Texas 2023 88th Regular

Texas Senate Bill SB1204 House Committee Report / Bill

Filed 05/17/2023

By: Paxton, et al. (House sponsor: Capriglione)    S.B. No. 1204


 A BILL TO BE ENTITLED
 AN ACT
 relating to state and local government information technology and
 information security.
 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
 SECTION 1.  Section 2054.003, Government Code, is amended by
 adding Subdivisions (11) and (11-a) to read as follows:
 (11)  "Peer-to-peer payment" means a transfer of funds
 using a peer-to-peer payment system.
 (11-a)  "Peer-to-peer payment system" means a digital
 non-credit card system used for transferring funds from one party
 to another.
 SECTION 2.  The heading to Section 2054.0594, Government
 Code, is amended to read as follows:
 Sec. 2054.0594.  INFORMATION SHARING AND ANALYSIS
 ORGANIZATIONS [ORGANIZATION].
 SECTION 3.  Section 2054.0594, Government Code, is amended
 by amending Subsections (a), (b), and (c) and adding Subsection
 (a-1) to read as follows:
 (a)  The department shall establish an intrastate
 information sharing and analysis organization to provide a forum
 for state agencies, local governments, public and private
 institutions of higher education, and [the] private sector entities
 in this state to share information regarding cybersecurity threats,
 best practices, and remediation strategies.
 (a-1)  The department may establish an interstate
 information sharing and analysis organization to provide a forum
 for states to share information regarding cybersecurity threats,
 best practices, and remediation strategies.
 (b)  The department shall provide administrative support to
 each [the] information sharing and analysis organization
 established under this section.
 (c)  A participant in an [the] information sharing and
 analysis organization established under this section shall assert
 any exception available under state or federal law, including
 Section 552.139, in response to a request for public disclosure of
 information shared through the organization. Section 552.007 does
 not apply to information described by this subsection.
 SECTION 4.  Section 2054.060, Government Code, is amended by
 adding Subsection (a-1) to read as follows:
 (a-1)  Unless expressly prohibited by other law or a rule
 adopted by the state agency, a state agency shall accept a digital
 signature included in any communication or payment electronically
 delivered to the state agency.
 SECTION 5.  The heading to Section 2054.068, Government
 Code, is amended to read as follows:
 Sec. 2054.068.  STATE AGENCY INFORMATION TECHNOLOGY
 INFRASTRUCTURE: INFORMATION SECURITY RATING; AUDIT; REPORT.
 SECTION 6.  Section 2054.068, Government Code, is amended by
 amending Subsections (b), (c), and (d) and adding Subsections
 (c-1), (c-2), (c-3), (c-4), (e-1), (e-2), and (e-3) to read as
 follows:
 (b)  The department shall collect from each state agency
 information on the status and condition of the agency's information
 technology infrastructure, including [information regarding]:
 (1)  information on the agency's information security
 program;
 (2)  an inventory of the agency's servers, mainframes,
 cloud services, and other information technology equipment;
 (3)  identification information for [of] vendors that
 operate and manage the agency's information technology
 infrastructure; [and]
 (4)  the results of the information security assessment
 required by Section 2054.515; and
 (5)  any additional related information requested by
 the department.
 (c)  A state agency shall provide the information required by
 Subsection (b) to the department not later than June 1 of each
 even-numbered year [according to a schedule determined by the
 department].
 (c-1)  The department shall assign to each state agency,
 other than an institution of higher education, one of the following
 information security ratings based on the agency's information
 security risk profile:
 (1)  above average;
 (2)  average; or
 (3)  below average.
 (c-2)  In assigning an information security rating to a state
 agency under Subsection (c-1), the department shall consider:
 (1)  the information the agency provides under
 Subsection (b);
 (2)  the agency's comprehensive information security
 risk position relative to the agency's risk environment; and
 (3)  any additional document or information the
 department requests from the agency.
 (c-3)  The department:
 (1)  shall develop options and make recommendations for
 improvements in the information security maturity of any state
 agency assigned an information security rating of below average
 under Subsection (c-1); and
 (2)  may assist any state agency in determining whether
 additional security measures would increase the agency's
 information security maturity.
 (c-4)  The department may audit the information security and
 technology of any state agency assigned an information security
 rating under Subsection (c-1) or contract with a vendor to perform
 the audit. The department shall make available on request by any
 person listed in Subsection (d) the results of an audit conducted
 under this subsection.
 (d)  Not later than November 15 of each even-numbered year,
 the department shall submit to the governor, chair of the house
 appropriations committee, chair of the senate finance committee,
 speaker of the house of representatives, lieutenant governor, and
 staff of the Legislative Budget Board:
 (1)  a consolidated report of the information submitted
 by state agencies under Subsection (b); and
 (2)  any department recommendations relevant to and
 necessary for improving this state's information technology
 infrastructure and information security.
 (e-1)  The department shall compile a summary of the
 consolidated report required under Subsection (d) and make the
 summary available to the public. The summary may not disclose any
 confidential information.
 (e-2)  The consolidated report required under Subsection (d)
 and all information a state agency submits to substantiate or
 otherwise related to the report are confidential and not subject to
 disclosure under Chapter 552. The state agency or the department
 may redact or withhold information as confidential under Chapter
 552 without requesting a decision from the attorney general under
 Subchapter G, Chapter 552.
 (e-3)  Following review of the consolidated report, the
 Legislative Budget Board may direct the department to select for
 participation in a statewide technology center established under
 Subchapter L any state agency assigned an information security
 rating under Subsection (c-1). The department shall notify each
 selected state agency of the agency's selection as required by
 Section 2054.385. The department is not required to conduct the
 cost and requirements analysis under Section 2054.384 for a state
 agency selected for participation under this subsection. This
 subsection expires September 1, 2027.
 SECTION 7.  Subchapter C, Chapter 2054, Government Code, is
 amended by adding Section 2054.0692 to read as follows:
 Sec. 2054.0692.  GUIDANCE ON USE OF DISTRIBUTED LEDGER
 TECHNOLOGY. (a) The department shall develop and disseminate
 guidance for the use of distributed ledger technology, including
 blockchain, among state agencies.
 (b)  The guidance must include a framework or model for
 deciding if distributed ledger technology is appropriate for
 meeting a state agency's needs. The guidance may include:
 (1)  examples of potential uses of distributed ledger
 technology by an agency;
 (2)  sample procurement and contractual language; and
 (3)  information on educational resources for agencies
 on distributed ledger technology.
 SECTION 8.  Section 2054.095(b), Government Code, is amended
 to read as follows:
 (b)  Except as otherwise modified by the Legislative Budget
 Board or the governor, instructions under Subsection (a) must
 require each state agency's strategic plan to include:
 (1)  a description of the agency's information
 resources management organizations, policies, and practices,
 including the extent to which the agency uses its project
 management practices, as defined by Section 2054.152;
 (2)  a description of how the agency's information
 resources programs support and promote its mission, goals, and
 objectives and the goals and policies of the state strategic plan
 for information resources; [and]
 (3)  a description of customer service technology,
 including telephone systems and websites, that improves customer
 service performance; and
 (4)  other planning components that the department may
 prescribe.
 SECTION 9.  Section 2054.1115, Government Code, is amended
 by amending Subsection (a) and adding Subsection (c) to read as
 follows:
 (a)  A state agency or local government that uses the state
 electronic Internet portal may use electronic payment methods,
 including the acceptance of peer-to-peer payments, credit cards,
 and debit cards, for:
 (1)  point-of-sale transactions, including:
 (A)  person-to-person transactions;
 (B)  transactions that use an automated process to
 facilitate a person-to-person transaction; and
 (C)  transactions completed by a person at an
 unattended self-standing computer station using an automated
 process;
 (2)  telephone transactions; or
 (3)  mail transactions.
 (c)  The department shall identify at least three commonly
 used peer-to-peer payment systems that provide for data privacy and
 financial security and post a list containing those systems in a
 conspicuous location on the department's Internet website. The
 department shall biennially review and, if necessary, update the
 list required under this subsection.
 SECTION 10.  Section 2054.136, Government Code, is amended
 to read as follows:
 Sec. 2054.136.  DESIGNATED INFORMATION SECURITY OFFICER.
 (a) Each state agency shall designate an information security
 officer who:
 (1)  reports to the agency's executive-level
 management;
 (2)  has authority over information security for the
 entire agency;
 (3)  possesses the training and experience required to
 perform the duties required by department rules; and
 (4)  to the extent feasible, has information security
 duties as the officer's primary duties.
 (b)  An employee designated under Subsection (a) may be
 designated to serve as a joint information security officer by two
 or more state agencies. The department must approve the joint
 designation.
 SECTION 11.  Subchapter L, Chapter 2054, Government Code, is
 amended by adding Section 2054.393 to read as follows:
 Sec. 2054.393.  MARKETING OF SERVICES. (a) Notwithstanding
 Section 2113.011 and subject to Subsection (b), the department may
 use appropriated money to market to state agencies and local
 governments shared information resources technology services
 offered by the department under this subchapter, including data
 center, disaster recovery, and cybersecurity services.
 (b)  An expenditure of money under this section must be
 approved by the executive director.
 SECTION 12.  The heading to Section 2054.515, Government
 Code, is amended to read as follows:
 Sec. 2054.515.  STATE AGENCY INFORMATION SECURITY
 ASSESSMENT [AND REPORT].
 SECTION 13.  Sections 2054.515(a), (c), and (d), Government
 Code, are amended to read as follows:
 (a)  At least once every two years, each state agency shall
 conduct an information security assessment of the agency's[:
 [(1)]  information resources systems, network systems,
 digital data storage systems, digital data security measures, and
 information resources vulnerabilities[; and
 [(2)  data governance program with participation from
 the agency's data management officer, if applicable, and in
 accordance with requirements established by department rule].
 (c)  Each state agency shall complete the information
 security assessment in consultation with the department or the
 vendor the department selects and submit the results of the
 assessment to the department in accordance with Section 2054.068(b)
 [The department by rule shall establish the requirements for the
 information security assessment and report required by this
 section].
 (d)  All [The report and all] documentation related to the
 information security assessment is [and report are] confidential
 and not subject to disclosure under Chapter 552. The state agency
 or department may redact or withhold the information as
 confidential under Chapter 552 without requesting a decision from
 the attorney general under Subchapter G, Chapter 552.
 SECTION 14.  Section 2054.577(c), Government Code, is
 amended to read as follows:
 (c)  Money in the fund:
 (1)  may be used to improve and modernize state agency
 information resources, including legacy system projects and
 cybersecurity projects; [and]
 (2)  may be used to mitigate a breach or suspected
 breach of system security, as defined by Section 521.053, Business &
 Commerce Code, or the introduction of ransomware, as defined by
 Section 33.023, Penal Code, into a computer, computer network, or
 computer system at a state agency;
 (3)  may not be used to replace money appropriated to a
 state agency for the purposes of operating and maintaining state
 agency information resources or reduce the amount of money
 appropriated to a state agency for those purposes; and
 (4)  may not be used to pay a person who commits the
 offense of electronic data tampering punishable under Section
 33.023, Penal Code.
 SECTION 15.  Chapter 2056, Government Code, is amended by
 adding Section 2056.0023 to read as follows:
 Sec. 2056.0023.  INFORMATION TECHNOLOGY MODERNIZATION PLAN.
 (a) As part of the strategic plan required under Section 2056.002,
 a state agency shall include an information technology
 modernization plan that outlines the manner in which the agency
 intends to transition its information technology and data-related
 services and capabilities into a more modern, integrated, secure,
 and effective technological environment.
 (b)  The Department of Information Resources may provide a
 template for the information technology modernization plan
 required by this section.
 SECTION 16.  The following provisions are repealed:
 (1)  Section 2054.068(f), Government Code; and
 (2)  Section 2054.515(b), Government Code, as amended
 by Chapters 567 (S.B. 475) and 856 (S.B. 800), Acts of the 87th
 Legislature, Regular Session, 2021.
 SECTION 17.  The Department of Information Resources shall
 develop and disseminate the guidance and decision model required by
 Section 2054.0692, Government Code, as added by this Act, not later
 than December 1, 2023.
 SECTION 18.  This Act takes effect September 1, 2023.