88R2127 JCG-D
By: Campbell S.B. No. 2377
A BILL TO BE ENTITLED
AN ACT
relating to homeland security, including the creation of the Texas
Homeland Security Division in the Department of Public Safety, the
operations of the Homeland Security Council, the creation of a
homeland security fusion center, and the duties of state agencies
and local governments in preparing for, reporting, and responding
to cybersecurity breaches; providing administrative penalties;
creating criminal offenses.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. (a) The legislature finds that the federal
government's inadequate border security measures, the trafficking
of fentanyl across the borders of this state, Central America's
turn towards authoritarian regimes, China's hostile rhetoric
regarding Taiwan, and Russia's invasion of Ukraine create an
ever-changing threat landscape to the security of this state.
(b) Due to these continuous threats, this state must
continue taking serious measures to secure its critical
infrastructure, cyber networks, and border and monitor security
threats from hostile nations and non-state actors.
(c) These present and future threats require this state to
create a unified security organization under the Department of
Public Safety of the State of Texas whose sole mission is to
safeguard the people and infrastructure that make this state great.
(d) The Texas Homeland Security Division, as established by
this Act, will unify this state's security responsibilities into
one entity that reports directly to the governor and the public
safety director of the Department of Public Safety of the State of
Texas.
SECTION 2. Chapter 411, Government Code, is amended by
adding Subchapter S to read as follows:
SUBCHAPTER S. TEXAS HOMELAND SECURITY DIVISION
Sec. 411.551. DEFINITIONS. In this subchapter:
(1) "Division" means the Texas Homeland Security
Division established in the department under this subchapter.
(2) "Division director" means the director of the
Texas Homeland Security Division appointed under this subchapter.
Sec. 411.552. ESTABLISHMENT; DIRECTOR; EMPLOYEES. (a) The
Texas Homeland Security Division is established in the department.
(b) Notwithstanding Section 411.006(a)(6), the public
safety director shall appoint, with the advice and consent of the
governor, a homeland security director to manage the division.
(c) The division director may hire employees as necessary to
carry out the duties of the division.
Sec. 411.553. GENERAL DUTIES. The division shall, in
consultation with the governor:
(1) develop and implement strategic homeland security
operations; and
(2) unify governmental activities and
responsibilities related to homeland security under the direction
of the division.
Sec. 411.554. BORDER SECURITY: INTELLIGENCE. (a) The
division shall coordinate with the Texas Military Department, state
and local law enforcement agencies, federal agencies, and any other
entity the division determines appropriate to secure the
international border.
(b) In coordinating with the entities described by
Subsection (a), the division shall:
(1) collect, analyze, and provide intelligence for
each major operation to secure the international border, including
consulting with the Texas Military Department and other appropriate
agencies that collect, analyze, or provide intelligence to the
governor, the department, and other entities deployed on major
operations;
(2) make recommendations on essential tasks and
desired results for each element of a major operation;
(3) provide augmented equipment and personnel for a
major operation; and
(4) conduct periodic internal reviews of
interoperability among agencies deployed on a major operation and
make available reports on subsequent efforts to improve
interoperability.
(c) Each month, the division shall provide a report to the
governor on the major operations conducted by this state to secure
the international border.
Sec. 411.555. BORDER SECURITY: GRANT RECOMMENDATIONS. The
division shall advise the criminal justice division of the
governor's office on the allocation of grants under the prosecution
of border crime grant program established under Section 772.0071.
Sec. 411.556. CRITICAL INFRASTRUCTURE AND POWER GRID. (a)
The division shall coordinate with federal, state, and local
agencies, and any other entity the division determines appropriate,
to protect the critical infrastructure of this state and the ERCOT
power grid from remote and physical attacks, including:
(1) oil and gas infrastructure, including:
(A) oil, gas, and chemical pipelines;
(B) oil and gas drilling sites; and
(C) oil, gas, and chemical production
facilities;
(2) electrical power generating facilities,
substations, switching stations, and electrical control centers;
(3) petroleum and alumina refineries and chemical,
polymer, and rubber manufacturing facilities; and
(4) water intake structures, water treatment
facilities, wastewater treatment plants, and pump stations.
(b) In coordinating the efforts of this state to secure
critical infrastructure and the ERCOT power grid, the division
shall cooperate with the Cybersecurity and Infrastructure Security
Agency, the United States Department of Energy, and the Homeland
Security Fusion Center.
Sec. 411.557. CRITICAL INFRASTRUCTURE: INVESTIGATION OF
CERTAIN PURCHASES. The division shall investigate any purchases of
substantial portions of land or infrastructure in this state by a
designated country, as that term is defined by Section 2274.0101,
as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature,
Regular Session, 2021.
Sec. 411.558. PROHIBITED EQUIPMENT REPORTS. At least
annually, the division shall issue a report to the governor,
lieutenant governor, members of the legislature, and all state
agencies identifying equipment that the United States Department of
Defense has prohibited entities that contract with the department
of defense from using.
Sec. 411.559. CYBERSECURITY: WEBSITE FOR REPORTING THREATS
AND ATTACKS. The division shall develop a secure Internet website
that is accessible by state agencies and local governments and
permits those entities to report to the division suspected
cybersecurity threats and attacks against those entities.
Sec. 411.560. BUDGET REQUESTS. (a) Not later than April 1
of each even-numbered year, the division director shall submit to
the public safety director a request for appropriations that
estimates the cost of the division's operations.
(b) A request for appropriations described by Subsection
(a) may not be aggregated with any other appropriation request made
by the department when the request is submitted to a legislative
committee with jurisdiction over appropriations.
SECTION 3. Section 421.021, Government Code, is amended by
adding Subsection (a-1) to read as follows:
(a-1) The Homeland Security Council is composed of:
(1) the governor or the governor's designee;
(2) the lieutenant governor or the lieutenant
governor's designee;
(3) the director of the Texas Homeland Security
Division of the Department of Public Safety; and
(4) other persons appointed by the governor or
lieutenant governor.
SECTION 4. Section 421.023, Government Code, is amended by
amending Subsections (c) and (d) and adding Subsection (f) to read
as follows:
(c) The governor shall designate the director of the Texas
Homeland Security Division of the Department of Public Safety as
the presiding officer of the council.
(d) The council shall meet at the call of the presiding
officer [governor] and shall meet at least once each quarter in a
calendar year.
(f) The presiding officer shall appoint a secretary, who may
be a member of the council, to record meeting minutes and
attendance.
SECTION 5. Section 421.024, Government Code, is amended to
read as follows:
Sec. 421.024. DUTIES. The council shall advise the
governor on:
(1) the implementation of the governor's homeland
security strategy by state and local agencies and provide specific
suggestions for helping those agencies implement the strategy;
[and]
(2) recommendations from the Texas Homeland Security
Division of the Department of Public Safety on improving the
security of this state; and
(3) other matters related to the planning,
development, coordination, and implementation of initiatives to
promote the governor's homeland security strategy.
SECTION 6. Chapter 421, Government Code, is amended by
adding Subchapter E-1 to read as follows:
SUBCHAPTER E-1. HOMELAND SECURITY FUSION CENTER
Sec. 421.0901. DEFINITIONS. In this subchapter:
(1) "Board" means the oversight board of the homeland
security fusion center.
(2) "Director" means the director of the Texas
Homeland Security Division of the Department of Public Safety.
Sec. 421.0902. HOMELAND SECURITY FUSION CENTER. (a) From
funds available for this purpose, the director may:
(1) establish the homeland security fusion center; and
(2) hire employees to operate the homeland security
fusion center.
(b) The homeland security fusion center shall:
(1) collect, receive, generate, and disseminate
intelligence critical for homeland security policy and homeland
security activities in this state, including the issuance of
relevant threat warnings;
(2) promote and improve intelligence sharing:
(A) among public safety and public service
agencies at the federal, state, local, and tribal levels; and
(B) with entities in the private sector operating
critical infrastructure and other key resources;
(3) otherwise support federal, state, local, and
tribal agencies and private organizations in preventing, preparing
for, responding to, and recovering from homeland security threats
and attacks; and
(4) maintain intelligence collected, received, or
generated in compliance with applicable state and federal law and
in a secure manner, including:
(A) providing appropriate security for a
facility that contains sensitive information;
(B) compartmentalizing sensitive information;
and
(C) adopting appropriate internal procedures for
the security of the facility and the information.
Sec. 421.0903. OVERSIGHT BOARD; QUALIFICATIONS; RULES. (a)
If the homeland security fusion center is established under Section
421.0902, there is also established an oversight board that shall
govern the operations of the homeland security fusion center.
(b) The board is composed of:
(1) the director;
(2) the adjutant general; and
(3) other persons appointed by the director.
(c) The director serves as the chair of the board and the
adjutant general serves as the vice chair.
(d) A member of the board must have and maintain a secret
security clearance granted by the United States government. A
person who has applied for a secret security clearance and has been
granted an interim secret security clearance may serve as a member
of the board but may not be given access to classified information,
participate in a briefing involving classified information, or vote
on an issue involving classified information before the person is
granted a secret security clearance.
(e) The board may adopt rules, policies, and procedures for
the operation of the homeland security fusion center.
Sec. 421.0904. GIFTS, GRANTS, AND DONATIONS; DEDICATED
ACCOUNT. (a) The homeland security fusion center may accept gifts,
grants, and donations of any kind from any public or private source,
including services or property, for the purpose of paying the costs
to establish, maintain, or operate the homeland security fusion
center.
(b) The homeland security fusion center shall remit all
amounts received under this section to the comptroller. The
comptroller shall deposit the amounts to the credit of an account in
the general revenue fund that may be appropriated only to the
Department of Public Safety to provide funding for establishing,
maintaining, or operating the homeland security fusion center.
(c) The board must approve expenditures made for the
purposes described by Subsection (b).
Sec. 421.0905. ADMINISTRATIVE SUPPORT. The Texas Homeland
Security Division of the Department of Public Safety shall provide
administrative support for the homeland security fusion center and
the board, including securely maintaining the records of the board.
SECTION 7. Section 2054.077(d), Government Code, is amended
to read as follows:
(d) The information security officer shall provide an
electronic copy of the vulnerability report on its completion to:
(1) the Texas Homeland Security Division of the
Department of Public Safety;
(2) the department;
(3) [(2)] the state auditor;
(4) [(3)] the agency's executive director;
(5) [(4)] the agency's designated information
resources manager; and
(6) [(5)] any other information technology security
oversight group specifically authorized by the legislature to
receive the report.
SECTION 8. Section 2054.1125, Government Code, is amended
by amending Subsection (b) and adding Subsections (d) and (e) to
read as follows:
(b) A state agency that owns, licenses, or maintains
computerized data that includes sensitive personal information,
confidential information, or information the disclosure of which is
regulated by law shall, in the event of a breach or suspected breach
of system security or an unauthorized exposure of that information:
(1) comply with the notification requirements of
Section 521.053, Business & Commerce Code, to the same extent as a
person who conducts business in this state; and
(2) not later than 48 hours after the discovery of the
breach, suspected breach, or unauthorized exposure, notify:
(A) the Texas Homeland Security Division of the
Department of Public Safety;
(B) the department, including the chief
information security officer; and
(C) [or (B)] if the breach, suspected breach, or
unauthorized exposure involves election data, the secretary of
state.
(d) The Texas Homeland Security Division of the Department
of Public Safety shall notify the governor of any breach or
suspected breach reported to the division under this section.
(e) The administrative head of a state agency commits an
offense if the person intentionally or knowingly fails to notify
the Texas Homeland Security Division of the Department of Public
Safety of a breach, suspected breach, or unauthorized exposure, as
required by Subsection (b)(2)(A). An offense under this subsection
is a Class C misdemeanor.
SECTION 9. Section 2054.133(f), Government Code, is amended
to read as follows:
(f) Not later than November 15 of each even-numbered year,
the department shall submit a written report to the governor, the
lieutenant governor, and each standing committee of the legislature
with primary jurisdiction over matters related to the department
evaluating information security for this state's information
resources. In preparing the report, the department shall consider
the information security plans submitted by state agencies under
this section, any vulnerability reports submitted under Section
2054.077, any relevant information provided by the Texas Homeland
Security Division of the Department of Public Safety, and other
available information regarding the security of this state's
information resources. The department shall omit from any written
copies of the report information that could expose specific
vulnerabilities in the security of this state's information
resources.
SECTION 10. Section 2054.511, Government Code, is amended
to read as follows:
Sec. 2054.511. CYBERSECURITY COORDINATOR. (a) The
executive director shall designate an employee of the department as
the state cybersecurity coordinator to oversee cybersecurity
matters for this state.
(b) The director of the Texas Homeland Security Division of
the Department of Public Safety and the cybersecurity coordinator
shall jointly improve the efficacy and efficiency of this state's
response to and investigations of cyber attacks occurring in this
state.
SECTION 11. Section 2054.512(b), Government Code, is
amended to read as follows:
(b) The cybersecurity council must include:
(1) one member who is an employee of the office of the
governor;
(2) one member of the senate appointed by the
lieutenant governor;
(3) one member of the house of representatives
appointed by the speaker of the house of representatives;
(4) the director of the Texas Homeland Security
Division of the Department of Public Safety;
(5) one member who is an employee of the Elections
Division of the Office of the Secretary of State; and
(6) [(5)] additional members appointed by the state
cybersecurity coordinator, including representatives of
institutions of higher education and private sector leaders.
SECTION 12. Section 2054.515(b), Government Code, as
amended by Chapters 567 (S.B. 475) and 856 (S.B. 800), Acts of the
87th Legislature, Regular Session, 2021, is reenacted and amended
to read as follows:
(b) Not later than December 1 of the year [November 15 of
each even-numbered year] in which a state agency conducts the
assessment under Subsection (a) or the 60th day after the date the
agency completes the assessment, whichever occurs first, the agency
shall report the results of the assessment to:
(1) the Texas Homeland Security Division of the
Department of Public Safety;
(2) the department; and
(3) [(2)] on request, the governor, the lieutenant
governor, and the speaker of the house of representatives.
SECTION 13. Section 2054.518(a), Government Code, is
amended to read as follows:
(a) In consultation with the Texas Homeland Security
Division of the Department of Public Safety, the [The] department
shall develop a plan to address cybersecurity risks and incidents
in this state. The department may enter into an agreement with a
national organization, including the National Cybersecurity
Preparedness Consortium, to support the department's efforts in
implementing the components of the plan for which the department
lacks resources to address internally. The agreement may include
provisions for:
(1) providing technical assistance services to
support preparedness for and response to cybersecurity risks and
incidents;
(2) conducting cybersecurity simulation exercises for
state agencies to encourage coordination in defending against and
responding to cybersecurity risks and incidents;
(3) assisting state agencies in developing
cybersecurity information-sharing programs to disseminate
information related to cybersecurity risks and incidents; and
(4) incorporating cybersecurity risk and incident
prevention and response methods into existing state emergency
plans, including continuity of operation plans and incident
response plans.
SECTION 14. Subchapter F, Chapter 2270, Government Code, is
amended by adding Section 2270.0254 to read as follows:
Sec. 2270.0254. ADMINISTRATIVE PENALTY. The Department of
Public Safety may impose an administrative penalty in the same
manner and using the same procedures as Subchapter R, Chapter 411,
against a person who violates this chapter.
SECTION 15. Chapter 2274, Government Code, as added by
Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular
Session, 2021, is amended by adding Section 2274.0104 to read as
follows:
Sec. 2274.0104. ADMINISTRATIVE PENALTY. The Department of
Public Safety may impose an administrative penalty in the same
manner and using the same procedures as Subchapter R, Chapter 411,
against a person who violates this chapter.
SECTION 16. Section 205.010(a), Local Government Code, is
amended by adding Subdivision (1-a) to read as follows:
(1-a) "Local government" means a municipality,
county, special district or authority, or any other political
subdivision of this state.
SECTION 17. Section 205.010, Local Government Code, is
amended by adding Subsections (c), (d), and (e) to read as follows:
(c) In addition to notifying the attorney general under
Section 521.053, Business & Commerce Code, of a breach of system
security, the local government shall report the breach to the Texas
Homeland Security Division of the Department of Public Safety. The
division shall notify the governor of a breach of system security
reported to the division under this section.
(d) Not later than the 10th business day after the date of
the eradication, closure, and recovery from a breach, a local
government shall notify the Department of Information Resources,
including the chief information security officer, of the details of
the event and include in the notification an analysis of the cause
of the event.
(e) The administrative head of a local government commits an
offense if the person intentionally or knowingly fails to notify
the Texas Homeland Security Division of the Department of Public
Safety of a breach of system security as required by Subsection (c).
An offense under this subsection is a Class C misdemeanor.
SECTION 18. (a) Section 421.021(a), Government Code, as
amended by Chapters 93 (S.B. 686), 616 (S.B. 1393), and 1217 (S.B.
1536), Acts of the 83rd Legislature, Regular Session, 2013, is
repealed.
(b) Section 421.021(c), Government Code, is repealed.
SECTION 19. As soon as practicable after the Texas Homeland
Security Division of the Department of Public Safety of the State of
Texas is established, the division shall notify each state agency
and local government of the requirements to notify the division of a
breach of system security under Section 2054.1125, Government Code,
as amended by this Act, and Section 205.010, Local Government Code,
as amended by this Act, including the criminal penalties that may be
imposed for failure to comply with those requirements.
SECTION 20. It is the intent of the 88th Legislature,
Regular Session, 2023, that the amendments made by this Act be
harmonized with another Act of the 88th Legislature, Regular
Session, 2023, relating to nonsubstantive additions to and
corrections in enacted codes.
SECTION 21. This Act takes effect September 1, 2023.