CHAPTER 5A. DEPARTMENT OF ADMINISTRATION.

§5A-6B-4. Responsibilities of agencies for cybersecurity.

State agencies and other entities subject to the provisions of this article shall:

(1) Undergo an appropriate cyber risk assessment as required by the cybersecurity framework or as directed by the Chief Information Security Officer;

(2) Adhere to the cybersecurity standard established by the Chief Information Security Officer in the use of information technology infrastructure;

(3) Adhere to enterprise cybersecurity policies and standards;

(4) Manage cybersecurity policies and procedures where more restricted security controls are deemed appropriate;

(5) Submit all cybersecurity policy and standard exception requests to the Chief Information Security Officer for approval;

(6) Complete and submit a cyber risk self-assessment report to the Chief Information Security Officer by December 31, 2020; and

(7) Manage a plan of action and milestones based on the findings of the cyber risk assessment and business needs.