| 4 | 12 | | AN ACT |
|---|
| 5 | 13 | | relating to state agency and local government compliance with |
|---|
| 6 | 14 | | cybersecurity training requirements. |
|---|
| 7 | 15 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 8 | 16 | | SECTION 1. Subchapter A, Chapter 772, Government Code, is |
|---|
| 9 | 17 | | amended by adding Section 772.012 to read as follows: |
|---|
| 10 | 18 | | Sec. 772.012. COMPLIANCE WITH CYBERSECURITY TRAINING |
|---|
| 11 | 19 | | REQUIREMENTS. (a) In this section, "local government" has the |
|---|
| 12 | 20 | | meaning assigned by Section 2054.003. |
|---|
| 13 | 21 | | (b) To apply for a grant under this chapter, a local |
|---|
| 14 | 22 | | government must submit with the grant application a written |
|---|
| 15 | 23 | | certification of the local government's compliance with the |
|---|
| 16 | 24 | | cybersecurity training required by Section 2054.5191. |
|---|
| 17 | 25 | | (c) On a determination by the criminal justice division |
|---|
| 18 | 26 | | established under Section 772.006 that a local government awarded a |
|---|
| 19 | 27 | | grant under this chapter has not complied with the cybersecurity |
|---|
| 20 | 28 | | training required by Section 2054.5191, the local government shall |
|---|
| 21 | 29 | | pay to this state an amount equal to the amount of the grant award. |
|---|
| 22 | 30 | | A local government that is the subject of a determination described |
|---|
| 23 | 31 | | by this subsection is ineligible for another grant under this |
|---|
| 24 | 32 | | chapter until the second anniversary of the date the local |
|---|
| 25 | 33 | | government is determined ineligible. |
|---|
| 26 | 34 | | SECTION 2. The heading to Section 2054.5191, Government |
|---|
| 27 | 35 | | Code, is amended to read as follows: |
|---|
| 28 | 36 | | Sec. 2054.5191. CYBERSECURITY TRAINING REQUIRED: CERTAIN |
|---|
| 29 | 37 | | EMPLOYEES AND OFFICIALS. |
|---|
| 30 | 38 | | SECTION 3. Section 2054.5191, Government Code, is amended |
|---|
| 31 | 39 | | by amending Subsections (a-1) and (b) and adding Subsections (a-2), |
|---|
| 32 | 40 | | (e), and (f) to read as follows: |
|---|
| 33 | 41 | | (a-1) At least once each year, a local government shall: |
|---|
| 34 | 42 | | (1) identify local government employees and elected |
|---|
| 35 | 43 | | and appointed officials who have access to a local government |
|---|
| 36 | 44 | | computer system or database and use a computer to perform at least |
|---|
| 37 | 45 | | 25 percent of the employee's or official's required duties; and |
|---|
| 38 | 46 | | (2) require the [those] employees and [elected] |
|---|
| 39 | 47 | | officials identified under Subdivision (1) [of the local |
|---|
| 40 | 48 | | government] to complete a cybersecurity training program certified |
|---|
| 41 | 49 | | under Section 2054.519 [or offered under Section 2054.519(f)]. |
|---|
| 42 | 50 | | (a-2) The governing body of a local government or the |
|---|
| 43 | 51 | | governing body's designee may deny access to the local government's |
|---|
| 44 | 52 | | computer system or database to an individual described by |
|---|
| 45 | 53 | | Subsection (a-1)(1) who the governing body or the governing body's |
|---|
| 46 | 54 | | designee determines is noncompliant with the requirements of |
|---|
| 47 | 55 | | Subsection (a-1)(2). |
|---|
| 48 | 56 | | (b) The governing body of a local government may select the |
|---|
| 49 | 57 | | most appropriate cybersecurity training program certified under |
|---|
| 50 | 58 | | Section 2054.519 [or offered under Section 2054.519(f)] for |
|---|
| 51 | 59 | | employees and officials of the local government to complete. The |
|---|
| 52 | 60 | | governing body shall: |
|---|
| 53 | 61 | | (1) verify and report on the completion of a |
|---|
| 54 | 62 | | cybersecurity training program by employees and officials of the |
|---|
| 55 | 63 | | local government to the department; and |
|---|
| 56 | 64 | | (2) require periodic audits to ensure compliance with |
|---|
| 57 | 65 | | this section. |
|---|
| 58 | 66 | | (e) The department shall develop a form for use by state |
|---|
| 59 | 67 | | agencies and local governments in verifying completion of |
|---|
| 60 | 68 | | cybersecurity training program requirements under this section. |
|---|
| 61 | 69 | | The form must allow the state agency and local government to |
|---|
| 62 | 70 | | indicate the percentage of employee completion. |
|---|
| 63 | 71 | | (f) The requirements of Subsections (a) and (a-1) do not |
|---|
| 64 | 72 | | apply to employees and officials who have been: |
|---|
| 65 | 73 | | (1) granted military leave; |
|---|
| 66 | 74 | | (2) granted leave under the federal Family and Medical |
|---|
| 67 | 75 | | Leave Act of 1993 (29 U.S.C. Section 2601 et seq.); |
|---|
| 68 | 76 | | (3) granted leave related to a sickness or disability |
|---|
| 69 | 77 | | covered by workers' compensation benefits, if that employee no |
|---|
| 70 | 78 | | longer has access to the state agency's or local government's |
|---|
| 71 | 79 | | database and systems; |
|---|
| 72 | 80 | | (4) granted any other type of extended leave or |
|---|
| 73 | 81 | | authorization to work from an alternative work site if that |
|---|
| 74 | 82 | | employee no longer has access to the state agency's or local |
|---|
| 75 | 83 | | government's database and systems; or |
|---|
| 76 | 84 | | (5) denied access to a local government's computer |
|---|
| 77 | 85 | | system or database by the governing body of the local government or |
|---|
| 78 | 86 | | the governing body's designee under Subsection (a-2) for |
|---|
| 79 | 87 | | noncompliance with the requirements of Subsection (a-1)(2). |
|---|
| 80 | 88 | | SECTION 4. Section 2056.002(b), Government Code, is amended |
|---|
| 81 | 89 | | to read as follows: |
|---|
| 82 | 90 | | (b) The Legislative Budget Board and the governor's office |
|---|
| 83 | 91 | | shall determine the elements required to be included in each |
|---|
| 84 | 92 | | agency's strategic plan. Unless modified by the Legislative Budget |
|---|
| 85 | 93 | | Board and the governor's office, and except as provided by |
|---|
| 86 | 94 | | Subsection (c), a plan must include: |
|---|
| 87 | 95 | | (1) a statement of the mission and goals of the state |
|---|
| 88 | 96 | | agency; |
|---|
| 89 | 97 | | (2) a description of the indicators developed under |
|---|
| 90 | 98 | | this chapter and used to measure the output and outcome of the |
|---|
| 91 | 99 | | agency; |
|---|
| 92 | 100 | | (3) identification of the groups of people served by |
|---|
| 93 | 101 | | the agency, including those having service priorities, or other |
|---|
| 94 | 102 | | service measures established by law, and estimates of changes in |
|---|
| 95 | 103 | | those groups expected during the term of the plan; |
|---|
| 96 | 104 | | (4) an analysis of the use of the agency's resources to |
|---|
| 97 | 105 | | meet the agency's needs, including future needs, and an estimate of |
|---|
| 98 | 106 | | additional resources that may be necessary to meet future needs; |
|---|
| 99 | 107 | | (5) an analysis of expected changes in the services |
|---|
| 100 | 108 | | provided by the agency because of changes in state or federal law; |
|---|
| 101 | 109 | | (6) a description of the means and strategies for |
|---|
| 102 | 110 | | meeting the agency's needs, including future needs, and achieving |
|---|
| 103 | 111 | | the goals established under Section 2056.006 for each area of state |
|---|
| 104 | 112 | | government for which the agency provides services; |
|---|
| 105 | 113 | | (7) a description of the capital improvement needs of |
|---|
| 106 | 114 | | the agency during the term of the plan and a statement, if |
|---|
| 107 | 115 | | appropriate, of the priority of those needs; |
|---|
| 108 | 116 | | (8) identification of each geographic region of this |
|---|
| 109 | 117 | | state, including the Texas-Louisiana border region and the |
|---|
| 110 | 118 | | Texas-Mexico border region, served by the agency, and if |
|---|
| 111 | 119 | | appropriate the agency's means and strategies for serving each |
|---|
| 112 | 120 | | region; |
|---|
| 113 | 121 | | (9) a description of the training of the agency's |
|---|
| 114 | 122 | | contract managers under Section 656.052; |
|---|
| 115 | 123 | | (10) an analysis of the agency's expected expenditures |
|---|
| 116 | 124 | | that relate to federally owned or operated military installations |
|---|
| 117 | 125 | | or facilities, or communities where a federally owned or operated |
|---|
| 118 | 126 | | military installation or facility is located; |
|---|
| 119 | 127 | | (11) an analysis of the strategic use of information |
|---|
| 120 | 128 | | resources as provided by the instructions prepared under Section |
|---|
| 121 | 129 | | 2054.095; [and] |
|---|
| 122 | 130 | | (12) a written certification of the agency's |
|---|
| 123 | 131 | | compliance with the cybersecurity training required under Sections |
|---|
| 124 | 132 | | 2054.5191 and 2054.5192; and |
|---|
| 125 | 133 | | (13) other information that may be required. |
|---|
| 126 | 134 | | SECTION 5. Section 2054.519(f), Government Code, as added |
|---|
| 127 | 135 | | by Chapter 1308 (H.B. 3834), Acts of the 86th Legislature, Regular |
|---|
| 128 | 136 | | Session, 2019, is repealed. |
|---|
| 129 | 137 | | SECTION 6. (a) Section 772.012, Government Code, as added |
|---|
| 130 | 138 | | by this Act, applies only to a grant application submitted by a |
|---|
| 131 | 139 | | local government on or after September 1, 2021. |
|---|
| 132 | 140 | | (b) Section 2056.002(b), Government Code, as amended by |
|---|
| 133 | 141 | | this Act, applies only to a strategic plan submitted by a state |
|---|
| 134 | 142 | | agency on or after January 1, 2022. |
|---|
| 135 | 143 | | SECTION 7. This Act takes effect immediately if it receives |
|---|
| 136 | 144 | | a vote of two-thirds of all the members elected to each house, as |
|---|
| 137 | 145 | | provided by Section 39, Article III, Texas Constitution. If this |
|---|
| 138 | 146 | | Act does not receive the vote necessary for immediate effect, this |
|---|
| 139 | 147 | | Act takes effect September 1, 2021. |
|---|