§5A-6B-4. Responsibilities of agencies for cybersecurity.
State agencies and other entities subject to the provisions of this article shall:
(1) Undergo an appropriate cyber risk assessment as required by the cybersecurity framework or as directed by the Chief Information Security Officer;
(2) Adhere to the cybersecurity standard established by the Chief Information Security Officer in the use of information technology infrastructure;
(3) Adhere to enterprise cybersecurity policies and standards;
(4) Manage cybersecurity policies and procedures where more restricted security controls are deemed appropriate;
(5) Submit all cybersecurity policy and standard exception requests to the Chief Information Security Officer for approval;
(6) Complete and submit a cyber risk self-assessment report to the Chief Information Security Officer by December 31, 2020; and
(7) Manage a plan of action and milestones based on the findings of the cyber risk assessment and business needs.