(1) The office must evaluate the extent to which the state is building upon its existing expertise in information technology to become a national leader in cybersecurity, as described in *section 1(6) of this act, by periodically evaluating the state's performance in achieving the following objectives:
(a) High levels of compliance with the state's information technology security policy and standards, as demonstrated by the attestation that state agencies make annually to the office in which they report their implementation of best practices identified by the office;
(b) Achieving recognition from the federal government as a leader in cybersecurity, as evidenced by federal dollars received for ongoing efforts or for piloting cybersecurity programs;
(c) Developing future leaders in cybersecurity, as evidenced by an increase in the number of students trained, and cybersecurity programs enlarged in educational settings from a January 1, 2016, baseline;
(d) Broad participation in cybersecurity trainings and exercises or outreach, as evidenced by the number of events and the number of participants;
(e) Full coverage and protection of state information technology assets by a centralized cybersecurity protocol; and
(f) Adherence by state agencies to recovery and resilience plans post cyber attack.
(2) The office is encouraged to collaborate with community colleges, universities, the department of commerce, and other stakeholders in obtaining the information necessary to measure its progress in achieving these objectives.
(3) Before December 1, 2020, the office must report to the legislature:
(a) Its performance in achieving the objectives described in subsection (1) of this section; and
(b) Its recommendations, if any, for additional or different metrics that would improve measurement of the effectiveness of the state's efforts to maintain leadership in cybersecurity.
(4) This section expires October 1, 2021.
[ 2016 c 237 § 4.]
NOTES:
*Reviser's note: Section 1 of this act was vetoed.
Short title—2016 c 237: "This act may be known and cited as the cybersecurity jobs act of 2016." [ 2016 c 237 § 5.]