(a) A public entity that connects to the technology infrastructure of the state after July 1, 2027, must:
- (1) have completed a cybersecurity assessment within the three
- (3) year period immediately preceding the first date after July 1, 2027, on which the public entity connects to the technology infrastructure of the state;
- (2) complete a cybersecurity assessment at least once every three
- (3) years after the first date after July 1, 2027, on which the public entity connects to the technology infrastructure of the state;
- (3) provide proof to the office of the public entity's compliance with subdivisions (1) and (2) upon request by the office;
- (4) if the public entity is a state agency or political subdivision, have an "in.gov" or ".gov" domain name; and
- (5) have a secondary end user authentication mechanism.
(b) An entity that is not a public entity and that connects to the technology infrastructure of the state after July 1, 2026, must:
- (1) have completed a cybersecurity assessment within the two (2) year period immediately preceding the first date after July 1, 2026, on which the entity connects to the technology infrastructure of the state;
(2) complete a cybersecurity assessment:
- (A) at least once every two (2) years after the first date after July 1, 2026, on which the entity connects to the technology infrastructure of the state; and
- (B) biennially for as long as the entity connects to the technology infrastructure of the state;
- (3) provide proof to the office of the entity's compliance with subdivisions (1) and (2) upon request by the office; and
- (4) have a secondary end user authentication mechanism.
(c) At the discretion of the office:
- (1) a public entity that is not in compliance with subsection (a); or
(2) an entity that is not in compliance with subsection (b);
may be disconnected from the technology infrastructure of the state.
As added by P.L.108-2024, SEC.2.