| Old | New | Differences | |
|---|---|---|---|
| 1 | - | 87R19817 YDB-F | |
| 2 | - | By: Shaheen, Lucio III, Deshotel, Raymond, H.B. No. 4071 | |
| 3 | - | Hunter | |
| 4 | - | Substitute the following for H.B. No. 4071: | |
| 5 | - | By: Paddie C.S.H.B. No. 4071 | |
| 1 | + | 87R5826 YDB-F | |
| 2 | + | By: Shaheen H.B. No. 4071 | |
| 6 | 3 | ||
| 7 | 4 | ||
| 8 | 5 | A BILL TO BE ENTITLED | |
| 9 | 6 | AN ACT | |
| 10 | 7 | relating to the requirements for the purchase of endpoint devices | |
| 11 | 8 | by a state agency. | |
| 12 | 9 | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | |
| 13 | 10 | SECTION 1. Subchapter N-1, Chapter 2054, Government Code, | |
| 14 | 11 | is amended by adding Section 2054.5193 to read as follows: | |
| 15 | 12 | Sec. 2054.5193. ENDPOINT DEVICE CYBERSECURITY. (a) In | |
| 16 | 13 | this section, "endpoint device" has the meaning assigned by Section | |
| 17 | 14 | 2157.201. | |
| 18 | 15 | (b) The department may compile a list of endpoint devices | |
| 19 | 16 | that are approved for purchase by a state agency. An approved | |
| 20 | - | endpoint device must meet cybersecurity industry-recognized | |
| 21 | - | standards and best practices established by the department. | |
| 17 | + | endpoint device must meet the: | |
| 18 | + | (1) guidelines and best practices for computer | |
| 19 | + | security issued by the National Institute of Standards and | |
| 20 | + | Technology of the United States Department of Commerce; | |
| 21 | + | (2) cybersecurity framework established by the | |
| 22 | + | National Institute of Standards and Technology of the United States | |
| 23 | + | Department of Commerce; and | |
| 24 | + | (3) supply chain risk management guidelines developed | |
| 25 | + | by the United States Department of Homeland Security. | |
| 22 | 26 | (c) The department shall update any list of approved | |
| 23 | 27 | endpoint devices the department issues under Subsection (b) not | |
| 24 | - | later than the first anniversary of the date | |
| 25 | - | standard | |
| 28 | + | later than the first anniversary of the date of an amendment to a | |
| 29 | + | security standard described by Subsection (b). | |
| 26 | 30 | (d) The department may adopt rules to implement this | |
| 27 | 31 | section. | |
| 28 | 32 | SECTION 2. Chapter 2157, Government Code, is amended by | |
| 29 | 33 | adding Subchapter E to read as follows: | |
| 30 | 34 | SUBCHAPTER E. ENDPOINT SECURITY DEVICE | |
| 31 | 35 | Sec. 2157.201. DEFINITIONS. In this subchapter: | |
| 32 | 36 | (1) "Endpoint device" means personal computing goods | |
| 33 | 37 | and multi-functional devices. | |
| 34 | 38 | (2) "Multi-functional device" includes computer | |
| 35 | 39 | imaging devices that perform at least two of the following | |
| 36 | 40 | functions: | |
| 37 | 41 | (A) printing; | |
| 38 | 42 | (B) copying; | |
| 39 | 43 | (C) scanning; or | |
| 40 | 44 | (D) faxing. | |
| 41 | 45 | (3) "Personal computing goods" includes desktop | |
| 42 | 46 | computers, laptop computers, all-in-one computers, tablet | |
| 43 | - | computers, thin client computers, wireless communication devices, | |
| 44 | - | computer monitors, and associated software and network access | |
| 45 | - | devices. | |
| 47 | + | computers, thin client computers, and computer monitors. | |
| 46 | 48 | (4) "State agency" means a board, commission, | |
| 47 | 49 | department, office, or other agency in the executive, legislative, | |
| 48 | 50 | or judicial branch of state government that is created by the | |
| 49 | 51 | constitution or a statute of this state. | |
| 50 | 52 | Sec. 2157.202. ENDPOINT DEVICE STANDARDS. (a) A state | |
| 51 | 53 | agency may purchase or lease an endpoint device only if the device | |
| 52 | - | meets the cybersecurity industry-recognized standards and best | |
| 53 | - | practices established by the department. | |
| 54 | + | meets the: | |
| 55 | + | (1) guidelines and best practices for computer | |
| 56 | + | security issued by the National Institute of Standards and | |
| 57 | + | Technology of the United States Department of Commerce; | |
| 58 | + | (2) cybersecurity framework established by the | |
| 59 | + | National Institute of Standards and Technology of the United States | |
| 60 | + | Department of Commerce; and | |
| 61 | + | (3) supply chain risk management guidelines developed | |
| 62 | + | by the United States Department of Homeland Security. | |
| 54 | 63 | (b) An endpoint device included on a list of approved | |
| 55 | 64 | endpoint security devices compiled under Section 2054.5193 | |
| 56 | 65 | satisfies the requirements of Subsection (a). | |
| 57 | 66 | SECTION 3. This Act takes effect immediately if it receives | |
| 58 | 67 | a vote of two-thirds of all the members elected to each house, as | |
| 59 | 68 | provided by Section 39, Article III, Texas Constitution. If this | |
| 60 | 69 | Act does not receive the vote necessary for immediate effect, this | |
| 61 | 70 | Act takes effect September 1, 2021. |