Committee advances cybersecurity bill, narrows NIST reference and adds oversight
Summary
The Committee on Legislative Modernization amended and passed House Bill 25-74 to extend cybersecurity requirements, create a judicial technology oversight council, require agency compliance assessments, make certain assessments confidential and direct additional reporting to the Joint Committee on Information Technology.
House Bill 25-74, a bill to extend and refine state cybersecurity requirements, advanced from the Committee on Legislative Modernization after members adopted several technical and policy amendments and voted to pass the measure.
Reviser Scott summarized the bill to the committee, saying, “House bill 25 74 removes the expiration of certain cybersecurity requirements that you guys put in place with senate bill 2 91,” and that the measure also “modifies the duties of the chief information security officers” and creates a judicial branch technology oversight council. The bill requires assessments of executive-branch agency compliance and provides for legislative consideration of that compliance during budgeting.
Committee members approved a technical amendment to correct statutory terms and numbering. Lawmakers also replaced a direct citation to “National Institute for Standards and Technology, version 2” with broader language referencing a “nationally recognized standard for government entities,” a change proponents said would allow flexibility as standards evolve.
John Godfrey, chief information security officer for the executive branch, told the committee that NIST is widely used and “a consensus driven process,” adding that NIST standards are commonly adopted for state government cybersecurity work and align with federal practice. James Fisher of the Kansas Legislative Research Department noted the Center for Internet Security (CIS) is another reference used by smaller entities in tandem with NIST.
Members also adopted language clarifying that audits and assessments should evaluate an agency’s compliance with the cybersecurity program rather than auditing only the program text. The committee added confidentiality protections for executive-branch assessments, stating they would not be subject to CORA, with sponsors saying the aim is to keep identified technical weaknesses private while the agency remediates them. The committee added required reporting of assessment results to the Joint Committee on Information Technology (JCIT).
The committee approved the amendments by voice vote and then moved the bill forward: Representative Esau moved that the bill be reported "favorably for passage," and Representative Simmons seconded; the motion passed by voice vote.
The bill now moves to the next step of the legislative process.
