88R6276 YDB-D
By: Capriglione
H.B. No. 1657

A BILL TO BE ENTITLED
AN ACT
relating to state agency information technology infrastructure and information security assessments.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. The heading to Section 2054.068, Government Code, is amended to read as follows:

Sec. 2054.068. STATE AGENCY INFORMATION TECHNOLOGY INFRASTRUCTURE: INFORMATION SECURITY RATING; AUDIT; REPORT.

SECTION 2. Section 2054.068, Government Code, is amended by amending Subsections (b), (c), and (d) and adding Subsections (c-1), (c-2), (c-3), (c-4), (e-1), (e-2), and (e-3) to read as follows:

(b) The department shall collect from each state agency information on the status and condition of the agency's information technology infrastructure, including [information regarding]:
  (1) information on the agency's information security program;
  (2) an inventory of the agency's servers, mainframes, cloud services, and other information technology equipment;
  (3) identification information for [of] vendors that operate and manage the agency's information technology infrastructure; [and]
  (4) the information security assessment required by Section 2054.515; and
  (5) any additional related information requested by the department.

(c) A state agency shall provide the information required by Subsection (b) to the department not later than August 31 of each even-numbered year [according to a schedule determined by the department].

(c-1) The department shall assign to each state agency that is not required to participate in a statewide technology center established under Subchapter L one of the following information security ratings based on the agency's information security risk profile:
  (1) above average;
  (2) average; or
  (3) below average.

(c-2) In assigning an information security rating to a state agency under Subsection (c-1), the department shall consider:
  (1) the information the agency provides under Subsection (b);
  (2) the agency's comprehensive information security risk position relative to the agency's risk environment; and
  (3) any additional document or information the department requests from the agency.

(c-3) The department:
  (1) shall develop options and make recommendations for improvements in the information security maturity of any state agency assigned an information security risk rating of below average under Subsection (c-1); and
  (2) may assist any state agency in determining whether additional security measures would increase the agency's information security maturity.

(c-4) The department may audit the information security and technology of any state agency assigned an information security risk rating under Subsection (c-1) or contract with a vendor to perform the audit. The department shall make available on request by any person listed in Subsection (d) the results of an audit conducted under this subsection.

(d) Not later than November 15 of each even-numbered year, the department shall submit to the governor, chair of the house appropriations committee, chair of the senate finance committee, speaker of the house of representatives, lieutenant governor, and staff of the Legislative Budget Board:
  (1) a consolidated report of the information submitted by state agencies under Subsection (b); and
  (2) any department recommendations relevant to and necessary for improving this state's information technology infrastructure and information security.

(e-1) The department shall compile a summary of the consolidated report required under Subsection (d) and make the summary available to the public. The summary may not disclose any confidential information.

(e-2) The consolidated report required under Subsection (d) and all information a state submits to substantiate or otherwise related to the report are confidential and not subject to disclosure under Chapter 552. The agency or department may redact or withhold information as confidential under Chapter 552 without requesting a decision from the attorney general under Subchapter G, Chapter 552.

(e-3) Following review of the consolidated report, the Joint Oversight Committee on Investment in Information Technology Improvement and Modernization Projects established under Section 2054.578 may recommend that the legislature, through a concurrent resolution approved by a majority of the members of each house of the legislature, direct the department to select for participation in a statewide technology center established under Subchapter L any state agency assigned an information security rating under Subsection (c-1). The department shall notify each selected state agency of the agency's selection as required by Section 2054.385. The department is not required to conduct the cost and requirements analysis under Section 2054.384 for a state agency selected for participation under this subsection. This subsection expires September 1, 2027.

SECTION 3. The heading to Section 2054.515, Government Code, is amended to read as follows:

Sec. 2054.515. STATE AGENCY INFORMATION SECURITY ASSESSMENT [AND REPORT].

SECTION 4. Sections 2054.515(a), (c), and (d), Government Code, are amended to read as follows:

(a) At least once every two years, each state agency shall conduct an information security assessment of the agency's[:
  [(1)] information resources systems, network systems, digital data storage systems, digital data security measures, and information resources vulnerabilities[; and
  [(2) data governance program with participation from the agency's data management officer, if applicable, and in accordance with requirements established by department rule].

(c) Each state agency shall complete the information security assessment in consultation with the [The] department or the vendor the department selects and submit the assessment to the department in accordance with Section 2054.068(b) [by rule shall establish the requirements for the information security assessment and report required by this section].

(d) All [The report and all] documentation related to the information security assessment is [and report are] confidential and not subject to disclosure under Chapter 552. The state agency or department may redact or withhold the information as confidential under Chapter 552 without requesting a decision from the attorney general under Subchapter G, Chapter 552.

SECTION 5. The following provisions are repealed:
  (1) Section 2054.068(f), Government Code; and
  (2) Section 2054.515(b), Government Code, as amended by Chapters 567 (S.B. 475) and 856 (S.B. 800), Acts of the 87th Legislature, Regular Session, 2021.

SECTION 6. This Act takes effect September 1, 2023.