MISSISSIPPI LEGISLATURE

2023 Regular Session

To: Technology

By: Senator(s) Carter, Tate

Senate Bill 2140

(As Sent to Governor)

AN ACT TO CREATE A NEW SECTION WITHIN TITLE 25, CHAPTER 53, MISSISSIPPI CODE OF 1972, TO CREATE THE NATIONAL SECURITY ON STATE DEVICES AND NETWORKS ACT; TO AMEND SECTION 25-53-191, MISSISSIPPI CODE OF 1972, TO CONFORM; AND FOR RELATED PURPOSES.

     BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MISSISSIPPI:

     SECTION 1.  (1)  This section shall be known and may be cited as the "National Security on State Devices and Networks Act."

     (2)  For the purposes of this section, the following words and phrases shall have the meanings ascribed in this section unless the context clearly indicates otherwise:

          (a)  "Prohibited technology" means any information technology deemed to pose an unacceptable risk to the security of the United States and/or the State of Mississippi by Mississippi and/or federal law, regulation, or guidance.

          (b)  "State-issued devices" means any desktop computer, laptop computer, cell phone, tablet or any other device capable of internet connectivity that is issued to a state employee pursuant to his or her employment and for use in carrying out his or her professional duties.

          (c)  "State-operated networks" means any telecommunications network, including, but not limited to, wireless local area networks, wireless guest networks, virtual private networks, or other information technology network systems owned or operated by the Mississippi Department of Information Technology Services or any other state agency.

          (d)  "State agency" means any agency, department, commission, board, bureau, institution or other instrumentality of the state.

          (e)  "State employee" means an employee or agent complying with and performing duties on behalf of the state.

     (3)  No state employee shall download, access, or use a prohibited technology on a state-issued device or a state-operated network.

     (4)  The Mississippi Department of Information Technology Services, or any other appropriate state agency, shall restrict the download, access or use of prohibited technologies on state-operated networks.  The Mississippi Department of Information Technology Services shall maintain and timely update a publicly available list of such prohibited technologies on its website.

     (5)  The provisions of this section shall not apply to law enforcement agencies of the state or its political subdivisions when downloading, accessing, or using a prohibited technology is necessary to carry out their official duties for bona fide law enforcement, investigative or public safety purposes.

     SECTION 2.  Section 25-53-191, Mississippi Code of 1972, is amended as follows:

     25-53-191.  (1)  For the purposes of this section, the following terms shall have the meanings ascribed to them in this section unless the context otherwise clearly requires:

          (a)  "Department" means the Mississippi Department of Information Technology.

          (b)  "State agency" means any agency, department, commission, board, bureau, institution or other instrumentality of the state.

          (c)  "Wireless communication device" means a cellular telephone, pager or a personal digital assistant device having wireless communication capability.

     (2)  Before a wireless communication device may be assigned, issued or made available to an agency officer or employee, the agency head, or his designee, shall sign a statement certifying the need or reason for issuing the device.  No officer or employee of any state agency, except for an officer or employee of the Mississippi Emergency Management Agency, shall be assigned or issued more than one (1) such wireless communication device.  No officer or employee of any state agency to whom has been assigned, issued or made available the use of a wireless communication device, the cost of which is paid through the use of public funds, shall use such device for personal use.

     (3)  A state agency shall not reimburse any officer or employee for use of his or her personal wireless communication device.

     (4)  Every state agency that, at the expense of the state agency, assigns, issues or makes available to any of its officers or employees a wireless communication device shall obtain and maintain detailed billing for every wireless communication device account.  A list of approved vendors for the procurement of wireless communication devices and the delivery of wireless communication device services shall be developed for all state agencies by the Mississippi Department of Information Technology Services * * *in conjunction with the Wireless Communication Commission created in Section 25‑53‑171.  The department * * *, in conjunction with the Wireless Communication Commission, shall exercise the option of selecting one (1) vendor from which to procure wireless communication devices and to provide wireless communication device services, or if it deems such to be most advantageous to the state agencies, it may select multiple vendors.  The department * * *, in conjunction with the Wireless Communication Commission, shall select a vendor or vendors on the basis of lowest and best bid proposals.  A state agency may not procure a wireless communication device from any vendor or contract for wireless communication device services with any vendor unless the vendor appears on the list approved by the department * * *, in conjunction with the Wireless Communication Commission.  A contract entered into in violation of this section shall be void and unenforceable.

     (5)  The department shall promulgate a model acceptable use policy defining the appropriate use of all wireless communication devices.  The department shall include in its definition of appropriate use a prohibition on the downloading, accessing, or using of a prohibited technology pursuant to the National Security on State Devices and Networks Act.  The acceptable use policy should specify that these resources, including both devices and services, are provided at the state agency's expense as tools for accomplishing the business missions of the state agency; that all those resources are for business use; and that more than incidental personal use of those resources is prohibited.  The acceptable use policy should require that each official and employee issued one (1) of the above devices or authorized to access one (1) of the above services sign the policy and that the signed copy be placed in the personnel file of the official or employee.  The acceptable use policy should also require that the use of these resources be tracked, verified and signed by the official or employee and the supervisor of the official or employee at each billing cycle or other appropriate interval.  All state agencies shall adopt the model policy or adopt a policy that is, at minimum, as stringent as the model policy and shall provide a copy of the policy to the department.

     (6)  All state agencies shall purchase or acquire only the lowest cost cellular telephone, pager or personal digital assistance device which will carry out its intended use.

     (7)  The University of Mississippi Medical Center and its employees, the Mississippi State University Extension Service and its agents and faculty members, the Mississippi State University Agricultural and Forestry Experiment Station and its faculty members, the Mississippi State University Forestry and Wildlife Research Center and its faculty members, and the Mississippi State University College of Veterinary Medicine and its faculty members shall be exempt from the application of this section.

     (8)  Employees of State Institutions of Higher Learning shall be exempt from the provisions of this section when incurring international usage charges for the business-related use of their personal wireless communication devices during business-related international travel.  Such exemption shall only apply after a determination by the employer-institution that reimbursement to the employee for the use of his or her personal wireless communication device is the lowest-cost option to prevent business interruption during such travel.

     (9)  The State Auditor shall conduct necessary audits to ensure compliance with the provisions of this section.

     SECTION 3.  Section 1 of this act shall be codified as a new section in Title 25, Chapter 53, Mississippi Code of 1972.

     SECTION 4.  This act shall take effect and be in force from and after July 1, 2023.