| 1 | 1 | | 88R2648 JXC-D |
|---|
| 2 | 2 | | By: Raymond H.B. No. 4892 |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | A BILL TO BE ENTITLED |
|---|
| 6 | 6 | | AN ACT |
|---|
| 7 | 7 | | relating to physical security and cybersecurity practices for |
|---|
| 8 | 8 | | certain utilities that provide electricity service and an |
|---|
| 9 | 9 | | independent organization certified to manage a power region. |
|---|
| 10 | 10 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 11 | 11 | | SECTION 1. The heading to Subchapter B, Chapter 31, |
|---|
| 12 | 12 | | Utilities Code, is amended to read as follows: |
|---|
| 13 | 13 | | SUBCHAPTER B. PHYSICAL SECURITY AND CYBERSECURITY |
|---|
| 14 | 14 | | SECTION 2. The heading to Section 31.052, Utilities Code, |
|---|
| 15 | 15 | | is amended to read as follows: |
|---|
| 16 | 16 | | Sec. 31.052. PHYSICAL SECURITY AND CYBERSECURITY |
|---|
| 17 | 17 | | COORDINATION PROGRAM FOR UTILITIES. |
|---|
| 18 | 18 | | SECTION 3. Section 31.052(a), Utilities Code, is amended to |
|---|
| 19 | 19 | | read as follows: |
|---|
| 20 | 20 | | (a) The commission shall establish a program to monitor and |
|---|
| 21 | 21 | | support physical security and cybersecurity efforts among |
|---|
| 22 | 22 | | utilities in this state. The program shall: |
|---|
| 23 | 23 | | (1) provide guidance, technical assistance, and |
|---|
| 24 | 24 | | training on best practices in physical security and cybersecurity |
|---|
| 25 | 25 | | and facilitate the sharing of cybersecurity information between |
|---|
| 26 | 26 | | utilities; [and] |
|---|
| 27 | 27 | | (2) provide guidance, technical assistance, and |
|---|
| 28 | 28 | | training on best practices for physical security and cybersecurity |
|---|
| 29 | 29 | | controls for supply chain risk management of cybersecurity systems |
|---|
| 30 | 30 | | used by utilities, which may include, as applicable, best practices |
|---|
| 31 | 31 | | related to: |
|---|
| 32 | 32 | | (A) software integrity and authenticity; |
|---|
| 33 | 33 | | (B) vendor risk management and procurement |
|---|
| 34 | 34 | | controls, including notification by vendors of incidents related to |
|---|
| 35 | 35 | | the vendor's products and services; and |
|---|
| 36 | 36 | | (C) vendor remote access; |
|---|
| 37 | 37 | | (3) develop models, assessments, and auditing |
|---|
| 38 | 38 | | procedures for a utility to self-assess physical security and |
|---|
| 39 | 39 | | cybersecurity; and |
|---|
| 40 | 40 | | (4) provide opportunities for utilities to share with |
|---|
| 41 | 41 | | each other best practices for and information on physical security |
|---|
| 42 | 42 | | and cybersecurity. |
|---|
| 43 | 43 | | SECTION 4. Section 39.151(o), Utilities Code, is amended to |
|---|
| 44 | 44 | | read as follows: |
|---|
| 45 | 45 | | (o) An independent organization certified by the commission |
|---|
| 46 | 46 | | under this section shall: |
|---|
| 47 | 47 | | (1) conduct internal physical security and |
|---|
| 48 | 48 | | cybersecurity risk assessment, vulnerability testing, and employee |
|---|
| 49 | 49 | | training to the extent the independent organization is not |
|---|
| 50 | 50 | | otherwise required to do so under applicable state and federal |
|---|
| 51 | 51 | | physical security, cybersecurity, and information security laws; |
|---|
| 52 | 52 | | and |
|---|
| 53 | 53 | | (2) submit a report annually to the commission on the |
|---|
| 54 | 54 | | independent organization's compliance with applicable physical |
|---|
| 55 | 55 | | security, cybersecurity, and information security laws. |
|---|
| 56 | 56 | | SECTION 5. This Act takes effect immediately if it receives |
|---|
| 57 | 57 | | a vote of two-thirds of all the members elected to each house, as |
|---|
| 58 | 58 | | provided by Section 39, Article III, Texas Constitution. If this |
|---|
| 59 | 59 | | Act does not receive the vote necessary for immediate effect, this |
|---|
| 60 | 60 | | Act takes effect September 1, 2023. |
|---|