| 1 | 1 | | By: Capriglione H.B. No. 1467 |
|---|
| 2 | 2 | | |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | A BILL TO BE ENTITLED |
|---|
| 5 | 5 | | AN ACT |
|---|
| 6 | 6 | | relating to reports on and purchase of information technology by |
|---|
| 7 | 7 | | state agencies. |
|---|
| 8 | 8 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 9 | 9 | | SECTION 1. Section 552.139(b), Government Code, is amended |
|---|
| 10 | 10 | | by adding subsection (4) to read as follows: |
|---|
| 11 | 11 | | (b) The following information is confidential: |
|---|
| 12 | 12 | | (1) a computer network vulnerability report; |
|---|
| 13 | 13 | | (2) any other assessment of the extent to which data |
|---|
| 14 | 14 | | processing operations, a computer, a computer program, network, |
|---|
| 15 | 15 | | system, or system interface, or software of a governmental body or |
|---|
| 16 | 16 | | of a contractor of a governmental body is vulnerable to |
|---|
| 17 | 17 | | unauthorized access or harm, including an assessment of the extent |
|---|
| 18 | 18 | | to which the governmental body's or contractor's electronically |
|---|
| 19 | 19 | | stored information containing sensitive or critical information is |
|---|
| 20 | 20 | | vulnerable to alteration, damage, erasure, or inappropriate use; |
|---|
| 21 | 21 | | and |
|---|
| 22 | 22 | | (3) a photocopy or other copy of an identification |
|---|
| 23 | 23 | | badge issued to an official or employee of a governmental body. |
|---|
| 24 | 24 | | (4) information collected, assembled, or maintained |
|---|
| 25 | 25 | | by or for a governmental entity to prevent, detect, or investigate |
|---|
| 26 | 26 | | security incidents. |
|---|
| 27 | 27 | | SECTION 2. Subchapter C, Chapter 2054, Government Code, is |
|---|
| 28 | 28 | | amended by adding Section 2054.068 to read as follows: |
|---|
| 29 | 29 | | Sec. 2054.068. INFORMATION TECHNOLOGY INFRASTRUCTURE |
|---|
| 30 | 30 | | REPORT. (a) In this section, "information technology" includes |
|---|
| 31 | 31 | | information resources and information resources technologies. |
|---|
| 32 | 32 | | (b) The department shall collect from each state agency |
|---|
| 33 | 33 | | information on the status and condition of the agency's information |
|---|
| 34 | 34 | | technology infrastructure, including information regarding: |
|---|
| 35 | 35 | | (1) the agency's information security program; |
|---|
| 36 | 36 | | (2) an inventory of the agency's servers, mainframes, |
|---|
| 37 | 37 | | and other information technology equipment; |
|---|
| 38 | 38 | | (3) identification of vendors that operate and manage |
|---|
| 39 | 39 | | the agency's information technology infrastructure; and |
|---|
| 40 | 40 | | (4) any additional related information requested by |
|---|
| 41 | 41 | | the department. |
|---|
| 42 | 42 | | (c) A state agency shall provide the information required by |
|---|
| 43 | 43 | | Subsection (b) to the department according to a schedule determined |
|---|
| 44 | 44 | | by the department. |
|---|
| 45 | 45 | | (d) Not later than August 31 of each even-numbered year, the |
|---|
| 46 | 46 | | department shall submit to the governor, chair of the house |
|---|
| 47 | 47 | | appropriations committee, chair of the senate finance committee, |
|---|
| 48 | 48 | | speaker of the house of representatives, lieutenant governor, and |
|---|
| 49 | 49 | | staff of the Legislative Budget Board a consolidated report of the |
|---|
| 50 | 50 | | information submitted by state agencies under Subsection (b). |
|---|
| 51 | 51 | | (e) The consolidated report required by Subsection (d) |
|---|
| 52 | 52 | | must: |
|---|
| 53 | 53 | | (1) include an analysis and assessment of each state |
|---|
| 54 | 54 | | agency's security and operational risks; and |
|---|
| 55 | 55 | | (2) for a state agency found to be at higher security |
|---|
| 56 | 56 | | and operational risks, include a detailed analysis of the |
|---|
| 57 | 57 | | requirements for the agency to address the risks and related |
|---|
| 58 | 58 | | vulnerabilities and the cost estimates to implement those |
|---|
| 59 | 59 | | requirements. |
|---|
| 60 | 60 | | (f) With the exception of information that is confidential |
|---|
| 61 | 61 | | under Chapter 552, including Section 552.139, or other state or |
|---|
| 62 | 62 | | federal law, the consolidated report submitted under Subsection (d) |
|---|
| 63 | 63 | | is public information and must be released or made available to the |
|---|
| 64 | 64 | | public upon request. A governmental body as defined by Section |
|---|
| 65 | 65 | | 552.003, Government Code, may withhold information confidential |
|---|
| 66 | 66 | | under Chapter 552, including Section 552.139, or other state or |
|---|
| 67 | 67 | | federal law that is contained in a consolidated report released |
|---|
| 68 | 68 | | under this section without the necessity of requesting a decision |
|---|
| 69 | 69 | | from the attorney general under Subchapter G, Chapter 552, |
|---|
| 70 | 70 | | Government Code. |
|---|
| 71 | 71 | | (g) This section does not apply to an institution of higher |
|---|
| 72 | 72 | | education or university system, as defined by Section 61.003, |
|---|
| 73 | 73 | | Education Code. |
|---|
| 74 | 74 | | SECTION 3. Section 2054.0965(a), Government Code, is |
|---|
| 75 | 75 | | amended to read as follows: |
|---|
| 76 | 76 | | (a) Not later than March 31 [December 1] of each |
|---|
| 77 | 77 | | even-numbered [odd-numbered] year, a state agency shall complete a |
|---|
| 78 | 78 | | review of the operational aspects of the agency's information |
|---|
| 79 | 79 | | resources deployment following instructions developed by the |
|---|
| 80 | 80 | | department. |
|---|
| 81 | 81 | | SECTION 4. Section 2157.007, Government Code, is amended by |
|---|
| 82 | 82 | | amending Subsection (b) and adding Subsection (e) to read as |
|---|
| 83 | 83 | | follows: |
|---|
| 84 | 84 | | (b) A state agency shall [may] consider cloud computing |
|---|
| 85 | 85 | | service options, including any cost savings associated with |
|---|
| 86 | 86 | | purchasing those service options from a commercial cloud computing |
|---|
| 87 | 87 | | service provider and a statewide technology center established by |
|---|
| 88 | 88 | | the department, when making purchases for a major information |
|---|
| 89 | 89 | | resources project under Section 2054.118. |
|---|
| 90 | 90 | | (e) Not later than August 1 of each even-numbered year, the |
|---|
| 91 | 91 | | department, using existing resources, shall submit a report to the |
|---|
| 92 | 92 | | governor, lieutenant governor, and speaker of the house of |
|---|
| 93 | 93 | | representatives on the use of cloud computing service options by |
|---|
| 94 | 94 | | state agencies. The report must include use cases that provided |
|---|
| 95 | 95 | | cost savings and other benefits, including security enhancements. |
|---|
| 96 | 96 | | A state agency shall cooperate with the department in the creation |
|---|
| 97 | 97 | | of the report by providing timely and accurate information and any |
|---|
| 98 | 98 | | assistance required by the department. |
|---|
| 99 | 99 | | SECTION 5. This Act takes effect September 1, 2017. |
|---|