H.B. No. 1830
AN ACT
relating to information technology security practices of state
agencies.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 411.081(i), Government Code, is amended
to read as follows:
(i) A criminal justice agency may disclose criminal history
record information that is the subject of an order of nondisclosure
to the following noncriminal justice agencies or entities only:
(1) the State Board for Educator Certification;
(2) a school district, charter school, private school,
regional education service center, commercial transportation
company, or education shared service arrangement;
(3) the Texas Medical Board;
(4) the Texas School for the Blind and Visually
Impaired;
(5) the Board of Law Examiners;
(6) the State Bar of Texas;
(7) a district court regarding a petition for name
change under Subchapter B, Chapter 45, Family Code;
(8) the Texas School for the Deaf;
(9) the Department of Family and Protective Services;
(10) the Texas Youth Commission;
(11) the Department of Assistive and Rehabilitative
Services;
(12) the Department of State Health Services, a local
mental health service, a local mental retardation authority, or a
community center providing services to persons with mental illness
or retardation;
(13) the Texas Private Security Board;
(14) a municipal or volunteer fire department;
(15) the Texas Board of Nursing;
(16) a safe house providing shelter to children in
harmful situations;
(17) a public or nonprofit hospital or hospital
district;
(18) the Texas Juvenile Probation Commission;
(19) the securities commissioner, the banking
commissioner, the savings and mortgage lending commissioner, or the
credit union commissioner;
(20) the Texas State Board of Public Accountancy;
(21) the Texas Department of Licensing and Regulation;
(22) the Health and Human Services Commission;
(23) the Department of Aging and Disability Services;
[and]
(24) the Texas Education Agency; and
(25) the Department of Information Resources but only
regarding an employee, applicant for employment, contractor,
subcontractor, intern, or volunteer who provides network security
services under Chapter 2059 to:
(A) the Department of Information Resources; or
(B) a contractor or subcontractor of the
Department of Information Resources.
SECTION 2. Subchapter F, Chapter 411, Government Code, is
amended by adding Section 411.1404 to read as follows:
Sec. 411.1404. ACCESS TO CRIMINAL HISTORY RECORD
INFORMATION: DEPARTMENT OF INFORMATION RESOURCES. (a) The
Department of Information Resources is entitled to obtain from the
department or the identification division of the Federal Bureau of
Investigation the criminal history record information maintained
by the department or division that relates to a person who is an
employee, applicant for employment, contractor, subcontractor,
intern, or other volunteer with the Department of Information
Resources or with a contractor or subcontractor for the Department
of Information Resources.
(b) Criminal history record information obtained by the
Department of Information Resources under this section may not be
released or disclosed except:
(1) by court order; or
(2) with the consent of the person who is the subject
of the information.
(c) The Department of Information Resources shall destroy
criminal history record information obtained under this section
that relates to a person after the information is used to make an
employment decision or to take a personnel action relating to the
person who is the subject of the information.
(d) The Department of Information Resources may not obtain
criminal history record information under this section unless the
Department of Information Resources first adopts policies and
procedures that provide that evidence of a criminal conviction or
other relevant information obtained from the criminal history
record information does not automatically disqualify an individual
from employment. The policies and procedures adopted under this
subsection must provide that the hiring official will determine, on
a case-by-case basis, whether the individual is qualified for
employment based on factors that include:
(1) the specific duties of the position;
(2) the number of offenses committed by the
individual;
(3) the nature and seriousness of each offense;
(4) the length of time between the offense and the
employment decision;
(5) the efforts by the individual at rehabilitation;
and
(6) the accuracy of the information on the
individual's employment application.
SECTION 3. Subchapter D, Chapter 551, Government Code, is
amended by adding Section 551.089 to read as follows:
Sec. 551.089. DEPARTMENT OF INFORMATION RESOURCES. This
chapter does not require the governing board of the Department of
Information Resources to conduct an open meeting to deliberate:
(1) security assessments or deployments relating to
information resources technology;
(2) network security information as described by
Section 2059.055(b); or
(3) the deployment, or specific occasions for
implementation, of security personnel, critical infrastructure, or
security devices.
SECTION 4. Section 552.139, Government Code, is amended to
read as follows:
Sec. 552.139. EXCEPTION: GOVERNMENT INFORMATION RELATED TO
SECURITY OR INFRASTRUCTURE ISSUES FOR COMPUTERS. (a) Information
is excepted from the requirements of Section 552.021 if it is
information that relates to computer network security, to
restricted information under Section 2059.055, or to the design,
operation, or defense of a computer network.
(b) The following information is confidential:
(1) a computer network vulnerability report; and
(2) any other assessment of the extent to which data
processing operations, a computer, [or] a computer program,
network, system, or system interface, or software of a governmental
body or of a contractor of a governmental body is vulnerable to
unauthorized access or harm, including an assessment of the extent
to which the governmental body's or contractor's electronically
stored information containing sensitive or critical information is
vulnerable to alteration, damage, [or] erasure, or inappropriate
use.
(c) Notwithstanding the confidential nature of the
information described in this section, the information may be
disclosed to a bidder if the governmental body determines that
providing the information is necessary for the bidder to provide an
accurate bid. A disclosure under this subsection is not a voluntary
disclosure for purposes of Section 552.007.
SECTION 5. Sections 2054.077(b), (d), and (e), Government
Code, are amended to read as follows:
(b) The information resources manager of a state agency may
prepare or have prepared a report, including an executive summary
of the findings of the report, assessing the extent to which a
computer, a computer program, a computer network, a computer
system, an interface to a computer system, computer software, or
data processing of the agency or of a contractor of the agency is
vulnerable to unauthorized access or harm, including the extent to
which the agency's or contractor's electronically stored
information is vulnerable to alteration, damage, [or] erasure, or
inappropriate use.
(d) The [On request, the] information resources manager
shall provide an electronic [a] copy of the vulnerability report on
its completion to:
(1) the department;
(2) the state auditor; [and]
(3) the agency's executive director; and
(4) any other information technology security
oversight group specifically authorized by the legislature to
receive the report.
(e) Separate from the executive summary described by
Subsection (b), a [A] state agency whose information resources
manager has prepared or has had prepared a vulnerability report
shall prepare a summary of the report that does not contain any
information the release of which might compromise the security of
the state agency's or state agency contractor's computers, computer
programs, computer networks, computer systems, computer software,
data processing, or electronically stored information. The summary
is available to the public on request.
SECTION 6. Section 2054.100(b), Government Code, is amended
to read as follows:
(b) The plan must describe the agency's current and proposed
projects for the biennium, including how the projects will:
(1) benefit individuals in this state and benefit the
state as a whole;
(2) use, to the fullest extent, technology owned or
adapted by other state agencies;
(3) employ, to the fullest extent, the department's
information technology standards, including Internet-based
technology standards;
(4) expand, to the fullest extent, to serve residents
of this state or to serve other state agencies;
(5) develop on time and on budget;
(6) produce quantifiable returns on investment; and
(7) meet any other criteria developed by the
department or the quality assurance team.
SECTION 7. Subchapter B, Chapter 2059, Government Code, is
amended by adding Section 2059.060 to read as follows:
Sec. 2059.060. VULNERABILITY TESTING OF NETWORK HARDWARE
AND SOFTWARE. (a) The department shall adopt rules requiring, in
state agency contracts for network hardware and software, a
statement by the vendor certifying that the network hardware or
software, as applicable, has undergone independent certification
testing for known and relevant vulnerabilities.
(b) Rules adopted under Subsection (a) may:
(1) provide for vendor exemptions; and
(2) establish certification standards for testing
network hardware and software for known and relevant
vulnerabilities.
(c) Unless otherwise provided by rule, the required
certification testing must be conducted under maximum load
conditions in accordance with published performance claims of a
hardware or software manufacturer, as applicable.
SECTION 8. (a) The Department of Information Resources
shall adopt the rules required by Section 2059.060, Government
Code, as added by this Act, not later than September 1, 2010.
(b) The change in law made by Section 2059.060, Government
Code, as added by this Act, applies only to a contract entered into
on or after December 1, 2010.
SECTION 9. This Act takes effect September 1, 2009.
______________________________ ______________________________
President of the Senate Speaker of the House
I certify that H.B. No. 1830 was passed by the House on April
2, 2009, by the following vote: Yeas 144, Nays 0, 1 present, not
voting; and that the House concurred in Senate amendments to H.B.
No. 1830 on May 14, 2009, by the following vote: Yeas 142, Nays 0,
1 present, not voting.
______________________________
Chief Clerk of the House
I certify that H.B. No. 1830 was passed by the Senate, with
amendments, on May 7, 2009, by the following vote: Yeas 31, Nays 0.
______________________________
Secretary of the Senate
APPROVED: __________________
Date
__________________
Governor