Senate Bill 373 Printer's Number 321
PENNSYLVANIA, March 6 - reviewed State agency with a detailed report of the security
issues identified, which shall not be publicly disclosed.
(2) The State agency, in cooperation with the Office of
Administration, shall provide the Chief Information Officer
with a corrective action plan that remediates issues
identified in the detailed report under paragraph (1), which
may not be publicly disclosed.
(3) The Chief Information Officer shall issue a public
report on the general results of the assessment that shall be
accessible on the Office of Administration's publicly
accessible Internet website.
(g) Effect of section.--Nothing in this section shall be
construed to preclude the Auditor General or the General
Assembly from assessing the security practices of State
information technology systems as part of its statutory duties
and responsibilities.
§ 4353. Assessment of compliance with security standards.
(a) Frequency.--The Chief Information Officer within the
Office of Administration shall biannually assess the ability of
each State agency's contracted vendors to comply with the
current security standards established under this chapter.
(b) Contents.--The Chief Information Officer shall establish
a quantifiable objective metric that measures the degree of
compliance with current security standards. The assessment under
this section shall, at a minimum:
(1) Quantify the degree of compliance with the current
security standards using the metric.
(2) Include security organization, security practices,
security information standards, network security
architecture, systems development and lifecycle management