2005 North Carolina Code - General Statutes Article 3D - State Information Technology Services.

Article 3D.

State Information Technology Services.

Part 1. State Information Technology Management.

§ 147‑33.72A.  Purpose.

The purposes of this Article are to:

(1)       Establish a systematic process for planning and financing the State's information technology resources.

(2)       Develop standards and accountability measures for information technology projects, including criteria for adequate project management.

(3)       Implement procurement procedures that will result in cost savings on information technology purchases.

(4)       Create an Information Technology Advisory Board.

(5)       Create the Information Technology Fund for statewide information technology efforts. (2004‑129, s. 2.)

 

§ 147‑33.72B.  Planning and financing State information technology resources.

(a)       In order to provide a systematic process for meeting the State's technology needs, the State Chief Information Officer shall develop a biennial State Information Technology Plan (Plan). The Plan shall be transmitted to the General Assembly by February 1 of each regular session.

(b)       The Plan shall include the following elements:

(1)       An inventory of current information technology assets and major projects currently in progress. As used in this subdivision, the term "major project" includes projects subject to review and approval under G.S. 147‑33.72C, or that cost more than five hundred thousand dollars ($500,000) to implement.

(2)       An evaluation and estimation of the significant unmet needs for information technology resources over a five‑year time period. The Plan shall rank the unmet needs in priority order according to their urgency.

(3)       A statement of the financial requirements posed by the significant unmet needs, together with a recommended funding schedule for each major project currently in progress or recommended for initiation during the upcoming fiscal biennium.

(4)       An analysis of opportunities for statewide initiatives that would yield significant efficiencies or improve effectiveness in State programs.

(c)       Each executive agency shall biennially develop an agency information technology plan that includes the information required under subsection (b) of this section. The Office of Information Technology Services shall consult with and assist agencies in the preparation of these plans. Each agency shall submit its plan to the State Chief Information Officer by October 1 of each even‑numbered year. (2004‑129, s. 2.)

 

§ 147‑33.72C.  Project approval standards.

(a)       Project Review and Approval. – The State Chief Information Officer shall:

(1)       Review all State agency information technology projects that cost or are expected to cost more than five hundred thousand dollars ($500,000), whether the project is undertaken in a single phase or component or in multiple phases or components. If the State Chief Information Officer determines a project meets the quality assurance requirements established under this Article, the State Chief Information Officer shall approve the project.

(2)       Establish thresholds for determining which information technology projects costing or expected to cost five hundred thousand dollars ($500,000) or less shall be subject to review and approval under subdivision (a)(1) of this section. When establishing the thresholds, the State Chief Information Officer shall consider factors such as project cost, potential project risk, agency size, and projected budget.

(b)       Project Implementation. – No State agency shall proceed with an information technology project that is subject to review and approval under subsection (a) of this section until the State CIO approves the project. If a project is not approved, the State CIO shall specify in writing to the agency the grounds for denying the approval. The State CIO shall provide this information to the agency within five business days of the denial.

(c)       Suspension of Approval. – The State Chief Information Officer may suspend the approval of any information technology project that does not continue to meet the applicable quality assurance standards. This authority extends to any information technology project that costs more than five hundred thousand dollars ($500,000) to implement regardless of whether the project was originally subject to review and approval under subsection (a) of this section. If the State CIO suspends approval of a project, the State CIO shall specify in writing to the agency the grounds for suspending the approval. The State CIO shall provide this information to the agency within five business days of the suspension.

The Office of Information Technology Services shall report any suspension immediately to the Office of the State Controller and the Office of State Budget and Management. The Office of State Budget and Management shall not allow any additional expenditure of funds for a project that is no longer approved by the State Chief Information Officer.

(d)       General Quality Assurance. – Information technology projects that are not subject to review and approval under subsection (a) of this section shall meet all other standards established under this Article.

(e)       Performance Contracting. – All contracts between a State agency and a private party for information technology projects shall include provisions for vendor performance review and accountability. The State CIO may require that these contract provisions include monetary penalties for projects that are not completed within the specified time period or that involve costs in excess of those specified in the contract. The State CIO may require contract provisions requiring a vendor to provide a performance bond. (2004‑129, s. 2.)

 

§ 147‑33.72D.  Agency/State CIO Dispute Resolution.

(a)       Agency Request for Review. – In any instance where the State CIO has denied or suspended the approval of an information technology project, or has denied an agency's request for deviation pursuant to G.S. 147‑33.84, the agency may request a committee review of the State CIO's decision. The agency shall submit a written request for review to the State Controller within 10 working days following the agency's receipt of the State CIO's written grounds for denial or suspension. The agency's request for review shall specify the grounds for its disagreement with the State CIO's determination. The agency shall include with its request for review a copy of the State CIO's written grounds for denial or suspension.

(b)       Review Process. – The review committee shall consist of the State Controller, the State Budget Officer, and the Secretary of Administration. The State Controller shall serve as the chair of the review committee. If the chair or one of the members of the review committee is an official of the agency that has requested the review, that person is deemed to have a conflict of interest and is ineligible to participate in the consideration of the matter, and the two remaining members of the review committee shall select an alternate official to serve as a member of the review committee for that specific matter. Within 10 business days following receipt of an agency's request for review, the committee shall meet to consider the matter. The committee shall review the information provided, and may request additional information from either the agency or the State CIO. The committee may affirm, reverse, or modify the decision of the State CIO, or may remand the matter back to the State CIO for additional findings. Within 30 days after initial receipt of the agency's request for review, the committee shall notify the agency and the State CIO of its decision in the matter. The notification shall be in writing, and shall specify the grounds for the committee's decision. The committee may reverse or modify a decision of the State CIO when the committee finds at least one of the following:

(1)       The decision of the State CIO is unsupported by substantial evidence that the agency project fails to meet one or more standards of efficiency and quality of State government information technology as required under this Article.

(2)       The State CIO did not have the requisite statutory authority or jurisdiction to render the decision.

(3)       The decision of the State CIO was rendered in a manner that was arbitrary, capricious, or indicative of an abuse of discretion. (2004‑129, s. 2.)

 

§ 147‑33.72E.  Project management standards.

(a)       Agency Responsibilities. – Each agency shall provide for a project manager who meets the applicable quality assurance standards for each information technology project that is subject to approval under G.S. 143‑33.72C(a). The project manager shall be subject to the review and approval of the State Chief Information Officer.

The agency project manager shall provide periodic reports to the project management assistant assigned to the project by the State CIO under subsection (b) of this section. The reports shall include information regarding project costs, issues related to hardware, software, or training, projected and actual completion dates, and any other information related to the implementation of the information technology project.

(b)       State Chief Information Officer Responsibilities. – The State Chief Information Officer shall designate a project management assistant from the Office of Information Technology Services for projects that receive approval under G.S. 147‑33.72C(a). The State Chief Information Officer may designate a project management assistant for any other information technology project.

The project management assistant shall advise the agency with the initial planning of a project, the content and design of any request for proposals, contract development, procurement, and architectural and other technical reviews. The project management assistant shall also monitor agency progress in the development and implementation of the project and shall provide status reports to the State Chief Information Officer, including recommendations regarding continued approval of the project. (2004‑129, s. 2.)

 

§ 147‑33.72F.  Procurement procedures; cost savings.

Pursuant to Part 4 of this Article, the Office of State Technology Services shall establish procedures for the procurement of information technology. The procedures may include aggregation of hardware purchases, the use of formal bid procedures, restrictions on supplemental staffing, enterprise software licensing, hosting, and multiyear maintenance agreements. The procedures may require agencies to submit information technology procurement requests to the Office of State Technology Services on October 1, January 1, and June 1 of each fiscal year in order to allow for bulk purchasing. (2004‑129, s. 2.)

 

§ 147‑33.72G.  Information Technology Advisory Board.

(a)       Creation; Membership. – The Information Technology Advisory Board is established and shall be located within the Office of Information Technology Services for organizational, budgetary, and administrative purposes. The Board shall consist of 12 members, four appointed by the Governor, four appointed by the President Pro Tempore of the Senate, and four appointed by the Speaker of the House of Representatives. All appointments shall be from among persons knowledgeable in the subject area and having experience with State government or information technology deployment within large organizations. Each member shall serve at the pleasure of the officer who appointed the member. The Governor shall designate a chair from among the membership.

(b)       Conflicts of Interest. – Members of the Advisory Board shall not serve on the board of directors or other governing body of, be employed by, or receive any remuneration of any kind from any information systems, computer hardware, computer software, or telecommunications vendor of goods and services to the State of North Carolina.

No member of the Advisory Board shall vote on an action affecting solely that person's State agency.

(c)       Powers and Duties. – The Board shall:

(1)       Review and comment on the State Information Technology Plan developed by the State Chief Information Officer under G.S. 147‑33.72B(b).

(2)       Review and comment on the information technology plans of the executive agencies prepared under G.S. 147‑33.72B(c).

(3)       Review and comment on the statewide technology initiatives developed by the State Chief Information Officer.

(d)       Meetings. – The Information Technology Advisory Board shall adopt bylaws containing rules governing its meeting procedures. The Board shall meet at least quarterly. The Office of Information Technology Services shall provide administrative staff and facilities for Advisory Board meetings. The expenses of the Board shall be paid from receipts available to the Office of Information Technology Services as requested by the Board. Advisory Board members shall receive per diem, subsistence, and travel allowances as follows:

(1)       Commission members who are officials or employees of the State or of local government agencies, at the rate established in G.S. 138‑6; and

(2)       All other commission members, at the rate established in G.S. 138‑5. (2004‑129, s. 2.)

 

§ 147‑33.72H.  Information Technology Fund.

There is established a special revenue fund to be known as the Information Technology Fund, which may receive transfers or other credits as authorized by the General Assembly. Money may be appropriated from the Information Technology Fund to meet statewide requirements, including planning, project management, security, electronic mail, State portal operations, and the administration of systemwide procurement procedures. Expenditures involving funds appropriated to the Office of Information Technology Services from the Information Technology Fund shall be made by the State CIO in consultation with the Information Technology Advisory Board. By October 1 of each year, the State CIO shall submit to the Joint Legislative Oversight Committee on Information Technology a report on all expenditures involving funds appropriated to the Office of Information Technology Services from the Information Technology Fund for the preceding fiscal year. Interest earnings on the Information Technology Fund balance shall be credited to the Information Technology Fund. (2004‑129, s. 2.)

 

§ 147‑33.73:  Reserved for future codification purposes.

 

§ 147‑33.74:  Reserved for future codification purposes.

 

Part 1A. Organization of Office of Information Technology Services.

§ 147‑33.75.  Office located in the Office of the Governor.

(a)       The Office of Information Technology Services ("Office") shall be housed in the Office of the Governor.

(b)       The Governor has the authority, powers, and duties over the Office that are assigned to the Governor and the head of department pursuant to Article 1 of Chapter 143B of the General Statutes, G.S. 143A‑6(b), and the Constitution and other laws of this State. (1999‑434, s. 9; 2000‑174, s. 2; 2004‑129, ss. 1, 9.)

 

§ 147‑33.76.  Qualification, appointment, and duties of the State Chief Information Officer.

(a)       The Office of Information Technology Services shall be managed and administered by the State Chief Information Officer ("State CIO"). The State Chief Information Officer shall be qualified by education and experience for the office and shall be appointed by and serve at the pleasure of the Governor.

(b)       Repealed by Session Laws 2004‑129, s. 3.

(b1)     The State CIO shall be responsible for developing and administering a comprehensive long‑range plan to ensure the proper management of the State's information technology resources. The State CIO shall set technical standards for information technology, review and approve major information technology projects, review and approve State agency information technology budget requests, establish information technology security standards, provide for the procurement of information technology resources, and develop a schedule for the replacement or modification of major systems. The State CIO is authorized to adopt rules to implement this Article.

(c)       The salary of the State Chief Information Officer shall be set by the General Assembly in the Current Operations Appropriations Act. The State Chief Information Officer shall receive longevity pay on the same basis as is provided to employees of the State who are subject to the State Personnel Act. (1999‑434, s. 10; 2000‑174, s. 2; 2004‑129, ss. 1, 3.)

 

§ 147‑33.77.  Office of Information Technology Services; organization and operation.

(a)       The State Chief Information Officer may appoint a Chief Deputy Information Officer. The salary of the Chief Deputy Information Officer shall be set by the State Chief Information Officer. The State Chief Information Officer may appoint all employees, including legal counsel, necessary to carry out the powers and duties of the office. These employees shall be subject to the State Personnel Act.

(b)       All employees of the office shall be under the supervision, direction, and control of the State Chief Information Officer. Except as otherwise provided by this Article, the State Chief Information Officer may assign any function vested in the State Chief Information Officer or the Office of Information Technology Services to any subordinate officer or employee of the office.

(c)       The State Chief Information Officer may, subject to the provisions of G.S. 147‑64.7(b)(2), obtain the services of independent public accountants, qualified management consultants, and other professional persons or experts to carry out powers and duties of the office.

(d)       The State Chief Information Officer shall have legal custody of all books, papers, documents, and other records of the office.

(e)       The State Chief Information Officer shall be responsible for the preparation of and the presentation of the office budget request, including all funds requested and all receipts expected for all elements of the budget.

(f)        The State Chief Information Officer may adopt regulations for the administration of the office, the conduct of employees of the office, the distribution and performance of business, the performance of the functions assigned to the State Chief Information Officer and the Office of Information Technology Services, and the custody, use, and preservation of the records, documents, and property pertaining to the business of the office. (1989, c. 239, s. 5; c. 770, s. 60; 1989 (Reg. Sess., 1990), c. 1024, s. 36; 1991 (Reg. Sess., 1992), c. 900, s. 14(g); c. 1030, s. 51.14; ; 1997‑148, ss. 5, 6; 1999‑347, s. 2; 1999‑434, s. 27; 2000‑174, s. 2.)

 

§ 147‑33.78:  Repealed by Session Laws 2004‑129, ss. 4, 5.

 

§ 147‑33.79.  Repealed by Session Laws 2004‑129, ss. 4, 5.

 

Part 2.  General Powers and Duties.

§ 147‑33.80.  Exempt agencies.

Except as otherwise specifically provided by law, this Article shall not apply to the General Assembly, the Judicial Department, or The University of North Carolina and its constituent institutions. These agencies may elect to participate in the information technology programs, services, or contracts offered by the Office, including information technology procurement, in accordance with the statutes, policies, and rules of the Office. (1999‑434, s. 10; 2000‑174, s. 2.)

 

§ 147‑33.81.  Definitions.

As used in this Article:

(1)       "Distributed information technology assets" means hardware, software, and communications equipment not classified as traditional mainframe‑based items, including personal computers, local area networks (LANs), servers, mobile computers, peripheral equipment, and other related hardware and software items.

(2)       "Information technology" means electronic data processing goods and services, telecommunications goods and services, security goods and services, microprocessors, software, information processing, office systems, any services related to the foregoing, and consulting or other services for design or redesign of information technology supporting business processes.

(3)       "Information technology enterprise management" means a method for managing distributed information technology assets from acquisition through retirement so that total ownership costs (purchase, operation, maintenance, disposal, etc.) are minimized while maximum benefits are realized.

(4)       "Information technology portfolio management" means a business‑based approach for analyzing and ranking potential technology investments and selecting those investments that are the most cost‑effective in supporting the strategic business and program objectives of the agency.

(5)       "Office" means the Office of Information Technology Services as established in this Article.

(6)       "State agency" means any department, institution, commission, committee, board, division, bureau, office, officer, or official of the State. The term does not include any State entity excluded from coverage under this Article by G.S. 147‑33.80, unless otherwise expressly provided. (1999‑434, s. 9; 2000‑174, s. 2; 2001‑424, s. 15.2(a).)

 

§ 147‑33.82.  Functions of the Office of Information Technology Services.

(a)       In addition to any other functions required by this Article, the Office of Information Technology Services shall:

(1)       Procure all information technology for State agencies, as provided in Part 4 of this Article.

(2)       Submit for approval of the Office of State Budget and Management all rates and fees for common, shared State government‑wide technology services provided by the Office on a fee‑for‑service basis and not covered by another fund.

(3)       Conduct an annual assessment of State agencies for compliance with statewide policies for information technology and  submit for review of the Information Technology Advisory Board recommended statewide policies for information technology.

(4)       Develop standards, procedures, and processes to implement policies approved by the State CIO.

(5)       Review State agency management of State information technology resources for compliance with this Article.

(6)       Review State agency implementation of statewide information technology management efforts of State government for compliance with this Article.

(7)       Repealed by Session Laws 2004‑129, s. 13, effective July 1, 2004.

(8)       Develop a project management, quality assurance, and architectural review process for projects that require review and approval under G.S. 147‑33.72C(a).

(9)       Repealed by Session Laws 2004‑129, s. 13, effective July 1, 2004.

(b)       Notwithstanding any other provision of law, local governmental entities may use the information technology programs, services, or contracts offered by the Office, including information technology procurement, in accordance with the statutes, policies, and rules of the Office. For purposes of this subsection, "local governmental entities" includes local school administrative units, as defined in G.S. 115C‑5, and community colleges. Local governmental entities are not required to comply with otherwise applicable competitive bidding requirements when using contracts established by the Office. Any other State entities may also use the information technology programs, services, or contracts offered by the Office, including information technology procurement, in accordance with the statutes, policies, and rules of the Office.

(c)       Recodified as G.S. 147‑33.110 by Session Laws 2004‑129, s. 12, effective July 1, 2004.

(d)       Recodified as G.S. 147‑33.111 by Session Laws 2004‑129, s. 12, effective July 1, 2004.

(e)       Repealed by Session Laws 2004‑129, s. 11, effective July 1, 2004.

(e1)     Recodified as G.S. 147‑33.112 by Session Laws 2004‑129, s. 12, effective July 1, 2004.

(f)        Recodified as G.S. 147‑33.113 by Session Laws 2004‑129, s. 12, effective July 1, 2004. (1999‑434, s. 10; 2000‑174, s. 2; 2001‑424, s. 15.2(b); 2002‑126, s. 27.2(a); 2003‑153, ss. 1(a), 1(b); 2004‑129, ss. 10, 11, 12, 13.)

 

§ 147‑33.83.  Information resources centers and services.

(a)       With respect to all executive departments and agencies of State government, except the Department of Justice if they do not elect at their option to participate, the Office of Information Technology Services shall have all of the following powers and duties:

(1)       To establish and operate information resource centers and services to serve two or more departments on a cost‑sharing basis, if the State CIO, after consultation with the Office of State Budget and Management, decides it is advisable from the standpoint of efficiency and economy to establish these centers and services.

(2)       With the approval of the Office of State Budget and Management, to charge each department for which services are performed its proportionate part of the cost of maintaining and operating the shared centers and services.

(3)       To require any department served to transfer to the Office ownership, custody, or control of information processing equipment, supplies, and positions required by the shared centers and services.

(4)       To adopt reasonable rules for the efficient and economical management and operation of the shared centers, services, and the integrated State telecommunications network.

(5)       To adopt plans, policies, procedures, and rules for the acquisition, management, and use of information technology resources in the departments affected by this section to facilitate more efficient and economic use of information technology in these departments.

(6)       To develop and promote training programs to efficiently implement, use, and manage information technology resources.

(7)       To provide cities, counties, and other local governmental units with access to the Office of Information Technology Services, information resource centers and services as authorized in this section for State agencies. Access shall be provided on the same cost basis that applies to State agencies.

(b)       No data of a confidential nature, as defined in the General Statutes or federal law, may be entered into or processed through any cost‑sharing information resource center or network established under this section until safeguards for the data's security satisfactory to the department head and the State Chief Information Officer have been designed and installed and are fully operational. Nothing in this section may be construed to prescribe what programs to satisfy a department's objectives are to be undertaken, nor to remove from the control and administration of the departments the responsibility for program efforts, regardless whether these efforts are specifically required by statute or are administered under the general program authority and responsibility of the department. This section does not affect the provisions of G.S. 147‑64.6, 147‑64.7, or 147‑33.91.

(c)       Notwithstanding any other provision of law, the Office of Information Technology Services shall provide information technology services on a cost‑sharing basis to the General Assembly and its agencies as requested by the Legislative Services Commission. (1989, c. 239, s. 5; c. 770, s. 60; 1989 (Reg. Sess., 1990), c. 1024, s. 36; 1991 (Reg. Sess., 1992), c. 900, s. 14(g); c. 1030, s. 51.14; 1997‑148, ss. 5, 6; 1999‑347, s. 2; 1999‑434, s. 27; 2000‑174, s. 2; 2004‑129, s. 15.)

 

§ 147‑33.84.  Deviations authorized for Department of Revenue; agency requests for deviations.

(a)       The Department of Revenue is authorized to deviate from any provision in G.S. 147‑33.83(a) that requires departments or agencies to consolidate information processing functions on equipment owned, controlled, or under custody of the Office of Information Technology Services. All deviations by the Department of Revenue pursuant to this section shall be reported in writing within 15 days by the Department of Revenue to the State CIO and shall be consistent with available funding. Any State agency may apply in writing to the State CIO for authority to deviate. If granted, any deviation shall be consistent with available funding and shall be subject to such terms and conditions as may be specified by the State CIO. If the agency's request for deviation is denied by the State CIO, the agency may request a review of the decision pursuant to G.S. 147‑33.72D.

(b)       The Department of Revenue is authorized to adopt and shall adopt plans, policies, procedures, requirements, and rules for the acquisition, management, and use of information processing equipment, information processing programs, data communications capabilities, and information systems personnel in the Department of Revenue. If the plans, policies, procedures, requirements, rules, or standards adopted by the Department of Revenue deviate from the policies, procedures, or guidelines adopted by the Office of Information Technology Services, those deviations shall be allowed and shall be reported in writing within 15 days by the Department of Revenue to the State CIO. The Department of Revenue and the Office of Information Technology Services shall develop data communications capabilities between the two computer centers utilizing the North Carolina Integrated Network, subject to a security review by the Secretary of Revenue.

(c)       The Department of Revenue shall prepare a plan to allow for substantial recovery and operation of major, critical computer applications. The plan shall include the names of the computer programs, databases, and data communications capabilities, identify the maximum amount of outage that can occur prior to the initiation of the plan and resumption of operation. The plan shall be consistent with commonly accepted practices for disaster recovery in the information processing industry. The plan shall be tested as soon as practical, but not later than six months, after the establishment of the Department of Revenue information processing capability.

(d)       Notwithstanding the provisions of subsections (a) and (b) of this section, the Department of Revenue shall review and evaluate any deviations and shall, in consultation with the Office of Information Technology Services, adopt a plan to phase out any deviations that are not determined to be necessary in carrying out functions and responsibilities unique to the Department. The plan adopted by the Department shall include a strategy to coordinate its general information processing functions with the Office of Information Technology Services in the manner prescribed by G.S. 147‑33.83(a) and provide for its compliance with policies, procedures, and guidelines adopted by the Office of Information Technology Services. The Department of Revenue shall submit its plan to the Office of State Budget and Management by January 15, 2005. (1989, c. 239, s. 5; c. 770, s. 60; 1989 (Reg. Sess., 1990), c. 1024, s. 36; 1991 (Reg. Sess., 1992), c. 900, s. 14(g); c. 1030, s. 51.14; 1997‑148, ss. 5, 6; 1999‑347, s. 2; 1999‑434, s. 27; 2000‑174, s. 2; 2004‑129, s. 16.)

 

§ 147‑33.85:  Repealed by Session Laws 2004‑129, ss. 17, 18, effective July 1, 2004.

 

§147‑33.86:  Repealed by Session Laws 2004‑129, ss. 17, 18, effective July 1, 2004.

 

§ 147‑33.87.  Financial reporting and accountability for information technology investments and expenditures.

The Office of Information Technology Services, the Office of State Budget and Management, and the Office of the State Controller shall jointly develop a system for budgeting and accounting of expenditures for information technology operations, services, projects, infrastructure, and assets. The system shall include hardware, software, personnel, training, contractual services, and other items relevant to information technology, and the sources of funding for each. Annual reports regarding information technology shall be coordinated by the Office with the Office of State Budget and Management and the Office of the State Controller, and submitted to the Governor and the General Assembly on or before October 1 of each year. (1999‑434, s. 10; 2000‑140, s. 93.1(i); 2000‑174, s. 2; 2001‑424, s. 12.2(b); 2004‑129, s. 19.)

 

§ 147‑33.88.  Information technology reports.

(a)       The Office shall develop an annual budget for review and approval by the Office of State Budget and Management prior to April 1 of each year.

(b)       The Office shall report to the Joint Legislative Oversight Committee on Information Technology and the Fiscal Research Division on the Office's Internal Service Fund on a quarterly basis, no later than the first day of the second month following the end of the quarter. The report shall include current cash balances, line‑item detail on expenditures from the previous quarter, and anticipated expenditures and revenues. The Office shall report to the Joint Legislative Oversight Committee on Information Technology and the Fiscal Research Division on expenditures for the upcoming quarter, projected year‑end balance, and the status report on personnel position changes including new positions created and existing positions eliminated. The Office spending reports shall comply with the State Accounting System object codes. (1999‑434, s. 10; 2000‑174, s. 2; 2004‑129, s. 20.)

 

§ 147‑33.89.  Business continuity planning.

(a)       Each State agency shall develop and continually review and update as necessary a business and disaster recovery plan with respect to information technology. Each agency shall establish a disaster recovery planning team to develop the disaster recovery plan and to administer implementation of the plan. In developing the plan, the disaster recovery planning team shall do all of the following:

(1)       Consider the organizational, managerial, and technical environments in which the disaster recovery plan must be implemented.

(2)       Assess the types and likely parameters of disasters most likely to occur and the resultant impacts on the agency's ability to perform its mission.

(3)       List protective measures to be implemented in anticipation of a natural or man‑made disaster.

(b)       Each State agency shall submit its disaster recovery plan on an annual basis to the State Chief Information Officer. (2003‑153, s. 2; 2004‑129, s. 21.)

 

§ 147‑33.90.  Analysis of State agency legacy systems.

(a)       The Office of Information Technology Services shall analyze the State's legacy information technology systems and develop a plan to ascertain the needs, costs, and time frame required for State agencies to progress to more modern information technology systems.

(b)       In conducting the legacy system assessment phase of the analysis, the Office shall:

(1)       Examine the hierarchical structure and interrelated relationships within and between State agency legacy systems.

(2)       Catalog and analyze the portfolio of legacy applications in use in State agencies and consider the extent to which new applications could be used concurrently with, or should replace, legacy systems.

(3)       Consider issues related to migration from legacy environments to Internet‑based and client/server environments, and related to the availability of programmers and other information technology professionals with the skills to migrate legacy applications to other environments.

(4)       Study any other issue relative to the assessment of legacy information technology systems in State agencies.

(c)       Upon completion of the legacy system assessment phase of the analysis, the Office shall ascertain the needs, costs, and time frame required to modernize State agency information technology. The Office shall complete this phase of the assessment by January 31, 2005, and shall report its findings and recommendations to the 2005 General Assembly. The findings and recommendations shall include a cost estimate and time line for modernization of legacy information technology systems in State agencies. The Office shall submit an ongoing, updated report on modernization needs, costs, and time lines to the General Assembly on the opening day of each biennial session. (2003‑172, s. 1; 2004‑129, s. 22.)

 

Part 3. Telecommunications Services.

§ 147‑33.91.  Telecommunications services; duties of State Chief Information Officer with respect to State agencies.

(a)       With respect to State agencies, the State Chief Information Officer shall exercise general coordinating authority for all telecommunications matters relating to the internal management and operations of those agencies. In discharging that responsibility, the State Chief Information Officer, in cooperation with affected State agency heads, may:

(1)       Provide for the establishment, management, and operation, through either State ownership, contract, or commercial leasing, of the following systems and services as they affect the internal management and operation of State agencies:

a.         Central telephone systems and telephone networks.

b.         Repealed by Session Laws 2004‑129, s. 23, effective July 1, 2004.

c.         Repealed by Session Laws 2004‑129, s. 23, effective July 1, 2004.

d.         Satellite services.

e.         Closed‑circuit TV systems.

f.          Two‑way radio systems.

g.         Microwave systems.

h.         Related systems based on telecommunication technologies.

i.          The "State Network", managed by the Office, which means any connectivity designed for the purpose of providing Internet Protocol transport of information to any building.

(2)       Coordinate the development of cost‑sharing systems for respective user agencies for their proportionate parts of the cost of maintenance and operation of the systems and services listed in subdivision (1) of this subsection.

(3)       Assist in the development of coordinated telecommunications services or systems within and among all State agencies and recommend, where appropriate, cooperative utilization of telecommunication facilities by aggregating users.

(4)       Perform traffic analysis and engineering for all telecommunications services and systems listed in subdivision (1) of this subsection.

(5)       Pursuant to G.S. 143‑49, establish telecommunications specifications and designs so as to promote and support compatibility of the systems within State agencies.

(6)       Pursuant to G.S. 143‑49 and G.S. 143‑50, coordinate the review of requests by State agencies for the procurement of telecommunications systems or services.

(7)       Pursuant to G.S. 143‑341 and Chapter 146 of the General Statutes, coordinate the review of requests by State agencies for State government property acquisition, disposition, or construction for telecommunications systems requirements.

(8)       Provide a periodic inventory of telecommunications costs, facilities, systems, and personnel within State agencies.

(9)       Promote, coordinate, and assist in the design and engineering of emergency telecommunications systems, including, but not limited to, the 911 emergency telephone number program, Emergency Medical Services, and other emergency telecommunications services.

(10)     Perform frequency coordination and management for State agencies and local governments, including all public safety radio service frequencies, in accordance with the rules and regulations of the Federal Communications Commission or any successor federal agency.

(11)     Advise all State agencies on telecommunications management planning and related matters and provide through the State Personnel Training Center or the Office of Information Technology Services training to users within State agencies in telecommunications technology and systems.

(12)     Assist and coordinate the development of policies and long‑range plans, consistent with the protection of citizens' rights to privacy and access to information, for the acquisition and use of telecommunications systems, and base such policies and plans on current information about State telecommunications activities in relation to the full range of emerging technologies.

(13)     Work cooperatively with the North Carolina Agency for Public Telecommunications in furthering the purpose of this section.

(b)       The provisions of this section shall not apply to the Criminal Information Division of the Department of Justice or to the Judicial Information System in the Judicial Department. (1985 (Reg. Sess., 1986), c. 1024, s. 1; 1987, c. 738, s. 59(a)(2); 1989, c. 239, s. 4; 1989 (Reg. Sess., 1990), c. 1024, s. 37; 1991, c. 542, s. 14; 1993, c. 512, s. 2; 1993 (Reg. Sess., 1994), c. 777, s. 1(a); 1997‑148, ss. 3, 6; 1999‑347, s. 4; 1999‑434, s. 29; 2000‑174, s. 2; 2004‑129, s. 23.)

 

§ 147‑33.92.  Telecommunications services for local governmental entities and other entities.

(a)       The State Chief Information Officer shall provide cities, counties, and other local governmental entities with access to a central telecommunications system or service established under G.S. 147‑33.91 for State agencies. Access shall be provided on the same cost basis that applies to State agencies.

(b)       The State Chief Information Officer shall establish switched broadband telecommunications services and permit, in addition to State agencies, cities, counties, and other local government entities, the following organizations and entities to share on a not‑for‑profit basis:

(1)       Nonprofit educational institutions.

(2)       MCNC.

(3)       Research affiliates of MCNC for use only in connection with research activities sponsored or funded, in whole or in part, by MCNC, if such research activities relate to health care or education in North Carolina.

(4)       Agencies of the United States government operating in North Carolina for use only in connection with activities that relate to health care or education in North Carolina.

(5)       Hospitals, clinics, and other health care facilities for use only in connection with activities that relate to health care or education in North Carolina.

Provided, however, that sharing of the switched broadband telecommunications services by State agencies with entities or organizations in the categories set forth in this subsection shall not cause the State, the Office of Information Technology Services, or the MCNC to be classified as a public utility as that term is defined in G.S. 62‑3(23) a.6. Nor shall the State, the Office of Information Technology Services, or the MCNC engage in any activities that may cause those entities to be classified as a common carrier as that term is defined in the Communications Act of 1934, 47 U.S.C. § 153(10). Provided further, authority to share the switched broadband telecommunications services with the non‑State agencies set forth in subdivisions (1) through (5) of this subsection shall terminate one year from the effective date of a tariff that makes the broadband services available to any customer. (1985 (Reg. Sess., 1986), c. 1024, s. 1; 1987, c. 738, s. 59(a)(2); 1989, c. 239, s. 4; 1989 (Reg. Sess., 1990), c. 1024, s. 37; 1991, c. 542, s. 14; 1993, c. 512, s. 2; 1993 (Reg. Sess., 1994), c. 777, s. 1(a); 1997‑148, ss. 3, 6; 1999‑347, s. 4; 1999‑434, s. 29; 2000‑174, s. 2; 2004‑203, s. 37(b).)

 

§ 147‑33.93.  Fees; dispute resolution panel.

In addition to the powers granted pursuant to Article 6B of this Chapter or by any other provision of law, the Office of Information Technology Services may go before a panel consisting of the State Auditor, the State Controller, and the State Budget Officer, or their designees, to resolve disputes concerning services, fees, and charges incurred by State government agencies receiving information technology services from the Office. The State Auditor shall adopt rules for the dispute resolution process pursuant to G.S. 147‑64.9. The decisions of the panel shall be final in the settlement of all fee disputes that come before it. (2001‑142, s. 1.)

 

§ 147‑33.94.  Reserved for future codification purposes.

 

Part 4. Procurement of Information Technology.

§ 147‑33.95.  Procurement of information technology.

(a)       Notwithstanding any other provision of law, the Office of Information Technology Services shall procure all information technology for State agencies. The Office shall integrate technological review, cost analysis, and procurement for all information technology needs of those State agencies in order to make procurement and implementation of technology more responsive, efficient, and cost‑effective. All contract information shall be made a matter of public record after the award of contract. Trade secrets, test data, similar proprietary information, and security information protected under G.S. 132‑6.1(c) may remain confidential.

(b)       The Office shall have the authority and responsibility, subject to the provisions of this Part, to:

(1)       Purchase or contract for all information technology in the State government, or any of its departments, institutions, or agencies covered by this Part. The Office may authorize any State agency covered by this Part to purchase or contract for information technology. The Office or a State agency may use any authorized means, including negotiations, reverse auctions, and the solicitation, offer, and acceptance of electronic bids. G.S. 143‑135.9 shall apply to these procedures.

(2)       Establish processes, specifications, and standards that shall apply to all information technology to be purchased, licensed, or leased in the State government or any of its departments, institutions, or agencies covered by this Part.

(3)       Comply with the State government‑wide technical architecture, as required by the State CIO.

(c)       For purposes of this section, "reverse auction" means a real‑time purchasing process in which vendors compete to provide goods or services at the lowest selling price in an open and interactive electronic environment. The vendor's price may be revealed during the reverse auction. The Office may contract with a third‑party vendor to conduct the reverse auction.

(d)       For purposes of this section, "electronic bidding" means the electronic solicitation and receipt of offers to contract. Offers may be accepted and contracts may be entered by use of electronic bidding.

(e)       The Office may use the electronic procurement system established by G.S. 143‑48.3 to conduct reverse auctions and electronic bidding. All requirements relating to formal and competitive bids, including advertisement, seal, and signature, are satisfied when a procurement is conducted or a contract is entered in compliance with the reverse auction or electronic bidding requirements established by the Office.

(f)        The Office shall adopt rules consistent with this section. (1999‑434, s. 10; 2000‑174, s. 2; 2002‑107, s. 4; 2002‑159, s. 64(a); 2004‑129, s. 24.)

 

§ 147‑33.96.  Restriction on State agency contractual authority with regard to information technology; local governments.

(a)       All State agencies covered by this Part shall use contracts for information technology acquired by the Office for any information technology required by the State agency that is provided by these contracts. Notwithstanding any other statute, the authority of State agencies to procure or obtain information technology shall be subject to compliance with the provisions of this Part. The Office shall have the authority to exercise the authority of State agencies to procure or obtain information technology as otherwise provided by statute.

(b)       Local governmental entities are not required to comply with otherwise applicable competitive bidding requirements when using contracts offered by the Office. (1999‑434, s. 10; 2000‑174, s. 210‑241.)

 

§ 147‑33.97.  Information technology procurement policy; reporting requirements.

(a)       Policy. – In order to further the policy of the State to encourage and promote the use of small, minority, physically handicapped, and women contractors in State purchasing of goods and services, all State agencies covered by this Part shall cooperate with the Office in efforts to encourage the use of small, minority, physically handicapped, and women contractors in achieving the purpose of this Part, which is to provide for the effective and economical acquisition, management, and disposition of information technology.

(b)       Reporting. – Every State agency that makes a direct purchase of information technology using the services of the Office shall report directly to the Department of Administration all information required by G.S. 143‑48(b).

(c)       The Department of Administration shall collect and compile the data described in this section and report it annually to the Office. (1999‑434, s. 10; 2000‑174, s. 2.)

 

§ 147‑33.98.  Unauthorized use of public purchase or contract procedures for private benefit prohibited.

(a)       It shall be unlawful for any person, by the use of the powers, policies, or procedures described in this Part or established hereunder, to purchase, attempt to purchase, procure, or attempt to procure any property or services for private use or benefit.

(b)       This prohibition shall not apply if:

(1)       The department, institution, or agency through which the property or services are procured had theretofore established policies and procedures permitting such purchases or procurement by a class or classes of persons in order to provide for the mutual benefit of such persons and the department, institution, or agency involved, or the public benefit or convenience; and

(2)       Such policies and procedures, including any reimbursement policies, are complied with by the person permitted thereunder to use the purchasing or procurement procedures described in this Part or established thereunder.

(c)       Any violation of this section is a Class 1 misdemeanor. (1999‑434, s. 10; 2000‑174, s. 2.)

 

§ 147‑33.99.  Financial interest of officers in sources of supply; acceptance of bribes.

Neither the State Chief Information Officer nor the Chief Deputy State Information Officer shall be financially interested, or have any personal beneficial interest, either directly or indirectly, in the purchase of, or contract for, any information technology, nor in any firm, corporation, partnership, or association furnishing any information technology to the State government, or any of its departments, institutions, or agencies, nor shall either of these persons or any other Office employee accept or receive, directly or indirectly, from any person, firm, or corporation to whom any contract may be awarded, by rebate, gifts, or otherwise, any money or anything of value whatsoever, or any promise, obligation, or contract for future reward or compensation. Violation of this section is a Class F felony, and any person found guilty of a violation of this section shall, upon conviction, be removed from State office or employment. (1999‑434, s. 10; 2000‑174, s. 2.)

 

§ 147‑33.100.  Certification that information technology bid submitted without collusion.

The Office shall require bidders to certify that each bid on information technology contracts overseen by the Office is submitted competitively and without collusion. False certification is a Class I felony. (1999‑434, s. 10; 2000‑174, s. 2.)

 

§ 147‑33.101.  Board of Awards review.

(a)       When the dollar value of a contract for the procurement of information technology equipment, materials, and supplies exceeds the benchmark established by the Chief State Information Officer, the contract shall be reviewed by the Board of Awards pursuant to G.S. 143‑52.1 prior to the contract being awarded.

(b)       Prior to submission of any contract for review by the Board of Awards pursuant to this section for any contract for information technology being acquired for the benefit of the Office and not on behalf of any other State agency, the Director of the Budget shall review and approve the procurement to ensure compliance with the established processes, specifications, and standards applicable to all information technology purchased, licensed, or leased in State government, including established procurement processes, and compliance with the State government‑wide technical architecture as established by the State CIO. (1999‑434, s. 10; 2000‑174, s. 2; 2004‑129, s. 25.)

 

§ 147‑33.102.  Penalty for violations; costs.

Any employee or official of the State who violates this Part shall be liable to the State to repay any amount expended in violation of this Part, together with any court costs. (1999‑434, s. 10; 2000‑174, s. 2.)

 

§ 147‑33.103.  Attorney General contract assistance; rule‑making authority.

(a)       At the request of the State Chief Information Officer, the Attorney General shall provide legal advice and services necessary to implement this Part.

(b)       Repealed by Session Laws 2004‑129, s. 26, effective July 1, 2004. (1999‑434, s. 10; 2000‑174, s. 2; 2004‑129, s. 26.)

 

§ 147‑33.104:  Reserved for future codification purposes.

 

§ 147‑33.105:  Reserved for future codification purposes.

 

§ 147‑33.106:  Reserved for future codification purposes.

 

§ 147‑33.107:  Reserved for future codification purposes.

 

§ 147‑33.108:  Reserved for future codification purposes.

 

§ 147‑33.109:  Reserved for future codification purposes.

 

Part 5. Security for Information Technology Services.

§ 147‑33.110.  Statewide security standards.

The State Chief Information Officer shall establish a statewide set of standards for information technology security to maximize the functionality, security, and interoperability of the State's distributed information technology assets, including communications and encryption technologies. The State CIO shall review and revise the security standards annually. As part of this function, the State Chief Information Officer shall review periodically existing security standards and practices in place among the various State agencies to determine whether those standards and practices meet statewide security and encryption requirements. The State Chief Information Officer may assume the direct responsibility of providing for the information technology security of any State agency that fails to adhere to security standards adopted under this Article. Any actions taken by the State Chief Information Officer under this section shall be reported to the Information Technology Advisory Board at its next scheduled meeting. (2001‑424, s. 15.2(b); 2004‑129, ss. 12, 14.)

 

§ 147‑33.111.  State CIO approval of security standards and security assessments.

(a)       Notwithstanding G.S. 143‑48.3 or any other provision of law, and except as otherwise provided by this section, all information technology security purchased using State funds, or for use by a State agency or in a State facility, shall be subject to approval by the State Chief Information Officer in accordance with security standards adopted under this Article.

(b)       If the legislative branch, the judicial branch, The University of North Carolina and its constituent institutions, local school administrative units as defined by G.S. 115C‑5, or the North Carolina Community Colleges System develop their own security standards, taking into consideration the mission and functions of that entity, that are comparable to or exceed those set by the State Chief Information Officer under this section, then these entities may elect to be governed by their own respective security standards, and approval of the State Chief Information Officer shall not be required before the purchase of information technology security. The State Chief Information Officer shall consult with the legislative branch, the judicial branch, The University of North Carolina and its constituent institutions, local school administrative units, and the North Carolina Community Colleges System in reviewing the security standards adopted by those entities.

(c)       Before a State agency may enter into any contract with another party for an assessment of network vulnerability, including network penetration or any similar procedure, the State agency shall notify the State Chief Information Officer and obtain approval of the request. The State Chief Information Officer shall refer the request to the State Auditor for a determination of whether the Auditor's office can perform the assessment and testing. If the State Auditor determines that the Auditor's office can perform the assessment and testing, then the State Chief Information Officer shall authorize the assessment and testing by the Auditor. If the State Auditor determines that the Auditor's office cannot perform the assessment and testing, then with the approval of the State Chief Information Officer and State Auditor, the State agency may enter into a contract with another party for the assessment and testing. If the State agency enters into a contract with another party for assessment and testing, the State agency shall issue public reports on the general results of the reviews. The contractor shall provide the State agency with detailed reports of the security issues identified that shall not be disclosed as provided in G.S. 132‑6.1(c). The State agency shall provide the State Chief Information Officer and the State Auditor with copies of the detailed reports that shall not be disclosed as provided in G.S. 132‑6.1(c). (2001‑424, s. 15.2(b); 2004‑129, ss. 10, 12, 14.)

 

§ 147‑33.112.  Assessment of agency compliance with security standards.

The State Chief Information Officer shall assess the ability of each agency to comply with the current security enterprise‑wide set of standards established pursuant to this section. The assessment shall include, at a minimum, the rate of compliance with the standards in each agency and an assessment of each agency's security organization, network security architecture, and current expenditures for information technology security. The assessment shall also estimate the cost to implement the security measures needed for agencies to fully comply with the standards. Each agency subject to the standards shall submit information required by the State Chief Information Officer for purposes of this assessment. The State Chief Information Officer shall include the information obtained from the assessment in the State Information Technology Plan required under G.S. 147‑33.72B. (2003‑153, s. 1(a); 2004‑129, ss. 12, 14.)

 

§ 147‑33.113.  State agency cooperation.

(a)       The head of each State agency shall cooperate with the State Chief Information Officer in the discharge of his or her duties by:

(1)       Providing the full details of the agency's information technology and operational requirements and of all the agency's information technology security incidents within 24 hours of confirmation.

(2)       Providing comprehensive information concerning the information technology security employed to protect the agency's information technology.

(3)       Forecasting the parameters of the agency's projected future information technology security needs and capabilities.

(4)       Designating an agency liaison in the information technology area to coordinate with the State Chief Information Officer. The liaison shall be subject to a criminal background report from the State Repository of Criminal Histories, which shall be provided by the State Bureau of Investigation upon its receiving fingerprints from the liaison. If the liaison has been a resident of this State for less than five years, the background report shall include a review of criminal information from both the State and National Repositories of Criminal Histories. The criminal background report shall be provided to the State Chief Information Officer and the head of the agency. In addition, all personnel in the Office of State Auditor who are responsible for information technology security reviews pursuant to G.S. 147‑64.6(c)(18) shall be subject to a criminal background report from the State Repository of Criminal Histories, which shall be provided by the State Bureau of Investigation upon receiving fingerprints from the personnel designated by the State Auditor. For designated personnel who have been residents of this State for less than five years, the background report shall include a review of criminal information from both the State and National Repositories of Criminal Histories. The criminal background reports shall be provided to the State Auditor.

(b)       The information provided by State agencies to the State Chief Information Officer under this section is protected from public disclosure pursuant to G.S. 132‑6.1(c). (2001‑424, s. 15.2(b); 2003‑153, s. 1(a); 2004‑129, ss. 12, 14.)