Texas 2019 - 86th Regular

Texas House Bill HB4214 Compare Versions

1-By: Capriglione, Bohac, Blanco, Shaheen, H.B. No. 4214
2- Bernal, et al.
1+86R23155 AAF-D
2+ By: Capriglione, Bohac, Blanco, et al. H.B. No. 4214
3+ Substitute the following for H.B. No. 4214:
4+ By: Hernandez C.S.H.B. No. 4214
35
46
57 A BILL TO BE ENTITLED
68 AN ACT
79 relating to matters concerning governmental entities, including
810 cybersecurity, governmental efficiencies, information resources,
911 and emergency planning.
1012 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
1113 SECTION 1. Section 37.108(b), Education Code, is amended to
1214 read as follows:
1315 (b) At least once every three years, each school district or
1416 public junior college district shall conduct a safety and security
1517 audit of the district's facilities, including an information
1618 technology cybersecurity assessment. To the extent possible, a
1719 district shall follow safety and security audit procedures
1820 developed by the Texas School Safety Center or a comparable public
1921 or private entity.
2022 SECTION 2. Subchapter C, Chapter 61, Education Code, is
2123 amended by adding Section 61.09092 to read as follows:
2224 Sec. 61.09092. COORDINATION OF CYBERSECURITY COURSEWORK
2325 DEVELOPMENT. (a) In this section, "lower-division institution of
2426 higher education" means a public junior college, public state
2527 college, or public technical institute.
2628 (b) The board, in consultation with the Department of
2729 Information Resources, shall coordinate with lower-division
2830 institutions of higher education and entities that administer or
2931 award postsecondary industry certifications or other workforce
3032 credentials in cybersecurity to develop certificate programs or
3133 other courses of instruction leading toward those certifications or
3234 credentials that may be offered by lower-division institutions of
3335 higher education.
3436 (c) The board may adopt rules as necessary for the
3537 administration of this section.
3638 SECTION 3. Subchapter F, Chapter 401, Government Code, is
3739 amended by adding Section 401.106 to read as follows:
3840 Sec. 401.106. CHIEF INNOVATION OFFICER. (a) The governor
3941 shall appoint a chief innovation officer.
4042 (b) The chief innovation officer shall:
4143 (1) develop procedures and processes to improve
4244 internal state government efficiency and performance;
4345 (2) develop methods to improve the experience of
4446 residents, businesses, and local governments in interacting with
4547 state government;
4648 (3) in cooperation with the Department of Information
4749 Resources, increase the use of technology by state agencies to
4850 improve services provided by the agencies and to reduce state
4951 expenses and inefficiencies;
5052 (4) provide state agency personnel with training in
5153 skills that support innovation;
5254 (5) provide state agency managers with training to
5355 support innovation and encourage creative thinking; and
5456 (6) develop and apply measures to document
5557 improvements in state government innovation and in employee skills
5658 that support innovation.
5759 (c) In performing the duties required under Subsection (b),
5860 the chief innovation officer shall:
5961 (1) use strategic innovation;
6062 (2) promote open innovation;
6163 (3) introduce and use group tools and processes that
6264 encourage creative thinking; and
6365 (4) conduct market research to determine the best
6466 practices for increasing innovation and implement those best
6567 practices.
6668 SECTION 4. Section 418.004(1), Government Code, is amended
6769 to read as follows:
6870 (1) "Disaster" means the occurrence or imminent threat
6971 of widespread or severe damage, injury, or loss of life or property
7072 resulting from any natural or man-made cause, including fire,
7173 flood, earthquake, wind, storm, wave action, oil spill or other
7274 water contamination, volcanic activity, epidemic, air
7375 contamination, blight, drought, infestation, explosion, riot,
7476 hostile military or paramilitary action, extreme heat, cyber
7577 attack, other public calamity requiring emergency action, or energy
7678 emergency.
7779 SECTION 5. Subchapter B, Chapter 421, Government Code, is
7880 amended by adding Section 421.027 to read as follows:
7981 Sec. 421.027. CYBER INCIDENT STUDY AND RESPONSE PLAN. (a)
8082 In this section:
8183 (1) "Cyber incident" means an event occurring on or
8284 conducted through a computer network that actually or imminently
8385 jeopardizes the integrity, confidentiality, or availability of
8486 computers, information or communications systems or networks,
8587 physical or virtual infrastructure controlled by computers or
8688 information systems, or information on the computers or systems.
8789 The term includes a vulnerability in implementation or in an
8890 information system, system security procedure, or internal control
8991 that could be exploited by a threat source.
9092 (2) "Significant cyber incident" means a cyber
9193 incident, or a group of related cyber incidents, likely to result in
9294 demonstrable harm to state security interests, foreign relations,
9395 or the economy of this state or to the public confidence, civil
9496 liberties, or public health and safety of the residents of this
9597 state.
9698 (b) The council, in cooperation with the Department of
97- Information Resources and the Information Technology Council for
98- Higher Education, shall:
99+ Information Resources, shall:
99100 (1) conduct a study regarding cyber incidents and
100101 significant cyber incidents affecting state agencies and critical
101102 infrastructure that is owned, operated, or controlled by agencies;
102103 and
103104 (2) develop a comprehensive state response plan to
104105 provide a format for each state agency to develop an
105106 agency-specific response plan and to implement the plan into the
106107 agency's information security plan required under Section 2054.133
107108 to be implemented by the agency in the event of a cyber incident or
108109 significant cyber incident affecting the agency or critical
109110 infrastructure that is owned, operated, or controlled by the
110111 agency.
111112 (c) Not later than September 1, 2020, the council shall
112113 deliver the response plan and a report on the findings of the study
113114 to:
114115 (1) the public safety director of the Department of
115116 Public Safety;
116117 (2) the governor;
117118 (3) the lieutenant governor;
118119 (4) the speaker of the house of representatives;
119120 (5) the chair of the committee of the senate having
120121 primary jurisdiction over homeland security matters; and
121122 (6) the chair of the committee of the house of
122123 representatives having primary jurisdiction over homeland security
123124 matters.
124125 (d) The response plan required by Subsection (b) and the
125126 report required by Subsection (c) are not public information for
126127 purposes of Chapter 552.
127128 (e) This section expires December 1, 2020.
128129 SECTION 6. Subchapter F, Chapter 437, Government Code, is
129130 amended by adding Section 437.255 to read as follows:
130131 Sec. 437.255. ASSISTING TEXAS STATE GUARD WITH CYBER
131132 OPERATIONS. To serve the state and safeguard the public from
132133 malicious cyber activity, the governor may command the Texas
133134 National Guard to assist the Texas State Guard with defending the
134135 state's cyber operations.
135- SECTION 7. Subchapter C, Chapter 531, Government Code, is
136- amended by adding Section 531.1051 to read as follows:
137- Sec. 531.1051. TECHNOLOGY FOR ELIGIBILITY FRAUD
138- PREVENTION. (a) The commission shall use technology to identify
139- the risk for fraud associated with applications for health and
140- human services program benefits to prevent fraud with respect to
141- eligibility determinations for those programs. To the extent
142- allowed by federal law, the commission shall set appropriate
143- verification and documentation requirements based on the risk
144- identified for particular applications to ensure that commission
145- resources are appropriately targeted to maximize fraud reduction
146- and accuracy of eligibility determinations.
147- (b) Enhanced eligibility screening tools the commission
148- implements for the purposes of this section must use technology
149- that provides non-modeled employment and income verification data
150- in an automated electronic format.
151- SECTION 8. The heading to Section 656.047, Government Code,
136+ SECTION 7. The heading to Section 656.047, Government Code,
152137 is amended to read as follows:
153138 Sec. 656.047. PAYMENT OF PROGRAM AND CERTIFICATION
154139 EXAMINATION EXPENSES.
155- SECTION 9. Section 656.047, Government Code, is amended by
140+ SECTION 8. Section 656.047, Government Code, is amended by
156141 adding Subsection (a-1) to read as follows:
157142 (a-1) A state agency may spend public funds as appropriate
158143 to reimburse a state agency employee or administrator who serves in
159144 an information technology, cybersecurity, or other cyber-related
160145 position for fees associated with industry-recognized
161146 certification examinations.
162- SECTION 10. Chapter 2051, Government Code, is amended by
163- adding Subchapter E to read as follows:
164- SUBCHAPTER E. UNIFORM ELECTRONIC LEGAL MATERIAL ACT
165- Sec. 2051.151. SHORT TITLE. This subchapter may be cited as
166- the Uniform Electronic Legal Material Act.
167- Sec. 2051.152. DEFINITIONS. In this subchapter:
168- (1) "Electronic" means relating to technology having
169- electrical, digital, magnetic, wireless, optical, electromagnetic,
170- or similar capabilities.
171- (2) "Legal material" means, whether or not in effect:
172- (A) the constitution of this state;
173- (B) the general or special laws passed in a
174- regular or special session of the Texas Legislature; and
175- (C) a state agency rule adopted in accordance
176- with Chapter 2001.
177- (3) "Official publisher" means:
178- (A) for legal material described by Subdivision
179- (2)(A), the Texas Legislative Council; and
180- (B) for legal material described by Subdivision
181- (2)(B) or (C), the secretary of state.
182- (4) "Publish" means displaying, presenting, or
183- releasing to the public, or causing to be displayed, presented, or
184- released to the public, legal material by the official publisher.
185- (5) "Record" means information that is inscribed on a
186- tangible medium or that is stored in an electronic or other medium
187- and is retrievable in perceivable form.
188- Sec. 2051.153. APPLICABILITY. (a) This subchapter applies
189- to all legal material in an electronic record that is:
190- (1) designated as official by the official publisher
191- under Section 2051.154; and
192- (2) first published electronically by the official
193- publisher on or after January 1, 2021.
194- (b) The official publisher is not required to publish legal
195- material on or before the date on which the legal material takes
196- effect.
197- Sec. 2051.154. LEGAL MATERIAL IN OFFICIAL ELECTRONIC
198- RECORD. (a) If the official publisher publishes legal material
199- only in an electronic record, the official publisher shall:
200- (1) designate the electronic record as official; and
201- (2) comply with Sections 2051.155, 2051.157, and
202- 2051.158.
203- (b) If the official publisher publishes legal material in an
204- electronic record and also publishes the material in a record other
205- than an electronic record, the official publisher may designate the
206- electronic record as official if the official publisher complies
207- with Sections 2051.155, 2051.157, and 2051.158.
208- Sec. 2051.155. AUTHENTICATION OF OFFICIAL ELECTRONIC
209- RECORD. (a) If the official publisher designates an electronic
210- record as official in accordance with Section 2051.154, the
211- official publisher shall authenticate the record.
212- (b) The official publisher authenticates an electronic
213- record by providing a method with which a person viewing the
214- electronic record is able to determine that the electronic record
215- is unaltered from the official record published by the official
216- publisher.
217- Sec. 2051.156. EFFECT OF AUTHENTICATION. (a) Legal
218- material in an electronic record that is authenticated as provided
219- by Section 2051.155 is presumed to be an accurate copy of the legal
220- material.
221- (b) If another state has adopted a law that is substantially
222- similar to this subchapter, legal material in an electronic record
223- that is authenticated in that state is presumed to be an accurate
224- copy of the legal material.
225- (c) A party contesting the authenticity of legal material in
226- an electronic record authenticated as provided by Section 2051.155
227- has the burden of proving by a preponderance of the evidence that
228- the record is not authentic.
229- Sec. 2051.157. PRESERVATION AND SECURITY OF LEGAL MATERIAL
230- IN OFFICIAL ELECTRONIC RECORD. (a) The official publisher of legal
231- material in an electronic record designated as official in
232- accordance with Section 2051.154 shall provide for the preservation
233- and security of the record in an electronic form or in a form that is
234- not electronic.
235- (b) If legal material is preserved under Subsection (a) in
236- an electronic record, the official publisher shall:
237- (1) ensure the integrity of the record;
238- (2) provide for backup and disaster recovery of the
239- record; and
240- (3) ensure the continuing usability of the legal
241- material in the record.
242- Sec. 2051.158. PUBLIC ACCESS. The official publisher of
243- legal material in an electronic record that is required to be
244- preserved under Section 2051.157 shall ensure that the material is
245- reasonably available for use by the public on a permanent basis.
246- Sec. 2051.159. STANDARDS. In implementing this subchapter,
247- the official publisher of legal material in an electronic record
248- shall consider:
249- (1) the standards and practices of other
250- jurisdictions;
251- (2) the most recent standards regarding
252- authentication, preservation, and security of and public access to
253- legal material in an electronic record and other electronic
254- records, as adopted by national standard-setting bodies;
255- (3) the needs of users of legal material in electronic
256- records;
257- (4) the views of governmental officials and entities
258- and other interested persons; and
259- (5) to the extent practicable, the methods and
260- technologies for the authentication, preservation, and security of
261- and public access to legal material that are compatible with the
262- methods and technologies used by official publishers in other
263- states that have adopted a law that is substantially similar to this
264- subchapter.
265- Sec. 2051.160. UNIFORMITY OF APPLICATION AND CONSTRUCTION.
266- In applying and construing this subchapter, consideration must be
267- given to the need to promote uniformity of the law with respect to
268- the subject matter of this subchapter among states that enact a law
269- similar to this subchapter.
270- Sec. 2051.161. RELATION TO ELECTRONIC SIGNATURES IN GLOBAL
271- AND NATIONAL COMMERCE ACT. This subchapter modifies, limits, and
272- supersedes the federal Electronic Signatures in Global and National
273- Commerce Act (15 U.S.C. Section 7001 et seq.) but does not modify,
274- limit, or supersede Section 101(c) of that Act (15 U.S.C. Section
275- 7001(c)) or authorize electronic delivery of any of the notices
276- described in Section 103(b) of that Act (15 U.S.C. Section
277- 7003(b)).
278- SECTION 11. Section 2054.059, Government Code, is amended
279- to read as follows:
147+ SECTION 9. Section 2054.059, Government Code, is amended to
148+ read as follows:
280149 Sec. 2054.059. CYBERSECURITY. From available funds, the
281- department, in consultation with the Information Technology
282- Council for Higher Education, shall:
150+ department shall:
283151 (1) establish and administer a clearinghouse for
284152 information relating to all aspects of protecting the cybersecurity
285153 of state agency information;
286154 (2) develop strategies and a framework for:
287155 (A) the securing of cyberinfrastructure by state
288156 agencies, including critical infrastructure; and
289157 (B) cybersecurity risk assessment and mitigation
290158 planning;
291159 (3) develop and provide training to state agencies,
292160 including training for new employees of state agencies, on
293161 cybersecurity measures and awareness;
294162 (4) provide assistance to state agencies on request
295163 regarding the strategies and framework developed under Subdivision
296164 (2); and
297165 (5) promote public awareness of cybersecurity issues.
298- SECTION 12. Subchapter C, Chapter 2054, Government Code, is
166+ SECTION 10. Subchapter C, Chapter 2054, Government Code, is
299167 amended by adding Section 2054.069 to read as follows:
300- Sec. 2054.069. SECURITY GUIDANCE FOR INTERNET CONNECTIVITY
168+ Sec. 2054.069. SECURITY PROGRAM FOR INTERNET CONNECTIVITY
301169 OF CERTAIN OBJECTS. (a) The department, in consultation with
302- representatives of the information technology industry, voluntary
303- standards organizations, the 10 state agencies that received the
304- most state appropriations for that state fiscal year as determined
305- by the Legislative Budget Board, and the Information Technology
306- Council for Higher Education, shall develop comprehensive risk
307- management guidance that identifies baseline security features for
308- the Internet connectivity of computing devices embedded in objects
309- used or purchased by state agencies.
310- (b) In developing the guidance under Subsection (a), the
170+ representatives of the information technology industry and
171+ voluntary standards organizations and the 10 state agencies that
172+ received the most state appropriations for that state fiscal year
173+ as determined by the Legislative Budget Board, shall develop a
174+ comprehensive risk management program that identifies baseline
175+ security features for the Internet connectivity of computing
176+ devices embedded in objects used or purchased by state agencies.
177+ (b) In developing the program under Subsection (a), the
311178 department shall identify and use existing international security
312179 standards and best practices and any known security gaps for a range
313180 of deployments, including critical systems and consumer usage.
314- SECTION 13. Section 2054.1184, Government Code, is amended
315- to read as follows:
316- Sec. 2054.1184. ASSESSMENT OF MAJOR INFORMATION RESOURCES
317- PROJECT. (a) A state agency proposing to spend appropriated funds
318- for a major information resources project must first conduct an
319- evidence-based execution capability assessment using a scoring
320- method delivered by an independent third party to:
321- (1) determine the agency's capability for implementing
322- the project;
323- (2) reduce the agency's financial risk in implementing
324- the project; and
325- (3) increase the probability of the agency's
326- successful implementation of the project.
327- (b) A state agency shall submit to the department, the
328- quality assurance team established under Section 2054.158, and the
329- Legislative Budget Board a detailed report that includes
330- measurement and corrective actions for [identifies] the agency's
331- operational and technical [organizational] strengths and any
332- weaknesses that will be addressed before the agency initially
333- spends appropriated funds for a major information resources
334- project.
335- (c) Based on project costs, risks, and technical
336- difficulty, the department may require a [A] state agency to [may]
337- contract with an independent third party to conduct the assessment
338- under Subsection (a) and prepare the report described by Subsection
339- (b).
340- (d) The department may allow state agencies to purchase an
341- execution capability assessment using the purchasing method
342- described by Section 2157.068 for commodity items.
343- SECTION 14. Subchapter F, Chapter 2054, Government Code, is
181+ SECTION 11. Subchapter F, Chapter 2054, Government Code, is
344182 amended by adding Sections 2054.137, 2054.138, and 2054.139 to read
345183 as follows:
346184 Sec. 2054.137. INFORMATION SECURITY CONTINUOUS MONITORING
347185 PROGRAM. (a) In this section:
348186 (1) "Common control" means a security control that is
349187 inherited by one or more information resources technologies.
350188 (2) "Program" means the information security
351189 continuous monitoring program described by this section.
352190 (b) Each state agency shall:
353191 (1) develop and maintain an information security
354192 continuous monitoring program that:
355193 (A) allows the agency to maintain ongoing
356194 awareness of the security and vulnerabilities of and threats to the
357195 agency's information resources;
358196 (B) provides a clear understanding of
359197 organizational risk and helps the agency set priorities and manage
360198 the risk consistently;
361199 (C) addresses how the agency conducts ongoing
362200 authorizations of information resources technologies and the
363201 environments in which those technologies operate, including the
364202 agency's use of common controls;
365203 (D) aligns with the continuous monitoring
366204 guidance, cybersecurity framework, and risk management framework
367205 published in Special Publications 800-137 and 800-53 by the United
368206 States Department of Commerce National Institute of Standards and
369207 Technology;
370208 (E) addresses critical security controls,
371209 including hardware asset management, software asset management,
372210 configuration management, and vulnerability management; and
373211 (F) requires the integration of cybersecurity
374212 products;
375213 (2) establish a strategy and plan to implement a
376214 program for the agency;
377215 (3) to the extent practicable, establish information
378216 security continuous monitoring as an agency-wide solution and
379217 deploy enterprise information security continuous monitoring
380218 products and services;
381- (4) submit specified summary-level security-related
382- information to the dashboard established under Subsection (c)(3);
219+ (4) submit specified security-related information to
220+ the dashboard established under Subsection (c)(3);
383221 (5) evaluate and upgrade information resources
384222 technologies and deploy new products, including agency and
385223 component information security continuous monitoring dashboards,
386224 as necessary to support information security continuous monitoring
387225 and the need to submit security-related information requested by
388226 the department;
389227 (6) require that external service providers hosting
390228 state information meet state information security requirements for
391229 information security continuous monitoring; and
392230 (7) ensure the agency has adequate staff with the
393231 necessary training to meet the objectives of the program.
394- (c) The department, in consultation with the Information
395- Technology Council for Higher Education, shall:
232+ (c) The department shall:
396233 (1) oversee the implementation of this section by each
397234 state agency;
398235 (2) monitor and assist each state agency in
399236 implementation of a program and related strategies; and
400- (3) establish a summary-level statewide dashboard for
401- information security continuous monitoring that provides:
237+ (3) establish a statewide dashboard for information
238+ security continuous monitoring that provides:
402239 (A) a government-wide view of information
403240 security continuous monitoring; and
404241 (B) technical specifications and guidance for
405242 state agencies on the requirements for submitting information for
406243 purposes of the dashboard.
407244 Sec. 2054.138. CYBERSECURITY THREAT SIMULATION EXERCISES.
408245 (a) In this section, "executive staff" means the management or
409246 senior level staff members of a state agency who directly report to
410247 the executive head of a state agency.
411248 (b) The executive head of a state agency and members of the
412249 executive staff may participate in cybersecurity threat simulation
413250 exercises with the agency's information resources technologies
414251 employees to test the cybersecurity capabilities of the agency.
415252 Sec. 2054.139. CYBERSECURITY TRAINING FOR NEW EMPLOYEES.
416253 Not later than the 30th day after the date on which a new employee
417254 begins employment with a state agency, the employee shall complete
418255 the cybersecurity training developed by the department under
419256 Section 2054.059.
420- SECTION 15. Section 2054.512(d), Government Code, is
257+ SECTION 12. Section 2054.512(d), Government Code, is
421258 amended to read as follows:
422259 (d) The cybersecurity council shall:
423260 (1) consider the costs and benefits of establishing a
424261 computer emergency readiness team to address cyber attacks
425262 occurring in this state during routine and emergency situations;
426263 (2) establish criteria and priorities for addressing
427264 cybersecurity threats to critical state installations;
428265 (3) consolidate and synthesize best practices to
429266 assist state agencies in understanding and implementing
430267 cybersecurity measures that are most beneficial to this state;
431268 [and]
432269 (4) assess the knowledge, skills, and capabilities of
433270 the existing information technology and cybersecurity workforce to
434271 mitigate and respond to cyber threats and develop recommendations
435272 for addressing immediate workforce deficiencies and ensuring a
436273 long-term pool of qualified applicants; and
437274 (5) ensure all middle and high schools have knowledge
438275 of and access to:
439276 (A) free cybersecurity courses and curriculum
440277 approved by the Texas Education Agency;
441278 (B) state and regional information sharing and
442279 analysis centers; and
443280 (C) contracting benefits, including as provided
444281 by Section 2054.0565.
445- SECTION 16. Subchapter N-1, Chapter 2054, Government Code,
282+ SECTION 13. Subchapter N-1, Chapter 2054, Government Code,
446283 is amended by adding Sections 2054.5155, 2054.519, 2054.5191, and
447284 2054.5192 to read as follows:
448285 Sec. 2054.5155. INDEPENDENT RISK ASSESSMENT. (a) At least
449286 once every five years, in accordance with department rules, each
450287 state agency shall:
451288 (1) contract with an independent third party selected
452289 from a list provided by the department to conduct an independent
453290 risk assessment of the agency's exposure to security risks in the
454291 agency's information resources systems and to conduct tests to
455292 practice securing systems and notifying all affected parties in the
456293 event of a data breach; and
457294 (2) submit the results of the independent risk
458295 assessment to the department.
459- (b) The department shall include at least one institution of
460- higher education in the list of independent third parties under
461- Subsection (a)(1).
462- (c) The department annually shall compile the results of the
296+ (b) The department annually shall compile the results of the
463297 independent risk assessments conducted in the preceding year and
464298 prepare:
465299 (1) a public report on the general security issues
466300 covered by the assessments that does not contain any information
467301 the release of which may compromise any state agency's information
468302 resources system; and
469303 (2) a confidential report on specific risks and
470304 vulnerabilities that is exempt from disclosure under Chapter 552.
471- (d) The department annually shall submit to the legislature
305+ (c) The department annually shall submit to the legislature
472306 a comprehensive report on the results of the independent risk
473307 assessments conducted under Subsection (a) during the preceding
474- year that includes the report prepared under Subsection (c)(1) and
308+ year that includes the report prepared under Subsection (b)(1) and
475309 that identifies systematic or pervasive security risk
476310 vulnerabilities across state agencies and recommendations for
477311 addressing the vulnerabilities but does not contain any information
478312 the release of which may compromise any state agency's information
479313 resources system.
480314 Sec. 2054.519. VENDOR RESPONSIBILITY FOR CYBERSECURITY. A
481315 vendor that contracts with this state to provide information
482316 resources technology for a state agency at a cost to the agency of
483317 $1 million or more is responsible for addressing known
484318 cybersecurity risks associated with the technology and is
485319 responsible for any cost associated with addressing the identified
486320 cybersecurity risks. For a major information resources project,
487321 the vendor shall provide to state agency contracting personnel:
488322 (1) a written attestation that:
489323 (A) the vendor has a cybersecurity risk
490324 management program consistent with:
491325 (i) the cybersecurity framework
492326 established by the National Institute of Standards and Technology;
493327 (ii) the 27000 series standards for
494328 information security published by the International Organization
495329 for Standardization; or
496330 (iii) other widely accepted security risk
497331 management frameworks;
498332 (B) the vendor's cybersecurity risk management
499333 program includes appropriate training and certifications for the
500334 employees performing work under the contract; and
501335 (C) the vendor has a vulnerability management
502336 program that addresses vulnerability identification, mitigation,
503337 and responsible disclosure, as appropriate; and
504338 (2) an initial summary of any costs associated with
505339 addressing or remediating the identified technology or
506340 personnel-related cybersecurity risks as identified in
507341 collaboration with this state following a risk assessment.
508342 Sec. 2054.5191. CYBERSTAR PROGRAM; CERTIFICATE OF
509343 APPROVAL. (a) The state cybersecurity coordinator, in
510344 collaboration with the cybersecurity council and public and private
511345 entities in this state, shall develop best practices for
512346 cybersecurity that include:
513347 (1) measureable, flexible, and voluntary
514348 cybersecurity risk management programs for public and private
515349 entities to adopt to prepare for and respond to cyber incidents that
516350 compromise the confidentiality, integrity, and availability of the
517351 entities' information systems;
518352 (2) appropriate training and information for
519353 employees or other individuals who are most responsible for
520354 maintaining security of the entities' information systems;
521355 (3) consistency with:
522356 (A) for a municipality or county, the multihazard
523357 emergency operations plan and the safety and security audit
524358 required under Section 364.0101, Local Government Code; and
525359 (B) the National Institute of Standards and
526360 Technology standards for cybersecurity;
527361 (4) public service announcements to encourage
528362 cybersecurity awareness; and
529363 (5) coordination with local and state governmental
530364 entities.
531365 (b) The state cybersecurity coordinator shall establish a
532366 cyberstar certificate program to recognize public and private
533367 entities that implement the best practices for cybersecurity
534368 developed in accordance with Subsection (a). The program must
535369 allow a public or private entity to submit to the department a form
536370 certifying that the entity has complied with the best practices and
537371 the department to issue a certificate of approval to the entity.
538372 The entity may include the certificate of approval in
539373 advertisements and other public communications.
540374 (c) The state cybersecurity coordinator shall conduct an
541375 annual public event to promote best practices for cybersecurity.
542376 Sec. 2054.5192. ENCRYPTED SECURE LAYER SERVICES REQUIRED.
543377 Each state agency that maintains a publicly accessible Internet
544378 website that requires the submission of sensitive personally
545379 identifiable information shall use an encrypted secure
546380 communication protocol, including a secure hypertext transfer
547381 protocol.
548- SECTION 17. Subchapter Q, Chapter 2054, Government Code, is
549- amended by adding Section 2054.577 to read as follows:
550- Sec. 2054.577. TEXAS INNOVATION FUND AND STATE AGENCY
551- TECHNOLOGY UPGRADES ACCOUNT. (a) In this section:
552- (1) "Account" means the state agency technology
553- upgrades account.
554- (2) "Board" means the Texas innovation fund board.
555- (3) "Cloud computing service" has the meaning assigned
556- by Section 2157.007.
557- (4) "Device-as-a-service" means a managed service in
558- which hardware that belongs to a managed service provider is
559- installed at a state agency and a service level agreement defines
560- the responsibilities of each party to the agreement.
561- (5) "Fund" means the Texas innovation fund.
562- (6) "Information technology system" means any
563- equipment or interconnected system or subsystem of equipment used
564- by a state agency, or a person under a contract with a state agency
565- if the contract requires use of the equipment, to acquire, store,
566- analyze, evaluate, manipulate, manage, move, control, display,
567- switch, interchange, transmit, print, copy, scan, or receive data
568- or other information. The term:
569- (A) includes a computer, a device-as-a-service
570- solution, ancillary computer equipment such as imaging, printing,
571- scanning, and copying peripherals and input, output, and storage
572- devices necessary for security and surveillance, peripheral
573- equipment designed to be controlled by the central processing unit
574- of a computer, software and firmware and similar procedures, and
575- services, including support services, and related resources; and
576- (B) does not include equipment acquired by a
577- contractor incidental to a state contract.
578- (7) "Legacy information technology system" means an
579- information technology system that is operated with obsolete or
580- inefficient hardware or software technology.
581- (8) "Qualifying information technology modernization
582- project" means a project by a state agency to:
583- (A) replace the agency's information technology
584- systems;
585- (B) transition the agency's legacy information
586- technology systems to a cloud computing service or other innovative
587- commercial platform or technology; or
588- (C) develop and implement a method to provide
589- adequate, risk-based, and cost-effective information technology
590- responses to threats to the agency's information security.
591- (9) "State agency" has the meaning assigned by Section
592- 2254.151, notwithstanding Section 2054.003.
593- (b) The Texas innovation fund board is established to
594- administer the Texas innovation fund and the state agency
595- technology upgrades account and to make awards of financial
596- assistance to state agencies from the fund or account for
597- qualifying information technology modernization projects. The
598- board is composed of:
599- (1) one member who is a representative of the
600- department, appointed by the presiding officer of the governing
601- board of the department;
602- (2) one member who is a representative of the office of
603- the governor, appointed by the governor;
604- (3) two members of the senate, appointed by the
605- lieutenant governor;
606- (4) two members of the house of representatives,
607- appointed by the presiding officer of the governing board of the
608- department from a list provided by the speaker of the house of
609- representatives; and
610- (5) one public member, appointed by the governor.
611- (c) Members of the board serve staggered six-year terms. A
612- board member is not entitled to compensation for service on the
613- board but is entitled to reimbursement of expenses incurred while
614- performing duties as a board member.
615- (d) The Texas innovation fund and the state agency
616- technology upgrades account are special funds outside the state
617- treasury to be used by the board, without further legislative
618- appropriation, as provided by this section.
619- (e) The fund consists of:
620- (1) money appropriated, credited, or transferred to
621- the fund by the legislature;
622- (2) money received by the board for the repayment of a
623- loan made from the fund; and
624- (3) interest and other earnings earned on deposits and
625- investments of money in the fund.
626- (f) The account consists of:
627- (1) money deposited to the account by the comptroller
628- in the manner prescribed by Subsection (h); and
629- (2) interest and other earnings earned on deposits and
630- investments of money in the account.
631- (g) The department by rule shall establish a loan program to
632- authorize the board to use money from the fund to provide loans to
633- state agencies for qualifying information technology modernization
634- projects. A state agency must apply to the board for a loan from the
635- fund. The application must include a description of the qualifying
636- information technology modernization project for which the state
637- agency is requesting a loan. A loan agreement entered into under
638- this subsection must require the state agency to:
639- (1) repay the loan to the board within seven years of
640- the date the loan is made to the agency; and
641- (2) make annual reports to the board identifying cost
642- savings realized by the agency as a result of the project for which
643- the agency received the loan.
644- (h) At the end of each state fiscal year, on the written
645- request of a state agency, the comptroller shall deposit to the
646- account the unexpended balance of any money appropriated to the
647- agency for that state fiscal year that is budgeted by the agency for
648- information technology services or cybersecurity purposes. A state
649- agency may request money from the account from the board at any time
650- for a qualifying information technology modernization project.
651- This subsection does not apply to the unexpended balance of any
652- money appropriated to a state agency from federal funds or from a
653- fund created by the constitution of this state.
654- (i) The comptroller shall separately account for the amount
655- of money deposited to the account at the request of each state
656- agency under Subsection (h). Money deposited to the account under
657- Subsection (h) and any interest and other earnings on that money may
658- be provided only to the state agency for which the comptroller
659- deposited the money to the account and may be used by the agency
660- only for a qualifying information technology modernization
661- project.
662- (j) Any money deposited to the account at the request of a
663- state agency under Subsection (h) that is not requested by the
664- agency within two years from the date the money is deposited shall
665- be transferred by the comptroller to the general revenue fund to be
666- used in accordance with legislative appropriation.
667- (k) A state agency that receives money from the fund or the
668- account may collaborate with one or more other state agencies that
669- also receive money from the fund or the account to purchase
670- information technology systems that may be shared between the
671- agencies.
672- (l) The department and the comptroller may adopt rules to
673- implement and administer this section.
674- SECTION 18. Chapter 2054, Government Code, is amended by
382+ SECTION 14. Chapter 2054, Government Code, is amended by
675383 adding Subchapter R to read as follows:
676384 SUBCHAPTER R. INFORMATION RESOURCES OF GOVERNMENTAL ENTITIES
677385 Sec. 2054.601. USE OF NEXT GENERATION TECHNOLOGY. Each
678386 state agency and local government shall, in the administration of
679387 the agency or local government, consider using next generation
680388 technologies, including cryptocurrency, blockchain technology, and
681389 artificial intelligence.
682390 Sec. 2054.602. LIABILITY EXEMPTION. A person who in good
683391 faith discloses to a state agency or other governmental entity
684392 information regarding a potential security issue with respect to
685393 the agency's or entity's information resources technologies is not
686394 liable for any civil damages resulting from disclosing the
687395 information unless the person stole, retained, or sold any data
688396 obtained as a result of the security issue.
689397 Sec. 2054.603. MATCHING GRANTS FOR LOCAL CYBERSECURITY
690398 PROJECTS. (a) In this section, "local governmental entity" means a
691399 political subdivision of the state, including a:
692400 (1) county;
693401 (2) municipality;
694402 (3) public school district; or
695403 (4) special-purpose district or authority.
696404 (b) Using available funds, the governor shall establish and
697405 administer a cybersecurity matching grant program to award grants
698406 to local governmental entities to defray the costs of cybersecurity
699407 projects.
700408 (c) A local governmental entity that applies to the office
701409 of the governor for a matching grant under this section must
702410 identify the source and amount of the local governmental entity's
703411 matching funds. If the office approves a grant application, the
704412 office shall award to the local governmental entity a grant amount
705413 equal to 150 percent of the amount committed by the entity.
706414 (d) The office may set a deadline for grant applications for
707415 each state fiscal year.
708416 (e) The governor shall adopt rules to implement the grant
709417 program created under this section.
710418 Sec. 2054.604. CYBERSECURITY THREAT ASSESSMENT. The
711419 department shall develop a cybersecurity threat assessment for
712420 local governments that provides best practices for preventing
713421 cybersecurity attacks.
714422 Sec. 2054.605. REPOSITORY FOR CYBERSECURITY EDUCATION AND
715423 TRAINING. The department, in conjunction with institutions of
716424 higher education as defined by Section 61.003, Education Code,
717425 shall maintain and promote a centralized repository of information
718426 on cybersecurity education and training that is available to any
719427 governmental entity in this state.
720- SECTION 19. Subchapter B, Chapter 2155, Government Code, is
428+ SECTION 15. Subchapter B, Chapter 2155, Government Code, is
721429 amended by adding Section 2155.092 to read as follows:
722- Sec. 2155.092. VENDOR STATEMENT FOR CERTAIN GOODS. (a)
430+ Sec. 2155.092. VENDOR CERTIFICATION FOR CERTAIN GOODS. (a)
723431 This section does not apply to a good provided as part of a major
724432 information resources project as defined by Section 2054.003.
725433 (b) A vendor offering to sell to the state a good embedded
726434 with a computing device capable of Internet connectivity must
727435 include with each bid, offer, proposal, or other expression of
728- interest a written statement providing whether, at the time of
729- submitting the bid, offer, proposal, or expression of interest, the
730- vendor has actual knowledge of a confirmed security vulnerability
731- or defect in the device's hardware, software, or firmware that
732- would adversely affect the security of state data and is subject to
733- an applicable notification law.
734- (c) If a security vulnerability or defect is identified by a
735- vendor under Subsection (b), the contracting state agency may
736- request additional information in order to assess:
737- (1) the potential impact of the vulnerability or
738- defect on the agency's planned use of the device; and
739- (2) whether a security patch or other means of
740- mitigation is currently available or expected within a specific
741- period of time.
742- SECTION 20. The heading to Section 2157.007, Government
436+ interest a written certification providing that the good does not
437+ contain, at the time of submitting the bid, offer, proposal, or
438+ expression of interest, a hardware, software, or firmware component
439+ with any known security vulnerability or defect.
440+ SECTION 16. The heading to Section 2157.007, Government
743441 Code, is amended to read as follows:
744442 Sec. 2157.007. [CONSIDERATION OF] CLOUD COMPUTING SERVICE
745443 [PURCHASE].
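Review bot: The added Sec. 2155.092(b) text requires a certification that the good contains no component "with any known security vulnerability or defect", with no knowledge qualifier, no severity threshold and no tie to state data, where the removed text was limited to "actual knowledge of a confirmed security vulnerability or defect" that "would adversely affect the security of state data". The removed Subsection (c), which let the contracting agency ask about the impact on its planned use and whether a patch or other mitigation is available or expected, has no replacement in the added lines, so the added text gives a vendor with a disclosed, patchable issue no way to say so short of declining to certify. Suggest either keeping the disclosure-plus-assessment step from the removed (c), or stating whose knowledge "known" refers to and scoping the certification to vulnerabilities that lack an available mitigation.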
746- SECTION 21. Section 2157.007, Government Code, is amended
747- by amending Subsections (a) and (b) and adding Subsections (b-1),
748- (b-2), and (f) to read as follows:
749- (a) In this section:
750- (1) "Cloud computing service" has the meaning assigned
751- by Special Publication 800-145 issued by the United States
752- Department of Commerce National Institute of Standards and
753- Technology, as the definition existed on January 1, 2015.
754- (2) "Major information resources project" has the
755- meaning assigned by Section 2054.003.
756- (b) Except as provided by Subsection (b-1), a [A] state
757- agency shall ensure [consider cloud computing service options,
758- including any security benefits and cost savings associated with
759- purchasing those service options from a cloud computing service
760- provider and from a statewide technology center established by the
761- department], when making purchases for an automated information
762- system or a major information resources project, that the system or
763- project is capable of being deployed and run on cloud computing
764- services [under Section 2054.118].
765- (b-1) When making a purchase for an automated information
766- system or a major information resources project, a state agency may
767- determine that, due to integration limitations with legacy systems,
768- security risks, costs, or other relevant considerations, the agency
769- is unable to purchase a system or project capable of being deployed
770- and run on cloud computing services.
771- (b-2) At least 14 days before the date a state agency
772- solicits bids, proposals, offers, or other applicable expressions
773- of interest for a purchase described by Subsection (b-1), the
774- agency shall submit to the Legislative Budget Board for the
775- purchase of an automated information system or to the quality
776- assurance team as defined by Section 2054.003 for the purchase of a
777- major information resources project a report that describes the
778- purchase and the agency's reasoning for making the purchase.
444+ SECTION 17. Section 2157.007, Government Code, is amended
445+ by amending Subsection (b) and adding Subsection (f) to read as
446+ follows:
447+ (b) A state agency shall ensure [consider cloud computing
448+ service options, including any security benefits and cost savings
449+ associated with purchasing those service options from a cloud
450+ computing service provider and from a statewide technology center
451+ established by the department], when making purchases for an
452+ automated information system or a major information resources
453+ project under Section 2054.118, that the system or project is
454+ capable of being deployed and run on cloud computing services.
779455 (f) The department shall periodically review guidelines on
780456 state agency information that may be stored by a cloud computing or
781457 other storage service and the cloud computing or other storage
782458 services available to state agencies for that storage to ensure
783459 that an agency purchasing a major information resources project
784- selects the most affordable, secure, and efficient cloud computing
785- or other storage service available to the agency. The guidelines
786- must include appropriate privacy and security standards that, at a
787- minimum, require a vendor who offers cloud computing or other
788- storage services or other software, applications, online services,
789- or information technology solutions to any state agency to
790- demonstrate that data provided by the state to the vendor will be
791- maintained in compliance with all applicable state and federal laws
792- and rules.
793- SECTION 22. Section 205.010(b), Local Government Code, is
460+ under Section 2054.118 selects the most affordable, secure, and
461+ efficient cloud computing or other storage service available to the
462+ agency. The guidelines must include appropriate privacy and
463+ security standards that, at a minimum, require a vendor who offers
464+ cloud computing or other storage services or other software,
465+ applications, online services, or information technology solutions
466+ to any state agency to demonstrate that data provided by the state
467+ to the vendor will be maintained in compliance with all applicable
468+ state and federal laws and rules.
469+ SECTION 18. Section 205.010(b), Local Government Code, is
794470 amended to read as follows:
795471 (b) A local government that owns, licenses, or maintains
796472 computerized data that includes sensitive personal information
797473 shall comply, in the event of a breach of system security, with the
798474 notification requirements of:
799475 (1) Section 364.0053;
800476 (2) Section 364.0102; and
801477 (3) Section 521.053, Business & Commerce Code, to the
802478 same extent as a person who conducts business in this state.
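Review bot: The added Sec. 2157.007(b) makes cloud deployability a flat requirement ("A state agency shall ensure ... that the system or project is capable of being deployed and run on cloud computing services"), where the removed version opened with "Except as provided by Subsection (b-1)" and (b-1) let an agency determine it could not comply because of "integration limitations with legacy systems, security risks, costs, or other relevant considerations". The removed (b-2) report, due at least 14 days before solicitation to the Legislative Budget Board or the quality assurance team, is gone as well, so the added text has neither an exception for security risk nor a review step for one. Suggest restoring a narrow exception that must be reported, so that an agency with a documented security reason is not forced into a cloud-capable purchase and the decision still gets outside review.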
803- SECTION 23. Subtitle C, Title 11, Local Government Code, is
479+ SECTION 19. Subtitle C, Title 11, Local Government Code, is
804480 amended by adding Chapter 364 to read as follows:
805481 CHAPTER 364. LOCAL GOVERNMENT CYBERSECURITY AND EMERGENCY PLANNING
806482 AND RESPONSE
807483 SUBCHAPTER A. GENERAL PROVISIONS
808484 Sec. 364.0001. DEFINITIONS. In this chapter:
809485 (1) "Breach of system security" has the meaning
810486 assigned by Section 521.053, Business & Commerce Code.
811487 (2) "Cybersecurity coordinator" means the state
812488 cybersecurity coordinator designated under Section 2054.511,
813489 Government Code.
814490 (3) "Cybersecurity council" means the council
815491 established by the cybersecurity coordinator under Section
816492 2054.512, Government Code.
817493 (4) "Sensitive personal information" has the meaning
818494 assigned by Section 521.002, Business & Commerce Code.
819495 SUBCHAPTER B. REGIONAL INFORMATION SHARING AND ANALYSIS CENTERS
820496 Sec. 364.0051. ESTABLISHMENT. (a) The cybersecurity
821497 coordinator shall provide for the establishment and operation of
822498 not more than 20 regional information sharing and analysis centers.
823499 (b) Regional information sharing and analysis centers shall
824500 be located throughout the state so that the boundaries for each
825501 center are coextensive with the regional education service centers
826502 established under Chapter 8, Education Code.
827503 Sec. 364.0052. MEMBERSHIP. Each municipality with a
828504 population of more than 25,000 shall join the regional information
829505 sharing and analysis center in which the municipality is
830506 predominantly located. Any other political subdivision may join
831507 the regional information sharing and analysis center in which the
832508 political subdivision is predominantly located.
833509 Sec. 364.0053. SECURITY BREACH NOTIFICATION. (a) Not
834510 later than 48 hours after a political subdivision discovers a
835511 breach or suspected breach of system security or an unauthorized
836512 exposure of sensitive personal information, the political
837513 subdivision shall notify the regional information sharing and
838514 analysis center of the breach. The notification must describe the
839515 breach, suspected breach, or unauthorized exposure.
840516 (b) A regional information sharing and analysis center
841517 shall report to the Department of Information Resources any breach
842518 of system security reported by a political subdivision in which the
843519 person responsible for the breach:
844520 (1) obtained or modified specific critical or
845521 sensitive personal information;
846522 (2) established access to the political subdivision's
847523 information systems or infrastructure; or
848524 (3) undermined, severely disrupted, or destroyed a
849525 core service, program, or function of the political subdivision, or
850526 placed the person in a position to do so in the future.
851527 Sec. 364.0054. RULEMAKING. The cybersecurity coordinator
852528 may adopt rules necessary to implement this subchapter.
853529 SUBCHAPTER C. EMERGENCY PLANNING AND RESPONSE
854530 Sec. 364.0101. MULTIHAZARD EMERGENCY OPERATIONS PLAN;
855531 SAFETY AND SECURITY AUDIT. (a) This section applies to a
856532 municipality or county with a population of more than 100,000.
857533 (b) Each municipality and county shall adopt and implement a
858534 multihazard emergency operations plan for use in the municipality's
859535 and county's facilities. The plan must address mitigation,
860536 preparedness, response, and recovery as determined by the
861537 cybersecurity council and the governor's office of homeland
862538 security. The plan must provide for:
863539 (1) municipal or county employee training in
864540 responding to an emergency;
865541 (2) measures to ensure coordination with the
866542 Department of State Health Services, Department of Information
867543 Resources, local emergency management agencies, law enforcement
868544 agencies, local health departments, and fire departments in the
869545 event of an emergency; and
870546 (3) the implementation of a safety and security audit
871547 as required by Subsection (c).
872548 (c) At least once every three years, each municipality and
873549 county shall conduct a safety and security audit of the
874550 municipality's or county's information technology infrastructure.
875551 To the extent possible, a municipality or county shall follow
876552 safety and security audit procedures developed by the cybersecurity
877553 council or a comparable public or private entity.
878554 (d) A municipality or county shall report the results of the
879555 safety and security audit conducted under Subsection (c):
880556 (1) to the municipality's or county's governing body;
881557 and
882558 (2) in the manner required by the cybersecurity
883559 council, to the cybersecurity council.
884560 (e) Except as provided by Subsection (f), any document or
885561 information collected, developed, or produced during a safety and
886562 security audit conducted under Subsection (c) is not subject to
887563 disclosure under Chapter 552, Government Code.
888564 (f) A document relating to a municipality's or county's
889565 multihazard emergency operations plan is subject to disclosure if
890566 the document enables a person to:
891567 (1) verify that the municipality or county has
892568 established a plan and determine the agencies involved in the
893569 development of the plan and the agencies coordinating with the
894570 municipality or county to respond to an emergency;
895571 (2) verify that the municipality's or county's plan
896572 was reviewed within the last 12 months and determine the specific
897573 review dates;
898574 (3) verify that the plan addresses the phases of
899575 emergency management under Subsection (b);
900576 (4) verify that municipal or county employees have
901577 been trained to respond to an emergency and determine the types of
902578 training, the number of employees trained, and the person
903579 conducting the training;
904580 (5) verify that the municipality or county has
905581 completed a safety and security audit under Subsection (c) and
906582 determine the date the audit was conducted, the person conducting
907583 the audit, and the date the municipality or county presented the
908584 results of the audit to the municipality's or county's governing
909585 body; and
910586 (6) verify that the municipality or county has
911587 addressed any recommendations by the municipality's or county's
912588 governing body for improvement of the plan and determine the
913589 municipality's or county's progress within the last 12 months.
914590 Sec. 364.0102. RANSOMWARE PAYMENT. (a) In this section,
915591 "ransomware" has the meaning assigned by Section 33.023, Penal
916592 Code.
917593 (b) Not later than 48 hours after the time a political
918594 subdivision makes a ransomware payment, the political subdivision
919595 shall notify the cybersecurity coordinator of the payment.
920- SECTION 24. Section 2054.513, Government Code, is repealed.
921- SECTION 25. The Department of Information Resources shall
596+ SECTION 20. Section 2054.513, Government Code, is repealed.
597+ SECTION 21. The Department of Information Resources shall
922598 conduct a study on the types of objects embedded with computing
923599 devices that are connected to the Internet that are purchased
924600 through the department. The Department of Information Resources
925601 shall submit a report on the study to the legislature not later than
926602 December 31, 2020.
927- SECTION 26. (a) The lieutenant governor shall establish a
603+ SECTION 22. (a) The lieutenant governor shall establish a
928604 Senate Select Committee on Cybersecurity and the speaker of the
929605 house of representatives shall establish a House Select Committee
930606 on Cybersecurity to, jointly or separately, study:
931607 (1) cybersecurity in this state;
932608 (2) the information security plans of each state
933609 agency;
934610 (3) the risks and vulnerabilities of state agency
935611 cybersecurity; and
936612 (4) information technology procurement.
937613 (b) Not later than November 30, 2019:
938614 (1) the lieutenant governor shall appoint five
939615 senators to the Senate Select Committee on Cybersecurity, one of
940616 whom shall be designated as chair; and
941617 (2) the speaker of the house of representatives shall
942618 appoint five state representatives to the House Select Committee on
943619 Cybersecurity, one of whom shall be designated as chair.
944620 (c) The committees established under this section shall
945621 convene separately at the call of the chair of the respective
946622 committees, or jointly at the call of both chairs. In joint
947623 meetings, the chairs of each committee shall act as joint chairs.
948624 (d) Following consideration of the issues listed in
949625 Subsection (a) of this section, the committees established under
950626 this section shall jointly adopt recommendations on state
951627 cybersecurity and report in writing to the legislature any findings
952628 and adopted recommendations not later than January 12, 2021.
953629 (e) This section expires September 1, 2021.
954- SECTION 27. As soon as practicable after the effective date
630+ SECTION 23. As soon as practicable after the effective date
955631 of this Act, the governor shall appoint a chief innovation officer
956632 as required by Section 401.106, Government Code, as added by this
957633 Act.
958- SECTION 28. (a) An official publisher in the executive
959- branch of state government shall comply with the applicable
960- provisions of Subchapter E, Chapter 2051, Government Code, as added
961- by this Act, in accordance with an implementation plan developed
962- under Subsection (b) of this section.
963- (b) The Texas State Library and Archives Commission and an
964- official publisher in the executive branch of state government are
965- jointly responsible for developing an implementation plan for the
966- applicable provisions of Subchapter E, Chapter 2051, Government
967- Code, as added by this Act. The implementation plan must:
968- (1) for each applicable type of legal material defined
969- by Subchapter E, Chapter 2051, Government Code, as added by this
970- Act, advise as to the method by which the legal material may be
971- authenticated, preserved, and made available on a permanent basis;
972- and
973- (2) establish a timeline for the official publisher to
974- comply with Sections 2051.154, 2051.155, 2051.157, and 2051.158,
975- Government Code, as added by this Act.
976- (c) The implementation plan developed under Subsection (b)
977- of this section may provide for compliance by an official publisher
978- in the executive branch of state government with Sections 2051.154,
979- 2051.155, 2051.157, and 2051.158, Government Code, as added by this
980- Act, to be phased in over a period of time.
981- (d) The Texas State Library and Archives Commission shall
982- provide the implementation plan developed under Subsection (b) of
983- this section to the legislature not later than September 1, 2020.
984- SECTION 29. (a) An official publisher in the legislative
985- branch of state government shall comply with the applicable
986- provisions of Subchapter E, Chapter 2051, Government Code, as added
987- by this Act, in accordance with an implementation plan developed
988- under Subsection (b) of this section.
989- (b) An official publisher in the legislative branch of state
990- government, in consultation with the lieutenant governor, the
991- speaker of the house of representatives, the Senate Committee on
992- Administration, and the House Committee on Administration, shall
993- develop an implementation plan for the applicable provisions of
994- Subchapter E, Chapter 2051, Government Code, as added by this Act.
995- The implementation plan must:
996- (1) for each applicable type of legal material defined
997- by Subchapter E, Chapter 2051, Government Code, as added by this
998- Act, recommend the method by which the legal material may be
999- authenticated, preserved, and made available on a permanent basis;
1000- and
1001- (2) establish a timeline for the official publisher to
1002- comply with Sections 2051.154, 2051.155, 2051.157, and 2051.158,
1003- Government Code, as added by this Act.
1004- (c) The implementation plan developed under Subsection (b)
1005- of this section may provide for compliance by an official publisher
1006- in the legislative branch of state government with Sections
1007- 2051.154, 2051.155, 2051.157, and 2051.158, Government Code, as
1008- added by this Act, to be phased in over a period of time.
1009- (d) An official publisher in the legislative branch of state
1010- government shall provide the implementation plan developed under
1011- Subsection (b) of this section to the lieutenant governor and
1012- speaker of the house of representatives not later than September 1,
1013- 2020.
1014- SECTION 30. Section 2054.139, Government Code, as added by
634+ SECTION 24. Section 2054.139, Government Code, as added by
1015635 this Act, requiring a new employee of a state agency to complete
1016636 cybersecurity training, applies only to an employee who begins
1017637 employment on or after the effective date of this Act.
1018- SECTION 31. Section 2155.092, Government Code, as added by
638+ SECTION 25. Section 2155.092, Government Code, as added by
1019639 this Act, applies only in relation to a contract for which a state
1020640 agency first advertises or otherwise solicits bids, offers,
1021641 proposals, or other expressions of interest on or after the
1022642 effective date of this Act.
1023- SECTION 32. Section 2157.007, Government Code, as amended
643+ SECTION 26. Section 2157.007, Government Code, as amended
1024644 by this Act, applies only with respect to a purchase made by a state
1025645 agency on or after the effective date of this Act. A purchase made
1026646 before the effective date of this Act is governed by the law in
1027647 effect on the date the purchase was made, and the former law is
1028648 continued in effect for that purpose.
1029- SECTION 33. If before implementing any provision of this
1030- Act a state agency determines that a waiver or authorization from a
1031- federal agency is necessary for implementation of that provision,
1032- the agency affected by the provision shall request the waiver or
1033- authorization and may delay implementing that provision until the
1034- waiver or authorization is granted.
1035- SECTION 34. This Act takes effect September 1, 2019.
649+ SECTION 27. This Act takes effect September 1, 2019.