87R5826 YDB-F
By: Shaheen H.B. No. 4071
A BILL TO BE ENTITLED
AN ACT
relating to the requirements for the purchase of endpoint devices
by a state agency.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Subchapter N-1, Chapter 2054, Government Code,
is amended by adding Section 2054.5193 to read as follows:
Sec. 2054.5193. ENDPOINT DEVICE CYBERSECURITY. (a) In
this section, "endpoint device" has the meaning assigned by Section
2157.201.
(b) The department may compile a list of endpoint devices
that are approved for purchase by a state agency. An approved
endpoint device must meet the:
(1) guidelines and best practices for computer
security issued by the National Institute of Standards and
Technology of the United States Department of Commerce;
(2) cybersecurity framework established by the
National Institute of Standards and Technology of the United States
Department of Commerce; and
(3) supply chain risk management guidelines developed
by the United States Department of Homeland Security.
(c) The department shall update any list of approved
endpoint devices the department issues under Subsection (b) not
later than the first anniversary of the date of an amendment to a
security standard described by Subsection (b).
(d) The department may adopt rules to implement this
section.
SECTION 2. Chapter 2157, Government Code, is amended by
adding Subchapter E to read as follows:
SUBCHAPTER E. ENDPOINT SECURITY DEVICE
Sec. 2157.201. DEFINITIONS. In this subchapter:
(1) "Endpoint device" means personal computing goods
and multi-functional devices.
(2) "Multi-functional device" includes computer
imaging devices that perform at least two of the following
functions:
(A) printing;
(B) copying;
(C) scanning; or
(D) faxing.
(3) "Personal computing goods" includes desktop
computers, laptop computers, all-in-one computers, tablet
computers, thin client computers, and computer monitors.
(4) "State agency" means a board, commission,
department, office, or other agency in the executive, legislative,
or judicial branch of state government that is created by the
constitution or a statute of this state.
Sec. 2157.202. ENDPOINT DEVICE STANDARDS. (a) A state
agency may purchase or lease an endpoint device only if the device
meets the:
(1) guidelines and best practices for computer
security issued by the National Institute of Standards and
Technology of the United States Department of Commerce;
(2) cybersecurity framework established by the
National Institute of Standards and Technology of the United States
Department of Commerce; and
(3) supply chain risk management guidelines developed
by the United States Department of Homeland Security.
(b) An endpoint device included on a list of approved
endpoint security devices compiled under Section 2054.5193
satisfies the requirements of Subsection (a).
SECTION 3. This Act takes effect immediately if it receives
a vote of two-thirds of all the members elected to each house, as
provided by Section 39, Article III, Texas Constitution. If this
Act does not receive the vote necessary for immediate effect, this
Act takes effect September 1, 2021.