Texas 2021 - 87th Regular

Texas House Bill HB3892 Compare Versions

By: Capriglione H.B. No. 3892


A BILL TO BE ENTITLED
AN ACT
relating to matters concerning governmental entities, including
cybersecurity, governmental efficiencies, information resources,
and emergency planning.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 37.108(b), Education Code, is amended to
read as follows:
(b) At least once every three years, each school district or
public junior college district shall conduct a safety and security
audit of the district's facilities, including an information
technology cybersecurity assessment. To the extent possible, a
district shall follow safety and security audit procedures
developed by the Texas School Safety Center or a person included in
the registry established by the Texas School Safety Center under
Section 37.2091.
SECTION 2. Subchapter A, Chapter 31, Election Code, is
amended by adding Section 31.017 to read as follows:
Sec. 31.017. STUDY ON USE OF ARTIFICIAL INTELLIGENCE FOR
SIGNATURE VERIFICATION. (a) The secretary of state shall conduct a
study on the use of artificial intelligence to verify signatures on
carrier envelope certificates for early voting ballots voted by
mail. In conducting the study, the secretary of state must consider
other states' experiences using that method of signature
verification, as well as other studies published on the subject.
(b) Not later than September 1, 2022, the secretary of state
shall prepare and deliver a report on the study's findings to the
committees of each house of the legislature with primary
jurisdiction over elections.
(c) This section expires December 1, 2022.
SECTION 3. Subchapter B, Chapter 421, Government Code, is
amended by adding Section 421.027 to read as follows:
Sec. 421.027. CYBER INCIDENT STUDY AND RESPONSE PLAN. (a)
In this section:
(1) "Cyber incident" means an event occurring on or
conducted through a computer network that actually or imminently
jeopardizes the integrity, confidentiality, or availability of
computers, information or communications systems or networks,
physical or virtual infrastructure controlled by computers or
information systems, or information on the computers or systems.
The term includes a vulnerability in implementation or in an
information system, system security procedure, or internal control
that could be exploited by a threat source.
(2) "Significant cyber incident" means a cyber
incident, or a group of related cyber incidents, likely to result in
demonstrable harm to state security interests, foreign relations,
or the economy of this state or to the public confidence, civil
liberties, or public health and safety of the residents of this
state.
(b) The council, in cooperation with the Department of
Information Resources, shall:
(1) conduct a study regarding cyber incidents and
significant cyber incidents affecting state agencies and critical
infrastructure that is owned, operated, or controlled by agencies;
and
(2) develop a comprehensive state response plan to
provide a format for each state agency to develop an
agency-specific response plan and to implement the plan into the
agency's information security plan required under Section 2054.133
to be implemented by the agency in the event of a cyber incident or
significant cyber incident affecting the agency or critical
infrastructure that is owned, operated, or controlled by the
agency.
(c) Not later than September 1, 2022, the council shall
deliver the response plan and a report on the findings of the study
to:
(1) the public safety director of the Department of
Public Safety;
(2) the governor;
(3) the lieutenant governor;
(4) the speaker of the house of representatives;
(5) the chair of the committee of the senate having
primary jurisdiction over homeland security matters; and
(6) the chair of the committee of the house of
representatives having primary jurisdiction over homeland security
matters.
(d) The response plan required by Subsection (b) and the
report required by Subsection (c) are not public information for
purposes of Chapter 552.
(e) This section expires December 1, 2022.
SECTION 4. Subchapter L, Chapter 441, Government Code, is
amended by adding Sections 441.1825 and 441.1856 to read as
follows:
Sec. 441.1825. STATE INFORMATION GOVERNANCE COORDINATOR.
(a) The director and librarian shall employ a state information
governance coordinator in the commission's records management
division.
(b) The state information governance coordinator shall:
(1) ensure records management programs are
implemented by state agencies for all media types;
(2) assist state agencies in complying with the
agencies' records management programs; and
(3) increase overall awareness and outreach for state
agency records management programs.
Sec. 441.1856. TEXAS DIGITAL ARCHIVE. (a) The commission
shall maintain and operate a digital repository for the
preservation of and access to permanently valuable archival state
records, reports, and publications.
(b) The commission, in collaboration with the Department of
Information Resources, shall develop a strategy, consistent with
state records management and archival practices, for state agencies
to transfer appropriate archival state records that are in
electronic format to the commission for inclusion in the digital
repository described by Subsection (a).
SECTION 5. Section 441.183, Government Code, is amended to
read as follows:
Sec. 441.183. RECORDS MANAGEMENT PROGRAMS IN STATE
AGENCIES. (a) The agency head of each state agency shall:
(1) establish and maintain a records management
program on a continuing and active basis;
(2) create and maintain records containing adequate
and proper documentation of the organization, functions, policies,
decisions, procedures, and essential transactions of the agency
designed to furnish information to protect the financial and legal
rights of the state and any person affected by the activities of the
agency;
(3) make certain that all records of the agency are
passed to the agency head's successor in the position of agency
head;
(4) identify and take adequate steps to protect
confidential and vital state records;
(5) cooperate with the commission in the conduct of
state agency records management surveys; and
(6) cooperate with the commission, the director and
librarian, and any other authorized designee of the director and
librarian in fulfilling their duties under this subchapter.
(b) This subsection applies only to a state agency that is a
department, commission, board, office, or other agency in the
executive branch of state government. This subsection does not
apply to an institution of higher education, as defined by Section
61.003, Education Code. As part of a records management program
established under Subsection (a), the agency head of a state agency
to which this subsection applies shall require training for agency
employees, annually and on employment with the agency, regarding
the records management program, including the agency's approved
records retention schedule.
SECTION 6. Subchapter C, Chapter 2054, Government Code, is
amended by adding Section 2054.0695 to read as follows:
Sec. 2054.0695. SECURITY PROGRAM FOR INTERNET CONNECTIVITY
OF CERTAIN OBJECTS. (a) The department, in consultation with
representatives of the information technology industry and
voluntary standards organizations and the 10 state agencies that
received the most state appropriations for that state fiscal year
as determined by the Legislative Budget Board, shall develop a
comprehensive risk management program that identifies baseline
security features for the Internet connectivity of computing
devices embedded in objects used or purchased by state agencies.
(b) In developing the program under Subsection (a), the
department shall identify and use existing international security
standards and best practices and any known security gaps for a range
of deployments, including critical systems and consumer usage.
SECTION 7. Section 2054.512(d), Government Code, is amended
to read as follows:
(d) The cybersecurity council shall:
(1) consider the costs and benefits of establishing a
computer emergency readiness team to address cyber attacks
occurring in this state during routine and emergency situations;
(2) establish criteria and priorities for addressing
cybersecurity threats to critical state installations;
(3) consolidate and synthesize best practices to
assist state agencies in understanding and implementing
cybersecurity measures that are most beneficial to this state;
[and]
(4) assess the knowledge, skills, and capabilities of
the existing information technology and cybersecurity workforce to
mitigate and respond to cyber threats and develop recommendations
for addressing immediate workforce deficiencies and ensuring a
long-term pool of qualified applicants; and
(5) ensure all middle and high schools have knowledge
of and access to:
(A) free cybersecurity courses and curriculum
approved by the Texas Education Agency;
(B) state and regional information sharing and
analysis centers; and
(C) contracting benefits, including as provided
by Section 2054.0565.
SECTION 8. Subchapter N-1, Chapter 2054, Government Code,
is amended by adding Sections 2054.517 and 2054.5172 to read as
follows:
Sec. 2054.517. VENDOR RESPONSIBILITY FOR CYBERSECURITY. A
vendor that contracts with this state to provide information
resources technology for a state agency at a cost to the agency of
$1 million or more is responsible for addressing known
cybersecurity risks associated with the technology and is
responsible for any cost associated with addressing the identified
cybersecurity risks. For a major information resources project,
the vendor shall provide to state agency contracting personnel:
(1) a written attestation that:
(A) the vendor has a cybersecurity risk
management program consistent with:
(i) the cybersecurity framework
established by the National Institute of Standards and Technology;
(ii) the 27000 series standards for
information security published by the International Organization
for Standardization; or
(iii) other widely accepted security risk
management frameworks;
(B) the vendor's cybersecurity risk management
program includes appropriate training and certifications for the
employees performing work under the contract; and
(C) the vendor has a vulnerability management
program that addresses vulnerability identification, mitigation,
and responsible disclosure, as appropriate; and
(2) an initial summary of any costs associated with
addressing or remediating the identified technology or
personnel-related cybersecurity risks as identified in
collaboration with this state following a risk assessment.
Sec. 2054.5172. ENCRYPTED SECURE LAYER SERVICES REQUIRED.
Each state agency that maintains a publicly accessible Internet
website that requires the submission of sensitive personally
identifiable information shall use an encrypted secure
communication protocol, including a secure hypertext transfer
protocol.
SECTION 9. Subchapter B, Chapter 2155, Government Code, is
amended by adding Section 2155.092 to read as follows:
Sec. 2155.092. VENDOR CERTIFICATION FOR CERTAIN GOODS. (a)
This section does not apply to a good provided as part of a major
information resources project as defined by Section 2054.003.
(b) A vendor offering to sell to the state a good embedded
with a computing device capable of Internet connectivity must
include with each bid, offer, proposal, or other expression of
interest a written certification providing that the good does not
contain, at the time of submitting the bid, offer, proposal, or
expression of interest, a hardware, software, or firmware component
with any known security vulnerability or defect.
SECTION 10. Section 205.010(b), Local Government Code, is
amended to read as follows:
(b) A local government that owns, licenses, or maintains
computerized data that includes sensitive personal information
shall comply, in the event of a breach of system security, with the
notification requirements of:
(1) Sections 364.0051 and 364.0102 of this code; and
(2) Section 521.053, Business & Commerce Code, to the
same extent as a person who conducts business in this state.
SECTION 11. Subtitle C, Title 11, Local Government Code, is
amended by adding Chapter 364 to read as follows:
CHAPTER 364. LOCAL GOVERNMENT CYBERSECURITY AND EMERGENCY PLANNING
AND RESPONSE
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 364.0001. DEFINITIONS. In this chapter:
(1) "Breach of system security" has the meaning
assigned by Section 521.053, Business & Commerce Code.
(2) "Cybersecurity coordinator" means the state
cybersecurity coordinator designated under Section 2054.511,
Government Code.
(3) "Cybersecurity council" means the council
established by the cybersecurity coordinator under Section
2054.512, Government Code.
(4) "Sensitive personal information" has the meaning
assigned by Section 521.002, Business & Commerce Code.
SUBCHAPTER B. SECURITY BREACH NOTIFICATION
Sec. 364.0051. NOTICE TO CYBERSECURITY COORDINATOR. Not
later than 48 hours after a political subdivision discovers a
breach or suspected breach of system security or an unauthorized
exposure of sensitive personal information, the political
subdivision shall notify the cybersecurity coordinator of the
breach. The notification must describe the breach, suspected
breach, or unauthorized exposure.
Sec. 364.0052. REPORT TO DEPARTMENT OF INFORMATION
RESOURCES. The cybersecurity coordinator shall report to the
Department of Information Resources any breach of system security
reported by a political subdivision in which the person responsible
for the breach:
(1) obtained or modified specific critical or
sensitive personal information;
(2) established access to the political subdivision's
information systems or infrastructure; or
(3) undermined, severely disrupted, or destroyed a
core service, program, or function of the political subdivision, or
placed the person in a position to do so in the future.
Sec. 364.0053. RULEMAKING. The cybersecurity coordinator
may adopt rules necessary to implement this subchapter.
SUBCHAPTER C. EMERGENCY PLANNING AND RESPONSE
Sec. 364.0101. MULTIHAZARD EMERGENCY OPERATIONS PLAN;
SAFETY AND SECURITY AUDIT. (a) This section applies to a
municipality or county with a population of more than 100,000.
(b) Each municipality and county shall adopt and implement a
multihazard emergency operations plan for use in the municipality's
and county's facilities. The plan must address mitigation,
preparedness, response, and recovery as determined by the
cybersecurity council and the governor's public safety office. The
plan must provide for:
(1) municipal or county employee training in
responding to an emergency;
(2) measures to ensure coordination with the
Department of State Health Services, Department of Information
Resources, local emergency management agencies, law enforcement
agencies, local health departments, and fire departments in the
event of an emergency; and
(3) the implementation of a safety and security audit
as required by Subsection (c).
(c) At least once every three years, each municipality and
county shall conduct a safety and security audit of the
municipality's or county's information technology infrastructure.
To the extent possible, a municipality or county shall follow
safety and security audit procedures developed by the cybersecurity
council or a comparable public or private entity.
(d) A municipality or county shall report the results of the
safety and security audit conducted under Subsection (c):
(1) to the municipality's or county's governing body;
and
(2) in the manner required by the cybersecurity
council, to the cybersecurity council.
(e) Except as provided by Subsection (f), any document or
information collected, developed, or produced during a safety and
security audit conducted under Subsection (c) is not subject to
disclosure under Chapter 552, Government Code.
(f) A document relating to a municipality's or county's
multihazard emergency operations plan is subject to disclosure if
the document enables a person to:
(1) verify that the municipality or county has
established a plan and determine the agencies involved in the
development of the plan and the agencies coordinating with the
municipality or county to respond to an emergency;
(2) verify that the municipality's or county's plan
was reviewed within the last 12 months and determine the specific
review dates;
(3) verify that the plan addresses the phases of
emergency management under Subsection (b);
(4) verify that municipal or county employees have
been trained to respond to an emergency and determine the types of
training, the number of employees trained, and the person
conducting the training;
(5) verify that the municipality or county has
completed a safety and security audit under Subsection (c) and
determine the date the audit was conducted, the person conducting
the audit, and the date the municipality or county presented the
results of the audit to the municipality's or county's governing
body; and
(6) verify that the municipality or county has
addressed any recommendations by the municipality's or county's
governing body for improvement of the plan and determine the
municipality's or county's progress within the last 12 months.
Sec. 364.0102. RANSOMWARE PAYMENTS PROHIBITED. (a) In
this section, "ransomware" has the meaning assigned by Section
33.023, Penal Code.
(b) A political subdivision may not make a ransomware
payment related to a ransomware cyber attack.
(c) As soon as practicable after discovering a ransomware
cyber attack, a political subdivision shall report the attack to
the office of the attorney general and to the information sharing
and analysis organization established by the Department of
Information Resources under Sec. 2054.0594, Government Code.
SECTION 12. Section 2155.092, Government Code, as added by
this Act, applies only in relation to a contract for which a state
agency first advertises or otherwise solicits bids, offers,
proposals, or other expressions of interest on or after the
effective date of this Act.
SECTION 13. (a) Except as provided by Subsection (b) of
this section, this Act takes effect September 1, 2021.
(b) Section 364.0102, Local Government Code, as added by
this Act, takes effect September 1, 2022.