SB 373 — An Act amending Title 71 (State Government) of the Pennsylvania Consolidated Statutes, in boards and offices, providing for information technology and security.
Congress · introduced 2025-03-06
Latest action: — Referred to COMMUNICATIONS AND TECHNOLOGY, March 6, 2025
Sponsors
- Kristin Phillips-Hill (R, PA-28) — sponsor · 2025-03-06
- Rosemary M. Brown (R, PA-40) — cosponsor · 2025-03-06
- Patrick J. Stefano (R, PA-32) — cosponsor · 2025-03-06
- Lynda Schlegel Culver (R, PA-27) — cosponsor · 2025-03-06
- Cris Dush (R, PA-25) — cosponsor · 2025-03-06
- Daniel Laughlin (R, PA-49) — cosponsor · 2025-03-06
Action timeline
- senate — Referred to COMMUNICATIONS AND TECHNOLOGY, March 6, 2025
Text versions
No text versions on file yet — same ingest as the action timeline populates these. Each version has direct links to the XML / HTML / PDF at govinfo.gov.
Bill text
Printer's No. 0321 · 15,769 characters · source document
PRINTER'S NO. 321
THE GENERAL ASSEMBLY OF PENNSYLVANIA
SENATE BILL
No. 373
Session of
2025
INTRODUCED BY PHILLIPS-HILL, BROWN, STEFANO, CULVER, DUSH AND
LAUGHLIN, MARCH 6, 2025
REFERRED TO COMMUNICATIONS AND TECHNOLOGY, MARCH 6, 2025
AN ACT
Amending Title 71 (State Government) of the Pennsylvania Consolidated Statutes, in boards and offices, providing for information technology and security.
The General Assembly of the Commonwealth of Pennsylvania hereby enacts as follows:
Section 1. Part V of Title 71 of the Pennsylvania Consolidated Statutes is amended by adding a chapter to read:
CHAPTER 43
INFORMATION TECHNOLOGY
Subchapter
A. General Provisions (Reserved)
C. Security
SUBCHAPTER A
GENERAL PROVISIONS
(Reserved)
SUBCHAPTER C
SECURITY
Sec.
4351. Statewide security standards.
4352. Security standards and risk assessments.
4353. Assessment of compliance with security standards.
4354. Joint Cybersecurity Oversight Committee.
§ 4351. Statewide security standards.
(a) Establishment.--
(1) The Chief Information Officer within the Office of Administration shall establish a Statewide set of standards for information technology security to maximize the functionality, security and interoperability of the Commonwealth's distributed information technology assets, including:
(i) Data classification.
(ii) Management.
(iii) Communications.
(iv) Encryption technologies.
(2) The standards under this subsection shall conform to the industry's best practices and standards regarding information technology security.
(b) Review and revision.--The Chief Information Officer shall review and revise the security standards annually as necessary. As part of this function, the Chief Information Officer shall review periodically existing security standards and practices in place among the various State agencies to determine whether those standards and practices meet Statewide security and encryption requirements.
(c) Assumption of responsibilities.--The Chief Information Officer may assume the direct responsibility of providing for the information technology security of a State agency that fails to adhere to security standards adopted under this chapter.
20250SB0373PN0321 - 2 -
§ 4352. Security standards and risk assessments.
(a) Authorization to operate.--Notwithstanding any other provision of law and except as otherwise provided by this chapter, all information technology security goods, software or services purchased using taxpayer money, or for use by a State agency or in a public facility, shall require an authorization to operate by the head of the State agency in accordance with security standards under this chapter. No information technology system or service may be operated by, or in support of, a State agency without an authorization to operate.
(b) Standards.--The Chief Information Officer within the Office of Administration shall define a risk-based set of control standards that identify specific security and privacy protections for all information technology and information technology services in line with the specific threats and risks to the residents of this Commonwealth and State agency operations.
(c) Assessments.--
(1) The Chief Information Officer shall conduct risk assessments to identify compliance and operational and strategic risks to the information technology network and agency operations.
(2) The assessments may include methods such as penetration testing, social-engineered security threats or similar assessment methodologies.
(3) The Chief Information Officer may contract with another party to perform the assessments.
(4) The following assessment reviews shall be performed prior to the information security audit under subsection (e) and the assessment shall be performed consistent with the Federal information processing standards:
(i) Identity management.
(ii) Security incident management.
(iii) Network perimeter security.
(iv) Systems development.
(v) Project management.
(vi) Information technology risk management.
(vii) Data management.
(viii) Vulnerability management.
(5) Detailed reports of the risk and security issues identified in the assessments shall be reported to the Chief Information Officer and shall be kept confidential.
(6) The agency head, in consultation with the Office of Administration, shall identify corrective or mitigating actions as needed.
(d) Interim authority to operate.--If the agency head determines that the information technology system or service is needed, the agency head may seek authorization from the Chief Information Officer for a period not longer than 180 days to implement the corrective or mitigating actions.
(e) Security audit.--
(1) The Chief Information Officer shall contract with an independent certified information security auditor or entity to perform an information security audit of State agencies.
(2) The Chief Information Officer shall determine a schedule for continuous State agency information security audits.
(f) Notification and audits.--
(1) The party conducting the assessment or audit shall provide the Chief Information Officer and head of the reviewed State agency with a detailed report of the security issues identified, which shall not be publicly disclosed.
(2) The State agency, in cooperation with the Office of Administration, shall provide the Chief Information Officer with a corrective action plan that remediates issues identified in the detailed report under paragraph (1), which may not be publicly disclosed.
(3) The Chief Information Officer shall issue a public report on the general results of the assessment that shall be accessible on the Office of Administration's publicly accessible Internet website.
(g) Effect of section.--Nothing in this section shall be construed to preclude the Auditor General or the General Assembly from assessing the security practices of State information technology systems as part of its statutory duties and responsibilities.
§ 4353. Assessment of compliance with security standards.
(a) Frequency.--The Chief Information Officer within the Office of Administration shall biannually assess the ability of each State agency's contracted vendors to comply with the current security standards established under this chapter.
(b) Contents.--The Chief Information Officer shall establish a quantifiable objective metric that measures the degree of compliance with current security standards. The assessment under this section shall, at a minimum:
(1) Quantify the degree of compliance with the current security standards using the metric.
(2) Include security organization, security practices, security information standards, network security architecture, systems development and lifecycle management and current expenditures of State funds for information security.
(3) Include an estimate of the cost to implement the security measures needed for State agencies to fully comply with the established standards.
(c) Submittal of information.--A State agency shall submit information required by the Chief Information Officer for the assessments under this section.
§ 4354. Joint Cybersecurity Oversight Committee.
(a) Establishment and membership.--The Joint Cybersecurity Oversight Committee is established and shall consist of the following members:
(1) The director.
(2) The following individuals appointed by the President pro tempore of the Senate:
(i) Two members of the Senate.
(ii) A representative of the Chief Clerk of the Senate.
(iii) A representative from the Information Technology Office of the majority caucus of the Senate.
(3) The following individuals appointed by the Minority Leader of the Senate:
(i) One member of the Senate.
(ii) A representative from the Information Technology Office of the minority caucus of the Senate.
(4) The following individuals appointed by the Speaker of the House of Representatives:
(i) Two members of the House of Representatives.
(ii) A representative of the Chief Clerk of the House of Representatives.
(iii) A representative from the Information Technology Office of the majority caucus of the House of Representatives.
(5) The following individuals appointed by the Minority Leader of the House of Representatives:
(i) One member of the House of Representatives.
(ii) A representative from the Information Technology Office of the minority caucus of the House of Representatives.
(6) The Attorney General or a designee of the Attorney General.
(7) The Chief Information Officer of:
(i) The Department of the Auditor General.
(ii) The Treasury Department.
(iii) The Office of Attorney General.
(iv) The Administrative Office of Pennsylvania Courts.
(v) The Pennsylvania Public Utility Commission.
(8) Four private citizens appointed by the Governor with professional cybersecurity experience.
(9) The Commissioner of Pennsylvania State Police or a designee of the commissioner.
(10) A member of the National Guard experienced in cybersecurity, as appointed by the Adjutant General.
(11) The president of the County Commissioners Association of Pennsylvania or a designee of the president.
(b) Chairperson and vice chairperson.--The chairperson of the committee shall be appointed by the Governor, and the vice chairperson of the committee shall be appointed by the chairperson.
(c) Staffing.--
(1) The committee shall be staffed by the Office of Administration, which shall support and assist the committee.
(2) Costs incurred for mileage for a member shall be reimbursed by the individual or entity appointing the member.
(d) Service of members.--Each member of the committee shall serve at the pleasure of the individual who appointed the member.
(e) Vacancies.--A vacancy in the membership of the committee shall be filled by the appointing authority in the same manner as the original appointment.
(f) Meetings.--
(1) The committee shall meet at least on a quarterly basis and no later than the first Thursday of each quarter.
(2) The chairperson of the committee, with the consent of the vice chairperson of the committee, may schedule additional meetings of the committee.
(3) The chairperson of the committee shall provide the members of the committee with notice of the time and location of each meeting of the committee no later than one week prior to the meeting. Notice shall also be provided to the Governor, the President pro tempore of the Senate and the Speaker of the House of Representatives.
(4) Notice of the meetings of the committee shall be provided by regular mail and email.
(5) A member of the committee may participate in a meeting of the committee in person, by teleconference, by video conference or by other means as agreed to by the chairperson and vice chairperson of the committee.
(6) A meeting of the committee shall be subject to 65 Pa.C.S. Ch. 7 (relating to open meetings).
(7) Executive sessions may be held in accordance with 65 Pa.C.S. § 708 (relating to executive sessions) and may be held to discuss, plan or review matters and records that are deemed necessary for emergency preparedness, protection of public safety and security of all property in a manner that, if disclosed, would be reasonably likely to jeopardize or threaten public safety or preparedness or public protection.
(g) Duties.--
(1) The committee shall review and coordinate cybersecurity policies and discuss emerging cybersecurity threats, recommended policy changes and assess current cybersecurity within this Commonwealth.
(2) The committee shall prepare a report of its activities, which shall be transmitted to the following:
(i) The Governor.
(ii) The President pro tempore of the Senate.
(iii) The Speaker of the House of Representatives.
(iv) The Majority Leader and the Minority Leader of the Senate.
(v) The Majority Leader and the Minority Leader of the House of Representatives.
(vi) The Court Administrator of Pennsylvania.
(h) Definitions.--As used in this section, the following words and phrases shall have the meanings given to them in this subsection unless the context clearly indicates otherwise:
"Committee." The Joint Cybersecurity Oversight Committee established under this section.
Section 2. This act shall take effect immediately.
Connected on the graph
Outbound (1)
| date | type | to | amount | role | source |
|---|---|---|---|---|---|
| — | referred_to_committee | Pennsylvania Senate Communications And Technology Committee | — | — | pa-leg |
The full graph
Every typed relationship touching this entity — 1 edge across 1 category. Grouped by what the connection is; the heaviest few are shown, with a link to the full list.
Committees
→ Referred to committee 1 edge
Who matters
Members ranked by combined influence on this bill: role (sponsor 5 / cosponsor 1), capped speech count from the Congressional Record, and recorded-vote engagement.
| # | Member | Role | Speeches | Voted | Score |
|---|---|---|---|---|---|
| 1 | Kristin Phillips-Hill (R, state_upper PA-28) | sponsor | 0 | — | 5 |
| 2 | Cris Dush (R, state_upper PA-25) | cosponsor | 0 | — | 1 |
| 3 | Daniel Laughlin (R, state_upper PA-49) | cosponsor | 0 | — | 1 |
| 4 | Lynda Schlegel Culver (R, state_upper PA-27) | cosponsor | 0 | — | 1 |
| 5 | Patrick J. Stefano (R, state_upper PA-32) | cosponsor | 0 | — | 1 |
| 6 | Rosemary M. Brown (R, state_upper PA-40) | cosponsor | 0 | — | 1 |
Predicted vote
Aggregated from: actual roll-call votes (when present) → sponsor → cosponsor → party median (predicts YES when ≥25% of the caucus sponsored/cosponsored). Each row labels its confidence tier so you can see why a position was predicted.
0 predicted yes (0%) · 543 predicted no (100%) · 0 unknown (0%)
By party: · R: 0 yes / 277 no · D: 0 yes / 263 no · I: 0 yes / 3 no
Activity
Every typed-graph event involving this entity, newest first. Each row is one edge in the influence graph; click the date to jump to its provenance.
- 2026-05-20 · was referred to Pennsylvania Senate Communications And Technology Committee · pa-leg