143B-1377. State CIO approval of security standards and risk assessments.
(a) Notwithstanding G.S. 143-48.3, 143B-1320(b), or 143B-1320(c), or any other provision of law, and except as otherwise provided by this Article, all information technology security goods, software, or services purchased using State funds, or for use by a State agency or in a State facility, shall be subject to approval by the State CIO in accordance with security standards adopted under this Part.
(b) The State CIO shall conduct risk assessments to identify compliance, operational, and strategic risks to the enterprise network. These assessments may include methods such as penetration testing or similar assessment methodologies. The State CIO may contract with another party or parties to perform the assessments. Detailed reports of the risk and security issues identified shall be kept confidential as provided in G.S. 132-6.1(c).
(c) If the legislative branch or the judicial branch develop their own security standards, taking into consideration the mission and functions of that entity, that are comparable to or exceed those set by the State CIO under this section, then those entities may elect to be governed by their own respective security standards. In these instances, approval of the State CIO shall not be required before the purchase of information technology security devices and services. If requested, the State CIO shall consult with the legislative branch and the judicial branch in reviewing the security standards adopted by those entities.
(d) Before a State agency may enter into any contract with another party for an assessment of network vulnerability, the State agency shall notify the State CIO and obtain approval of the request. If the State agency enters into a contract with another party for assessment and testing, after approval of the State CIO, the State agency shall issue public reports on the general results of the reviews. The contractor shall provide the State agency with detailed reports of the security issues identified that shall not be disclosed as provided in G.S. 132-6.1(c). The State agency shall provide the State CIO with copies of the detailed reports that shall not be disclosed as provided in G.S. 132-6.1(c).
(e) Nothing in this section shall be construed to preclude the Office of the State Auditor from assessing the security practices of State information technology systems as part of its statutory duties and responsibilities. (2015-241, s. 7A.2.)
North Carolina General Statutes, Chapter 143B - Executive Organization Act of 1973, Article 15 - Department of Information Technology.