Washington State SB 6281 (2025–26 biennium) includes proposed language that would require an assessment prior to purchase of third-party commercial cloud computing services, including evaluation of cybersecurity and regulatory compliance criteria tied to the 'Washington state cybersecurity program policy' (SEC-01) and any subsequent amendments. This is not an amendment to SEC-01 itself, but it would elevate SEC-01 as a statutory reference point for procurement/compliance assessments if enacted.
Washington Technology Solutions (WaTech) published the SEC-01 Washington State Cybersecurity Program Policy, adopted by the State CIO and approved by the Technology Services Board on Dec. 10, 2024. The policy replaces legacy statewide security artifacts (IT Policy 141 and specified sections of IT Standard 141.10) and establishes core agency obligations including maintaining an agency cybersecurity program with at least annual review and providing annual agency head/CIO attestation of compliance to WaTech, plus requirements to align vendor/partner contract language with state and agency security requirements.