| 1 | 1 | | 85R23797 YDB-D |
|---|
| 2 | 2 | | By: Blanco, Elkins, Capriglione, H.B. No. 1604 |
|---|
| 3 | 3 | | Gonzales of Williamson, Lucio III |
|---|
| 4 | 4 | | Substitute the following for H.B. No. 1604: |
|---|
| 5 | 5 | | By: Elkins C.S.H.B. No. 1604 |
|---|
| 6 | 6 | | |
|---|
| 7 | 7 | | |
|---|
| 8 | 8 | | A BILL TO BE ENTITLED |
|---|
| 9 | 9 | | AN ACT |
|---|
| 10 | 10 | | relating to the requirements for and approval of a state agency's |
|---|
| 11 | 11 | | information security plan. |
|---|
| 12 | 12 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 13 | 13 | | SECTION 1. Section 2054.133, Government Code, is amended by |
|---|
| 14 | 14 | | adding Subsections (b-1), (b-2), (b-3), and (b-4) to read as |
|---|
| 15 | 15 | | follows: |
|---|
| 16 | 16 | | (b-1) The executive head and chief information security |
|---|
| 17 | 17 | | officer of each state agency shall annually review and approve in |
|---|
| 18 | 18 | | writing the agency's information security plan and strategies for |
|---|
| 19 | 19 | | addressing the agency's information resources systems that are at |
|---|
| 20 | 20 | | highest risk for security breaches. If a state agency does not have |
|---|
| 21 | 21 | | a chief information security officer, the highest ranking |
|---|
| 22 | 22 | | information security employee for the agency shall review and |
|---|
| 23 | 23 | | approve the plan and strategies. The executive head retains full |
|---|
| 24 | 24 | | responsibility for the agency's information security and any risks |
|---|
| 25 | 25 | | to that security. |
|---|
| 26 | 26 | | (b-2) Before submitting to the Legislative Budget Board a |
|---|
| 27 | 27 | | legislative appropriation request for a state fiscal biennium, a |
|---|
| 28 | 28 | | state agency must file with the board the written approval required |
|---|
| 29 | 29 | | under Subsection (b-1) for each year of the current state fiscal |
|---|
| 30 | 30 | | biennium. |
|---|
| 31 | 31 | | (b-3) Each state agency shall include in the agency's |
|---|
| 32 | 32 | | information security plan the actions the agency is taking to |
|---|
| 33 | 33 | | incorporate into the plan the core functions of "identify, protect, |
|---|
| 34 | 34 | | detect, respond, and recover" as recommended in the "Framework for |
|---|
| 35 | 35 | | Improving Critical Infrastructure Cybersecurity" of the United |
|---|
| 36 | 36 | | States Department of Commerce National Institute of Standards and |
|---|
| 37 | 37 | | Technology. The agency shall, at a minimum, identify any |
|---|
| 38 | 38 | | information the agency requires individuals to provide to the |
|---|
| 39 | 39 | | agency or the agency retains that is not necessary for the agency's |
|---|
| 40 | 40 | | operations. The agency may incorporate the core functions over a |
|---|
| 41 | 41 | | period of years. |
|---|
| 42 | 42 | | (b-4) A state agency's information security plan must |
|---|
| 43 | 43 | | include appropriate privacy and security standards that, at a |
|---|
| 44 | 44 | | minimum, require a vendor who offers cloud computing services or |
|---|
| 45 | 45 | | other software, applications, online services, or information |
|---|
| 46 | 46 | | technology solutions to any state agency to demonstrate that data |
|---|
| 47 | 47 | | provided by the state to the vendor will be maintained in compliance |
|---|
| 48 | 48 | | with all applicable state and federal laws and rules. |
|---|
| 49 | 49 | | SECTION 2. Section 2054.133, Government Code, as amended by |
|---|
| 50 | 50 | | this Act, applies only to an information security plan submitted on |
|---|
| 51 | 51 | | or after the effective date of this Act. |
|---|
| 52 | 52 | | SECTION 3. This Act takes effect September 1, 2017. |
|---|