Texas 2021 - 87th Regular

Texas Senate Bill SB475 Compare Versions

Lines present only in the old version are marked with -, lines present only in the new version are marked with +, and unmarked lines are common to both versions.
- S.B. No. 475
+ 87R23600 YDB-D
+ By: Nelson, et al. S.B. No. 475
+ (Capriglione)
+ Substitute the following for S.B. No. 475: No.

+ A BILL TO BE ENTITLED
AN ACT
relating to state agency and local government information
management and security, including establishment of the state risk
and authorization management program and the Texas volunteer
incident response team; authorizing fees.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Subchapter B, Chapter 2054, Government Code, is
amended by adding Section 2054.0332 to read as follows:
Sec. 2054.0332. DATA MANAGEMENT ADVISORY COMMITTEE. (a)
The board shall appoint a data management advisory committee.
(b) The advisory committee is composed of each data
management officer designated by a state agency under Section
2054.137 and the department's chief data officer.
(c) The advisory committee shall:
(1) advise the board and department on establishing
statewide data ethics, principles, goals, strategies, standards,
and architecture;
(2) provide guidance and recommendations on governing
and managing state agency data and data management systems,
including recommendations to assist data management officers in
fulfilling the duties assigned under Section 2054.137; and
(3) establish performance objectives for state
agencies from this state's data-driven policy goals.
(d) Sections 2110.002 and 2110.008 do not apply to the
advisory committee.

SECTION 2. Subchapter C, Chapter 2054, Government Code, is
amended by adding Section 2054.0593 to read as follows:
Sec. 2054.0593. CLOUD COMPUTING STATE RISK AND
AUTHORIZATION MANAGEMENT PROGRAM. (a) In this section, "cloud
computing service" has the meaning assigned by Section 2157.007.
(b) The department shall establish a state risk and
authorization management program to provide a standardized
approach for security assessment, authorization, and continuous
monitoring of cloud computing services that process the data of a
state agency. The program must allow a vendor to demonstrate
compliance by submitting documentation that shows the vendor's
compliance with a risk and authorization management program of:
(1) the federal government; or
(2) another state that the department approves.
(c) The department by rule shall prescribe:
(1) the categories and characteristics of cloud
computing services subject to the state risk and authorization
management program; and
(2) the requirements for certification through the
program of vendors that provide cloud computing services.
(d) A state agency shall require each vendor contracting
with the agency to provide cloud computing services for the agency
to comply with the requirements of the state risk and authorization
management program. The department shall evaluate vendors to
determine whether a vendor qualifies for a certification issued by
the department reflecting compliance with program requirements.
(e) A state agency may not enter or renew a contract with a
vendor to purchase cloud computing services for the agency that are
subject to the state risk and authorization management program
unless the vendor demonstrates compliance with program
requirements.
(f) A state agency shall require a vendor contracting with
the agency to provide cloud computing services for the agency that
are subject to the state risk and authorization management program
to maintain program compliance and certification throughout the
term of the contract.

SECTION 3. Section 2054.0594, Government Code, is amended
by adding Subsection (d) to read as follows:
(d) The department shall establish a framework for regional
cybersecurity working groups to execute mutual aid agreements that
allow state agencies, local governments, regional planning
commissions, public and private institutions of higher education,
the private sector, and the incident response team established
under Subchapter N-2 to assist with responding to a cybersecurity
event in this state. A working group may be established within the
geographic area of a regional planning commission established under
- Chapter 391, Local Government Code. The working group may
- establish a list of available cybersecurity experts and share
- resources to assist in responding to the cybersecurity event and
- recovery from the event.
+ Chapter 391, Local Government Code. The working group may establish
+ a list of available cybersecurity experts and share resources to
+ assist in responding to the cybersecurity event and recovery from
+ the event.

SECTION 4. Subchapter F, Chapter 2054, Government Code, is
amended by adding Sections 2054.137 and 2054.138 to read as
follows:
Sec. 2054.137. DESIGNATED DATA MANAGEMENT OFFICER. (a)
Each state agency with more than 150 full-time employees shall
designate a full-time employee of the agency to serve as a data
management officer.
(b) The data management officer for a state agency shall:
(1) coordinate with the chief data officer to ensure
the agency performs the duties assigned under Section 2054.0286;
(2) in accordance with department guidelines,
establish an agency data governance program to identify the
agency's data assets, exercise authority and management over the
agency's data assets, and establish related processes and
procedures to oversee the agency's data assets; and
(3) coordinate with the agency's information security
officer, the agency's records management officer, and the Texas
State Library and Archives Commission to:
(A) implement best practices for managing and
securing data in accordance with state privacy laws and data
privacy classifications;
(B) ensure the agency's records management
programs apply to all types of data storage media;
(C) increase awareness of and outreach for the
agency's records management programs within the agency; and
(D) conduct a data maturity assessment of the
agency's data governance program in accordance with the
requirements established by department rule.
(c) In accordance with department guidelines, the data
management officer for a state agency shall post on the Texas Open
Data Portal established by the department under Section 2054.070 at
least three high-value data sets as defined by Section 2054.1265.
The high-value data sets may not include information that is
confidential or protected from disclosure under state or federal
law.
(d) The data management officer for a state agency may
delegate in writing to another agency employee the duty to:
(1) implement a specific requirement of Subsection (b)
or (c); or
(2) participate in the advisory committee established
under Section 2054.0332.
Sec. 2054.138. SECURITY CONTROLS FOR STATE AGENCY DATA.
Each state agency entering into or renewing a contract with a vendor
authorized to access, transmit, use, or store data for the agency
shall include a provision in the contract requiring the vendor to
meet the security controls the agency determines are proportionate
with the agency's risk under the contract based on the sensitivity
of the agency's data. The vendor must periodically provide to the
agency evidence that the vendor meets the security controls
required under the contract.

SECTION 5. Subchapter G, Chapter 2054, Government Code, is
amended by adding Section 2054.161 to read as follows:
Sec. 2054.161. DATA CLASSIFICATION, SECURITY, AND
RETENTION REQUIREMENTS. On initiation of an information resources
technology project, including an application development project
and any information resources projects described in this
subchapter, a state agency shall classify the data produced from or
used in the project and determine appropriate data security and
applicable retention requirements under Section 441.185 for each
classification.

SECTION 6. Chapter 2054, Government Code, is amended by
adding Subchapter N-2 to read as follows:
SUBCHAPTER N-2. TEXAS VOLUNTEER INCIDENT RESPONSE TEAM
Sec. 2054.52001. DEFINITIONS. In this subchapter:
(1) "Incident response team" means the Texas volunteer
incident response team established under Section 2054.52002.
(2) "Participating entity" means a state agency,
including an institution of higher education, or a local government
that receives assistance under this subchapter during a
cybersecurity event.
(3) "Volunteer" means an individual who provides rapid
response assistance during a cybersecurity event under this
subchapter.
Sec. 2054.52002. ESTABLISHMENT OF TEXAS VOLUNTEER INCIDENT
RESPONSE TEAM. (a) The department shall establish the Texas
volunteer incident response team to provide rapid response
assistance to a participating entity under the department's
direction during a cybersecurity event.
(b) The department shall prescribe eligibility criteria for
participation as a volunteer member of the incident response team,
including a requirement that each volunteer have expertise in
addressing cybersecurity events.
Sec. 2054.52003. CONTRACT WITH VOLUNTEERS. The department
shall enter into a contract with each volunteer the department
approves to provide rapid response assistance under this
subchapter. The contract must require the volunteer to:
(1) acknowledge the confidentiality of information
required by Section 2054.52010;
(2) protect all confidential information from
disclosure;
(3) avoid conflicts of interest that might arise in a
deployment under this subchapter;
(4) comply with department security policies and
procedures regarding information resources technologies;
(5) consent to background screening required by the
department; and
(6) attest to the volunteer's satisfaction of any
eligibility criteria established by the department.
Sec. 2054.52004. VOLUNTEER QUALIFICATION. (a) The
department shall require criminal history record information for
each individual who accepts an invitation to become a volunteer.
(b) The department may request other information relevant
to the individual's qualification and fitness to serve as a
volunteer.
(c) The department has sole discretion to determine whether
an individual is qualified to serve as a volunteer.
Sec. 2054.52005. DEPLOYMENT. (a) In response to a
cybersecurity event that affects multiple participating entities
or a declaration by the governor of a state of disaster caused by a
cybersecurity event, the department on request of a participating
entity may deploy volunteers and provide rapid response assistance
under the department's direction and the managed security services
framework established under Section 2054.0594(d) to assist with the
event.
(b) A volunteer may only accept a deployment under this
subchapter in writing. A volunteer may decline to accept a
deployment for any reason.
Sec. 2054.52006. CYBERSECURITY COUNCIL DUTIES. The
cybersecurity council established under Section 2054.512 shall
review and make recommendations to the department regarding the
policies and procedures used by the department to implement this
subchapter. The department may consult with the council to
implement and administer this subchapter.
Sec. 2054.52007. DEPARTMENT POWERS AND DUTIES. (a) The
department shall:
(1) approve the incident response tools the incident
response team may use in responding to a cybersecurity event;
(2) establish the eligibility criteria an individual
must meet to become a volunteer;
(3) develop and publish guidelines for operation of
the incident response team, including the:
(A) standards and procedures the department uses
to determine whether an individual is eligible to serve as a
volunteer;
(B) process for an individual to apply for and
accept incident response team membership;
(C) requirements for a participating entity to
receive assistance from the incident response team; and
(D) process for a participating entity to request
and obtain the assistance of the incident response team; and
(4) adopt rules necessary to implement this
subchapter.
(b) The department may require a participating entity to
enter into a contract as a condition for obtaining assistance from
the incident response team. The contract must comply with the
requirements of Chapters 771 and 791.
(c) The department may provide appropriate training to
prospective and approved volunteers.
(d) In accordance with state law, the department may provide
compensation for actual and necessary travel and living expenses
incurred by a volunteer on a deployment using money available for
that purpose.
(e) The department may establish a fee schedule for
participating entities receiving incident response team
assistance. The amount of fees collected may not exceed the
department's costs to operate the incident response team.
Sec. 2054.52008. STATUS OF VOLUNTEER; LIABILITY. (a) A
volunteer is not an agent, employee, or independent contractor of
this state for any purpose and has no authority to obligate this
state to a third party.
(b) This state is not liable to a volunteer for personal
injury or property damage sustained by the volunteer that arises
from participation in the incident response team.
Sec. 2054.52009. CIVIL LIABILITY. A volunteer who in good
faith provides professional services in response to a cybersecurity
event is not liable for civil damages as a result of the volunteer's
acts or omissions in providing the services, except for wilful and
wanton misconduct. This immunity is limited to services provided
during the time of deployment for a cybersecurity event.
Sec. 2054.52010. CONFIDENTIAL INFORMATION. Information
written, produced, collected, assembled, or maintained by the
department, a participating entity, the cybersecurity council, or a
volunteer in the implementation of this subchapter is confidential
and not subject to disclosure under Chapter 552 if the information:
(1) contains the contact information for a volunteer;
(2) identifies or provides a means of identifying a
person who may, as a result of disclosure of the information, become
a victim of a cybersecurity event;
(3) consists of a participating entity's cybersecurity
plans or cybersecurity-related practices; or
(4) is obtained from a participating entity or from a
participating entity's computer system in the course of providing
assistance under this subchapter.

SECTION 7. Section 2054.515, Government Code, is amended to
read as follows:
Sec. 2054.515. AGENCY INFORMATION SECURITY ASSESSMENT AND
REPORT. (a) At least once every two years, each state agency shall
conduct an information security assessment of the agency's:
(1) information resources systems, network systems,
digital data storage systems, digital data security measures, and
information resources vulnerabilities; and
(2) data governance program with participation from
the agency's data management officer, if applicable, and in
accordance with requirements established by department rule.
(b) Not later than November 15 of each even-numbered year
[December 1 of the year in which a state agency conducts the
assessment under Subsection (a)], the agency shall report the
results of the assessment to:
(1) the department; and
(2) on request, the governor, the lieutenant governor,
and the speaker of the house of representatives.
(c) The department by rule shall [may] establish the
requirements for the information security assessment and report
required by this section.
(d) The report and all documentation related to the
information security assessment and report are confidential and not
subject to disclosure under Chapter 552. The state agency or
department may redact or withhold the information as confidential
under Chapter 552 without requesting a decision from the attorney
general under Subchapter G, Chapter 552.

SECTION 8. Section 2054.601, Government Code, is amended to
read as follows:
Sec. 2054.601. USE OF NEXT GENERATION TECHNOLOGY. Each
state agency and local government shall, in the administration of
the agency or local government, consider using next generation
technologies, including cryptocurrency, blockchain technology,
robotic process automation, and artificial intelligence.

SECTION 9. Chapter 2059, Government Code, is amended by
adding Subchapter E to read as follows:
SUBCHAPTER E. REGIONAL NETWORK SECURITY CENTERS
Sec. 2059.201. ELIGIBLE PARTICIPATING ENTITIES. A state
agency or an entity listed in Sections 2059.058(b)(3)-(5) is
eligible to participate in cybersecurity support and network
security provided by a regional network security center under this
subchapter.
Sec. 2059.202. ESTABLISHMENT OF REGIONAL NETWORK SECURITY
CENTERS. (a) Subject to Subsection (b), the department may
establish regional network security centers, under the
department's managed security services framework established by
Section 2054.0594(d), to assist in providing cybersecurity support
and network security to regional offices or locations for state
agencies and other eligible entities that elect to participate in
and receive services through the center.
(b) The department may establish more than one regional
network security center only if the department determines the first
center established by the department successfully provides to state
agencies and other eligible entities the services the center has
contracted to provide.
(c) The department shall enter into an interagency contract
in accordance with Chapter 771 or an interlocal contract in
accordance with Chapter 791, as appropriate, with an eligible
participating entity that elects to participate in and receive
services through a regional network security center.
Sec. 2059.203. REGIONAL NETWORK SECURITY CENTER LOCATIONS
AND PHYSICAL SECURITY. (a) In creating and operating a regional
network security center, the department shall partner with a
university system or institution of higher education as defined by
Section 61.003, Education Code, other than a public junior college.
The system or institution shall:
(1) serve as an education partner with the department
for the regional network security center; and
(2) enter into an interagency contract with the
department in accordance with Chapter 771.
(b) In selecting the location for a regional network
security center, the department shall select a university system or
institution of higher education that has supportive educational
capabilities.
(c) A university system or institution of higher education
selected to serve as a regional network security center shall
control and monitor all entrances to and critical areas of the
center to prevent unauthorized entry. The system or institution
shall restrict access to the center to only authorized individuals.
(d) A local law enforcement entity or any entity providing
security for a regional network security center shall monitor
security alarms at the regional network security center subject to
the availability of that service.
(e) The department and a university system or institution of
higher education selected to serve as a regional network security
center shall restrict operational information to only center
personnel, except as provided by Chapter 321.
Sec. 2059.204. REGIONAL NETWORK SECURITY CENTERS SERVICES
AND SUPPORT. The department may offer the following managed
security services through a regional network security center:
(1) real-time network security monitoring to detect
and respond to network security events that may jeopardize this
state and the residents of this state;
(2) alerts and guidance for defeating network security
threats, including firewall configuration, installation,
management, and monitoring, intelligence gathering, and protocol
analysis;
(3) immediate response to counter network security
activity that exposes this state and the residents of this state to
risk, including complete intrusion detection system installation,
management, and monitoring for participating entities;
(4) development, coordination, and execution of
statewide cybersecurity operations to isolate, contain, and
mitigate the impact of network security incidents for participating
entities; and
(5) cybersecurity educational services.
Sec. 2059.205. NETWORK SECURITY GUIDELINES AND STANDARD
OPERATING PROCEDURES. (a) The department shall adopt and provide
to each regional network security center appropriate network
security guidelines and standard operating procedures to ensure
efficient operation of the center with a maximum return on the
state's investment.
(b) The department shall revise the standard operating
procedures as necessary to confirm network security.
(c) Each eligible participating entity that elects to
participate in a regional network security center shall comply with
the network security guidelines and standard operating procedures.

SECTION 10. Subtitle B, Title 10, Government Code, is
amended by adding Chapter 2062 to read as follows:
CHAPTER 2062. RESTRICTIONS ON STATE AGENCY USE OF CERTAIN
INDIVIDUAL-IDENTIFYING INFORMATION
Sec. 2062.001. DEFINITIONS. In this chapter:
(1) "Biometric identifier" has the meaning assigned by
Section 560.001.
(2) "State agency" means a department, commission,
board, office, council, authority, or other agency in the
executive, legislative, or judicial branch of state government,
including a university system or institution of higher education as
defined by Section 61.003, Education Code, that is created by the
constitution or a statute of this state.
Sec. 2062.002. CONSENT REQUIRED BEFORE ACQUIRING,
RETAINING, OR DISSEMINATING CERTAIN INFORMATION; RECORDS. (a)
Except as provided by Subsection (b), a state agency may not:
(1) use global positioning system technology,
individual contact tracing, or technology designed to obtain
biometric identifiers to acquire information that alone or in
conjunction with other information identifies an individual or the
individual's location without the individual's written or
electronic consent;
(2) retain information with respect to an individual
described by Subdivision (1) without the individual's written or
electronic consent; or
(3) disseminate to a person the information described
by Subdivision (1) with respect to an individual unless the state
agency first obtains the individual's written or electronic
consent.
(b) A state agency may acquire, retain, and disseminate
information described by Subsection (a) with respect to an
individual without the individual's written or electronic consent
if the acquisition, retention, or dissemination is:
(1) required or permitted by a federal statute or by a
state statute other than Chapter 552; or
(2) made by or to a law enforcement agency for a law
enforcement purpose.
(c) A state agency shall retain the written or electronic
consent of an individual obtained as required under this section in
the agency's records until the contract or agreement under which
the information is acquired, retained, or disseminated expires.

SECTION 11. (a) Not later than December 1, 2021, the
Department of Information Resources shall:
(1) establish the state risk and authorization
management program as required by Section 2054.0593, Government
Code, as added by this Act;
(2) establish the framework for regional
cybersecurity working groups to execute mutual aid agreements as
required under Section 2054.0594(d), Government Code, as added by
this Act; and
(3) establish the Texas volunteer incident response
team as required by Subchapter N-2, Chapter 2054, Government Code,
as added by this Act.
(b) Each state agency shall ensure that:
(1) each contract for cloud computing services the
agency enters into or renews on or after January 1, 2022, complies
with Section 2054.0593, Government Code, as added by this Act; and
(2) each contract subject to Section 2054.138,
Government Code, as added by this Act, that is executed on or after
the effective date of this Act complies with that section.
(c) Each state agency subject to Section 2054.137,
Government Code, as added by this Act, shall designate a data
management officer as soon as practicable after the effective date
of this Act.
(d) Each state agency subject to Section 2054.161,
Government Code, as added by this Act, shall ensure each
information resources technology project initiated on or after the
effective date of this Act complies with that section.

SECTION 12. Not later than October 15, 2022, the Department
of Information Resources shall submit to the standing committees of
the senate and house of representatives with primary jurisdiction
over state agency cybersecurity a report on the department's
activities and recommendations related to the Texas volunteer
incident response team established as required by Subchapter N-2,
Chapter 2054, Government Code, as added by this Act.

SECTION 13. Chapter 2062, Government Code, as added by this
Act, applies only to information acquired, retained, or
disseminated by a state agency to another person on or after the
effective date of this Act.

SECTION 14. (a) Except as provided by Subsection (b) of
this section, this Act takes effect immediately if it receives a
vote of two-thirds of all the members elected to each house, as
provided by Section 39, Article III, Texas Constitution. If this
Act does not receive the vote necessary for immediate effect, this
Act takes effect September 1, 2021.
(b) Chapter 2062, Government Code, as added by this Act,
takes effect September 1, 2021.

- ______________________________ ______________________________
- President of the Senate Speaker of the House
- I hereby certify that S.B. No. 475 passed the Senate on
- April 19, 2021, by the following vote: Yeas 31, Nays 0; and that
- the Senate concurred in House amendment on May 28, 2021, by the
- following vote: Yeas 31, Nays 0.
- ______________________________
- Secretary of the Senate
- I hereby certify that S.B. No. 475 passed the House, with
- amendment, on May 25, 2021, by the following vote: Yeas 147,
- Nays 0, one present not voting.
- ______________________________
- Chief Clerk of the House
- Approved:
- ______________________________
- Date
- ______________________________
- Governor