TITLE I
THE STATE AND ITS GOVERNMENT

Chapter 21-R
DEPARTMENT OF INFORMATION TECHNOLOGY

Section 21-R:1

    21-R:1 Definitions. –
In this chapter:
I. "Commissioner" means the commissioner of the department of information technology.
II. "Department" means the department of information technology.

Source. 2008, 335:1, eff. Sept. 5, 2008.

Section 21-R:2

    21-R:2 Department of Information Technology Established. – There is established the department of information technology, an agency of the state, under the executive direction of a commissioner of the department of information technology, who shall also be known as the chief information officer. The department of information technology, through its officials, shall be responsible for managing and coordinating all technology resources in the executive branch of government, developing and implementing strategies to enhance state services, and creating statewide efficiencies through the use of information and other technologies.

Source. 2008, 335:1, eff. Sept. 5, 2008.

Section 21-R:3

    21-R:3 Commissioner; Deputy Commissioner; Directors; Compensation. –
I. The commissioner of the department of information technology shall be appointed by the governor, with the advice and consent of the council, and shall serve for a term of 4 years. The commissioner shall be academically and technically qualified to hold the position, and shall be known as the chief information officer. A vacancy shall be filled for the remainder of the unexpired term in the same manner as the original appointment.
I-a. The commissioner of the department of information technology shall nominate for appointment by the governor, with the consent of the executive council, a deputy commissioner of the department of information technology, who shall serve for a term of 4 years and shall be qualified to hold that position by reason of education and experience. The deputy commissioner shall perform such duties as may be assigned by the commissioner, which may include, but not be limited to, the authority and power with approval of the commissioner to direct and supervise the operation and administration of any division of the department.
I-b. The commissioner shall appoint a chief information security officer, who shall be qualified to hold that position by reason of education and experience. The chief information security officer shall perform such duties described in RSA 21-R:4-a and as may be assigned by the commissioner, which may include, but not be limited to, the authority and power with approval of the commissioner to direct the formulation and implementation of cybersecurity and information security strategy, direction, policy, procedures, and standards across the executive branch of the state government.
II. The department shall consist of 4 divisions, which shall be under the direction of the commissioner. The commissioner shall nominate 4 division directors, who shall be appointed by the governor, with the consent of the council. Division directors shall serve for a term of 4 years; provided that a division director serving on the effective date of this paragraph may continue to serve in such capacity until appointed or replaced. The division directors shall be qualified to hold their respective positions by reason of education and relevant experience.
III. The salaries of the commissioner, deputy commissioner, chief information security officer, and division directors shall be as specified in RSA 94:1-a.

Source. 2008, 335:1, eff. Sept. 5, 2008. 2014, 327:77, eff. Jan. 1, 2018. 2018, 81:1, eff. May 25, 2018. 2023, 135:1, 2, eff. Aug. 29, 2023.

Section 21-R:4

    21-R:4 Duties of the Commissioner. –
In addition to the powers, duties, and functions otherwise vested in the commissioner pursuant to RSA 21-G:9, the commissioner shall be responsible for the following:
I. Providing technical information technology consultation to all executive branch agencies and to any other agency that requests it, including technical advice consistent with the principles of open government data established in RSA 21-R:11 through RSA 21-R:14 during the development or acquisition of information systems.
II. Monitoring technological trends and informing all state employees and officials about state-of-the-art information systems and management techniques.
III. Developing a formal information technology planning process for approving agency information technology plans.
IV. Preparing and maintaining a statewide information technology plan based upon agency information technology plans.
V. Reviewing, assessing, and approving the feasibility of agency information technology plans, including cost estimates and effects on other agencies and political subdivisions of the state.
VI. Developing standards and processes for collaborative stakeholder involvement to assure that hardware, software, and telecommunications systems acquired or developed by the state are as compatible among themselves and with other systems of the state and political subdivisions as are necessary and practical.
VII. Providing training and educational programs to technicians and managers.
VIII. Monitoring and reporting to the governor and general court on the effectiveness of the use of information technology resources and on statewide progress in implementing information technology plans.
IX. Coordinating information technology development efforts that affect multiple agencies.
X. Developing and implementing a data center consolidation plan, which establishes strategic data centers throughout the state for data processing operations and service responsibilities for all executive branch agencies.
XI. Developing, in concert with the commissioner of administrative services and the state budget office established in RSA 21-I:6, the capital and operating budget requests for implementing each agency's information technology plan, including, but not limited to, appropriate standards for the uniform presentation of the general budget requests.
XII. Developing, in concert with the department of administrative services, division of procurement and support services, specifications for the procurement of computer hardware, software, related licenses, media, documentation, support and maintenance services, and other related services.
XIII. Developing and implementing a strategy to increase efficiency and effectiveness in all areas of state government by using information technology to its fullest potential.
XIV. Developing and implementing a strategy to consolidate statewide shared information technology services.
XV. Developing an information technology satisfaction measurement program to ensure information technology resources and strategic plans are meeting the needs of each agency.
XVI. Developing and implementing a strategy to address cyber security risks to the state's data, information, and technology resources.
XVII. Developing and implementing a strategy to address the state's geographical information system (GIS) technology.
XVIII. Establishing as necessary, after consultation with the information technology council, established under RSA 21-R:6, statewide standards and protocols for information technology, networks, and cyber security, which shall be adhered to by all executive branch agencies unless granted a waiver by the commissioner.
XIX. Providing telecommunications services to state government.
XX. Adopting comprehensive and uniform standards, practices, procedures, instructions, and funding processes relative to statewide telephony services applicable to all state agencies. The comprehensive and uniform requirements shall be in the form of a manual and shall be subject to the approval of the governor and council, but shall not be subject to the rulemaking requirements of RSA 541-A.
XXI. Establish and maintain within the department a cybersecurity integration center to serve as the unified state center for coordinating cybersecurity monitoring, sharing information, distributing cybersecurity threat analysis, and enabling situational awareness between and among executive branch agencies and departments.

Source. 2008, 335:1, eff. Sept. 5, 2008. 2012, 5:3, eff. May 11, 2012; 192:1, eff. July 1, 2012; 265:4, 6, 7, eff. June 18, 2012. 2014, 327:49, eff. Aug. 2, 2014. 2015, 276:30, eff. July 1, 2015. 2016, 147:2, eff. July 1, 2016. 2021, 202:2, Pt. III, Sec. 9, eff. July 1, 2021. 2023, 135:3, eff. Aug. 29, 2023.

Section 21-R:4-a

    21-R:4-a Duties of the Chief Information Security Officer. –
The chief information security officer shall be responsible for the following:
I. Chairing the cybersecurity advisory committee.
II. Developing, publishing, maintaining, and interpreting the statewide information security manual's policies and standards.
III. Developing, managing, and executing the statewide cyber disruption plan and an information security event response process.
IV. Staffing and training members of ESF-17 under the state emergency operations plan.
V. Identifying security requirements to limit the risks associated with identified executive branch business objectives as defined by the governor and the heads of state agencies.
VI. Providing information security subject matter expertise to the executive branch of the New Hampshire state government.
VII. Drafting and implementing an information security awareness and training program to be used by all state agencies.
VIII. Providing security metrics to track the performance of the information security program.
IX. Developing an information security governance and risk program, including, but not limited to:
(a) Coordinating and conducting risk assessments of agencies and their information assets.
(b) Conducting and managing vulnerability assessments of agency networks, applications, databases, and systems.
(c) Conducting penetration tests of agency networks, applications, databases, and systems.
(d) Conducting information security risk assessments of third parties with access to state of New Hampshire information assets.
X. Serving as the chief of the New Hampshire cyber integration center.

Source. 2023, 135:4, eff. Aug. 29, 2023.

Section 21-R:5

    21-R:5 Divisions Established. – The commissioner shall establish 4 divisions, business relationship management, user experience, infrastructure and operations, and user services, which shall be in alignment with the department's statewide strategic plan. Each division shall be under the supervision of a division director appointed pursuant to RSA 21-R:3.

Source. 2008, 335:1, eff. Sept. 5, 2008. 2018, 81:2, eff. May 25, 2018. 2023, 79:1, eff. July 1, 2023.

Section 21-R:6

    21-R:6 Information Technology Council. –
I. There is hereby established the information technology council. The council shall advise the commissioner on the following:
(a) Statewide strategic technology plans.
(b) Outsourcing relationships, including the purchase of technology equipment and contracts with technology vendors.
(c) Computer systems consolidation.
(d) Implementation of centralized services.
(e) Information technology resource changes, including changes in quantity of resources allocated to executive branch agencies, location of information technology resources, and allocation of information technology personnel.
(f) Statewide information technology policies and standards.
(g) Information technology budgeting and resource allocation.
(h) The security of data shared with the federal government, methods to improve state data security practices, and suggested legislation, policies, and procedures to limit data sharing when its confidentiality cannot be assured.
II. The information technology council shall consist of the following members:
(a) The commissioner of administrative services, or designee.
(b) The commissioner of transportation, or designee.
(c) The commissioner of health and human services, or designee.
(d) The commissioner of safety, or designee.
(e) The commissioner of revenue administration, or designee.
(f) Two heads of other departments, or their designees, appointed by the governor.
(g) The commissioner of the department of education, or designee.
(h) Two state representatives, appointed by the speaker of the house of representatives for the duration of their legislative term.
(i) One representative of municipal government, appointed by the governor for a 3-year term.
(j) One representative of county government, nominated by the New Hampshire Association of Counties and appointed by the governor for a 3-year term.
(k) One representative of academia, appointed by the governor for a 3-year term.
(l) One representative of the business community, appointed by the governor for a 3-year term.
(m) One person appointed by the governor for a 3-year term, who shall serve as the chairperson of the council.
(n) The secretary of state, or designee.
(o) One representative of the administrative office of the courts, appointed by the chief justice of the supreme court.
(p) One state senator, appointed by the president of the senate, for the duration of the legislative term.
III. Six members of the council shall constitute a quorum. Qualified members who have served one or more terms shall be eligible for reappointment to the council.

Source. 2008, 335:1, eff. Sept. 5, 2008. 2012, 265:2, 3, 9, 10, eff. June 18, 2012. 2014, 22:1, eff. May 23, 2014; 68:2, eff. July 1, 2014. 2018, 81:3, eff. May 25, 2018. 2022, 323:6, eff. Sept. 6, 2022.

Section 21-R:7

    21-R:7 Technical Committees. –
The commissioner may establish technical committees to advise him or her on technical issues. Each technical committee shall include personnel from all 3 branches of government who have experience in the specific issue that is the focus of the committee. These issues may include but are not limited to:
I. Hardware, software, and telecommunications standards.
II. Information technology planning process.
III. Development of statewide policies and procedures.
IV. Emerging Internet and "intranet," or limited network, technologies.
V. E-government strategy and deployment.
VI. Wide area network efficiencies.
VII. Cybersecurity.
VIII. Cloud technologies or strategies.

Source. 2008, 335:1, eff. Sept. 5, 2008. 2021, 72:1, eff. July 1, 2021.

Section 21-R:8

    21-R:8 Agency Satisfaction Metrics. – The commissioner shall use a system of agency satisfaction metrics, a measurement and communication system to track the satisfaction of delivery of information technology solutions. The department of information technology may use surveys, web tools, and special processes to ensure that vehicles exist for agency heads to get the quality of information technology solutions they require to operate their agencies. The commissioner shall set satisfaction benchmarks to meet or exceed expectations.

Source. 2008, 335:1, eff. Sept. 5, 2008.

Section 21-R:8-a

    21-R:8-a Purchasing Policy. –
I. The department shall, in collaboration with the department of administrative services, establish standards for computer hardware, software, related licenses, media, documentation, support and maintenance services, and other related services. Agencies may purchase directly using contracts established by administrative services without approval from the chief information officer, or designee, subject to any limitations established by the chief information officer.
II. Prior to an agency's issuance of a solicitation for the purchase of computer hardware, software, related licenses, media, documentation, support and maintenance services, and other related services including a request for proposal, request for purchase, or other procurement documentation, the agency shall consult with and seek approval from the department of information technology.
III. The department of information technology, in consultation with the information technology council, shall annually review and set dollar, or other, limits for purchases and contracts that require approval from the chief information officer before proceeding.
IV. For purposes of this section, "agency" shall have the meaning defined in RSA 21-I:11, II(b), but shall not include those agencies exempt under RSA 21-I:18 from the provisions of RSA 21-I.

Source. 2009, 149:1, eff. Sept. 6, 2009. 2012, 192:2, eff. July 1, 2012. 2014, 327:50, eff. Aug. 2, 2014. 2015, 276:31, eff. July 1, 2015.

Section 21-R:9

    21-R:9 Repealed by 2022, 323:1, II, eff. Sept. 6, 2022.

Section 21-R:9-a

    21-R:9-a Statewide Telecommunications Fund. – There is hereby established in the office of the state treasurer a statewide telecommunications fund. Moneys received by the department from state agencies for telecommunications services shall be deposited in the fund. The fund shall be nonlapsing and continually appropriated to the department of information technology for the purpose of providing telecommunications services to state agencies.

Source. 2019, 134:4, eff. June 25, 2019.

Open Standards

Section 21-R:10

    21-R:10 Definitions. –
In this subdivision:
I. "Open data format" means the organization of digital data within a computer file in a manner that makes it accessible for all to implement and use in perpetuity, with no royalty or fee. The published specification for the open data format is usually maintained by a standards organization.
I-a. "Open source software" means software that guarantees the user:
(a) Unrestricted use of the software for any purpose;
(b) Unrestricted access to the respective source code;
(c) Unlimited inspection of the working mechanisms of the software;
(d) Use of the internal mechanisms and arbitrary portions of the software, to adapt them to the needs of the user;
(e) The right to make and distribute copies of the software; and
(f) The right to modify the software and to distribute modifications of the new resulting software, under the same license as the original software.
II. "Open standards" means specifications for the encoding and transfer of computer data that:
(a) Is free for all to implement and use in perpetuity, with no royalty or fee;
(b) Has no restrictions on the use of data stored in the format;
(c) Has no restrictions on the creation of software that stores, transmits, receives, or accesses data codified in such way;
(d) Has a specification available for all to read, in a human-readable format, written in commonly accepted technical language;
(e) Is documented, so that anyone can write software that can read and interpret the complete semantics of any data file stored in the data format;
(f) If it allows extensions, ensures that all extensions of the data format used by the state are themselves documented and have the other characteristics of an open data format;
(g) Allows any file written in that format to be identified as adhering or not adhering to the format; and
(h) If it includes any use of encryption or other means of data obfuscation, provides that the encryption or obfuscation algorithms are usable in a royalty-free, nondiscriminatory manner in perpetuity, and are documented so that anyone in possession of the appropriate encryption key or keys or other data necessary to recover the original data is able to write software to access the data.
III. "Proprietary software" means software that does not fulfill all of the guarantees provided by open source software.
IV. "State agency" means any department, commission, board, institution, bureau, office, or other entity, by whatever name called, established in the state constitution, statutes, or executive orders. The judicial branch and the legislative branch of state government are explicitly exempted from this definition.

Source. 2012, 5:2, eff. May 11, 2012. 2013, 118:1, 7, eff. June 25, 2013.

Section 21-R:11

    21-R:11 Use of Technology Solutions by State Agencies. –
I. For all technology acquisitions, each state agency, in consultation with the department of information technology, shall:
(a) Consider whether technology solutions containing proprietary or open source software offer the most cost effective solution for the agency, based on consideration of all associated acquisition, support, maintenance, and training costs;
(b) Except as provided in subparagraphs (d) and (e), acquire technology solutions primarily on a value-for-money basis, based on consideration of the cost factors as described in subparagraph (a);
(c) Provide a brief analysis of the purchase decision, including consideration of the cost factors in subparagraph (a), to the chief information officer;
(d) Avoid the acquisition of products that do not comply with open standards for interoperability or data storage; and
(e) Avoid the acquisition of products that are known to make unauthorized transfers of information to, or permit unauthorized control of or modification of a state agency's computer.
II. All state procurement documents related to technology acquisitions shall include language that requires adherence to this section.

Source. 2012, 5:2, eff. May 11, 2012. 2012, 265:8, eff. June 18, 2012. 2013, 118:8, eff. June 25, 2013. 2018, 81:4, eff. May 25, 2018. 2022, 44:1, eff. July 2, 2022.

Section 21-R:12

    21-R:12 Repealed by 2018, 81:8, eff. May 25, 2018.

Section 21-R:13

    21-R:13 Use of Open Standards and Open Data Formats by State Agencies. –
I. The commissioner shall assist state agencies in the purchase or creation of technology solutions that comply with open standards for the accessing, storing, or transferring of data. The commissioner shall:
(a) Ensure that any new data standards which the state of New Hampshire defines and to which it owns all rights are open standards compliant.
(b) Use open standards unless specific project requirements, or excessive cost, preclude use of an open data format.
(c) Reexamine existing data stored in a restricted format to which the state of New Hampshire does not own the rights during re-procurement cycles to determine if the format has become open and, if not, whether an appropriate open standard exists.
(d) Make readily accessible, on the state website, documentation on open data formats used by the state of New Hampshire. When data in open format is made available through the state's website, a link shall be provided to the corresponding data format documentation.

Source. 2012, 5:2, eff. May 11, 2012. 2013, 118:3, eff. June 25, 2013. 2018, 81:5, 6, eff. May 25, 2018.

Section 21-R:14

    21-R:14 Statewide Information Policy on Open Government Data Standards. –
I. The commissioner shall develop a statewide information policy based on the following principles of open government data. According to these principles, open data is data that is:
(a) Complete. All public data is made available, unless subject to valid privacy, security, or privilege limitations.
(b) Primary. Data is collected at the source, with the highest possible level of granularity, rather than in aggregate or modified forms.
(c) Timely. Data is made available as quickly as necessary to preserve the value of the data.
(d) Accessible. Data is available to the widest range of users for the widest range of purposes.
(e) Machine processable. Data is reasonably structured to allow automated processing.
(f) Nondiscriminatory. Data is available to anyone, with no requirement of registration.
(g) Nonproprietary. Data is available in a format over which no entity has exclusive control, with the exception of national or international published standards.
(h) License-free. Data is not subject to any copyright, patent, trademark, or trade secret regulation. Reasonable privacy, security, and privilege restrictions may be allowed.
II. The information policy developed under paragraph I shall include a mechanism for adoption and review by each state agency. Each agency that adopts the policy shall designate a contact person responsible for oversight and implementation of open government data standards for that agency. The contact shall act as a liaison between the department, the implementing agency, and the public in matters related to open government data standards.
III. In developing the open data standards policy, the commissioner shall solicit information from the secretary of state relative to state archiving practices and the collection of data for historical purposes.

Source. 2012, 5:2, eff. May 11, 2012. 2022, 323:3, eff. Sept. 6, 2022.

Cybersecurity Software

Section 21-R:15

    21-R:15 Use of Kaspersky Software Prohibited. –
I. No state agency shall use any software platform developed, in whole or in part, by Kaspersky Lab or any entity of which Kaspersky Lab has a majority ownership.
II. In this section, "state agency" means any department, commission, board, institution, bureau, office, or other entity, by whatever name called, including the legislative and judicial branches of state government, established in the state constitution, statutes, session laws or executive orders.

Source. 2018, 63:1, eff. July 24, 2018.

Section 21-R:16

    21-R:16 Cybersecurity Advisory Committee. –
I. There is hereby established the cybersecurity advisory committee (CAC) which shall be chaired by the chief information security officer.
II. The committee shall advise the commissioner or the commissioner's designee on cybersecurity concerns, promote awareness, develop effective policies and solutions, and obtain consensus on enterprise-wide initiatives that advance the cybersecurity of information assets and technology resources.
III. All executive departments and agencies shall identify and appoint an employee with cybersecurity responsibilities to spearhead agency cybersecurity matters including information security, confidentiality, privacy, and regulatory compliance, and to represent the agency on the CAC. Contributors to the CAC may include representatives with cybersecurity responsibilities from the New Hampshire National Guard, New Hampshire political subdivisions, academic institutions, and select private industry representatives as identified by the CAC.

Source. 2021, 72:2, eff. July 1, 2021.