| 1 | 1 | | 88R6276 YDB-D |
|---|
| 2 | 2 | | By: Capriglione H.B. No. 1657 |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | A BILL TO BE ENTITLED |
|---|
| 6 | 6 | | AN ACT |
|---|
| 7 | 7 | | relating to state agency information technology infrastructure and |
|---|
| 8 | 8 | | information security assessments. |
|---|
| 9 | 9 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 10 | 10 | | SECTION 1. The heading to Section 2054.068, Government |
|---|
| 11 | 11 | | Code, is amended to read as follows: |
|---|
| 12 | 12 | | Sec. 2054.068. STATE AGENCY INFORMATION TECHNOLOGY |
|---|
| 13 | 13 | | INFRASTRUCTURE: INFORMATION SECURITY RATING; AUDIT; REPORT. |
|---|
| 14 | 14 | | SECTION 2. Section 2054.068, Government Code, is amended by |
|---|
| 15 | 15 | | amending Subsections (b), (c), and (d) and adding Subsections |
|---|
| 16 | 16 | | (c-1), (c-2), (c-3), (c-4), (e-1), (e-2), and (e-3) to read as |
|---|
| 17 | 17 | | follows: |
|---|
| 18 | 18 | | (b) The department shall collect from each state agency |
|---|
| 19 | 19 | | information on the status and condition of the agency's information |
|---|
| 20 | 20 | | technology infrastructure, including [information regarding]: |
|---|
| 21 | 21 | | (1) information on the agency's information security |
|---|
| 22 | 22 | | program; |
|---|
| 23 | 23 | | (2) an inventory of the agency's servers, mainframes, |
|---|
| 24 | 24 | | cloud services, and other information technology equipment; |
|---|
| 25 | 25 | | (3) identification information for [of] vendors that |
|---|
| 26 | 26 | | operate and manage the agency's information technology |
|---|
| 27 | 27 | | infrastructure; [and] |
|---|
| 28 | 28 | | (4) the information security assessment required by |
|---|
| 29 | 29 | | Section 2054.515; and |
|---|
| 30 | 30 | | (5) any additional related information requested by |
|---|
| 31 | 31 | | the department. |
|---|
| 32 | 32 | | (c) A state agency shall provide the information required by |
|---|
| 33 | 33 | | Subsection (b) to the department not later than August 31 of each |
|---|
| 34 | 34 | | even-numbered year [according to a schedule determined by the |
|---|
| 35 | 35 | | department]. |
|---|
| 36 | 36 | | (c-1) The department shall assign to each state agency that |
|---|
| 37 | 37 | | is not required to participate in a statewide technology center |
|---|
| 38 | 38 | | established under Subchapter L one of the following information |
|---|
| 39 | 39 | | security ratings based on the agency's information security risk |
|---|
| 40 | 40 | | profile: |
|---|
| 41 | 41 | | (1) above average; |
|---|
| 42 | 42 | | (2) average; or |
|---|
| 43 | 43 | | (3) below average. |
|---|
| 44 | 44 | | (c-2) In assigning an information security rating to a state |
|---|
| 45 | 45 | | agency under Subsection (c-1), the department shall consider: |
|---|
| 46 | 46 | | (1) the information the agency provides under |
|---|
| 47 | 47 | | Subsection (b); |
|---|
| 48 | 48 | | (2) the agency's comprehensive information security |
|---|
| 49 | 49 | | risk position relative to the agency's risk environment; and |
|---|
| 50 | 50 | | (3) any additional document or information the |
|---|
| 51 | 51 | | department requests from the agency. |
|---|
| 52 | 52 | | (c-3) The department: |
|---|
| 53 | 53 | | (1) shall develop options and make recommendations for |
|---|
| 54 | 54 | | improvements in the information security maturity of any state |
|---|
| 55 | 55 | | agency assigned an information security risk rating of below |
|---|
| 56 | 56 | | average under Subsection (c-1); and |
|---|
| 57 | 57 | | (2) may assist any state agency in determining whether |
|---|
| 58 | 58 | | additional security measures would increase the agency's |
|---|
| 59 | 59 | | information security maturity. |
|---|
| 60 | 60 | | (c-4) The department may audit the information security and |
|---|
| 61 | 61 | | technology of any state agency assigned an information security |
|---|
| 62 | 62 | | risk rating under Subsection (c-1) or contract with a vendor to |
|---|
| 63 | 63 | | perform the audit. The department shall make available on request |
|---|
| 64 | 64 | | by any person listed in Subsection (d) the results of an audit |
|---|
| 65 | 65 | | conducted under this subsection. |
|---|
| 66 | 66 | | (d) Not later than November 15 of each even-numbered year, |
|---|
| 67 | 67 | | the department shall submit to the governor, chair of the house |
|---|
| 68 | 68 | | appropriations committee, chair of the senate finance committee, |
|---|
| 69 | 69 | | speaker of the house of representatives, lieutenant governor, and |
|---|
| 70 | 70 | | staff of the Legislative Budget Board: |
|---|
| 71 | 71 | | (1) a consolidated report of the information submitted |
|---|
| 72 | 72 | | by state agencies under Subsection (b); and |
|---|
| 73 | 73 | | (2) any department recommendations relevant to and |
|---|
| 74 | 74 | | necessary for improving this state's information technology |
|---|
| 75 | 75 | | infrastructure and information security. |
|---|
| 76 | 76 | | (e-1) The department shall compile a summary of the |
|---|
| 77 | 77 | | consolidated report required under Subsection (d) and make the |
|---|
| 78 | 78 | | summary available to the public. The summary may not disclose any |
|---|
| 79 | 79 | | confidential information. |
|---|
| 80 | 80 | | (e-2) The consolidated report required under Subsection (d) |
|---|
| 81 | 81 | | and all information a state submits to substantiate or otherwise |
|---|
| 82 | 82 | | related to the report are confidential and not subject to |
|---|
| 83 | 83 | | disclosure under Chapter 552. The agency or department may redact |
|---|
| 84 | 84 | | or withhold information as confidential under Chapter 552 without |
|---|
| 85 | 85 | | requesting a decision from the attorney general under Subchapter G, |
|---|
| 86 | 86 | | Chapter 552. |
|---|
| 87 | 87 | | (e-3) Following review of the consolidated report, the |
|---|
| 88 | 88 | | Joint Oversight Committee on Investment in Information Technology |
|---|
| 89 | 89 | | Improvement and Modernization Projects established under Section |
|---|
| 90 | 90 | | 2054.578 may recommend that the legislature, through a concurrent |
|---|
| 91 | 91 | | resolution approved by a majority of the members of each house of |
|---|
| 92 | 92 | | the legislature, direct the department to select for participation |
|---|
| 93 | 93 | | in a statewide technology center established under Subchapter L any |
|---|
| 94 | 94 | | state agency assigned an information security rating under |
|---|
| 95 | 95 | | Subsection (c-1). The department shall notify each selected state |
|---|
| 96 | 96 | | agency of the agency's selection as required by Section 2054.385. |
|---|
| 97 | 97 | | The department is not required to conduct the cost and requirements |
|---|
| 98 | 98 | | analysis under Section 2054.384 for a state agency selected for |
|---|
| 99 | 99 | | participation under this subsection. This subsection expires |
|---|
| 100 | 100 | | September 1, 2027. |
|---|
| 101 | 101 | | SECTION 3. The heading to Section 2054.515, Government |
|---|
| 102 | 102 | | Code, is amended to read as follows: |
|---|
| 103 | 103 | | Sec. 2054.515. STATE AGENCY INFORMATION SECURITY |
|---|
| 104 | 104 | | ASSESSMENT [AND REPORT]. |
|---|
| 105 | 105 | | SECTION 4. Sections 2054.515(a), (c), and (d), Government |
|---|
| 106 | 106 | | Code, are amended to read as follows: |
|---|
| 107 | 107 | | (a) At least once every two years, each state agency shall |
|---|
| 108 | 108 | | conduct an information security assessment of the agency's[: |
|---|
| 109 | 109 | | [(1)] information resources systems, network systems, |
|---|
| 110 | 110 | | digital data storage systems, digital data security measures, and |
|---|
| 111 | 111 | | information resources vulnerabilities[; and |
|---|
| 112 | 112 | | [(2) data governance program with participation from |
|---|
| 113 | 113 | | the agency's data management officer, if applicable, and in |
|---|
| 114 | 114 | | accordance with requirements established by department rule]. |
|---|
| 115 | 115 | | (c) Each state agency shall complete the information |
|---|
| 116 | 116 | | security assessment in consultation with the [The] department or |
|---|
| 117 | 117 | | the vendor the department selects and submit the assessment to the |
|---|
| 118 | 118 | | department in accordance with Section 2054.068(b) [by rule shall |
|---|
| 119 | 119 | | establish the requirements for the information security assessment |
|---|
| 120 | 120 | | and report required by this section]. |
|---|
| 121 | 121 | | (d) All [The report and all] documentation related to the |
|---|
| 122 | 122 | | information security assessment is [and report are] confidential |
|---|
| 123 | 123 | | and not subject to disclosure under Chapter 552. The state agency |
|---|
| 124 | 124 | | or department may redact or withhold the information as |
|---|
| 125 | 125 | | confidential under Chapter 552 without requesting a decision from |
|---|
| 126 | 126 | | the attorney general under Subchapter G, Chapter 552. |
|---|
| 127 | 127 | | SECTION 5. The following provisions are repealed: |
|---|
| 128 | 128 | | (1) Section 2054.068(f), Government Code; and |
|---|
| 129 | 129 | | (2) Section 2054.515(b), Government Code, as amended |
|---|
| 130 | 130 | | by Chapters 567 (S.B. 475) and 856 (S.B. 800), Acts of the 87th |
|---|
| 131 | 131 | | Legislature, Regular Session, 2021. |
|---|
| 132 | 132 | | SECTION 6. This Act takes effect September 1, 2023. |
|---|