By: Parker, Paxton S.B. No. 2358
A BILL TO BE ENTITLED
AN ACT
relating to security procedures for digital applications that pose
a network security risk to state agencies.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Chapter 2054, Government Code, is amended by
adding Subchapter S to read as follows:
SUBCHAPTER S. DIGITAL APPLICATION SECURITY PROCEDURES
Sec. 2054.621. DEFINITIONS. In this subchapter:
(1) "Digital application" means an Internet website or
application that is open to the public, allows a user to create an
account, and enables a user to communicate with other users by
posting information, comments, messages, images, or video. The
term does not include:
(A) an Internet service provider, as defined by
Section 324.055, Business & Commerce Code;
(B) e-mail; or
(C) an online service, application, or Internet
website:
(i) that consists primarily of news,
sports, entertainment, or other content preselected by the provider
that is not user generated; and
(ii) for which any chat, comment, or
interactive functionality is incidental to, directly related to, or
dependent on provision of the content described by Subparagraph
(i).
(2) "Network security" has the meaning assigned by
Section 2059.001.
(3) "User" means a person who posts, uploads,
transmits, shares, or otherwise publishes or receives content
through a digital application.
Sec. 2054.622. DIGITAL APPLICATION SECURITY RISK LIST. The
department shall:
(1) compile, maintain, and annually update a list of
digital applications that create a network security risk to state
agencies;
(2) limit or prohibit the placement and use of digital
applications on the list under Subdivision (1) on:
(A) state-owned cell phones, computers, and
other communication devices; and
(B) personal communication devices of state
agency employees that are used in the agency's office or other
workplace; and
(3) post the list under Subdivision (1) on a publicly
accessible web page on the department's Internet website.
Sec. 2054.623. DIGITAL APPLICATION SECURITY MODEL POLICY
FOR STATE AGENCIES. The department shall develop, maintain, and
periodically update a model policy for state agencies to use under
Section 2054.624 in limiting or prohibiting the placement and use
on communication devices of the digital applications included on
the list compiled under Section 2054.622.
Sec. 2054.624. STATE AGENCY DIGITAL APPLICATION SECURITY
POLICY. (a) Each state agency shall develop, implement, and
periodically update a policy limiting or prohibiting the placement
and use of digital applications included on the list compiled under
Section 2054.622 on:
(1) state-owned cell phones, computers, and other
communication devices; and
(2) personal communication devices of state agency
employees that are used in the agency's office or other workplace.
(b) Each state agency shall submit to the department a copy
of the policy required under Subsection (a) and updates to the
policy.
(c) The department:
(1) may offer recommendations for improvements to
submitted policies;
(2) shall retain each copy and update submitted under
Subsection (b); and
(3) shall notify each member of the legislature and
the governor when a state agency submits a policy or update.
Sec. 2054.625. DISCLOSURE EXEMPTION. The model policy and
state agency policies developed under this subchapter are exempt
from disclosure under Chapter 552.
Sec. 2054.626. RULEMAKING AUTHORITY. The department may
adopt rules to implement this subchapter.
SECTION 2. (a) As soon as practicable after the effective
date of this Act, but not later than January 1, 2024, the Department
of Information Resources shall develop the digital application
security risk list and model policy as required by Subchapter S,
Chapter 2054, Government Code, as added by this Act.
(b) A state agency is not required to comply with Section
2054.624, Government Code, as added by this Act, until May 1, 2024.
SECTION 3. This Act takes effect September 1, 2023.