The commission shall:
(1) identify and inform the governor of:
- (a) cyber threats and vulnerabilities towards Utah's critical infrastructure;
- (b) cybersecurity assets and resources; and
(c) an analysis of:
- (i) current cyber incident response capabilities;
- (ii) potential cyber threats; and
(iii) areas of significant concern with respect to:
- (A) vulnerability to cyber attack; or
- (B) seriousness of consequences in the event of a cyber attack;
(2) provide resources with respect to cyber attacks in both the public and private sector, including:
- (a) best practices;
- (b) education; and
- (c) mitigation;
- (3) promote cyber security awareness;
- (4) share information;
- (5) promote best practices to prevent and mitigate cyber attacks;
- (6) enhance cyber capabilities and response for all Utahns;
- (7) provide consistent outreach and collaboration with private and public sector organizations;
- (8) share cyber threat intelligence to operators and overseers of Utah's critical infrastructure; and
(9) in accordance with Title 63G, Chapter 3, Utah Administrative Rulemaking Act, make rules establishing minimum cybersecurity standards for a local education agency, as that term is defined in Section 53G-3-402, that:
- (a) align with industry recognized cybersecurity frameworks and standards, including frameworks developed by the National Institute of Standards and Technology, the Center for Internet Security, or a successor organization;
- (b) take into account varying local education agency resources, capacity, and needs;
- (c) establish phased implementation timelines based on local education agency size, existing cybersecurity infrastructure, and available resources; and
(d) as appropriate based on the local education agency's size, risk profile, and available resources, shall address:
- (i) identity and access management;
- (ii) asset management and inventory of hardware, software, and data systems;
- (iii) data protection;
- (iv) security monitoring and logging capabilities;
- (v) vulnerability management, including regular security assessments and patching procedures;
- (vi) incident response and recovery planning;
- (vii) security awareness training requirements for staff and administrators;
- (viii) third-party risk management for vendors with access to local education agency systems or data;
- (ix) network security controls;
- (x) backup and disaster recovery procedures; and
- (xi) governance structures for cybersecurity oversight within a local education agency.
Amended by Chapter 170, 2026 General Session