Kansas bill SB 291 would centralize cybersecurity, set NIST targets and include a July 2026 sunset
Summary
A 2024 law with broad cybersecurity requirements for Kansas government branches includes new chief information security officer roles, NIST Cybersecurity Framework targets, separate annual budget line items for IT and cybersecurity, and a statutory sunset that requires the Legislature to act before July 1, 2026 to keep the changes in force.
The Joint Committee on Information Technology heard an overview of Senate Bill 291, the 2024 cybersecurity law that would change how the executive, judicial and legislative branches manage cybersecurity and information technology services.
The office of the Reviser of Statutes told the panel that the act requires each branch to appoint a chief information security officer (CISO) and to develop branchwide cybersecurity programs based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Those programs must achieve a CSF tier 3 by July 1, 2028, and tier 4 by July 1, 2030, the Reviser said.
The bill also contains operational and budgetary changes. Beginning July 1, 2025, agencies must move public-facing websites to the .gov domain. The law requires that each agency’s information-technology and cybersecurity appropriations be shown as separate line items in budgets to allow more detailed legislative review. A new Information Technology Security Fund and a $15 million appropriation to the Kansas Information Security Office (KISO) appear in the statute, along with a $250,000 allocation to the Adjutant General for fusion center personnel.
Why it matters: The law reallocates responsibilities for cybersecurity inside state branches and creates new accountability mechanisms. It also contains a sunset clause: most substantive sections revert on July 1, 2026, unless the Legislature enacts a bill to remove that sunset, the Reviser told the committee.
Key provisions and enforcement mechanics
- CISOs: Sections add statutory duties for CISOs in the executive, legislative and judicial branches and require the judicial CISO to estimate hardware costs and coordinate connectivity with the Kansas CANWIN network. The Reviser said the positions must develop cybersecurity programs that conform to NIST and the CSF targets noted above.
- Audits and confidentiality: The bill requires audits of branch cybersecurity programs. If an audit finds failures, the CISO would report the results and a mitigation plan to legislative leaders. Those audits are expressly exempted from the state Open Records Act in the statutory text noted by the Reviser (KSA citations in committee briefing).
- Budget penalty for noncompliance: The director of the budget must determine annual compliance; for noncompliant agencies the director certifies an amount equal to 5% of the monies appropriated from the state general fund for that agency and the Appropriations and Ways & Means committees then consider lapsing that amount from the agency’s budget.
Questions from lawmakers and staff highlighted practical matters. Senators and representatives asked whether the 5% lapse is measured against an agency’s entire state-general-fund appropriation (the Reviser confirmed it is) and whether agencies have already complied with the .gov deadline (executive, legislative and judicial leaders said many but not all websites were moved and that remaining work was being tracked).
Implementation and next steps
The Reviser told the committee a House-passed bill that removes the sunset is sitting in the Senate Committee on Federal and State Affairs; if the Legislature wants the bill’s changes to remain in effect, it must remove the sunset before July 1, 2026. Committee members asked for follow-up information on .gov compliance across agencies, and the Reviser and branch IT officers said they would provide status updates.
What the committee was told not to conclude: the statute requires that executive-branch IT services be planned for possible integration under an executive chief technology officer, but the Reviser and branch staff emphasized the bill itself only requires a planning process and does not force immediate consolidation absent later legislative action.
Ending note: The committee asked staff to supply a concise compliance summary and a list of outstanding implementation tasks for members to review before any decision on removing the statutory sunset.

