| 1 | 1 | | By: Jetton H.B. No. 2494 |
|---|
| 2 | 2 | | |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | A BILL TO BE ENTITLED |
|---|
| 5 | 5 | | AN ACT |
|---|
| 6 | 6 | | relating to information security officers and network threat |
|---|
| 7 | 7 | | detection and response for state agencies. |
|---|
| 8 | 8 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 9 | 9 | | SECTION 1. Section 2054.133(b), Government Code, is amended |
|---|
| 10 | 10 | | to read as follows: |
|---|
| 11 | 11 | | (b) In developing the plan, the state agency shall: |
|---|
| 12 | 12 | | (1) consider any vulnerability report prepared under |
|---|
| 13 | 13 | | Section 2054.077 for the agency; |
|---|
| 14 | 14 | | (2) incorporate the network security services |
|---|
| 15 | 15 | | provided by the department to the agency under Chapter 2059; |
|---|
| 16 | 16 | | (3) identify and define the responsibilities of agency |
|---|
| 17 | 17 | | staff who produce, access, use, or serve as custodians of the |
|---|
| 18 | 18 | | agency's information; |
|---|
| 19 | 19 | | (4) identify risk management and other measures taken |
|---|
| 20 | 20 | | to protect the agency's information from unauthorized access, |
|---|
| 21 | 21 | | disclosure, modification, or destruction; |
|---|
| 22 | 22 | | (5) include: |
|---|
| 23 | 23 | | (A) the best practices for information security |
|---|
| 24 | 24 | | developed by the department; or |
|---|
| 25 | 25 | | (B) a written explanation of why the best |
|---|
| 26 | 26 | | practices are not sufficient for the agency's security; [and] |
|---|
| 27 | 27 | | (6) omit from any written copies of the plan |
|---|
| 28 | 28 | | information that could expose vulnerabilities in the agency's |
|---|
| 29 | 29 | | network or online systems; and |
|---|
| 30 | 30 | | (7) consider whether network threat detection and |
|---|
| 31 | 31 | | response solutions, that permit anonymized security reports to be |
|---|
| 32 | 32 | | shared among participating entities in as close to real time as |
|---|
| 33 | 33 | | possible, would enhance the plan and include those solutions as |
|---|
| 34 | 34 | | part of the plan as the agency determines appropriate. |
|---|
| 35 | 35 | | SECTION 2. Section 2054.136, Government Code, is amended to |
|---|
| 36 | 36 | | read as follows: |
|---|
| 37 | 37 | | Sec. 2054.136. DESIGNATED INFORMATION SECURITY OFFICER. |
|---|
| 38 | 38 | | Each state agency shall designate an information security officer |
|---|
| 39 | 39 | | who: |
|---|
| 40 | 40 | | (1) acts independently of the agency in the |
|---|
| 41 | 41 | | performance of the officer's duties under this chapter and reports |
|---|
| 42 | 42 | | to the department on information security issues and to the |
|---|
| 43 | 43 | | agency's executive-level management on other issues; |
|---|
| 44 | 44 | | (2) has authority over information security for the |
|---|
| 45 | 45 | | entire agency; |
|---|
| 46 | 46 | | (3) possesses the training and experience required to |
|---|
| 47 | 47 | | perform the duties required by department rules; and |
|---|
| 48 | 48 | | (4) to the extent feasible, has information security |
|---|
| 49 | 49 | | duties as the officer's primary duties. |
|---|
| 50 | 50 | | SECTION 3. Sections 2054.512(d) and (e), Government Code, |
|---|
| 51 | 51 | | are amended to read as follows: |
|---|
| 52 | 52 | | (d) The cybersecurity council shall: |
|---|
| 53 | 53 | | (1) consider the costs and benefits of establishing a |
|---|
| 54 | 54 | | computer emergency readiness team to address cyber attacks |
|---|
| 55 | 55 | | occurring in this state during routine and emergency situations; |
|---|
| 56 | 56 | | (2) establish criteria and priorities for addressing |
|---|
| 57 | 57 | | cybersecurity threats to critical state installations; |
|---|
| 58 | 58 | | (3) consolidate and synthesize best practices to |
|---|
| 59 | 59 | | assist state agencies in understanding and implementing |
|---|
| 60 | 60 | | cybersecurity measures, including network threat detection and |
|---|
| 61 | 61 | | response solutions, that are most beneficial to this state; and |
|---|
| 62 | 62 | | (4) assess the knowledge, skills, and capabilities of |
|---|
| 63 | 63 | | the existing information technology and cybersecurity workforce to |
|---|
| 64 | 64 | | mitigate and respond to cyber threats and develop recommendations |
|---|
| 65 | 65 | | for addressing immediate workforce deficiencies and ensuring a |
|---|
| 66 | 66 | | long-term pool of qualified applicants. |
|---|
| 67 | 67 | | (e) The cybersecurity council shall provide recommendations |
|---|
| 68 | 68 | | to the legislature on any legislation necessary to implement |
|---|
| 69 | 69 | | cybersecurity best practices and remediation strategies for this |
|---|
| 70 | 70 | | state, including network threat detection and response solutions. |
|---|
| 71 | 71 | | SECTION 4. Section 2054.518(a), Government Code, is amended |
|---|
| 72 | 72 | | to read as follows: |
|---|
| 73 | 73 | | (a) The department shall develop a plan to address |
|---|
| 74 | 74 | | cybersecurity risks and incidents in this state. The department |
|---|
| 75 | 75 | | may enter into an agreement with a national organization, including |
|---|
| 76 | 76 | | the National Cybersecurity Preparedness Consortium, to support the |
|---|
| 77 | 77 | | department's efforts in implementing the components of the plan for |
|---|
| 78 | 78 | | which the department lacks resources to address internally. The |
|---|
| 79 | 79 | | agreement may include provisions for: |
|---|
| 80 | 80 | | (1) providing technical assistance services to |
|---|
| 81 | 81 | | support preparedness for and response to cybersecurity risks and |
|---|
| 82 | 82 | | incidents; |
|---|
| 83 | 83 | | (2) conducting cybersecurity simulation exercises for |
|---|
| 84 | 84 | | state agencies to encourage coordination in defending against and |
|---|
| 85 | 85 | | responding to cybersecurity risks and incidents; |
|---|
| 86 | 86 | | (3) assisting state agencies in developing |
|---|
| 87 | 87 | | cybersecurity information-sharing programs to disseminate |
|---|
| 88 | 88 | | information related to cybersecurity risks and incidents; [and] |
|---|
| 89 | 89 | | (4) incorporating cybersecurity risk and incident |
|---|
| 90 | 90 | | prevention and response methods into existing state emergency |
|---|
| 91 | 91 | | plans, including continuity of operation plans and incident |
|---|
| 92 | 92 | | response plans; and |
|---|
| 93 | 93 | | (5) incorporating network threat detection and |
|---|
| 94 | 94 | | response solutions into state agency cybersecurity plans, that |
|---|
| 95 | 95 | | permit anonymized security reports to be shared among participating |
|---|
| 96 | 96 | | entities in as close to real time as possible, to assist state |
|---|
| 97 | 97 | | agencies with monitoring agency networks for security threats and |
|---|
| 98 | 98 | | responding to detected security threats. |
|---|
| 99 | 99 | | SECTION 5. This Act takes effect September 1, 2023. |
|---|