Texas 2023 88th Regular

Texas House Bill HB4892 Introduced / Bill

Filed 03/10/2023

                    88R2648 JXC-D
 By: Raymond H.B. No. 4892


 A BILL TO BE ENTITLED
 AN ACT
 relating to physical security and cybersecurity practices for
 certain utilities that provide electricity service and an
 independent organization certified to manage a power region.
 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
 SECTION 1.  The heading to Subchapter B, Chapter 31,
 Utilities Code, is amended to read as follows:
 SUBCHAPTER B. PHYSICAL SECURITY AND CYBERSECURITY
 SECTION 2.  The heading to Section 31.052, Utilities Code,
 is amended to read as follows:
 Sec. 31.052.  PHYSICAL SECURITY AND CYBERSECURITY
 COORDINATION PROGRAM FOR UTILITIES.
 SECTION 3.  Section 31.052(a), Utilities Code, is amended to
 read as follows:
 (a)  The commission shall establish a program to monitor and
 support physical security and cybersecurity efforts among
 utilities in this state. The program shall:
 (1)  provide guidance, technical assistance, and
 training on best practices in physical security and cybersecurity
 and facilitate the sharing of cybersecurity information between
 utilities; [and]
 (2)  provide guidance, technical assistance, and
 training on best practices for physical security and cybersecurity
 controls for supply chain risk management of cybersecurity systems
 used by utilities, which may include, as applicable, best practices
 related to:
 (A)  software integrity and authenticity;
 (B)  vendor risk management and procurement
 controls, including notification by vendors of incidents related to
 the vendor's products and services; and
 (C)  vendor remote access;
 (3)  develop models, assessments, and auditing
 procedures for a utility to self-assess physical security and
 cybersecurity; and
 (4)  provide opportunities for utilities to share with
 each other best practices for and information on physical security
 and cybersecurity.
 SECTION 4.  Section 39.151(o), Utilities Code, is amended to
 read as follows:
 (o)  An independent organization certified by the commission
 under this section shall:
 (1)  conduct internal physical security and
 cybersecurity risk assessment, vulnerability testing, and employee
 training to the extent the independent organization is not
 otherwise required to do so under applicable state and federal
 physical security, cybersecurity, and information security laws;
 and
 (2)  submit a report annually to the commission on the
 independent organization's compliance with applicable physical
 security, cybersecurity, and information security laws.
 SECTION 5.  This Act takes effect immediately if it receives
 a vote of two-thirds of all the members elected to each house, as
 provided by Section 39, Article III, Texas Constitution.  If this
 Act does not receive the vote necessary for immediate effect, this
 Act takes effect September 1, 2023.