2)   A project management assistant for a State agency
29      shall:
30                   (i)    Advise the State agency regarding the initial

20250HB1219PN1367                           - 34 -
 1             planning of an information technology project, the
 2             content and design of a request for proposals, contract
 3             development, procurement and architectural and other
 4             technical reviews.
 5                   (ii)    Monitor progress in the development and
 6             implementation of an information tech

…  [truncated — open the source document for the complete text]