Executive Order 2022-08

WHEREAS, the State of Illinois recognizes that Information Technology is central to national and state security, the economy, and public health and safety; and,
WHEREAS, businesses, governments, academia, and individuals are all increasingly dependent upon Information Technology systems, including information systems, networks and critical infrastructure, for essential services and daily life; and,
WHEREAS, it is the expectation of the general public, as well as the public and private sectors, that these Information Technology systems remain secure and resilient in the face of increasing threats from sophisticated cyber-attacks that pose personal, professional, and financial risks to the citizens of the State of Illinois and threaten the security and economy of our State; and,
WHEREAS, securing Information Technology systems within Illinois is beyond the reach of any single entity, and requires a collaborative public-private partnership that encourages unity of effort; and,
WHEREAS, in order to protect the security and economy of the State, it is appropriate and necessary for state government to establish and lead a collaborative effort involving government, private sector, military, research, and academic stakeholders to develop and recommend a whole-of-state approach to enhancing Illinois’ cybersecurity;
THEREFORE, I, JB Pritzker, Governor of Illinois, by virtue of the executive authority vested in me by Article V of the Constitution of the State of Illinois, hereby order as follows:

1. Illinois Cybersecurity Commission
   1. The Illinois Cybersecurity Commission (“Commission”) is hereby created and established, in accordance with the terms of this Executive Order.
   2. The Commission shall be composed of Voting Members and Non-Voting Members appointed by the Governor, as follows:
      1. Voting Members:
         1. The Governor’s Homeland Security Advisor, or designee;
         2. The Director of the Illinois Emergency Management Agency, or designee;
         3. The Chief Information Security Officer of the Illinois Department of Innovation and Technology, or designee;
         4. The Illinois Attorney General, or designee, with the permission and approval of the Illinois Attorney General;
         5. The Adjutant General of the Illinois National Guard, or designee;
         6. The Director of the Illinois State Police, or designee;
         7. The Chairman of the Illinois Commerce Commission, or designee, with the permission and approval of said Chairman;
         8. The Director of the Illinois Department of Commerce and Economic Opportunity, or designee;
         9. The Director of the Illinois Department of Revenue, or designee; and
         10. A representative of the Office of the Governor.
      2. Non-Voting Members:
         1. One representative of an association representing the Information Technology Sector;
         2. One representative of an association representing the Communications Sector;
         3. One representative of an association representing the Defense Industrial Base Sector;
         4. One representative of an association representing the Energy Sector;
         5. One representative of an association representing the Financial Services Sector;
         6. One representative of an association representing the Healthcare and Public Health Sector; and
         7. One representative of an association representing the Water and Wastewater Systems Sector.
   3. The Commission may also include Non-Voting Members, as selected by the relevant federal agency with the permission and approval of said agency:
      1. A cybersecurity expert from the Chicago or Springfield field office of the Federal Bureau of Investigation.
      2. Two cybersecurity experts from the United States Department of Homeland Security, as follows:
         1. One cybersecurity advisor from the Region 5 Office of the Cybersecurity and Infrastructure Security Agency; and
         2. One cybersecurity expert from the Chicago field office of the United States Secret Service.
   4. The Commission shall include a representative of the Statewide Terrorism and Intelligence Center (STIC) as an Advisory Member.  The Commission also may appoint other Advisory Members representing both public and private sector interests.  With the exception of the representative of the STIC, who will be designated by the Director of the Illinois State Police, Advisory Members shall be selected and approved by a majority of Voting Members of the Commission.  The purpose of Advisory Members is to support Commission decision-making by providing subject-matter expertise and specialized insight.
   5. The Governor’s Homeland Security Advisor, or designee, shall serve as chairperson of the Commission.
   6. The Commission shall develop and recommend an implementation plan for accomplishing the following objectives:
      1. Building and enhancing cyber awareness and training for private sector critical infrastructure entities, including educating stakeholders on ways to prevent cybersecurity attacks and protect personal information; and conducting, supporting, and attending cyber security trainings to improve technical capabilities;
      2. Developing practices, processes and the overall planning required to protect valuable information, resources, and services, including by identifying and disrupting cyber-attacks to minimize adverse impact; improving and expanding statewide security incident response capabilities; and promoting and facilitating cross sector and community training and exercise scenarios for private sector critical infrastructure partners to secure critical systems that serve the public;
      3. Maturing cyber competencies through the utilization of best practices to help private sector critical infrastructure organizations make risk-based decisions for improving cybersecurity, including by promoting a risk-based approach to cybersecurity; establishing regional critical infrastructure cyber response teams; and developing and disseminating best practices and tools to advance cyber maturity; and
      4. Creating and expanding partnerships to foster continual learning and information sharing to ensure the safety and resiliency of digital infrastructure, including by forging and nurturing partnerships with critical infrastructure sectors to ensure the resiliency of critical systems; and identifying, evaluating, and sharing information on the threats and vulnerabilities impacting the state.
   7. The Commission may adopt a charter, consistent with the provisions of this Executive Order and applicable law, setting forth how the Commission shall conduct itself and carry out the responsibilities provided in this Executive Order.  The charter may address such matters as Commission meetings, creation of committees and working groups, and other matters as the Commission deems appropriate.
   8. The Illinois Emergency Management Agency shall provide administrative support for, and maintain the records of, the Commission.
2. Report to the Governor

The chairperson of the Commission shall submit a report to the Governor by December 31, 2022. The report shall detail the activities, accomplishments and recommendations of the Commission.  Upon submission of the report, the Commission shall disband.

3. Ethical and Other Requirements

The Commission shall be subject to the provisions of applicable law, including without limitation the Illinois Open Meetings Act, 5 ILCS 120/, and the Illinois Freedom of Information Act, 5 ILCS 140/.  Members of the Commission shall be subject to the provisions of applicable law, including without limitation the Illinois State Officials and Employees Ethics Act, 5 ILCS 430/. 

4. Savings Clause

Nothing in this Executive Order shall be construed to contravene any federal or State law or regulation. Nothing in this Executive Order shall affect or alter existing statutory powers of any State agency or be construed as a reassignment or reorganization of any State agency.

5. Prior Executive Orders

This Executive Order supersedes any contrary provision of any other prior Executive Order.

6. Severability Clause

If any part of this Executive Order is found to be invalid by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect. The provisions of this Executive Order are severable.

7. Effective Date

This Executive Order shall take effect upon filing with the Secretary of State.

                                                                                    _______________________

                                                                                      JB Pritzker, Governor

Issued by the Governor March 25, 2022

Filed with the Secretary of State March 25, 2022