87R4582 YDB-D
By: Nelson
S.B. No. 475

A BILL TO BE ENTITLED
AN ACT
relating to state agency and local government information security, including establishment of the state risk and authorization management program and the Texas volunteer incident response team; authorizing fees.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Subchapter C, Chapter 2054, Government Code, is amended by adding Sections 2054.0593 and 2054.05935 to read as follows:

Sec. 2054.0593. CLOUD COMPUTING STATE RISK AND AUTHORIZATION MANAGEMENT PROGRAM.
(a) In this section, "cloud computing services" has the meaning assigned by Section 2157.007.
(b) The department shall establish a state risk and authorization management program to provide a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency.
(c) The department shall prescribe:
(1) the categories and characteristics of cloud computing services subject to the state risk and authorization management program; and
(2) the requirements for certification through the program of vendors that provide cloud computing services.
(d) A state agency shall require each vendor contracting with the agency to provide cloud computing services for the agency to comply with the requirements of the state risk and authorization management program. The department shall evaluate vendors to determine whether a vendor qualifies for a certification issued by the department reflecting compliance with program requirements.
(e) A state agency may not enter or renew a contract with a vendor to purchase cloud computing services subject to the state risk and authorization management program unless the vendor demonstrates compliance with program requirements. The vendor may demonstrate compliance by submitting documentation that shows the vendor's compliance with the risk and authorization management program of another state that the department approves.
(f) A state agency shall require a vendor contracting with the agency to provide cloud computing services subject to the state risk and authorization management program to maintain program compliance and certification throughout the term of the contract.

Sec. 2054.05935. SECURITY CONTROLS FOR STATE AGENCY DATA. Each state agency entering into or renewing a contract with a vendor authorized to access, transmit, use, or store data for the agency shall include a provision in the contract requiring the vendor to meet the security controls the agency determines are proportionate with the agency's risk under the contract based on the sensitivity of the agency's data. The vendor must periodically provide to the agency evidence that the vendor meets the security controls required under the contract.

SECTION 2. Section 2054.0594, Government Code, is amended by adding Subsection (d) to read as follows:
(d) The department shall establish a framework for regional cybersecurity working groups to execute mutual aid agreements that allow state agencies, local governments, regional planning commissions, public and private institutions of higher education, the private sector, and the incident response team established under Subchapter N-2 to assist with responding to a cybersecurity event in this state. A working group may be established within the geographic area of a regional planning commission established under Chapter 391, Local Government Code. The working group may establish a list of available cybersecurity experts and share resources to assist in responding to the cybersecurity event and recovery from the event.

SECTION 3. Subchapter F, Chapter 2054, Government Code, is amended by adding Section 2054.137 to read as follows:

Sec. 2054.137. DESIGNATED DATA MANAGEMENT OFFICER.
(a) Each state agency with more than 150 full-time employees shall designate a full-time employee of the agency to serve as a data management officer.
(b) The data management officer for a state agency shall:
(1) coordinate with the chief data officer to ensure the agency performs the duties assigned under Section 2054.0286;
(2) in accordance with department guidelines, establish an agency data governance program to identify the agency's data assets, exercise authority and management over the agency's data assets, and establish related processes and procedures to oversee the agency's data assets; and
(3) coordinate with the agency's information security officer, the agency's records management officer, and the Texas State Library and Archives Commission to:
(A) implement best practices for managing and securing data in accordance with state privacy laws and data privacy classifications;
(B) ensure records management programs are implemented by the agency for all types of data storage media; and
(C) increase awareness of and outreach for state agency records management programs.
(c) In accordance with department guidelines, the data management officer for the state agency shall post on the Texas Open Data Portal established by the department under Section 2054.070 at least three high-value data sets as defined by Section 2054.1265. The high-value data sets may not include information that is confidential or protected from disclosure under state or federal law.

SECTION 4. Subchapter G, Chapter 2054, Government Code, is amended by adding Section 2054.161 to read as follows:

Sec. 2054.161. DATA CLASSIFICATION, SECURITY, AND RETENTION REQUIREMENTS. On initiation of an information resources technology project, including an application development project and any information resources projects described in this subchapter, a state agency shall classify the data produced from or used in the project and determine appropriate data security and retention requirements for each classification.

SECTION 5. Chapter 2054, Government Code, is amended by adding Subchapter N-2 to read as follows:

SUBCHAPTER N-2. TEXAS VOLUNTEER INCIDENT RESPONSE TEAM

Sec. 2054.52001. DEFINITIONS. In this subchapter:
(1) "Incident response team" means the Texas volunteer incident response team established under Section 2054.52002.
(2) "Participating entity" means a state agency, including an institution of higher education, or a local government that receives assistance under this subchapter during a cybersecurity event.
(3) "Volunteer" means an individual who provides rapid response assistance during a cybersecurity event under this subchapter.

Sec. 2054.52002. ESTABLISHMENT OF TEXAS VOLUNTEER INCIDENT RESPONSE TEAM.
(a) The department shall establish the Texas volunteer incident response team to provide rapid response assistance to a participating entity under the department's direction during a cybersecurity event.
(b) The department shall prescribe eligibility criteria for participation as a volunteer member of the incident response team, including a requirement that each volunteer have expertise in addressing cybersecurity events.

Sec. 2054.52003. CONTRACT WITH VOLUNTEERS. The department shall enter into a contract with each volunteer the department approves to provide rapid response assistance under this subchapter. The contract must require the volunteer to:
(1) acknowledge the confidentiality of information required by Section 2054.52010;
(2) protect all confidential information from disclosure;
(3) avoid conflicts of interest that might arise in a deployment under this subchapter;
(4) comply with department security policies and procedures regarding information resources technologies;
(5) consent to background screening required by the department; and
(6) attest to the volunteer's satisfaction of any eligibility criteria established by the department.

Sec. 2054.52004. VOLUNTEER QUALIFICATION.
(a) The department shall require criminal history record information for each individual who accepts an invitation to become a volunteer.
(b) The department may request other information relevant to the individual's qualification and fitness to serve as a volunteer.
(c) The department has sole discretion to determine whether an individual is qualified to serve as a volunteer.

Sec. 2054.52005. DEPLOYMENT.
(a) In response to a cybersecurity event that affects multiple participating entities or a declaration by the governor of a state of disaster caused by a cybersecurity event, the department on request of a participating entity may deploy volunteers and provide rapid response assistance under the department's direction to assist with the event.
(b) A volunteer may only accept a deployment under this subchapter in writing. A volunteer may decline to accept a deployment for any reason.

Sec. 2054.52006. CYBERSECURITY COUNCIL DUTIES. The cybersecurity council established under Section 2054.512 shall review and make recommendations to the department regarding the policies and procedures used by the department to implement this subchapter. The department may consult with the council to implement and administer this subchapter.

Sec. 2054.52007. DEPARTMENT POWERS AND DUTIES.
(a) The department shall:
(1) approve the incident response tools the incident response team may use in responding to a cybersecurity event;
(2) establish the eligibility criteria an individual must meet to become a volunteer;
(3) develop and publish guidelines for operation of the incident response team, including the:
(A) standards and procedures the department uses to determine whether an individual is eligible to serve as a volunteer;
(B) process for an individual to apply for and accept incident response team membership;
(C) requirements for a participating entity to receive assistance from the incident response team; and
(D) process for a participating entity to request and obtain the assistance of the incident response team; and
(4) adopt rules necessary to implement this subchapter.
(b) The department may require a participating entity to enter into a contract as a condition for obtaining assistance from the incident response team. The contract must comply with the requirements of Chapters 771 and 791.
(c) The department may provide appropriate training to prospective and approved volunteers.
(d) In accordance with state law, the department may provide compensation for actual and necessary travel and living expenses incurred by a volunteer on a deployment using money available for that purpose.
(e) The department may establish a fee schedule for participating entities receiving incident response team assistance. The amount of fees collected may not exceed the department's costs to operate the incident response team.

Sec. 2054.52008. STATUS OF VOLUNTEER; LIABILITY.
(a) A volunteer is not an agent, employee, or independent contractor of this state for any purpose and has no authority to obligate this state to a third party.
(b) This state is not liable to a volunteer for personal injury or property damage sustained by the volunteer that arises from participation in the incident response team.

Sec. 2054.52009. CIVIL LIABILITY. A volunteer who in good faith provides professional services in response to a cybersecurity event is not liable for civil damages as a result of the volunteer's acts or omissions in providing the services, except for wilful and wanton misconduct. This immunity is limited to services provided during the time of deployment for a cybersecurity event.

Sec. 2054.52010. CONFIDENTIAL INFORMATION. Information written, produced, collected, assembled, or maintained by the department, a participating entity, the cybersecurity council, or a volunteer in the implementation of this subchapter is confidential and not subject to disclosure under Chapter 552 if the information:
(1) contains the contact information for a volunteer;
(2) identifies or provides a means of identifying a person who may, as a result of disclosure of the information, become a victim of a cybersecurity event;
(3) consists of a participating entity's cybersecurity plans or cybersecurity-related practices; or
(4) is obtained from a participating entity or from a participating entity's computer system in the course of providing assistance under this subchapter.

SECTION 6. Section 2054.515, Government Code, is amended to read as follows:

Sec. 2054.515. AGENCY INFORMATION SECURITY ASSESSMENT AND REPORT.
(a) At least once every two years, each state agency shall conduct an information security assessment of the agency's:
(1) information resources systems, network systems, digital data storage systems, digital data security measures, and information resources vulnerabilities; and
(2) data governance program in accordance with requirements established by department rule.
(b) Not later than November 15 of each even-numbered year [December 1 of the year in which a state agency conducts the assessment under Subsection (a)], the agency shall report the results of the assessment to:
(1) the department; and
(2) on request, the governor, the lieutenant governor, and the speaker of the house of representatives.
(c) The department by rule shall [may] establish the requirements for the information security assessment and report required by this section.
(d) The report and all documentation related to the information security assessment and report are confidential and not subject to disclosure under Chapter 552. The state agency or department may redact or withhold the information as confidential under Chapter 552 without requesting a decision from the attorney general under Subchapter G, Chapter 552.

SECTION 7. Chapter 2059, Government Code, is amended by adding Subchapter E to read as follows:

SUBCHAPTER E. REGIONAL NETWORK SECURITY CENTERS

Sec. 2059.201. ELIGIBLE PARTICIPATING ENTITIES. A state agency or an entity listed in Sections 2059.058(b)(3)-(5) is eligible to participate in cybersecurity support and network security provided by a regional network security center under this subchapter.

Sec. 2059.202. ESTABLISHMENT OF REGIONAL NETWORK SECURITY CENTERS.
(a) Subject to Subsection (b), the department may establish regional network security centers to assist in providing cybersecurity support and network security to regional offices or locations for state agencies and other eligible entities that elect to participate in and receive services through the center.
(b) The department may establish more than one regional network security center only if the department determines the first center established by the department successfully provides to state agencies and other eligible entities the services the center has contracted to provide.
(c) The department shall enter into an interagency contract in accordance with Chapter 771 or an interlocal contract in accordance with Chapter 791, as appropriate, with an eligible participating entity that elects to participate in and receive services through a regional network security center.

Sec. 2059.203. REGIONAL NETWORK SECURITY CENTER LOCATIONS AND PHYSICAL SECURITY.
(a) In creating and operating a regional network security center, the department shall partner with a university system or institution of higher education as defined by Section 61.003, Education Code, other than a public junior college. The system or institution shall:
(1) serve as an education partner with the department for the regional network security center; and
(2) enter into an interagency contract with the department in accordance with Chapter 771.
(b) In selecting the location for a regional network security center, the department shall select a university system or institution of higher education that has supportive educational capabilities.
(c) A university system or institution of higher education selected to serve as a regional network security center shall control and monitor all entrances to and critical areas of the center to prevent unauthorized entry. The system or institution shall restrict access to the center to only authorized individuals.
(d) A local law enforcement entity or any entity providing security for a regional network security center shall monitor security alarms at the regional network security center subject to the availability of that service.
(e) The department and a university system or institution of higher education selected to serve as a regional network security center shall restrict operational information to only center personnel, except as provided by Chapter 321.

Sec. 2059.204. REGIONAL NETWORK SECURITY CENTERS SERVICES AND SUPPORT. The department may offer the following managed security services through a regional network security center:
(1) real-time network security monitoring to detect and respond to network security events that may jeopardize this state and the residents of this state;
(2) alerts and guidance for defeating network security threats, including firewall configuration, installation, management, and monitoring, intelligence gathering, and protocol analysis;
(3) immediate response to counter network security activity that exposes this state and the residents of this state to risk, including complete intrusion detection system installation, management, and monitoring for participating entities;
(4) development, coordination, and execution of statewide cybersecurity operations to isolate, contain, and mitigate the impact of network security incidents for participating entities; and
(5) cybersecurity educational services.

Sec. 2059.205. NETWORK SECURITY GUIDELINES AND STANDARD OPERATING PROCEDURES.
(a) The department shall adopt and provide to each regional network security center appropriate network security guidelines and standard operating procedures to ensure efficient operation of the center with a maximum return on the state's investment.
(b) The department shall revise the standard operating procedures as necessary to confirm network security.
(c) Each eligible participating entity that elects to participate in a regional network security center shall comply with the network security guidelines and standard operating procedures.

SECTION 8. Subtitle B, Title 10, Government Code, is amended by adding Chapter 2062 to read as follows:

CHAPTER 2062. RESTRICTIONS ON STATE AGENCY USE OF CERTAIN INDIVIDUAL-IDENTIFYING INFORMATION

Sec. 2062.001. DEFINITIONS. In this chapter:
(1) "Biometric identifier" has the meaning assigned by Section 560.001.
(2) "State agency" means a department, commission, board, office, council, authority, or other agency in the executive, legislative, or judicial branch of state government, including a university system or institution of higher education as defined by Section 61.003, Education Code, that is created by the constitution or a statute of this state.

Sec. 2062.002. CONSENT REQUIRED BEFORE ACQUIRING, RETAINING, OR DISSEMINATING CERTAIN INFORMATION; RECORDS.
(a) Except as provided by Subsection (b), a state agency may not:
(1) use global positioning system technology, individual contact tracing, or technology designed to obtain biometric identifiers to acquire information that alone or in conjunction with other information identifies an individual or the individual's location without the individual's written consent;
(2) retain information with respect to an individual described by Subdivision (1) without the individual's written consent; or
(3) disseminate to a person the information described by Subdivision (1) with respect to an individual unless the state agency first obtains the individual's written consent.
(b) A state agency may acquire, retain, and disseminate information described by Subsection (a) with respect to an individual without the individual's written consent if the acquisition, retention, or dissemination is:
(1) required or permitted by a federal statute or by a state statute other than Chapter 552; or
(2) made by or to a law enforcement agency for a law enforcement purpose.
(c) A state agency shall retain the written consent of an individual obtained as required under this section in the agency's records until the contract or agreement under which the information is acquired, retained, or disseminated expires.

SECTION 9.
(a) Not later than December 1, 2021, the Department of Information Resources shall:
(1) establish the state risk and authorization management program as required by Section 2054.0593, Government Code, as added by this Act;
(2) establish the framework for regional cybersecurity working groups to execute mutual aid agreements as required under Section 2054.0594(d), Government Code, as added by this Act; and
(3) establish the Texas volunteer incident response team as required by Subchapter N-2, Chapter 2054, Government Code, as added by this Act.
(b) Each state agency shall ensure that:
(1) each contract for cloud computing services the agency enters into or renews on or after January 1, 2022, complies with Section 2054.0593, Government Code, as added by this Act; and
(2) each contract subject to Section 2054.05935, Government Code, as added by this Act, that is executed on or after the effective date of this Act complies with that section.
(c) Each state agency subject to Section 2054.137, Government Code, as added by this Act, shall designate a data management officer as soon as practicable after the effective date of this Act.
(d) Each state agency subject to Section 2054.161, Government Code, as added by this Act, shall ensure each information resources technology project initiated on or after the effective date of this Act complies with that section.

SECTION 10. Not later than October 15, 2022, the Department of Information Resources shall submit to the standing committees of the senate and house of representatives with primary jurisdiction over state agency cybersecurity a report on the department's activities and recommendations related to the Texas volunteer incident response team established as required by Subchapter N-2, Chapter 2054, Government Code, as added by this Act.

SECTION 11. Chapter 2062, Government Code, as added by this Act, applies only to information acquired, retained, or disseminated by a state agency to another person on or after the effective date of this Act.

SECTION 12.
(a) Except as provided by Subsection (b) of this section, this Act takes effect immediately if it receives a vote of two-thirds of all the members elected to each house, as provided by Section 39, Article III, Texas Constitution. If this Act does not receive the vote necessary for immediate effect, this Act takes effect September 1, 2021.
(b) Chapter 2062, Government Code, as added by this Act, takes effect September 1, 2021.