85R23797 YDB-D

By: Blanco, Elkins, Capriglione, Gonzales of Williamson, Lucio III
H.B. No. 1604

Substitute the following for H.B. No. 1604:
By: Elkins
C.S.H.B. No. 1604

A BILL TO BE ENTITLED
AN ACT
relating to the requirements for and approval of a state agency's information security plan.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 2054.133, Government Code, is amended by adding Subsections (b-1), (b-2), (b-3), and (b-4) to read as follows:

(b-1) The executive head and chief information security officer of each state agency shall annually review and approve in writing the agency's information security plan and strategies for addressing the agency's information resources systems that are at highest risk for security breaches. If a state agency does not have a chief information security officer, the highest ranking information security employee for the agency shall review and approve the plan and strategies. The executive head retains full responsibility for the agency's information security and any risks to that security.

(b-2) Before submitting to the Legislative Budget Board a legislative appropriation request for a state fiscal biennium, a state agency must file with the board the written approval required under Subsection (b-1) for each year of the current state fiscal biennium.

(b-3) Each state agency shall include in the agency's information security plan the actions the agency is taking to incorporate into the plan the core functions of "identify, protect, detect, respond, and recover" as recommended in the "Framework for Improving Critical Infrastructure Cybersecurity" of the United States Department of Commerce National Institute of Standards and Technology. The agency shall, at a minimum, identify any information the agency requires individuals to provide to the agency or the agency retains that is not necessary for the agency's operations. The agency may incorporate the core functions over a period of years.

(b-4) A state agency's information security plan must include appropriate privacy and security standards that, at a minimum, require a vendor who offers cloud computing services or other software, applications, online services, or information technology solutions to any state agency to demonstrate that data provided by the state to the vendor will be maintained in compliance with all applicable state and federal laws and rules.

SECTION 2. Section 2054.133, Government Code, as amended by this Act, applies only to an information security plan submitted on or after the effective date of this Act.

SECTION 3. This Act takes effect September 1, 2017.