Texas 2019 - 86th Regular

Texas Senate Bill SB1779 Compare Versions

Old New Differences
11 By: Paxton S.B. No. 1779
2- (Parker)
32
43
54 A BILL TO BE ENTITLED
65 AN ACT
76 relating to security for state agency information and information
87 technologies.
98 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
109 SECTION 1. Subtitle B, Title 10, Government Code, is
1110 amended by adding Chapter 2061, and a heading is added to that
1211 chapter to read as follows:
1312 CHAPTER 2061. INFORMATION SECURITY
1413 SECTION 2. Chapter 2061, Government Code, as added by this
1514 Act, is amended by adding Subchapter A to read as follows:
1615 SUBCHAPTER A. GENERAL PROVISIONS
1716 Sec. 2061.0001. DEFINITIONS. In this chapter:
1817 (1) "Breach of system security" has the meaning
1918 assigned by Section 521.053(a), Business & Commerce Code.
2019 (2) "Computer," "computer network," "computer
2120 program," "computer system," and "computer software" have the
2221 meanings assigned by Section 33.01, Penal Code.
2322 (3) "Confidential information" means information that
2423 is required to be protected from unauthorized disclosure or public
2524 release under state or federal law or a legal agreement.
2625 (4) "Cybersecurity" means the measures taken to
2726 protect a computer or computer system against unauthorized use or
2827 access.
2928 (5) "Data" has the meaning assigned by Section 33.01,
3029 Penal Code.
3130 (6) "Department" means the Department of Information
3231 Resources.
3332 (7) "Information resources" has the meaning assigned
3433 by Section 2054.003.
3534 (8) "Information security" means the protection of
3635 information and information systems from unauthorized access, use,
3736 disclosure, disruption, modification, or destruction to maintain
3837 the confidentiality, integrity, and availability of the
3938 information.
4039 (9) "Risk management" means the process of aligning
4140 information resources risk exposure with the organization's risk
4241 tolerance by accepting, transferring, or mitigating risk
4342 exposures.
4443 (10) "Security incident" means an event that results
4544 in the accidental or deliberate unauthorized access, loss,
4645 disclosure, disruption, modification, or destruction of
4746 information or information resources.
4847 (11) "Sensitive personal information" has the meaning
4948 assigned by Section 521.002, Business & Commerce Code.
5049 (12) "State agency" has the meaning assigned by
5150 Section 2054.003.
5251 (13) "Vulnerability" means a weakness in a system,
5352 application, or network that is subject to exploitation or misuse.
5453 Sec. 2061.0002. GENERAL POWERS OF DEPARTMENT. (a) The
5554 department may adopt rules as necessary to implement its
5655 responsibilities under this chapter.
5756 (b) The department may require each state agency to report
5857 to the department:
5958 (1) each agency's use of information security and
6059 cybersecurity technologies;
6160 (2) the effect of those technologies on the duties and
6261 functions of the agency;
6362 (3) the costs incurred by the agency in the
6463 acquisition and use of those technologies;
6564 (4) the procedures followed in obtaining those
6665 technologies; and
6766 (5) other information relating to information
6867 security and cybersecurity management that in the judgment of the
6968 department should be reported.
7069 (c) At the request of a state agency, the department may
7170 provide technical and managerial assistance relating to
7271 information security and cybersecurity management and
7372 technologies.
7473 (d) The department may report to the governor and to the
7574 presiding officer of each house of the legislature any factors that
7675 in the opinion of the department are outside the duties of the
7776 department but that inhibit or promote effective communication
7877 about and the use of information security and cybersecurity in
7978 state government.
8079 SECTION 3. Chapter 2061, Government Code, as added by this
8180 Act, is amended by adding Subchapter B, and a heading is added to
8281 that subchapter to read as follows:
8382 SUBCHAPTER B. GENERAL DUTIES RELATED TO CYBERSECURITY
8483 SECTION 4. Sections 2054.059, 2054.0591, 2054.0592, and
8584 2054.0594, Government Code, are transferred to Subchapter B,
8685 Chapter 2061, Government Code, as added by this Act, and
8786 redesignated as Sections 2061.0051, 2061.0052, 2061.0053, and
8887 2061.0054, Government Code, respectively, and amended to read as
8988 follows:
9089 Sec. 2061.0051 [2054.059]. CYBERSECURITY. From available
9190 funds, the department shall:
9291 (1) establish and administer a clearinghouse for
9392 information relating to all aspects of protecting the cybersecurity
9493 of state agency information;
9594 (2) develop strategies and a framework for:
9695 (A) the securing of cyberinfrastructure by state
9796 agencies, including critical infrastructure; and
9897 (B) cybersecurity risk assessment and mitigation
9998 planning;
10099 (3) develop and provide training to state agencies on
101100 cybersecurity measures and awareness;
102101 (4) provide assistance to state agencies on request
103102 regarding the strategies and framework developed under Subdivision
104103 (2); and
105104 (5) promote public awareness of cybersecurity issues.
106105 Sec. 2061.0052 [2054.0591]. CYBERSECURITY REPORT.
107106 (a) Not later than November 15 of each even-numbered year, the
108107 department shall submit to the governor, the lieutenant governor,
109108 the speaker of the house of representatives, and the standing
110109 committee of each house of the legislature with primary
111110 jurisdiction over state government operations a report identifying
112111 preventive and recovery efforts the state can undertake to improve
113112 cybersecurity in this state. The report must include:
114113 (1) an assessment of the resources available to
115114 address the operational and financial impacts of a cybersecurity
116115 event;
117116 (2) a review of existing statutes regarding
118117 cybersecurity and information resources technologies;
119118 (3) recommendations for legislative action to
120119 increase the state's cybersecurity and protect against adverse
121120 impacts from a cybersecurity event; and
122121 (4) an evaluation of a program that provides an
123122 information security officer to assist small state agencies and
124123 local governments that are unable to justify hiring a full-time
125124 information security officer [the costs and benefits of
126125 cybersecurity insurance; and
127126 [(5) an evaluation of tertiary disaster recovery
128127 options].
129128 (b) The department or a recipient of a report under this
130129 section may redact or withhold information confidential under
131130 Chapter 552, including Section 552.139, or other state or federal
132131 law that is contained in the report in response to a request under
133132 Chapter 552 without the necessity of requesting a decision from the
134133 attorney general under Subchapter G, Chapter 552.
135134 Sec. 2061.0053 [2054.0592]. CYBERSECURITY EMERGENCY
136135 FUNDING. If a cybersecurity event creates a need for emergency
137136 funding, the department may request that the governor or
138137 Legislative Budget Board make a proposal under Chapter 317 to
139138 provide funding to manage the operational and financial impacts
140139 from the cybersecurity event.
141140 Sec. 2061.0054 [2054.0594]. INFORMATION SHARING AND
142141 ANALYSIS ORGANIZATION [CENTER]. (a) The department shall
143142 establish an information sharing and analysis organization
144143 [center] to provide a forum for state agencies, local governments,
145144 public and private institutions of higher education, and the
146145 private sector to share information regarding cybersecurity
147146 threats, best practices, and remediation strategies.
148147 (b) [The department shall appoint persons from appropriate
149148 state agencies to serve as representatives to the information
150149 sharing and analysis center.
151150 [(c)] The department[, using funds other than funds
152151 appropriated to the department in a general appropriations act,]
153152 shall provide administrative support to the information sharing and
154153 analysis organization [center].
155154 (c) A participant in the information sharing and analysis
156155 organization shall assert any exception available under state or
157156 federal law, including Section 552.139, in response to a request
158157 for public disclosure of information shared through the
159158 organization.
160159 (d) A participant described by Subsection (c) may not make a
161160 voluntary disclosure under Section 552.007.
162161 SECTION 5. Chapter 2061, Government Code, as added by this
163162 Act, is amended by adding Subchapter C, and a heading is added to
164163 that subchapter to read as follows:
165164 SUBCHAPTER C. INFORMATION SECURITY OFFICER; INFORMATION SECURITY
166165 TRAINING AND REPORTS
167166 SECTION 6. Section 2054.136, Government Code, is
168167 transferred to Subchapter C, Chapter 2061, Government Code, as
169168 added by this Act, redesignated as Section 2061.0101, Government
170169 Code, and amended to read as follows:
171170 Sec. 2061.0101 [2054.136]. DESIGNATION OF [DESIGNATED]
172171 INFORMATION SECURITY OFFICER. (a) Each state agency shall
173172 designate an information security officer who:
174173 (1) reports to the agency's executive-level
175174 management;
176175 (2) has authority over information security for the
177176 entire agency;
178177 (3) possesses the training and experience required to
179178 perform the duties required by department rules; and
180179 (4) to the extent feasible, has information security
181180 duties as the officer's primary duties.
182181 (b) On the department's approval, two or more state agencies
183182 may jointly designate an information security officer under
184183 Subsection (a) to serve as the information security officer for
185184 each agency.
186185 SECTION 7. Subchapter C, Chapter 2061, Government Code, as
187186 added by this Act, is amended by adding Section 2061.0102 to read as
188187 follows:
189188 Sec. 2061.0102. INFORMATION SECURITY TRAINING. The
190189 department may provide information security training for appointed
191190 board members, agency heads, and executive management of state
192191 agencies that is consistent with the cybersecurity awareness
193192 training provided in Section 2061.0108.
194193 SECTION 8. Section 2054.1125, Government Code, is
195194 transferred to Subchapter C, Chapter 2061, Government Code, as
196195 added by this Act, redesignated as Section 2061.0103, Government
197196 Code, and amended to read as follows:
198197 Sec. 2061.0103 [2054.1125]. SECURITY BREACH NOTIFICATION
199198 BY STATE AGENCY. (a) The information security officer of a [In
200199 this section:
201200 [(1) "Breach of system security" has the meaning
202201 assigned by Section 521.053, Business & Commerce Code.
203202 [(2) "Sensitive personal information" has the meaning
204203 assigned by Section 521.002, Business & Commerce Code.
205204 [(b) A] state agency that owns, licenses, or maintains
206205 computerized data that includes sensitive personal information,
207206 confidential information, or information the disclosure of which is
208207 regulated by law shall, in the event of a breach or suspected breach
209208 of system security or an unauthorized exposure of that information:
210209 (1) comply with the notification requirements of
211210 Section 521.053, Business & Commerce Code, to the same extent as a
212211 person who conducts business in this state; and
213212 (2) not later than 48 hours after the discovery of the
214213 breach, suspected breach, or unauthorized exposure, notify:
215214 (A) the department, including the chief
216215 information security officer [and the state cybersecurity
217216 coordinator]; or
218217 (B) if the breach, suspected breach, or
219218 unauthorized exposure involves election data, the secretary of
220219 state.
221220 (b) Not later than the 10th business day after the date of
222221 the eradication, closure, and recovery from a breach, suspected
223222 breach, or unauthorized exposure, a state agency shall notify the
224223 department, including the chief information security officer, of
225224 the details of the event.
226225 SECTION 9. Sections 2054.077, 2054.133, and 2054.515,
227226 Government Code, are transferred to Subchapter C, Chapter 2061,
228227 Government Code, as added by this Act, redesignated as Sections
229228 2061.0104, 2061.0105, and 2061.0106, Government Code,
230229 respectively, and amended to read as follows:
231230 Sec. 2061.0104 [2054.077]. VULNERABILITY REPORTS.
232231 (a) [In this section, a term defined by Section 33.01, Penal Code,
233232 has the meaning assigned by that section.
234233 [(b)] The information security officer [resources manager]
235234 of a state agency shall prepare or have prepared a report, including
236235 an executive summary of the findings of the biennial report, not
237236 later than October 15 of each even-numbered year, assessing the
238237 extent to which a computer, a computer program, a computer network,
239238 a computer system, a printer, an interface to a computer system,
240239 including mobile and peripheral devices, computer software, or data
241240 processing of the agency or of a contractor of the agency is
242241 vulnerable to unauthorized access or harm, including the extent to
243242 which the agency's or contractor's electronically stored
244243 information is vulnerable to alteration, damage, erasure, or
245244 inappropriate use.
246245 (b) [(c)] Except as provided by this section, a
247246 vulnerability report and any information or communication prepared
248247 or maintained for use in the preparation of a vulnerability report
249248 is confidential and is not subject to disclosure under Chapter 552.
250249 (c) [(d)] The information security officer of a state
251250 agency [resources manager] shall provide an electronic copy of the
252251 vulnerability report on its completion to:
253252 (1) the department;
254253 (2) the state auditor;
255254 (3) the agency's executive director; [and]
256255 (4) the agency's designated information resources
257256 manager; and
258257 (5) any other information technology security
259258 oversight group specifically authorized by the legislature to
260259 receive the report.
261260 (d) [(e)] Separate from the executive summary described by
262261 Subsection (a) [(b)], the information security officer of a state
263262 agency shall prepare a summary of the agency's vulnerability report
264263 that does not contain any information the release of which might
265264 compromise the security of the state agency's or state agency
266265 contractor's computers, computer programs, computer networks,
267266 computer systems, printers, interfaces to computer systems,
268267 including mobile and peripheral devices, computer software, data
269268 processing, or electronically stored information. The summary is
270269 available to the public on request.
271270 Sec. 2061.0105 [2054.133]. INFORMATION SECURITY PLAN.
272271 (a) Each state agency shall develop, and periodically update, an
273272 information security plan for protecting the security of the
274273 agency's information.
275274 (b) In developing the plan, the state agency shall:
276275 (1) consider any vulnerability report prepared under
277276 Section 2061.0104 [2054.077] for the agency;
278277 (2) incorporate the network security services
279278 provided by the department to the agency under Chapter 2059;
280279 (3) identify and define the responsibilities of agency
281280 staff who produce, access, use, or serve as custodians of the
282281 agency's information;
283282 (4) identify risk management and other measures taken
284283 to protect the agency's information from unauthorized access,
285284 disclosure, modification, or destruction;
286285 (5) include:
287286 (A) the best practices for information security
288287 developed by the department; or
289288 (B) a written explanation of why the best
290289 practices are not sufficient for the agency's security; and
291290 (6) omit from any written copies of the plan
292291 information that could expose vulnerabilities in the agency's
293292 network or online systems.
294293 (c) Not later than October 15 of each even-numbered year,
295294 each state agency shall submit a copy of the agency's information
296295 security plan to the department. Subject to available resources,
297296 the department may select a portion of the submitted security plans
298297 to be assessed by the department in accordance with department
299298 rules.
300299 (d) Each state agency's information security plan is
301300 confidential and exempt from disclosure under Chapter 552.
302301 (e) Each state agency shall include in the agency's
303302 information security plan a written document that is signed by
304303 [acknowledgment that] the [executive director or other] head of the
305304 agency, the chief financial officer, and each executive manager
306305 [as] designated by the state agency and that states that those
307306 persons have been made aware of the risks revealed during the
308307 preparation of the agency's information security plan.
309308 (f) Not later than January 13 of each odd-numbered year, the
310309 department shall submit a written report to the governor, the
311310 lieutenant governor, and the legislature evaluating information
312311 security for this state's information resources. In preparing the
313312 report, the department shall consider the information security
314313 plans submitted by state agencies under this section, any
315314 vulnerability reports submitted under Section 2061.0104
316315 [2054.077], and other available information regarding the security
317316 of this state's information resources. The department shall omit
318317 from any written copies of the report information that could expose
319318 specific vulnerabilities in the security of this state's
320319 information resources.
321320 Sec. 2061.0106 [2054.515]. STATE AGENCY INFORMATION
322321 SECURITY ASSESSMENT AND REPORT. (a) At least once every two
323322 years, each state agency shall conduct an information security
324323 assessment of the agency's information resources systems, network
325324 systems, digital data storage systems, digital data security
326325 measures, and information resources vulnerabilities.
327326 (b) Not later than December 1 of the year in which a state
328327 agency conducts the assessment under Subsection (a), the agency
329328 shall report the results of the assessment to the department. The[,
330329 the] governor, the lieutenant governor, and the speaker of the
331330 house of representatives may obtain the report upon request to the
332331 department.
333332 (c) The department by rule shall [may] establish the
334333 requirements for the information security assessment and report
335334 required by this section.
336335 SECTION 10. Section 2054.516, Government Code, as added by
337336 Chapters 683 (H.B. 8) and 955 (S.B. 1910), Acts of the 85th
338337 Legislature, Regular Session, 2017, is reenacted, transferred to
339338 Subchapter C, Chapter 2061, Government Code, as added by this Act,
340339 redesignated as Section 2061.0107, Government Code, and amended to
341340 read as follows:
342341 Sec. 2061.0107 [2054.516]. DATA SECURITY PLAN FOR ONLINE
343342 AND MOBILE APPLICATIONS OF STATE AGENCIES. (a) Each state
344343 agency[, other than an institution of higher education subject to
345344 Section 2054.517,] implementing an Internet website or mobile
346345 application that processes any sensitive [personal] personally
347346 identifiable information or confidential information must:
348347 (1) submit a biennial data security plan to the
349348 department not later than October 15 of each even-numbered year to
350349 establish planned beta testing for the website or application; and
351350 (2) subject the website or application to a
352351 vulnerability and penetration test and address any vulnerability
353352 identified in the test.
354353 (b) The department shall review each data security plan
355354 submitted under Subsection (a) and make any recommendations for
356355 changes to the plan to the state agency as soon as practicable after
357356 the department reviews the plan.
358357 SECTION 11. Section 2054.135, Government Code, is
359358 transferred to Subchapter C, Chapter 2061, Government Code, as
360359 added by this Act, and redesignated as Section 2061.0108,
361360 Government Code, to read as follows:
362361 Sec. 2061.0108 [2054.135]. DATA USE AGREEMENT. (a) Each
363362 state agency shall develop a data use agreement for use by the
364363 agency that meets the particular needs of the agency and is
365364 consistent with rules adopted by the department that relate to
366365 information security standards for state agencies.
367366 (b) A state agency shall update the data use agreement at
368367 least biennially, but may update the agreement at any time as
369368 necessary to accommodate best practices in data management.
370369 (c) A state agency shall distribute the data use agreement
371370 developed under this section, and each update to that agreement, to
372371 employees of the agency who handle sensitive information, including
373372 financial, medical, personnel, or student data. The employee shall
374373 sign the data use agreement distributed and each update to the
375374 agreement.
376375 (d) To the extent possible, a state agency shall provide
377376 employees described by Subsection (c) with cybersecurity awareness
378377 training to coincide with the distribution of:
379378 (1) the data use agreement required under this
380379 section; and
381380 (2) each biennial update to that agreement.
382381 SECTION 12. Subchapter C, Chapter 2061, Government Code, as
383382 added by this Act, is amended by adding Section 2061.0109 to read as
384383 follows:
385384 Sec. 2061.0109. BIENNIAL INFORMATION SECURITY REPORT. Not
386385 later than October 15 of each even-numbered year, the information
387386 security officer of each state agency shall submit an information
388387 security report for the agency. The report must include:
389388 (1) the vulnerability report required under Section
390389 2061.0104;
391390 (2) the information security plan developed under
392391 Section 2061.0105;
393392 (3) the information security assessment developed
394393 under Section 2061.0106;
395394 (4) the data security plan for online and mobile
396395 applications required under Section 2061.0107; and
397396 (5) the recommendations for cybersecurity and
398397 information resources and technology security training established
399398 under Section 2061.0155.
400399 SECTION 13. Chapter 2061, Government Code, as added by this
401400 Act, is amended by adding Subchapter D, and a heading is added to
402401 that subchapter to read as follows:
403402 SUBCHAPTER D. STATE CYBERSECURITY AND STATE CYBERSECURITY
404403 COORDINATOR
405404 SECTION 14. Sections 2054.511 and 2054.518, Government
406405 Code, are transferred to Subchapter D, Chapter 2061, Government
407406 Code, as added by this Act, redesignated as Sections 2061.0151 and
408407 2061.0154, Government Code, respectively, and amended to read as
409408 follows:
410409 Sec. 2061.0151 [2054.511]. DESIGNATION OF STATE
411410 CYBERSECURITY COORDINATOR. The executive director of the
412411 department shall designate an employee of the department as the
413412 state cybersecurity coordinator to oversee cybersecurity matters
414413 for this state.
415414 Sec. 2061.0154 [2054.518]. CYBERSECURITY RISKS AND
416415 INCIDENTS. (a) The department shall develop a plan to address
417416 cybersecurity risks and incidents in this state. The department
418417 may enter into an agreement with a national organization, including
419418 the National Cybersecurity Preparedness Consortium, to support the
420419 department's efforts in implementing the components of the plan for
421420 which the department lacks resources to address internally. The
422421 agreement may include provisions for:
423422 (1) providing fee reimbursement for appropriate
424423 industry-recognized certification examinations for and training to
425424 state agency personnel [agencies] preparing for and responding to
426425 cybersecurity risks and incidents;
427426 (2) developing and maintaining a cybersecurity risks
428427 and incidents curriculum using existing programs and models for
429428 training state agency personnel [agencies];
430429 (3) delivering to state agency personnel with access
431430 to state agency networks routine training related to appropriately
432431 protecting and maintaining information technology systems and
433432 devices, implementing cybersecurity best practices, and mitigating
434433 cybersecurity risks and vulnerabilities;
435434 (4) providing technical assistance services to
436435 support preparedness for and response to cybersecurity risks and
437436 incidents;
438437 (5) conducting cybersecurity training and simulation
439438 exercises for state agency personnel [agencies] to encourage
440439 coordination in defending against and responding to cybersecurity
441440 risks and incidents;
442441 (6) assisting state agencies in developing
443442 cybersecurity information-sharing programs to disseminate
444443 information related to cybersecurity risks and incidents; and
445444 (7) incorporating cybersecurity risk and incident
446445 prevention and response methods into existing state emergency
447446 plans, including continuity of operation plans and incident
448447 response plans.
449448 (b) In implementing the provisions of the agreement
450449 prescribed by Subsection (a), the department shall seek to prevent
451450 unnecessary duplication of existing programs or efforts of the
452451 department or another state agency.
453452 (c) In selecting an organization under Subsection (a), the
454453 department shall consider the organization's previous experience
455454 in conducting cybersecurity training and exercises for state
456455 agencies and political subdivisions.
457456 (d) The department shall consult with institutions of
458457 higher education in this state when appropriate based on an
459458 institution's expertise in addressing specific cybersecurity risks
460459 and incidents.
461460 SECTION 15. Sections 2054.512 and 2054.513, Government
462461 Code, are transferred to Subchapter D, Chapter 2061, Government
463462 Code, as added by this Act, and redesignated as Sections 2061.0152
464463 and 2061.0153, Government Code, respectively, to read as follows:
465464 Sec. 2061.0152 [2054.512]. CYBERSECURITY COUNCIL.
466465 (a) The state cybersecurity coordinator shall establish and lead a
467466 cybersecurity council that includes public and private sector
468467 leaders and cybersecurity practitioners to collaborate on matters
469468 of cybersecurity concerning this state.
470469 (b) The cybersecurity council must include:
471470 (1) one member who is an employee of the office of the
472471 governor;
473472 (2) one member of the senate appointed by the
474473 lieutenant governor;
475474 (3) one member of the house of representatives
476475 appointed by the speaker of the house of representatives; and
477476 (4) additional members appointed by the state
478477 cybersecurity coordinator, including representatives of
479478 institutions of higher education and private sector leaders.
480479 (c) In appointing representatives from institutions of
481480 higher education to the cybersecurity council, the state
482481 cybersecurity coordinator shall consider appointing members of the
483482 Information Technology Council for Higher Education.
484483 (d) The cybersecurity council shall:
485484 (1) consider the costs and benefits of establishing a
486485 computer emergency readiness team to address cyber attacks
487486 occurring in this state during routine and emergency situations;
488487 (2) establish criteria and priorities for addressing
489488 cybersecurity threats to critical state installations;
490489 (3) consolidate and synthesize best practices to
491490 assist state agencies in understanding and implementing
492491 cybersecurity measures that are most beneficial to this state; and
493492 (4) assess the knowledge, skills, and capabilities of
494493 the existing information technology and cybersecurity workforce to
495494 mitigate and respond to cyber threats and develop recommendations
496495 for addressing immediate workforce deficiencies and ensuring a
497496 long-term pool of qualified applicants.
498497 (e) The cybersecurity council shall provide recommendations
499498 to the legislature on any legislation necessary to implement
500499 cybersecurity best practices and remediation strategies for this
501500 state.
502501 Sec. 2061.0153 [2054.513]. CYBERSECURITY APPROVAL SEAL.
503502 The state cybersecurity coordinator may establish a voluntary
504503 program that recognizes private and public entities functioning
505504 with exemplary cybersecurity practices.
506505 SECTION 16. Subchapter D, Chapter 2061, Government Code, as
507506 added by this Act, is amended by adding Section 2061.0155 to read as
508507 follows:
509508 Sec. 2061.0155. RECOMMENDATIONS FOR CYBERSECURITY AND
510509 INFORMATION RESOURCES AND TECHNOLOGY SECURITY TRAINING. The
511510 department shall develop recommendations for cybersecurity and
512511 information resources and technology security training for state
513512 agency personnel and post those recommendations on the department's
514513 Internet website.
515514 SECTION 17. Section 815.103, Government Code, is amended by
516515 adding Subsection (g) to read as follows:
517516 (g) The retirement system shall comply with cybersecurity
518517 and information security standards established by the Department of
519518 Information Resources under Chapter 2061.
520519 SECTION 18. Section 825.103, Government Code, is amended by
521520 amending Subsection (e) and adding Subsection (e-1) to read as
522521 follows:
523522 (e) Except as provided by Subsection (e-1), Chapters 2054,
524523 [and] 2055, and 2061 do not apply to the retirement system. The
525524 board of trustees shall control all aspects of information
526525 technology and associated resources relating to the retirement
527526 system, including computer, data management, and telecommunication
528527 operations, procurement of hardware, software, and middleware, and
529528 telecommunication equipment and systems, location, operation, and
530529 replacement of computers, computer systems, and telecommunication
531530 systems, data processing, security, disaster recovery, and
532531 storage. The Department of Information Resources shall assist the
533532 retirement system at the request of the retirement system, and the
534533 retirement system may use any service that is available through
535534 that department.
536535 (e-1) The retirement system shall comply with cybersecurity
537536 and information security standards established by the Department of
538537 Information Resources under Chapter 2061.
539538 SECTION 19. The following provisions of the Government Code
540539 are repealed:
541540 (1) Section 2054.076(b-1);
542541 (2) Section 2054.514;
543542 (3) Section 2054.517; and
544543 (4) the heading to Subchapter N-1, Chapter 2054.
545544 SECTION 20. (a) As soon as practicable after the effective
546545 date of this Act, but not later than August 31, 2020, the Department
547546 of Information Resources shall adopt rules necessary to implement
548547 the changes in law made by this Act.
549548 (b) A rule adopted by the Department of Information
550549 Resources under Chapter 2054, Government Code, related to
551550 information security and cybersecurity continues in effect under
552551 Chapter 2061, Government Code, as added by this Act.
553552 SECTION 21. To the extent of any conflict, this Act prevails
554553 over another Act of the 86th Legislature, Regular Session, 2019,
555554 relating to nonsubstantive additions to and corrections in enacted
556555 codes.
557556 SECTION 22. This Act takes effect September 1, 2019.