By: Paxton S.B. No. 1779
(Parker)
A BILL TO BE ENTITLED
AN ACT
relating to security for state agency information and information
technologies.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Subtitle B, Title 10, Government Code, is
amended by adding Chapter 2061, and a heading is added to that
chapter to read as follows:
CHAPTER 2061. INFORMATION SECURITY
SECTION 2. Chapter 2061, Government Code, as added by this
Act, is amended by adding Subchapter A to read as follows:
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 2061.0001. DEFINITIONS. In this chapter:
(1) "Breach of system security" has the meaning
assigned by Section 521.053(a), Business & Commerce Code.
(2) "Computer," "computer network," "computer
program," "computer system," and "computer software" have the
meanings assigned by Section 33.01, Penal Code.
(3) "Confidential information" means information that
is required to be protected from unauthorized disclosure or public
release under state or federal law or a legal agreement.
(4) "Cybersecurity" means the measures taken to
protect a computer or computer system against unauthorized use or
access.
(5) "Data" has the meaning assigned by Section 33.01,
Penal Code.
(6) "Department" means the Department of Information
Resources.
(7) "Information resources" has the meaning assigned
by Section 2054.003.
(8) "Information security" means the protection of
information and information systems from unauthorized access, use,
disclosure, disruption, modification, or destruction to maintain
the confidentiality, integrity, and availability of the
information.
(9) "Risk management" means the process of aligning
information resources risk exposure with the organization's risk
tolerance by accepting, transferring, or mitigating risk
exposures.
(10) "Security incident" means an event that results
in the accidental or deliberate unauthorized access, loss,
disclosure, disruption, modification, or destruction of
information or information resources.
(11) "Sensitive personal information" has the meaning
assigned by Section 521.002, Business & Commerce Code.
(12) "State agency" has the meaning assigned by
Section 2054.003.
(13) "Vulnerability" means a weakness in a system,
application, or network that is subject to exploitation or misuse.
Sec. 2061.0002. GENERAL POWERS OF DEPARTMENT. (a) The
department may adopt rules as necessary to implement its
responsibilities under this chapter.
(b) The department may require each state agency to report
to the department:
(1) each agency's use of information security and
cybersecurity technologies;
(2) the effect of those technologies on the duties and
functions of the agency;
(3) the costs incurred by the agency in the
acquisition and use of those technologies;
(4) the procedures followed in obtaining those
technologies; and
(5) other information relating to information
security and cybersecurity management that in the judgment of the
department should be reported.
(c) At the request of a state agency, the department may
provide technical and managerial assistance relating to
information security and cybersecurity management and
technologies.
(d) The department may report to the governor and to the
presiding officer of each house of the legislature any factors that
in the opinion of the department are outside the duties of the
department but that inhibit or promote effective communication
about and the use of information security and cybersecurity in
state government.
SECTION 3. Chapter 2061, Government Code, as added by this
Act, is amended by adding Subchapter B, and a heading is added to
that subchapter to read as follows:
SUBCHAPTER B. GENERAL DUTIES RELATED TO CYBERSECURITY
SECTION 4. Sections 2054.059, 2054.0591, 2054.0592, and
2054.0594, Government Code, are transferred to Subchapter B,
Chapter 2061, Government Code, as added by this Act, and
redesignated as Sections 2061.0051, 2061.0052, 2061.0053, and
2061.0054, Government Code, respectively, and amended to read as
follows:
Sec. 2061.0051 [2054.059]. CYBERSECURITY. From available
funds, the department shall:
(1) establish and administer a clearinghouse for
information relating to all aspects of protecting the cybersecurity
of state agency information;
(2) develop strategies and a framework for:
(A) the securing of cyberinfrastructure by state
agencies, including critical infrastructure; and
(B) cybersecurity risk assessment and mitigation
planning;
(3) develop and provide training to state agencies on
cybersecurity measures and awareness;
(4) provide assistance to state agencies on request
regarding the strategies and framework developed under Subdivision
(2); and
(5) promote public awareness of cybersecurity issues.
Sec. 2061.0052 [2054.0591]. CYBERSECURITY REPORT.
(a) Not later than November 15 of each even-numbered year, the
department shall submit to the governor, the lieutenant governor,
the speaker of the house of representatives, and the standing
committee of each house of the legislature with primary
jurisdiction over state government operations a report identifying
preventive and recovery efforts the state can undertake to improve
cybersecurity in this state. The report must include:
(1) an assessment of the resources available to
address the operational and financial impacts of a cybersecurity
event;
(2) a review of existing statutes regarding
cybersecurity and information resources technologies;
(3) recommendations for legislative action to
increase the state's cybersecurity and protect against adverse
impacts from a cybersecurity event; and
(4) an evaluation of a program that provides an
information security officer to assist small state agencies and
local governments that are unable to justify hiring a full-time
information security officer [the costs and benefits of
cybersecurity insurance; and
[(5) an evaluation of tertiary disaster recovery
options].
(b) The department or a recipient of a report under this
section may redact or withhold information confidential under
Chapter 552, including Section 552.139, or other state or federal
law that is contained in the report in response to a request under
Chapter 552 without the necessity of requesting a decision from the
attorney general under Subchapter G, Chapter 552.
Sec. 2061.0053 [2054.0592]. CYBERSECURITY EMERGENCY
FUNDING. If a cybersecurity event creates a need for emergency
funding, the department may request that the governor or
Legislative Budget Board make a proposal under Chapter 317 to
provide funding to manage the operational and financial impacts
from the cybersecurity event.
Sec. 2061.0054 [2054.0594]. INFORMATION SHARING AND
ANALYSIS ORGANIZATION [CENTER]. (a) The department shall
establish an information sharing and analysis organization
[center] to provide a forum for state agencies, local governments,
public and private institutions of higher education, and the
private sector to share information regarding cybersecurity
threats, best practices, and remediation strategies.
(b) [The department shall appoint persons from appropriate
state agencies to serve as representatives to the information
sharing and analysis center.
[(c)] The department[, using funds other than funds
appropriated to the department in a general appropriations act,]
shall provide administrative support to the information sharing and
analysis organization [center].
(c) A participant in the information sharing and analysis
organization shall assert any exception available under state or
federal law, including Section 552.139, in response to a request
for public disclosure of information shared through the
organization.
(d) A participant described by Subsection (c) may not make a
voluntary disclosure under Section 552.007.
SECTION 5. Chapter 2061, Government Code, as added by this
Act, is amended by adding Subchapter C, and a heading is added to
that subchapter to read as follows:
SUBCHAPTER C. INFORMATION SECURITY OFFICER; INFORMATION SECURITY
TRAINING AND REPORTS
SECTION 6. Section 2054.136, Government Code, is
transferred to Subchapter C, Chapter 2061, Government Code, as
added by this Act, redesignated as Section 2061.0101, Government
Code, and amended to read as follows:
Sec. 2061.0101 [2054.136]. DESIGNATION OF [DESIGNATED]
INFORMATION SECURITY OFFICER. (a) Each state agency shall
designate an information security officer who:
(1) reports to the agency's executive-level
management;
(2) has authority over information security for the
entire agency;
(3) possesses the training and experience required to
perform the duties required by department rules; and
(4) to the extent feasible, has information security
duties as the officer's primary duties.
(b) On the department's approval, two or more state agencies
may jointly designate an information security officer under
Subsection (a) to serve as the information security officer for
each agency.
SECTION 7. Subchapter C, Chapter 2061, Government Code, as
added by this Act, is amended by adding Section 2061.0102 to read as
follows:
Sec. 2061.0102. INFORMATION SECURITY TRAINING. The
department may provide information security training for appointed
board members, agency heads, and executive management of state
agencies that is consistent with the cybersecurity awareness
training provided in Section 2061.0108.
SECTION 8. Section 2054.1125, Government Code, is
transferred to Subchapter C, Chapter 2061, Government Code, as
added by this Act, redesignated as Section 2061.0103, Government
Code, and amended to read as follows:
Sec. 2061.0103 [2054.1125]. SECURITY BREACH NOTIFICATION
BY STATE AGENCY. (a) The information security officer of a [In
this section:
[(1) "Breach of system security" has the meaning
assigned by Section 521.053, Business & Commerce Code.
[(2) "Sensitive personal information" has the meaning
assigned by Section 521.002, Business & Commerce Code.
[(b) A] state agency that owns, licenses, or maintains
computerized data that includes sensitive personal information,
confidential information, or information the disclosure of which is
regulated by law shall, in the event of a breach or suspected breach
of system security or an unauthorized exposure of that information:
(1) comply with the notification requirements of
Section 521.053, Business & Commerce Code, to the same extent as a
person who conducts business in this state; and
(2) not later than 48 hours after the discovery of the
breach, suspected breach, or unauthorized exposure, notify:
(A) the department, including the chief
information security officer [and the state cybersecurity
coordinator]; or
(B) if the breach, suspected breach, or
unauthorized exposure involves election data, the secretary of
state.
(b) Not later than the 10th business day after the date of
the eradication, closure, and recovery from a breach, suspected
breach, or unauthorized exposure, a state agency shall notify the
department, including the chief information security officer, of
the details of the event.
SECTION 9. Sections 2054.077, 2054.133, and 2054.515,
Government Code, are transferred to Subchapter C, Chapter 2061,
Government Code, as added by this Act, redesignated as Sections
2061.0104, 2061.0105, and 2061.0106, Government Code,
respectively, and amended to read as follows:
Sec. 2061.0104 [2054.077]. VULNERABILITY REPORTS.
(a) [In this section, a term defined by Section 33.01, Penal Code,
has the meaning assigned by that section.
[(b)] The information security officer [resources manager]
of a state agency shall prepare or have prepared a report, including
an executive summary of the findings of the biennial report, not
later than October 15 of each even-numbered year, assessing the
extent to which a computer, a computer program, a computer network,
a computer system, a printer, an interface to a computer system,
including mobile and peripheral devices, computer software, or data
processing of the agency or of a contractor of the agency is
vulnerable to unauthorized access or harm, including the extent to
which the agency's or contractor's electronically stored
information is vulnerable to alteration, damage, erasure, or
inappropriate use.
(b) [(c)] Except as provided by this section, a
vulnerability report and any information or communication prepared
or maintained for use in the preparation of a vulnerability report
is confidential and is not subject to disclosure under Chapter 552.
(c) [(d)] The information security officer of a state
agency [resources manager] shall provide an electronic copy of the
vulnerability report on its completion to:
(1) the department;
(2) the state auditor;
(3) the agency's executive director; [and]
(4) the agency's designated information resources
manager; and
(5) any other information technology security
oversight group specifically authorized by the legislature to
receive the report.
(d) [(e)] Separate from the executive summary described by
Subsection (a) [(b)], the information security officer of a state
agency shall prepare a summary of the agency's vulnerability report
that does not contain any information the release of which might
compromise the security of the state agency's or state agency
contractor's computers, computer programs, computer networks,
computer systems, printers, interfaces to computer systems,
including mobile and peripheral devices, computer software, data
processing, or electronically stored information. The summary is
available to the public on request.
Sec. 2061.0105 [2054.133]. INFORMATION SECURITY PLAN.
(a) Each state agency shall develop, and periodically update, an
information security plan for protecting the security of the
agency's information.
(b) In developing the plan, the state agency shall:
(1) consider any vulnerability report prepared under
Section 2061.0104 [2054.077] for the agency;
(2) incorporate the network security services
provided by the department to the agency under Chapter 2059;
(3) identify and define the responsibilities of agency
staff who produce, access, use, or serve as custodians of the
agency's information;
(4) identify risk management and other measures taken
to protect the agency's information from unauthorized access,
disclosure, modification, or destruction;
(5) include:
(A) the best practices for information security
developed by the department; or
(B) a written explanation of why the best
practices are not sufficient for the agency's security; and
(6) omit from any written copies of the plan
information that could expose vulnerabilities in the agency's
network or online systems.
(c) Not later than October 15 of each even-numbered year,
each state agency shall submit a copy of the agency's information
security plan to the department. Subject to available resources,
the department may select a portion of the submitted security plans
to be assessed by the department in accordance with department
rules.
(d) Each state agency's information security plan is
confidential and exempt from disclosure under Chapter 552.
(e) Each state agency shall include in the agency's
information security plan a written document that is signed by
[acknowledgment that] the [executive director or other] head of the
agency, the chief financial officer, and each executive manager
[as] designated by the state agency and that states that those
persons have been made aware of the risks revealed during the
preparation of the agency's information security plan.
(f) Not later than January 13 of each odd-numbered year, the
department shall submit a written report to the governor, the
lieutenant governor, and the legislature evaluating information
security for this state's information resources. In preparing the
report, the department shall consider the information security
plans submitted by state agencies under this section, any
vulnerability reports submitted under Section 2061.0104
[2054.077], and other available information regarding the security
of this state's information resources. The department shall omit
from any written copies of the report information that could expose
specific vulnerabilities in the security of this state's
information resources.
Sec. 2061.0106 [2054.515]. STATE AGENCY INFORMATION
SECURITY ASSESSMENT AND REPORT. (a) At least once every two
years, each state agency shall conduct an information security
assessment of the agency's information resources systems, network
systems, digital data storage systems, digital data security
measures, and information resources vulnerabilities.
(b) Not later than December 1 of the year in which a state
agency conducts the assessment under Subsection (a), the agency
shall report the results of the assessment to the department. The[,
the] governor, the lieutenant governor, and the speaker of the
house of representatives may obtain the report upon request to the
department.
(c) The department by rule shall [may] establish the
requirements for the information security assessment and report
required by this section.
SECTION 10. Section 2054.516, Government Code, as added by
Chapters 683 (H.B. 8) and 955 (S.B. 1910), Acts of the 85th
Legislature, Regular Session, 2017, is reenacted, transferred to
Subchapter C, Chapter 2061, Government Code, as added by this Act,
redesignated as Section 2061.0107, Government Code, and amended to
read as follows:
Sec. 2061.0107 [2054.516]. DATA SECURITY PLAN FOR ONLINE
AND MOBILE APPLICATIONS OF STATE AGENCIES. (a) Each state
agency[, other than an institution of higher education subject to
Section 2054.517,] implementing an Internet website or mobile
application that processes any sensitive [personal] personally
identifiable information or confidential information must:
(1) submit a biennial data security plan to the
department not later than October 15 of each even-numbered year to
establish planned beta testing for the website or application; and
(2) subject the website or application to a
vulnerability and penetration test and address any vulnerability
identified in the test.
(b) The department shall review each data security plan
submitted under Subsection (a) and make any recommendations for
changes to the plan to the state agency as soon as practicable after
the department reviews the plan.
SECTION 11. Section 2054.135, Government Code, is
transferred to Subchapter C, Chapter 2061, Government Code, as
added by this Act, and redesignated as Section 2061.0108,
Government Code, to read as follows:
Sec. 2061.0108 [2054.135]. DATA USE AGREEMENT. (a) Each
state agency shall develop a data use agreement for use by the
agency that meets the particular needs of the agency and is
consistent with rules adopted by the department that relate to
information security standards for state agencies.
(b) A state agency shall update the data use agreement at
least biennially, but may update the agreement at any time as
necessary to accommodate best practices in data management.
(c) A state agency shall distribute the data use agreement
developed under this section, and each update to that agreement, to
employees of the agency who handle sensitive information, including
financial, medical, personnel, or student data. The employee shall
sign the data use agreement distributed and each update to the
agreement.
(d) To the extent possible, a state agency shall provide
employees described by Subsection (c) with cybersecurity awareness
training to coincide with the distribution of:
(1) the data use agreement required under this
section; and
(2) each biennial update to that agreement.
SECTION 12. Subchapter C, Chapter 2061, Government Code, as
added by this Act, is amended by adding Section 2061.0109 to read as
follows:
Sec. 2061.0109. BIENNIAL INFORMATION SECURITY REPORT. Not
later than October 15 of each even-numbered year, the information
security officer of each state agency shall submit an information
security report for the agency. The report must include:
(1) the vulnerability report required under Section
2061.0104;
(2) the information security plan developed under
Section 2061.0105;
(3) the information security assessment developed
under Section 2061.0106;
(4) the data security plan for online and mobile
applications required under Section 2061.0107; and
(5) the recommendations for cybersecurity and
information resources and technology security training established
under Section 2061.0155.
SECTION 13. Chapter 2061, Government Code, as added by this
Act, is amended by adding Subchapter D, and a heading is added to
that subchapter to read as follows:
SUBCHAPTER D. STATE CYBERSECURITY AND STATE CYBERSECURITY
COORDINATOR
SECTION 14. Sections 2054.511 and 2054.518, Government
Code, are transferred to Subchapter D, Chapter 2061, Government
Code, as added by this Act, redesignated as Sections 2061.0151 and
2061.0154, Government Code, respectively, and amended to read as
follows:
Sec. 2061.0151 [2054.511]. DESIGNATION OF STATE
CYBERSECURITY COORDINATOR. The executive director of the
department shall designate an employee of the department as the
state cybersecurity coordinator to oversee cybersecurity matters
for this state.
Sec. 2061.0154 [2054.518]. CYBERSECURITY RISKS AND
INCIDENTS. (a) The department shall develop a plan to address
cybersecurity risks and incidents in this state. The department
may enter into an agreement with a national organization, including
the National Cybersecurity Preparedness Consortium, to support the
department's efforts in implementing the components of the plan for
which the department lacks resources to address internally. The
agreement may include provisions for:
(1) providing fee reimbursement for appropriate
industry-recognized certification examinations for and training to
state agency personnel [agencies] preparing for and responding to
cybersecurity risks and incidents;
(2) developing and maintaining a cybersecurity risks
and incidents curriculum using existing programs and models for
training state agency personnel [agencies];
(3) delivering to state agency personnel with access
to state agency networks routine training related to appropriately
protecting and maintaining information technology systems and
devices, implementing cybersecurity best practices, and mitigating
cybersecurity risks and vulnerabilities;
(4) providing technical assistance services to
support preparedness for and response to cybersecurity risks and
incidents;
(5) conducting cybersecurity training and simulation
exercises for state agency personnel [agencies] to encourage
coordination in defending against and responding to cybersecurity
risks and incidents;
(6) assisting state agencies in developing
cybersecurity information-sharing programs to disseminate
information related to cybersecurity risks and incidents; and
(7) incorporating cybersecurity risk and incident
prevention and response methods into existing state emergency
plans, including continuity of operation plans and incident
response plans.
(b) In implementing the provisions of the agreement
prescribed by Subsection (a), the department shall seek to prevent
unnecessary duplication of existing programs or efforts of the
department or another state agency.
(c) In selecting an organization under Subsection (a), the
department shall consider the organization's previous experience
in conducting cybersecurity training and exercises for state
agencies and political subdivisions.
(d) The department shall consult with institutions of
higher education in this state when appropriate based on an
institution's expertise in addressing specific cybersecurity risks
and incidents.
SECTION 15. Sections 2054.512 and 2054.513, Government
Code, are transferred to Subchapter D, Chapter 2061, Government
Code, as added by this Act, and redesignated as Sections 2061.0152
and 2061.0153, Government Code, respectively, to read as follows:
Sec. 2061.0152 [2054.512]. CYBERSECURITY COUNCIL.
(a) The state cybersecurity coordinator shall establish and lead a
cybersecurity council that includes public and private sector
leaders and cybersecurity practitioners to collaborate on matters
of cybersecurity concerning this state.
(b) The cybersecurity council must include:
(1) one member who is an employee of the office of the
governor;
(2) one member of the senate appointed by the
lieutenant governor;
(3) one member of the house of representatives
appointed by the speaker of the house of representatives; and
(4) additional members appointed by the state
cybersecurity coordinator, including representatives of
institutions of higher education and private sector leaders.
(c) In appointing representatives from institutions of
higher education to the cybersecurity council, the state
cybersecurity coordinator shall consider appointing members of the
Information Technology Council for Higher Education.
(d) The cybersecurity council shall:
(1) consider the costs and benefits of establishing a
computer emergency readiness team to address cyber attacks
occurring in this state during routine and emergency situations;
(2) establish criteria and priorities for addressing
cybersecurity threats to critical state installations;
(3) consolidate and synthesize best practices to
assist state agencies in understanding and implementing
cybersecurity measures that are most beneficial to this state; and
(4) assess the knowledge, skills, and capabilities of
the existing information technology and cybersecurity workforce to
mitigate and respond to cyber threats and develop recommendations
for addressing immediate workforce deficiencies and ensuring a
long-term pool of qualified applicants.
(e) The cybersecurity council shall provide recommendations
to the legislature on any legislation necessary to implement
cybersecurity best practices and remediation strategies for this
state.
Sec. 2061.0153 [2054.513]. CYBERSECURITY APPROVAL SEAL.
The state cybersecurity coordinator may establish a voluntary
program that recognizes private and public entities functioning
with exemplary cybersecurity practices.
SECTION 16. Subchapter D, Chapter 2061, Government Code, as
added by this Act, is amended by adding Section 2061.0155 to read as
follows:
Sec. 2061.0155. RECOMMENDATIONS FOR CYBERSECURITY AND
INFORMATION RESOURCES AND TECHNOLOGY SECURITY TRAINING. The
department shall develop recommendations for cybersecurity and
information resources and technology security training for state
agency personnel and post those recommendations on the department's
Internet website.
SECTION 17. Section 815.103, Government Code, is amended by
adding Subsection (g) to read as follows:
(g) The retirement system shall comply with cybersecurity
and information security standards established by the Department of
Information Resources under Chapter 2061.
SECTION 18. Section 825.103, Government Code, is amended by
amending Subsection (e) and adding Subsection (e-1) to read as
follows:
(e) Except as provided by Subsection (e-1), Chapters 2054,
[and] 2055, and 2061 do not apply to the retirement system. The
board of trustees shall control all aspects of information
technology and associated resources relating to the retirement
system, including computer, data management, and telecommunication
operations, procurement of hardware, software, and middleware, and
telecommunication equipment and systems, location, operation, and
replacement of computers, computer systems, and telecommunication
systems, data processing, security, disaster recovery, and
storage. The Department of Information Resources shall assist the
retirement system at the request of the retirement system, and the
retirement system may use any service that is available through
that department.
(e-1) The retirement system shall comply with cybersecurity
and information security standards established by the Department of
Information Resources under Chapter 2061.
SECTION 19. The following provisions of the Government Code
are repealed:
(1) Section 2054.076(b-1);
(2) Section 2054.514;
(3) Section 2054.517; and
(4) the heading to Subchapter N-1, Chapter 2054.
SECTION 20. (a) As soon as practicable after the effective
date of this Act, but not later than August 31, 2020, the Department
of Information Resources shall adopt rules necessary to implement
the changes in law made by this Act.
(b) A rule adopted by the Department of Information
Resources under Chapter 2054, Government Code, related to
information security and cybersecurity continues in effect under
Chapter 2061, Government Code, as added by this Act.
SECTION 21. To the extent of any conflict, this Act prevails
over another Act of the 86th Legislature, Regular Session, 2019,
relating to nonsubstantive additions to and corrections in enacted
codes.
SECTION 22. This Act takes effect September 1, 2019.