11546.45. (a) (1) The Department of Technology shall identify, assess, and prioritize high-risk, critical information technology services and systems across state government, as determined by the Department of Technology, for modernization, stabilization, or remediation.
(2) The Department of Technology shall submit an annual report to the Legislature that includes all of the following:
(A) An explanation of how the Department of Technology is prioritizing these efforts across state government.
(B) The impediments and risks that could, or issues that already have, led to changes in how the Department of Technology identifies, assesses, and prioritizes these efforts.
(3) In accordance with Section 7929.210, this section shall not be construed to require the disclosure of information relating to high-risk, critical information technology services and systems by the Department of Technology, if, on the facts of the particular case, disclosure of that record would reveal vulnerabilities to, or otherwise increase the potential for an attack on, an information technology system of a public agency.
(b) (1) Notwithstanding any other law, all state agencies and state entities shall submit information relating to their information technology service contracts, as defined, to the Department of Technology before February 1, 2022, and annually thereafter, in a manner determined by the Department of Technology.
(2) The Department of Technology shall analyze the information submitted pursuant to subparagraph (1).
(3) After completing the analysis, the Department of Technology shall submit a report to the Legislature, as part of its annual information technology report submitted pursuant to subdivision (e) of Section 11545, that does all of the following:
(A) Identifies each service that the Department of Technology believes would be appropriately centralized as shared services contracts.
(B) Summarizes market research the department would conduct to estimate the one-time and ongoing costs to the state of each service.
(C) Calculates potential offsetting savings to the state from reduced overlap and redundancy of services.
(4) After submitting the report, the Department of Technology shall create a plan, coordinate with, and assist state agencies and state entities in, the implementation of a plan to establish centralized contracts for identified shared services, as defined. The plan may include, but is not limited to, a list of existing service contracts of state agencies and state entities that may be replaced with centralized service contracts managed by the Department of Technology and a proposed strategy and timeline for the transition from existing service contracts to centralized service contracts. The Department of Technology shall submit the plan to the Joint Legislative Budget Committee no later than February 1, 2023.
(c) For purposes of this section, the following definitions apply:
(1) “Information technology services and systems contracts” means contracts for services and systems, including, but not limited to, cloud services, including “Software as a Service,” “Infrastructure as a Service,” and “Platform as a Service,” on-premises services and systems, information technology personal services, and information technology consulting services for not less than five hundred thousand dollars ($500,000) annually, or such amounts determined by the Department of Technology pursuant to its policy.
(2) “Shared services” means information technology services commonly used across state agencies that may be consolidated under a single contract to achieve cost savings and process efficiencies.
(Amended by Stats. 2022, Ch. 28, Sec. 61. (SB 1380) Effective January 1, 2023.)