Texas 2025 - 89th Regular

Texas House Bill HB150 Compare Versions

Old New Differences
1-By: Capriglione, Bonnen, Hefner, Lujan, H.B. No. 150
1+89R20783 LRM-F
2+ By: Capriglione, Hefner, Lujan, H.B. No. 150
23 Lopez of Bexar, et al.
3-
4-
4+ Substitute the following for H.B. No. 150:
5+ By: Troxclair C.S.H.B. No. 150
56
67
78 A BILL TO BE ENTITLED
89 AN ACT
910 relating to the establishment of the Texas Cyber Command as a
1011 component institution of The University of Texas System and the
1112 transfer to it of certain powers and duties of the Department of
1213 Information Resources.
1314 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
1415 SECTION 1. Subtitle B, Title 10, Government Code, is
1516 amended by adding Chapter 2063 to read as follows:
1617 CHAPTER 2063. TEXAS CYBER COMMAND
1718 SUBCHAPTER A. GENERAL PROVISIONS
1819 Sec. 2063.001. DEFINITIONS. In this chapter:
1920 (1) "Chief" means the chief of the Texas Cyber
2021 Command.
2122 (2) "Command" means the Texas Cyber Command
2223 established under this chapter.
2324 (3) "Covered entity" means a private entity operating
2425 critical infrastructure or a local government that the command
2526 contracts with in order to provide cybersecurity services under
2627 this chapter.
2728 (4) "Critical infrastructure" means infrastructure in
2829 this state vital to the security, governance, public health and
2930 safety, economy, or morale of the state or the nation, including:
3031 (A) chemical facilities;
3132 (B) commercial facilities;
3233 (C) communication facilities;
3334 (D) manufacturing facilities;
3435 (E) dams;
3536 (F) defense industrial bases;
3637 (G) emergency services systems;
3738 (H) energy facilities;
3839 (I) financial services systems;
3940 (J) food and agriculture facilities;
4041 (K) government facilities;
4142 (L) health care and public health facilities;
4243 (M) information technology and information
4344 technology systems;
4445 (N) nuclear reactors, materials, and waste;
4546 (O) transportation systems; or
4647 (P) water and wastewater systems.
4748 (5) "Cybersecurity" means the measures taken for a
4849 computer, computer network, computer system, or other technology
4950 infrastructure to protect against, respond to, and recover from
5051 unauthorized:
5152 (A) use, access, disruption, modification, or
5253 destruction; or
5354 (B) disclosure, modification, or destruction of
5455 information.
5556 (6) "Cybersecurity incident" includes:
5657 (A) a breach or suspected breach of system
5758 security as defined by Section 521.053, Business & Commerce Code;
5859 (B) the introduction of ransomware, as defined by
5960 Section 33.023, Penal Code, into a computer, computer network, or
6061 computer system; or
6162 (C) any other cybersecurity-related occurrence
6263 that jeopardizes information or an information system designated by
6364 command policy adopted under this chapter.
6465 (7) "Department" means the Department of Information
6566 Resources.
66- (8) "Governmental entity" means a state agency.
67+ (8) "Governmental entity" means this state, a state
68+ agency, or a local government.
6769 (9) "Information resources" has the meaning assigned
6870 by Section 2054.003, Government Code.
6971 (10) "Information resources technologies" has the
7072 meaning assigned by Section 2054.003.
7173 (11) "Local government" has the meaning assigned by
7274 Section 2054.003.
7375 (12) "Sensitive personal information" has the meaning
7476 assigned by Section 521.002, Business & Commerce Code.
7577 (13) "State agency" means:
7678 (A) a department, commission, board, office, or
7779 other agency that is in the executive branch of state government and
7880 that was created by the constitution or a statute;
7981 (B) the supreme court, the court of criminal
8082 appeals, a court of appeals, a district court, or the Texas Judicial
8183 Council or another agency in the judicial branch of state
8284 government; or
8385 (C) a university system or an institution of
8486 higher education as defined by Section 61.003, Education Code.
8587 Sec. 2063.002. ORGANIZATION. (a) The Texas Cyber Command
8688 is a component of The University of Texas System and
8789 administratively attached to The University of Texas at San
8890 Antonio.
8991 (b) The command is managed by a chief appointed by the
9092 governor and confirmed with the advice and consent of the senate.
9193 The chief serves at the pleasure of the governor and must possess
9294 professional training and knowledge relevant to the functions and
9395 duties of the command.
9496 (c) The command shall employ other coordinating and
9597 planning officers and other personnel necessary to the performance
9698 of its functions.
9799 (d) Under an agreement with the command, The University of
98100 Texas at San Antonio shall provide administrative support services
99101 for the command as necessary to carry out the purposes of this
100102 chapter.
101103 Sec. 2063.003. ESTABLISHMENT AND PURPOSE. (a) The command
102104 is established to prevent and respond to cybersecurity incidents
103105 that affect governmental entities and critical infrastructure in
104106 this state.
105107 (b) The command is responsible for cybersecurity for this
106108 state, including:
107109 (1) developing tools to enhance cybersecurity
108110 defenses;
109111 (2) facilitating education and training of a
110112 cybersecurity workforce;
111113 (3) developing cyber threat intelligence, monitoring
112114 information systems to detect and warn entities of cyber attacks,
113115 proactively searching for cyber threats to critical infrastructure
114116 and state systems, developing and executing cybersecurity incident
115117 responses, and conducting digital forensics of cybersecurity
116118 incidents to support law enforcement and attribute the incidents;
117119 (4) creating partnerships needed to effectively carry
118120 out the command's functions; and
119121 (5) receiving all cybersecurity incident reports from
120122 state agencies and covered entities.
121123 Sec. 2063.004. GENERAL POWERS AND DUTIES. (a) The command
122124 shall:
123125 (1) promote public awareness of cybersecurity issues;
124126 (2) develop cybersecurity best practices and minimum
125127 standards for governmental entities;
126128 (3) develop and provide training to state agencies and
127129 covered entities on cybersecurity measures and awareness;
128130 (4) administer the cybersecurity threat intelligence
129131 center under Section 2063.201;
130132 (5) provide support to state agencies and covered
131133 entities experiencing a cybersecurity incident and respond to
132134 cybersecurity reports received under Subchapter D and other reports
133135 as appropriate;
134136 (6) administer the digital forensics laboratory under
135137 Section 2063.203;
136138 (7) administer a statewide portal for enterprise
137139 cybersecurity threat, risk, and incident management, and operate a
138140 cybersecurity hotline available for state agencies and covered
139141 entities 24 hours a day, seven days a week;
140142 (8) collaborate with law enforcement agencies to
141143 provide training and support related to cybersecurity incidents;
142144 (9) serve as a clearinghouse for information relating
143145 to all aspects of protecting the cybersecurity of governmental
144146 entities, including sharing appropriate intelligence and
145147 information with governmental entities, federal agencies, and
146148 covered entities;
147149 (10) collaborate with the department to ensure
148150 information resources and information resources technologies
149151 obtained by the department meet the cybersecurity standards and
150152 requirements established under this chapter;
151153 (11) offer cybersecurity resources to state agencies
152154 and covered entities as determined by the command;
153155 (12) adopt policies to ensure state agencies implement
154156 sufficient cybersecurity measures to defend information resources,
155157 information resources technologies, and sensitive personal
156158 information maintained by the agencies; and
157159 (13) collaborate with federal agencies to protect
158160 against, respond to, and recover from cybersecurity incidents.
159161 (b) The command may:
160162 (1) adopt and enforce rules necessary to carry out
161163 this chapter;
162164 (2) adopt and use an official seal;
163165 (3) establish ad hoc advisory committees as necessary
164166 to carry out the command's duties under this chapter;
165167 (4) acquire and convey property or an interest in
166168 property;
167169 (5) procure insurance and pay premiums on insurance of
168170 any type, in accounts, and from insurers as the command considers
169171 necessary and advisable to accomplish any of the command's duties;
170172 (6) hold patents, copyrights, trademarks, or other
171173 evidence of protection or exclusivity issued under the laws of the
172174 United States, any state, or any nation and may enter into license
173175 agreements with any third parties for the receipt of fees,
174176 royalties, or other monetary or nonmonetary value; and
175177 (7) solicit and accept gifts, grants, donations, or
176178 loans from and contract with any entity to accomplish the command's
177179 duties.
178180 (c) Except as otherwise provided by this chapter, the
179181 command shall deposit money paid to the command under this chapter
180182 in the state treasury to the credit of the general revenue fund.
181183 Sec. 2063.005. COST RECOVERY. The command shall recover
182184 the cost of providing direct technical assistance, training
183185 services, and other services to covered entities when reasonable
184186 and practical.
185187 Sec. 2063.007. EMERGENCY PURCHASING. In the event the
186188 emergency response to a cybersecurity incident requires the command
187189 to purchase an item, the command is exempt from the requirements of
188190 Sections 2155.0755, 2155.083, and 2155.132(c) in making the
189191 purchase.
190192 Sec. 2063.008. RULES. The chief may adopt rules necessary
191193 for carrying out the purposes of this chapter.
192194 Sec. 2063.009. APPLICATION OF SUNSET ACT. The command is
193195 subject to Chapter 325 (Texas Sunset Act). Unless continued in
194196 existence as provided by that chapter, the command is abolished
195197 September 1, 2031.
196198 SUBCHAPTER B. MINIMUM STANDARDS AND TRAINING
197199 Sec. 2063.101. BEST PRACTICES AND MINIMUM STANDARDS FOR
198200 CYBERSECURITY AND TRAINING. (a) The command shall develop and
199201 annually assess best practices and minimum standards for use by
200202 governmental entities to enhance the security of information
201203 resources in this state.
202204 (b) The command shall establish and periodically assess
203205 mandatory cybersecurity training that must be completed by all
204206 information resources employees of state agencies. The command
205207 shall consult with the Information Technology Council for Higher
206208 Education established under Section 2054.121 regarding applying
207209 the training requirements to employees of institutions of higher
208210 education.
209- (c) Except as otherwise provided by this subsection, the
210- command shall adopt policies to ensure governmental entities are
211- complying with the requirements of this section. The command shall
212- adopt policies that ensure that a person who is not a citizen of the
213- United States may not be a member, employee, contractor, volunteer,
214- or otherwise affiliated with the command or any entity or
215- organization established or operated by the command under this
216- chapter.
211+ (c) The command shall adopt policies to ensure governmental
212+ entities are complying with the requirements of this section.
217213 SUBCHAPTER C. CYBERSECURITY PREVENTION, RESPONSE, AND RECOVERY
218214 Sec. 2063.201. CYBERSECURITY THREAT INTELLIGENCE CENTER.
219215 (a) In this section, "center" means the cybersecurity threat
220216 intelligence center established under this section.
221217 (b) The command shall establish a cybersecurity threat
222218 intelligence center. The center shall collaborate with federal
223219 cybersecurity intelligence and law enforcement agencies to achieve
224220 the purposes of this section.
225221 (c) The center, in coordination with the digital forensics
226222 laboratory under Section 2063.203, shall:
227223 (1) operate the information sharing and analysis
228224 organization established under Section 2063.204; and
229225 (2) provide strategic guidance to regional security
230226 operations centers established under Subchapter G and the
231227 cybersecurity incident response unit under Section 2063.202 to
232228 assist governmental entities in responding to a cybersecurity
233229 incident.
234230 (d) The chief shall employ a director for the center.
235231 Sec. 2063.202. CYBERSECURITY INCIDENT RESPONSE UNIT. (a)
236232 The command shall establish a dedicated cybersecurity incident
237233 response unit to:
238234 (1) detect and contain cybersecurity incidents in
239235 collaboration with the cybersecurity threat intelligence center
240236 under Section 2063.201;
241237 (2) engage in threat neutralization as necessary and
242238 appropriate, including removing malware, disallowing unauthorized
243239 access, and patching vulnerabilities in information resources
244240 technologies;
245241 (3) in collaboration with the digital forensics
246242 laboratory under Section 2063.203, undertake mitigation efforts if
247243 sensitive personal information is breached during a cybersecurity
248244 incident;
249245 (4) loan resources to state agencies and covered
250246 entities to promote continuity of operations while the agency or
251247 entity restores the systems affected by a cybersecurity incident;
252248 (5) assist in the restoration of information resources
253249 and information resources technologies after a cybersecurity
254250 incident and conduct post-incident monitoring;
255251 (6) in collaboration with the cybersecurity threat
256252 intelligence center under Section 2063.201 and digital forensics
257253 laboratory under Section 2063.203, identify weaknesses, establish
258254 risk mitigation options and effective vulnerability-reduction
259255 strategies, and make recommendations to state agencies and covered
260256 entities that have been the target of a cybersecurity attack or have
261257 experienced a cybersecurity incident in order to remediate
262258 identified cybersecurity vulnerabilities;
263259 (7) in collaboration with the cybersecurity threat
264260 intelligence center under Section 2063.201, the digital forensics
265261 laboratory under Section 2063.203, the Texas Division of Emergency
266262 Management, and other state agencies, conduct, support, and
267263 participate in cyber-related exercises; and
268264 (8) undertake any other activities necessary to carry
269265 out the duties described by this subsection.
270266 (b) The chief shall employ a director for the cybersecurity
271267 incident response unit.
272268 Sec. 2063.203. DIGITAL FORENSICS LABORATORY. (a) The
273269 command shall establish a digital forensics laboratory to:
274270 (1) in collaboration with the cybersecurity incident
275271 response unit under Section 2063.202, develop procedures to:
276272 (A) preserve evidence of a cybersecurity
277273 incident, including logs and communication;
278274 (B) document chains of custody; and
279275 (C) timely notify and maintain contact with the
280276 appropriate law enforcement agencies investigating a cybersecurity
281277 incident;
282278 (2) develop and share with relevant state agencies and
283279 covered entities cyber threat hunting tools and procedures to
284280 assist in identifying indicators of a compromise in the
285281 cybersecurity of state information systems and non-state
286282 information systems, as appropriate, for proactive discovery of
287283 latent intrusions;
288284 (3) conduct analyses of causes of cybersecurity
289285 incidents and of remediation options;
290286 (4) conduct assessments of the scope of harm caused by
291287 cybersecurity incidents, including data loss, compromised systems,
292288 and system disruptions;
293289 (5) provide information and training to state agencies
294290 and covered entities on producing reports required by regulatory
295291 and auditing bodies;
296292 (6) in collaboration with the Department of Public
297293 Safety, the Texas Military Department, the office of the attorney
298294 general, and other state agencies, provide forensic analysis of a
299295 cybersecurity incident to support an investigation, attribution
300296 process, or other law enforcement or judicial action; and
301297 (7) undertake any other activities necessary to carry
302298 out the duties described by this subsection.
303299 (b) The chief shall employ a director for the digital
304300 forensics laboratory.
305301 Sec. 2063.205. POLICIES. The command shall adopt policies
306302 and procedures necessary to enable the entities established in this
307303 subchapter to carry out their respective duties and purposes.
308304 SUBCHAPTER E. CYBERSECURITY PREPARATION AND PLANNING
309305 Sec. 2063.404. ONGOING INFORMATION TRANSMISSIONS.
310306 Information received from state agencies by the department under
311307 Section 2054.069 shall be transmitted by the department to the
312308 command on an ongoing basis.
313309 SECTION 2. Section 2054.510, Government Code, is
314310 transferred to Subchapter A, Chapter 2063, Government Code, as
315311 added by this Act, redesignated as Section 2063.0025, Government
316312 Code, and amended to read as follows:
317313 Sec. 2063.0025 [2054.510]. COMMAND CHIEF [INFORMATION
318314 SECURITY OFFICER]. (a) In this section, "state cybersecurity
319315 [information security] program" means the policies, standards,
320316 procedures, elements, structure, strategies, objectives, plans,
321317 metrics, reports, services, and resources that establish the
322318 cybersecurity [information resources security] function for this
323319 state.
324320 (b) The chief directs the day-to-day operations and
325321 policies of the command and oversees and is responsible for all
326322 functions and duties of the command. [The executive director,
327323 using existing funds, shall employ a chief information security
328324 officer.]
329325 (c) The chief [information security officer] shall oversee
330326 cybersecurity matters for this state including:
331327 (1) implementing the duties described by Section
332328 2063.004 [2054.059];
333329 (2) [responding to reports received under Section
334330 2054.1125;
335331 [(3)] developing a statewide cybersecurity
336332 [information security] framework;
337333 (3) [(4)] overseeing the development of cybersecurity
338334 [statewide information security] policies and standards;
339335 (4) [(5)] collaborating with [state agencies, local]
340336 governmental entities[,] and other entities operating or
341337 exercising control over state information systems or
342338 state-controlled data critical to strengthen this state's
343339 cybersecurity and information security policies, standards, and
344340 guidelines;
345341 (5) [(6)] overseeing the implementation of the
346342 policies, standards, and requirements [guidelines] developed under
347343 this chapter [Subdivisions (3) and (4)];
348344 (6) [(7)] providing cybersecurity [information
349345 security] leadership, strategic direction, and coordination for
350346 the state cybersecurity [information security] program;
351347 (7) [(8)] providing strategic direction to:
352348 (A) the network security center established
353349 under Section 2059.101; and
354350 (B) regional security operations [statewide
355351 technology] centers operated under Subchapter G [L]; and
356352 (8) [(9)] overseeing the preparation and submission
357353 of the report described by Section 2063.301 [2054.0591].
358354 SECTION 3. Section 2054.0592, Government Code, is
359355 transferred to Subchapter A, Chapter 2063, Government Code, as
360356 added by this Act, redesignated as Section 2063.006, Government
361357 Code, and amended to read as follows:
362358 Sec. 2063.006 [2054.0592]. CYBERSECURITY EMERGENCY
363359 FUNDING. If a cybersecurity event creates a need for emergency
364360 funding, the command [department] may request that the governor or
365361 Legislative Budget Board make a proposal under Chapter 317 to
366362 provide funding to manage the operational and financial impacts
367363 from the cybersecurity event.
368364 SECTION 4. Section 2054.519, Government Code, is
369365 transferred to Subchapter B, Chapter 2063, Government Code, as
370366 added by this Act, redesignated as Section 2063.102, Government
371367 Code, and amended to read as follows:
372368 Sec. 2063.102 [2054.519]. STATE CERTIFIED CYBERSECURITY
373369 TRAINING PROGRAMS. (a) The command [department], in consultation
374370 with the cybersecurity council established under Section 2063.406
375371 [2054.512] and industry stakeholders, shall annually:
376372 (1) certify at least five cybersecurity training
377373 programs for state and local government employees; and
378374 (2) update standards for maintenance of certification
379375 by the cybersecurity training programs under this section.
380376 (b) To be certified under Subsection (a), a cybersecurity
381377 training program must:
382378 (1) focus on forming appropriate cybersecurity
383379 [information security] habits and procedures that protect
384380 information resources; and
385381 (2) teach best practices and minimum standards
386382 established under this subchapter [for detecting, assessing,
387383 reporting, and addressing information security threats].
388384 (c) The command [department] may identify and certify under
389385 Subsection (a) training programs provided by state agencies and
390386 local governments that satisfy the training requirements described
391387 by Subsection (b).
392388 (d) The command [department] may contract with an
393389 independent third party to certify cybersecurity training programs
394390 under this section.
395391 (e) The command [department] shall annually publish on the
396392 command's [department's] Internet website the list of cybersecurity
397393 training programs certified under this section.
398394 SECTION 5. Section 2054.5191, Government Code, is
399395 transferred to Subchapter B, Chapter 2063, Government Code, as
400396 added by this Act, redesignated as Section 2063.103, Government
401397 Code, and amended to read as follows:
402398 Sec. 2063.103 [2054.5191]. CYBERSECURITY TRAINING REQUIRED
403399 [: CERTAIN EMPLOYEES AND OFFICIALS]. (a) Each elected or appointed
404400 official and employee of a governmental entity who has access to the
405401 entity's information resources or information resources
406402 technologies [state agency shall identify state employees who use a
407403 computer to complete at least 25 percent of the employee's required
408404 duties. At least once each year, an employee identified by the
409405 state agency and each elected or appointed officer of the agency]
410406 shall annually complete a cybersecurity training program certified
411407 under Section 2063.102 [2054.519].
412408 (b) [(a-1) At least once each year, a local government
413409 shall:
414410 [(1) identify local government employees and elected
415411 and appointed officials who have access to a local government
416412 computer system or database and use a computer to perform at least
417413 25 percent of the employee's or official's required duties; and
418414 [(2) require the employees and officials identified
419415 under Subdivision (1) to complete a cybersecurity training program
420416 certified under Section 2054.519.
421417 [(a-2)] The governing body of a governmental entity [local
422418 government] or the governing body's designee may deny access to the
423419 governmental entity's information resources or information
424420 resources technologies [local government's computer system or
425421 database] to an employee or official [individual described by
426422 Subsection (a-1)(1)] who [the governing body or the governing
427423 body's designee determines] is noncompliant with the requirements
428424 of Subsection (a) [(a-1)(2)].
429425 (c) [(b)] The governing body of a local government may
430426 select the most appropriate cybersecurity training program
431427 certified under Section 2063.102 [2054.519] for employees and
432428 officials of the local government to complete. The governing body
433429 shall:
434430 (1) verify and report on the completion of a
435431 cybersecurity training program by employees and officials of the
436432 local government to the command [department]; and
437433 (2) require periodic audits to ensure compliance with
438434 this section.
439435 (d) [(c)] A state agency may select the most appropriate
440436 cybersecurity training program certified under Section 2063.102
441437 [2054.519] for employees and officials of the state agency. The
442438 executive head of each state agency shall verify completion of a
443439 cybersecurity training program by employees and officials of the
444440 state agency in a manner specified by the command [department].
445441 (e) [(d)] The executive head of each state agency shall
446442 periodically require an internal review of the agency to ensure
447443 compliance with this section.
448444 (f) [(e)] The command [department] shall develop a form for
449445 use by governmental entities [state agencies and local governments]
450446 in verifying completion of cybersecurity training program
451447 requirements under this section. The form must allow the state
452448 agency and local government to indicate the percentage of employee
453449 and official completion.
454450 (g) [(f)] The requirements of Subsection [Subsections] (a)
455451 [and (a-1)] do not apply to employees and officials who have been:
456452 (1) granted military leave;
457453 (2) granted leave under the federal Family and Medical
458454 Leave Act of 1993 (29 U.S.C. Section 2601 et seq.);
459455 (3) granted leave related to a sickness or disability
460456 covered by workers' compensation benefits, if that employee or
461457 official no longer has access to the governmental entity's
462458 information resources or information resources technologies [state
463459 agency's or local government's database and systems];
464460 (4) granted any other type of extended leave or
465461 authorization to work from an alternative work site if that
466462 employee or official no longer has access to the governmental
467463 entity's information resources or information resources
468464 technologies [state agency's or local government's database and
469465 systems]; or
470466 (5) denied access to a governmental entity's
471467 information resources or information resources technologies [local
472468 government's computer system or database by the governing body of
473469 the local government or the governing body's designee] under
474470 Subsection (b) [(a-2)] for noncompliance with the requirements of
475471 Subsection (a) [(a-1)(2)].
476472 SECTION 6. Section 2054.5192, Government Code, is
477473 transferred to Subchapter B, Chapter 2063, Government Code, as
478474 added by this Act, redesignated as Section 2063.104, Government
479475 Code, and amended to read as follows:
480476 Sec. 2063.104 [2054.5192]. CYBERSECURITY TRAINING
481477 REQUIRED: CERTAIN STATE CONTRACTORS. (a) In this section,
482478 "contractor" includes a subcontractor, officer, or employee of the
483479 contractor.
484480 (b) A state agency shall require any contractor who has
485481 access to a state computer system or database to complete a
486482 cybersecurity training program certified under Section 2063.102
487483 [2054.519] as selected by the agency.
488484 (c) The cybersecurity training program must be completed by
489485 a contractor during the term of the contract and during any renewal
490486 period.
491487 (d) Required completion of a cybersecurity training program
492488 must be included in the terms of a contract awarded by a state
493489 agency to a contractor.
494490 (e) A contractor required to complete a cybersecurity
495491 training program under this section shall verify completion of the
496492 program to the contracting state agency. The person who oversees
497493 contract management for the agency shall:
498494 (1) not later than August 31 of each year, report the
499495 contractor's completion to the command [department]; and
500496 (2) periodically review agency contracts to ensure
501497 compliance with this section.
502498 SECTION 7. Section 2054.0594, Government Code, is
503499 transferred to Subchapter C, Chapter 2063, Government Code, as
504500 added by this Act, redesignated as Section 2063.204, Government
505501 Code, and amended to read as follows:
506502 Sec. 2063.204 [2054.0594]. INFORMATION SHARING AND
507503 ANALYSIS ORGANIZATION. (a) The command [department] shall
508504 establish at least one [an] information sharing and analysis
509505 organization to provide a forum for state agencies, local
510506 governments, public and private institutions of higher education,
511507 and the private sector to share information regarding cybersecurity
512508 threats, best practices, and remediation strategies.
513509 (b) [The department shall provide administrative support to
514510 the information sharing and analysis organization.
515511 [(c)] A participant in the information sharing and analysis
516512 organization shall assert any exception available under state or
517513 federal law, including Section 552.139, in response to a request
518514 for public disclosure of information shared through the
519515 organization. Section 552.007 does not apply to information
520516 described by this subsection.
521517 (c) [(d)] The command [department] shall establish a
522518 framework for regional cybersecurity task forces [working groups]
523519 to execute mutual aid agreements that allow state agencies, local
524520 governments, regional planning commissions, public and private
525521 institutions of higher education, the private sector, the regional
526522 security operations centers under Subchapter G, and the
527523 cybersecurity incident response unit under Section 2063.202 [and
528524 the incident response team established under Subchapter N-2] to
529525 assist with responding to a cybersecurity incident [event] in this
530526 state. A task force [working group] may be established within the
531527 geographic area of a regional planning commission established under
532528 Chapter 391, Local Government Code. The task force [working group]
533529 may establish a list of available cybersecurity experts and share
534530 resources to assist in responding to the cybersecurity incident
535531 [event] and recovery from the incident [event].
536532 SECTION 8. Chapter 2063, Government Code, as added by this
537533 Act, is amended by adding Subchapter D, and a heading is added to
538534 that subchapter to read as follows:
539535 SUBCHAPTER D. REPORTING
540536 SECTION 9. Sections 2054.0591, 2054.603, and 2054.077,
541537 Government Code, are transferred to Subchapter D, Chapter 2063,
542538 Government Code, as added by this Act, redesignated as Sections
543539 2063.301, 2063.302, and 2063.303, Government Code, respectively,
544540 and amended to read as follows:
545541 Sec. 2063.301 [2054.0591]. CYBERSECURITY REPORT. (a) Not
546542 later than November 15 of each even-numbered year, the command
547543 [department] shall submit to the governor, the lieutenant governor,
548544 the speaker of the house of representatives, and the standing
549545 committee of each house of the legislature with primary
550546 jurisdiction over state government operations a report identifying
551547 preventive and recovery efforts the state can undertake to improve
552548 cybersecurity in this state. The report must include:
553549 (1) an assessment of the resources available to
554550 address the operational and financial impacts of a cybersecurity
555551 event;
556552 (2) a review of existing statutes regarding
557553 cybersecurity and information resources technologies; and
558554 (3) recommendations for legislative action to
559555 increase the state's cybersecurity and protect against adverse
560556 impacts from a cybersecurity incident [event; and
561557 [(4) an evaluation of a program that provides an
562558 information security officer to assist small state agencies and
563559 local governments that are unable to justify hiring a full-time
564560 information security officer].
565561 (b) Not later than October 1 of each even-numbered year, the
566562 command shall submit a report to the Legislative Budget Board that
567563 prioritizes, for the purpose of receiving funding, state agency
568564 cybersecurity projects. Each state agency shall coordinate with the
569565 command to implement this subsection.
570566 (c) [(b)] The command [department] or a recipient of a
571567 report under this section may redact or withhold information
572568 confidential under Chapter 552, including Section 552.139, or other
573569 state or federal law that is contained in the report in response to
574570 a request under Chapter 552 without the necessity of requesting a
575571 decision from the attorney general under Subchapter G, Chapter 552.
576572 The disclosure of information under this section is not a voluntary
577573 disclosure for purposes of Section 552.007.
578574 Sec. 2063.302 [2054.603]. CYBERSECURITY [SECURITY]
579575 INCIDENT NOTIFICATION BY STATE AGENCY OR LOCAL GOVERNMENT. (a) [In
580576 this section:
581577 [(1) "Security incident" means:
582578 [(A) a breach or suspected breach of system
583579 security as defined by Section 521.053, Business & Commerce Code;
584580 and
585581 [(B) the introduction of ransomware, as defined
586582 by Section 33.023, Penal Code, into a computer, computer network,
587583 or computer system.
588584 [(2) "Sensitive personal information" has the meaning
589585 assigned by Section 521.002, Business & Commerce Code.
590586 [(b)] A state agency or local government that owns,
591587 licenses, or maintains computerized data that includes sensitive
592588 personal information, confidential information, or information the
593589 disclosure of which is regulated by law shall, in the event of a
594590 cybersecurity [security] incident:
595591 (1) comply with the notification requirements of
596592 Section 521.053, Business & Commerce Code, to the same extent as a
597593 person who conducts business in this state;
598594 (2) not later than 48 hours after the discovery of the
599595 cybersecurity [security] incident, notify:
600596 (A) the command [department], including the
601597 chief [information security officer]; or
602598 (B) if the cybersecurity [security] incident
603599 involves election data, the secretary of state; and
604600 (3) comply with all command [department] rules
605601 relating to reporting cybersecurity [security] incidents as
606602 required by this section.
607603 (b) [(c)] Not later than the 10th business day after the
608604 date of the eradication, closure, and recovery from a cybersecurity
609605 [security] incident, a state agency or local government shall
610606 notify the command [department], including the chief [information
611607 security officer], of the details of the cybersecurity [security]
612608 incident and include in the notification an analysis of the cause of
613609 the cybersecurity [security] incident.
614610 (c) [(d)] This section does not apply to a cybersecurity
615611 [security] incident that a local government is required to report
616612 to an independent organization certified by the Public Utility
617613 Commission of Texas under Section 39.151, Utilities Code.
618614 Sec. 2063.303 [2054.077]. VULNERABILITY REPORTS. (a) In
619615 this section, a term defined by Section 33.01, Penal Code, has the
620616 meaning assigned by that section.
621617 (b) The information security officer of a state agency shall
622618 prepare or have prepared a report, including an executive summary
623619 of the findings of the biennial report, not later than June 1 of
624620 each even-numbered year, assessing the extent to which a computer,
625621 a computer program, a computer network, a computer system, a
626622 printer, an interface to a computer system, including mobile and
627623 peripheral devices, computer software, or data processing of the
628624 agency or of a contractor of the agency is vulnerable to
629625 unauthorized access or harm, including the extent to which the
630626 agency's or contractor's electronically stored information is
631627 vulnerable to alteration, damage, erasure, or inappropriate use.
632628 (c) Except as provided by this section, a vulnerability
633629 report and any information or communication prepared or maintained
634630 for use in the preparation of a vulnerability report is
635631 confidential and is not subject to disclosure under Chapter 552.
636632 (d) The information security officer shall provide an
637633 electronic copy of the vulnerability report on its completion to:
638634 (1) the command [department];
639635 (2) the state auditor;
640636 (3) the agency's executive director;
641637 (4) the agency's designated information resources
642638 manager; and
643639 (5) any other information technology security
644640 oversight group specifically authorized by the legislature to
645641 receive the report.
646642 (e) Separate from the executive summary described by
647643 Subsection (b), a state agency shall prepare a summary of the
648644 agency's vulnerability report that does not contain any information
649645 the release of which might compromise the security of the state
650646 agency's or state agency contractor's computers, computer programs,
651647 computer networks, computer systems, printers, interfaces to
652648 computer systems, including mobile and peripheral devices,
653649 computer software, data processing, or electronically stored
654650 information. [The summary is available to the public on request.]
655651 SECTION 10. Section 2054.136, Government Code, is
656652 transferred to Subchapter E, Chapter 2063, Government Code, as
657653 added by this Act, redesignated as Section 2063.401, Government
658654 Code, and amended to read as follows:
659655 Sec. 2063.401 [2054.136]. DESIGNATED INFORMATION SECURITY
660656 OFFICER. Each state agency shall designate an information security
661657 officer who:
662658 (1) reports to the agency's executive-level
663659 management;
664660 (2) has authority over information security for the
665661 entire agency;
666662 (3) possesses the training and experience required to
667663 ensure the agency complies with requirements and policies
668664 established by the command [perform the duties required by
669665 department rules]; and
670666 (4) to the extent feasible, has information security
671667 duties as the officer's primary duties.
672668 SECTION 11. Section 2054.518, Government Code, is
673669 transferred to Subchapter E, Chapter 2063, Government Code, as
674670 added by this Act, redesignated as Section 2063.402, Government
675671 Code, and amended to read as follows:
676672 Sec. 2063.402 [2054.518]. CYBERSECURITY RISKS AND
677673 INCIDENTS. (a) The command [department] shall develop a plan to
678674 address cybersecurity risks and incidents in this state. The
679675 command [department] may enter into an agreement with a national
680676 organization, including the National Cybersecurity Preparedness
681677 Consortium, to support the command's [department's] efforts in
682678 implementing the components of the plan for which the command
683679 [department] lacks resources to address internally. The agreement
684680 may include provisions for:
685681 (1) providing technical assistance services to
686682 support preparedness for and response to cybersecurity risks and
687683 incidents;
688684 (2) conducting cybersecurity simulation exercises for
689685 state agencies to encourage coordination in defending against and
690686 responding to cybersecurity risks and incidents;
691687 (3) assisting state agencies in developing
692688 cybersecurity information-sharing programs to disseminate
693689 information related to cybersecurity risks and incidents; and
694690 (4) incorporating cybersecurity risk and incident
695691 prevention and response methods into existing state emergency
696692 plans, including continuity of operation plans and incident
697693 response plans.
698694 (b) In implementing the provisions of the agreement
699695 prescribed by Subsection (a), the command [department] shall seek
700696 to prevent unnecessary duplication of existing programs or efforts
701697 of the command [department] or another state agency.
702698 (c) [(d)] The command [department] shall consult with
703699 institutions of higher education in this state when appropriate
704700 based on an institution's expertise in addressing specific
705701 cybersecurity risks and incidents.
706702 SECTION 12. Section 2054.133, Government Code, is
707703 transferred to Subchapter E, Chapter 2063, Government Code, as
708704 added by this Act, redesignated as Section 2063.403, Government
709705 Code, and amended to read as follows:
710706 Sec. 2063.403 [2054.133]. INFORMATION SECURITY PLAN. (a)
711707 Each state agency shall develop, and periodically update, an
712708 information security plan for protecting the security of the
713709 agency's information.
714710 (b) In developing the plan, the state agency shall:
715711 (1) consider any vulnerability report prepared under
716712 Section 2063.303 [2054.077] for the agency;
717713 (2) incorporate the network security services
718714 provided by the department to the agency under Chapter 2059;
719715 (3) identify and define the responsibilities of agency
720716 staff who produce, access, use, or serve as custodians of the
721717 agency's information;
722718 (4) identify risk management and other measures taken
723719 to protect the agency's information from unauthorized access,
724720 disclosure, modification, or destruction;
725721 (5) include:
726722 (A) the best practices for information security
727723 developed by the command [department]; or
728724 (B) if best practices are not applied, a written
729725 explanation of why the best practices are not sufficient for the
730726 agency's security; and
731727 (6) omit from any written copies of the plan
732728 information that could expose vulnerabilities in the agency's
733729 network or online systems.
734730 (c) Not later than June 1 of each even-numbered year, each
735731 state agency shall submit a copy of the agency's information
736732 security plan to the command [department]. Subject to available
737733 resources, the command [department] may select a portion of the
738734 submitted security plans to be assessed by the command [department]
739735 in accordance with command policies [department rules].
740736 (d) Each state agency's information security plan is
741737 confidential and exempt from disclosure under Chapter 552.
742738 (e) Each state agency shall include in the agency's
743739 information security plan a written document that is signed by the
744740 head of the agency, the chief financial officer, and each executive
745741 manager designated by the state agency and states that those
746742 persons have been made aware of the risks revealed during the
747743 preparation of the agency's information security plan.
748744 (f) Not later than November 15 of each even-numbered year,
749745 the command [department] shall submit a written report to the
750746 governor, the lieutenant governor, the speaker of the house of
751747 representatives, and each standing committee of the legislature
752748 with primary jurisdiction over matters related to the command
753749 [department] evaluating information security for this state's
754750 information resources. In preparing the report, the command
755751 [department] shall consider the information security plans
756752 submitted by state agencies under this section, any vulnerability
757753 reports submitted under Section 2063.303 [2054.077], and other
758754 available information regarding the security of this state's
759755 information resources. The command [department] shall omit from
760756 any written copies of the report information that could expose
761757 specific vulnerabilities [in the security of this state's
762758 information resources].
763759 SECTION 13. Section 2054.516, Government Code, is
764760 transferred to Subchapter E, Chapter 2063, Government Code, as
765761 added by this Act, redesignated as Section 2063.405, Government
766762 Code, and amended to read as follows:
767763 Sec. 2063.405 [2054.516]. DATA SECURITY PLAN FOR ONLINE
768764 AND MOBILE APPLICATIONS. (a) Each state agency implementing an
769765 Internet website or mobile application that processes any sensitive
770766 personal or personally identifiable information or confidential
771767 information must:
772768 (1) submit a biennial data security plan to the
773769 command [department] not later than June 1 of each even-numbered
774770 year to establish planned beta testing for the website or
775771 application; and
776772 (2) subject the website or application to a
777773 vulnerability and penetration test and address any vulnerability
778774 identified in the test.
779775 (b) The command [department] shall review each data
780776 security plan submitted under Subsection (a) and make any
781777 recommendations for changes to the plan to the state agency as soon
782778 as practicable after the command [department] reviews the plan.
783779 SECTION 14. Section 2054.512, Government Code, is
784780 transferred to Subchapter E, Chapter 2063, Government Code, as
785781 added by this Act, redesignated as Section 2063.406, Government
786782 Code, and amended to read as follows:
787783 Sec. 2063.406 [2054.512]. CYBERSECURITY COUNCIL. (a) The
788784 chief or the chief's designee [state cybersecurity coordinator]
789785 shall [establish and] lead a cybersecurity council that includes
790786 public and private sector leaders and cybersecurity practitioners
791787 to collaborate on matters of cybersecurity concerning this state.
792788 (b) The cybersecurity council must include:
793789 (1) one member who is an employee of the office of the
794790 governor;
795791 (2) one member of the senate appointed by the
796792 lieutenant governor;
797793 (3) one member of the house of representatives
798794 appointed by the speaker of the house of representatives;
799- (4) the director of [one member who is an employee of]
800- the Elections Division of the Office of the Secretary of State;
801- [and]
795+ (4) one member who is an employee of the Elections
796+ Division of the Office of the Secretary of State; [and]
802797 (5) one member who is an employee of the department;
803798 and
804799 (6) additional members appointed by the chief [state
805800 cybersecurity coordinator], including representatives of
806801 institutions of higher education and private sector leaders.
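Review bot: in item (4) the "+" wording "one member who is an employee of the Elections Division" does not say who selects that employee, whereas items (2), (3) and (6) each name the appointing authority and the "-" wording identified the seat by office ("the director of"). Suggest naming the official who designates the member in (4) so the seat can be filled without ambiguity; the unchanged items (1) and (5) have the same gap.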
807802 (c) Members of the cybersecurity council serve staggered
808803 six-year terms, with as near as possible to one-third of the
809804 members' terms expiring February 1 of each odd-numbered year.
810805 (d) In appointing representatives from institutions of
811806 higher education to the cybersecurity council, the chief [state
812807 cybersecurity coordinator] shall consider appointing members of
813808 the Information Technology Council for Higher Education.
814809 (e) [(d)] The cybersecurity council shall:
815810 (1) consider the costs and benefits of establishing a
816811 computer emergency readiness team to address cybersecurity
817812 incidents [cyber attacks] occurring in this state during routine
818813 and emergency situations;
819814 (2) establish criteria and priorities for addressing
820815 cybersecurity threats to critical state installations;
821816 (3) consolidate and synthesize best practices to
822817 assist state agencies in understanding and implementing
823818 cybersecurity measures that are most beneficial to this state; and
824819 (4) assess the knowledge, skills, and capabilities of
825820 the existing information technology and cybersecurity workforce to
826821 mitigate and respond to cyber threats and develop recommendations
827822 for addressing immediate workforce deficiencies and ensuring a
828823 long-term pool of qualified applicants.
829824 (f) [(e)] The chief, in collaboration with the
830825 cybersecurity council, shall provide recommendations to the
831826 legislature on any legislation necessary to implement
832827 cybersecurity best practices and remediation strategies for this
833828 state.
834829 SECTION 15. Section 2054.514, Government Code, is
835830 transferred to Subchapter E, Chapter 2063, Government Code, as
836831 added by this Act, redesignated as Section 2063.407, Government
837832 Code, and amended to read as follows:
838833 Sec. 2063.407 [2054.514]. RECOMMENDATIONS. The chief
839834 [state cybersecurity coordinator] may implement any portion, or all
840835 of the recommendations made by the cybersecurity council under
841836 Section 2063.406 [Cybersecurity, Education, and Economic
842837 Development Council under Subchapter N].
843838 SECTION 16. Subchapter N-2, Chapter 2054, Government Code,
844839 is transferred to Chapter 2063, Government Code, as added by this
845840 Act, redesignated as Subchapter F, Chapter 2063, Government Code,
846841 and amended to read as follows:
847842 SUBCHAPTER F [N-2]. TEXAS VOLUNTEER INCIDENT RESPONSE TEAM
848843 Sec. 2063.501 [2054.52001]. DEFINITIONS. In this
849844 subchapter:
850845 (1) "Incident response team" means the Texas volunteer
851846 incident response team established under Section 2063.502
852847 [2054.52002].
853848 (2) "Participating entity" means a state agency,
854849 including an institution of higher education, or a local government
855850 that receives assistance under this subchapter during a
856851 cybersecurity incident [event].
857852 (3) "Volunteer" means an individual who provides rapid
858853 response assistance during a cybersecurity incident [event] under
859854 this subchapter.
860855 Sec. 2063.502 [2054.52002]. ESTABLISHMENT OF TEXAS
861856 VOLUNTEER INCIDENT RESPONSE TEAM. (a) The command [department]
862857 shall establish the Texas volunteer incident response team to
863858 provide rapid response assistance to a participating entity under
864859 the command's [department's] direction during a cybersecurity
865860 incident [event].
866861 (b) The command [department] shall prescribe eligibility
867862 criteria for participation as a volunteer member of the incident
868863 response team, including a requirement that each volunteer have
869864 expertise in addressing cybersecurity incidents [events].
870865 Sec. 2063.503 [2054.52003]. CONTRACT WITH VOLUNTEERS. The
871866 command [department] shall enter into a contract with each
872867 volunteer the command [department] approves to provide rapid
873868 response assistance under this subchapter. The contract must
874869 require the volunteer to:
875870 (1) acknowledge the confidentiality of information
876871 required by Section 2063.510 [2054.52010];
877872 (2) protect all confidential information from
878873 disclosure;
879874 (3) avoid conflicts of interest that might arise in a
880875 deployment under this subchapter;
881876 (4) comply with command [department] security
882877 policies and procedures regarding information resources
883878 technologies;
884879 (5) consent to background screening required by the
885880 command [department]; and
886881 (6) attest to the volunteer's satisfaction of any
887882 eligibility criteria established by the command [department].
888883 Sec. 2063.504 [2054.52004]. VOLUNTEER QUALIFICATION. (a)
889884 The command [department] shall require criminal history record
890885 information for each individual who accepts an invitation to become
891886 a volunteer.
892887 (b) The command [department] may request other information
893888 relevant to the individual's qualification and fitness to serve as
894889 a volunteer.
895890 (c) The command [department] has sole discretion to
896891 determine whether an individual is qualified to serve as a
897892 volunteer.
898893 Sec. 2063.505 [2054.52005]. DEPLOYMENT. (a) In response
899894 to a cybersecurity incident [event] that affects multiple
900895 participating entities or a declaration by the governor of a state
901896 of disaster caused by a cybersecurity event, the command
902897 [department] on request of a participating entity may deploy
903898 volunteers and provide rapid response assistance under the
904899 command's [department's] direction and the managed security
905900 services framework established under Section 2063.204(c)
906901 [2054.0594(d)] to assist with the incident [event].
907902 (b) A volunteer may only accept a deployment under this
908903 subchapter in writing. A volunteer may decline to accept a
909904 deployment for any reason.
910905 Sec. 2063.506 [2054.52006]. CYBERSECURITY COUNCIL
911906 DUTIES. The cybersecurity council established under Section
912907 2063.406 [2054.512] shall review and make recommendations to the
913908 command [department] regarding the policies and procedures used by
914909 the command [department] to implement this subchapter. The command
915910 [department] may consult with the council to implement and
916911 administer this subchapter.
917912 Sec. 2063.507 [2054.52007]. COMMAND [DEPARTMENT] POWERS
918913 AND DUTIES. (a) The command [department] shall:
919914 (1) approve the incident response tools the incident
920915 response team may use in responding to a cybersecurity incident
921916 [event];
922917 (2) establish the eligibility criteria an individual
923918 must meet to become a volunteer;
924919 (3) develop and publish guidelines for operation of
925920 the incident response team, including the:
926921 (A) standards and procedures the command
927922 [department] uses to determine whether an individual is eligible to
928923 serve as a volunteer;
929924 (B) process for an individual to apply for and
930925 accept incident response team membership;
931926 (C) requirements for a participating entity to
932927 receive assistance from the incident response team; and
933928 (D) process for a participating entity to request
934929 and obtain the assistance of the incident response team; and
935930 (4) adopt policies [rules] necessary to implement this
936931 subchapter.
937932 (b) The command [department] may require a participating
938933 entity to enter into a contract as a condition for obtaining
939934 assistance from the incident response team. [The contract must
940935 comply with the requirements of Chapters 771 and 791.]
941936 (c) The command [department] may provide appropriate
942937 training to prospective and approved volunteers.
943938 (d) In accordance with state law, the command [department]
944939 may provide compensation for actual and necessary travel and living
945940 expenses incurred by a volunteer on a deployment using money
946941 available for that purpose.
947942 (e) The command [department] may establish a fee schedule
948943 for participating entities receiving incident response team
949944 assistance. The amount of fees collected may not exceed the
950945 command's [department's] costs to operate the incident response
951946 team.
952947 Sec. 2063.508 [2054.52008]. STATUS OF VOLUNTEER;
953948 LIABILITY. (a) A volunteer is not an agent, employee, or
954949 independent contractor of this state for any purpose and has no
955950 authority to obligate this state to a third party.
956951 (b) This state is not liable to a volunteer for personal
957952 injury or property damage sustained by the volunteer that arises
958953 from participation in the incident response team.
959954 Sec. 2063.509 [2054.52009]. CIVIL LIABILITY. A volunteer
960955 who in good faith provides professional services in response to a
961956 cybersecurity incident [event] is not liable for civil damages as a
962957 result of the volunteer's acts or omissions in providing the
963958 services, except for wilful and wanton misconduct. This immunity
964959 is limited to services provided during the time of deployment for a
965960 cybersecurity incident [event].
966961 Sec. 2063.510 [2054.52010]. CONFIDENTIAL INFORMATION.
967962 Information written, produced, collected, assembled, or maintained
968963 by the command [department], a participating entity, the
969964 cybersecurity council, or a volunteer in the implementation of this
970965 subchapter is confidential and not subject to disclosure under
971966 Chapter 552 if the information:
972967 (1) contains the contact information for a volunteer;
973968 (2) identifies or provides a means of identifying a
974969 person who may, as a result of disclosure of the information, become
975970 a victim of a cybersecurity incident [event];
976971 (3) consists of a participating entity's cybersecurity
977972 plans or cybersecurity-related practices; or
978973 (4) is obtained from a participating entity or from a
979974 participating entity's computer system in the course of providing
980975 assistance under this subchapter.
981976 SECTION 17. Subchapter E, Chapter 2059, Government Code, is
982977 transferred to Chapter 2063, Government Code, as added by this Act,
983978 redesignated as Subchapter G, Chapter 2063, Government Code, and
984979 amended to read as follows:
985980 SUBCHAPTER G [E]. REGIONAL [NETWORK] SECURITY OPERATIONS CENTERS
986981 Sec. 2063.601 [2059.201]. ELIGIBLE PARTICIPATING ENTITIES.
987982 A state agency or an entity listed in Section 2059.058 is eligible
988983 to participate in cybersecurity support and network security
989984 provided by a regional [network] security operations center under
990985 this subchapter.
991986 Sec. 2063.602 [2059.202]. ESTABLISHMENT OF REGIONAL
992987 [NETWORK] SECURITY OPERATIONS CENTERS. (a) Subject to Subsection
993988 (b), the command [department] may establish regional [network]
994989 security operations centers, under the command's [department's]
995990 managed security services framework established by Section
996991 2063.204(c) [2054.0594(d)], to assist in providing cybersecurity
997992 support and network security to regional offices or locations for
998993 state agencies and other eligible entities that elect to
999994 participate in and receive services through the center.
1000995 (b) The command [department] may establish more than one
1001996 regional [network] security operations center only if the command
1002997 [department] determines the first center established by the command
1003998 [department] successfully provides to state agencies and other
1004999 eligible entities the services the center has contracted to
10051000 provide.
10061001 (c) The command [department] shall enter into an
10071002 interagency contract in accordance with Chapter 771 or an
10081003 interlocal contract in accordance with Chapter 791, as appropriate,
10091004 with an eligible participating entity that elects to participate in
10101005 and receive services through a regional [network] security
10111006 operations center.
10121007 Sec. 2063.603 [2059.203]. REGIONAL [NETWORK] SECURITY
10131008 OPERATIONS CENTER LOCATIONS AND PHYSICAL SECURITY. (a) In
10141009 creating and operating a regional [network] security operations
10151010 center, the command may [department shall] partner with another [a]
10161011 university system or institution of higher education as defined by
10171012 Section 61.003, Education Code, other than a public junior college.
10181013 The system or institution shall:
10191014 (1) serve as an education partner with the command
10201015 [department] for the regional [network] security operations
10211016 center; and
10221017 (2) enter into an interagency contract with the
10231018 command [department] in accordance with Chapter 771.
10241019 (b) In selecting the location for a regional [network]
10251020 security operations center, the command [department] shall select a
10261021 university system or institution of higher education that has
10271022 supportive educational capabilities.
10281023 (c) A university system or institution of higher education
10291024 selected to serve as a regional [network] security operations
10301025 center shall control and monitor all entrances to and critical
10311026 areas of the center to prevent unauthorized entry. The system or
10321027 institution shall restrict access to the center to only authorized
10331028 individuals.
10341029 (d) A local law enforcement entity or any entity providing
10351030 security for a regional [network] security operations center shall
10361031 monitor security alarms at the regional [network] security
10371032 operations center subject to the availability of that service.
10381033 (e) The command [department] and a university system or
10391034 institution of higher education selected to serve as a regional
10401035 [network] security operations center shall restrict operational
10411036 information to only center personnel, except as provided by Chapter
10421037 321.
10431038 Sec. 2063.604 [2059.204]. REGIONAL [NETWORK] SECURITY
10441039 OPERATIONS CENTERS SERVICES AND SUPPORT. The command [department]
10451040 may offer the following managed security services through a
10461041 regional [network] security operations center:
10471042 (1) real-time cybersecurity [network security]
10481043 monitoring to detect and respond to cybersecurity incidents
10491044 [network security events] that may jeopardize this state and the
10501045 residents of this state;
10511046 (2) alerts and guidance for defeating cybersecurity
10521047 [network security] threats, including firewall configuration,
10531048 installation, management, and monitoring, intelligence gathering,
10541049 and protocol analysis;
10551050 (3) immediate response to counter unauthorized
10561051 [network security] activity that exposes this state and the
10571052 residents of this state to risk, including complete intrusion
10581053 detection system installation, management, and monitoring for
10591054 participating entities;
10601055 (4) development, coordination, and execution of
10611056 statewide cybersecurity operations to isolate, contain, and
10621057 mitigate the impact of cybersecurity [network security] incidents
10631058 for participating entities; and
10641059 (5) cybersecurity educational services.
10651060 Sec. 2063.605 [2059.205]. NETWORK SECURITY GUIDELINES AND
10661061 STANDARD OPERATING PROCEDURES. (a) The command [department] shall
10671062 adopt and provide to each regional [network] security operations
10681063 center appropriate network security guidelines and standard
10691064 operating procedures to ensure efficient operation of the center
10701065 with a maximum return on the state's investment.
10711066 (b) The command [department] shall revise the standard
10721067 operating procedures as necessary to confirm network security.
10731068 (c) Each eligible participating entity that elects to
10741069 participate in a regional [network] security operations center
10751070 shall comply with the network security guidelines and standard
10761071 operating procedures.
10771072 SECTION 18. Section 325.011, Government Code, is amended to
10781073 read as follows:
10791074 Sec. 325.011. CRITERIA FOR REVIEW. The commission and its
10801075 staff shall consider the following criteria in determining whether
10811076 a public need exists for the continuation of a state agency or its
10821077 advisory committees or for the performance of the functions of the
10831078 agency or its advisory committees:
10841079 (1) the efficiency and effectiveness with which the
10851080 agency or the advisory committee operates;
10861081 (2)(A) an identification of the mission, goals, and
10871082 objectives intended for the agency or advisory committee and of the
10881083 problem or need that the agency or advisory committee was intended
10891084 to address; and
10901085 (B) the extent to which the mission, goals, and
10911086 objectives have been achieved and the problem or need has been
10921087 addressed;
10931088 (3)(A) an identification of any activities of the
10941089 agency in addition to those granted by statute and of the authority
10951090 for those activities; and
10961091 (B) the extent to which those activities are
10971092 needed;
10981093 (4) an assessment of authority of the agency relating
10991094 to fees, inspections, enforcement, and penalties;
11001095 (5) whether less restrictive or alternative methods of
11011096 performing any function that the agency performs could adequately
11021097 protect or provide service to the public;
11031098 (6) the extent to which the jurisdiction of the agency
11041099 and the programs administered by the agency overlap or duplicate
11051100 those of other agencies, the extent to which the agency coordinates
11061101 with those agencies, and the extent to which the programs
11071102 administered by the agency can be consolidated with the programs of
11081103 other state agencies;
11091104 (7) the promptness and effectiveness with which the
11101105 agency addresses complaints concerning entities or other persons
11111106 affected by the agency, including an assessment of the agency's
11121107 administrative hearings process;
11131108 (8) an assessment of the agency's rulemaking process
11141109 and the extent to which the agency has encouraged participation by
11151110 the public in making its rules and decisions and the extent to which
11161111 the public participation has resulted in rules that benefit the
11171112 public;
11181113 (9) the extent to which the agency has complied with:
11191114 (A) federal and state laws and applicable rules
11201115 regarding equality of employment opportunity and the rights and
11211116 privacy of individuals; and
11221117 (B) state law and applicable rules of any state
11231118 agency regarding purchasing guidelines and programs for
11241119 historically underutilized businesses;
11251120 (10) the extent to which the agency issues and
11261121 enforces rules relating to potential conflicts of interest of its
11271122 employees;
11281123 (11) the extent to which the agency complies with
11291124 Chapters 551 and 552 and follows records management practices that
11301125 enable the agency to respond efficiently to requests for public
11311126 information;
11321127 (12) the effect of federal intervention or loss of
11331128 federal funds if the agency is abolished;
11341129 (13) the extent to which the purpose and effectiveness
11351130 of reporting requirements imposed on the agency justifies the
11361131 continuation of the requirement; and
11371132 (14) an assessment of the agency's cybersecurity
11381133 practices using confidential information available from the
11391134 Department of Information Resources, the Texas Cyber Command, or
11401135 any other appropriate state agency.
11411136 SECTION 19. Section 11.175(h-1), Education Code, is amended
11421137 to read as follows:
11431138 (h-1) Notwithstanding Section 2063.103 [2054.5191],
11441139 Government Code, only the district's cybersecurity coordinator is
11451140 required to complete the cybersecurity training under that section
11461141 on an annual basis. Any other school district employee required to
11471142 complete the cybersecurity training shall complete the training as
11481143 determined by the district, in consultation with the district's
11491144 cybersecurity coordinator.
11501145 SECTION 20. Section 38.307(e), Education Code, is amended
11511146 to read as follows:
11521147 (e) The agency shall maintain the data collected by the task
11531148 force and the work product of the task force in accordance with:
11541149 (1) the agency's information security plan under
11551150 Section 2063.403 [2054.133], Government Code; and
11561151 (2) the agency's records retention schedule under
11571152 Section 441.185, Government Code.
11581153 SECTION 21. Section 61.003(6), Education Code, is amended
11591154 to read as follows:
11601155 (6) "Other agency of higher education" means The
11611156 University of Texas System, System Administration; The University
11621157 of Texas at El Paso Museum; Texas Epidemic Public Health Institute
11631158 at The University of Texas Health Science Center at Houston; the
11641159 Texas Cyber Command; The Texas A&M University System,
11651160 Administrative and General Offices; Texas A&M AgriLife Research;
11661161 Texas A&M AgriLife Extension Service; Rodent and Predatory Animal
11671162 Control Service (a part of the Texas A&M AgriLife Extension
11681163 Service); Texas A&M Engineering Experiment Station (including the
11691164 Texas A&M Transportation Institute); Texas A&M Engineering
11701165 Extension Service; Texas A&M Forest Service; Texas Division of
11711166 Emergency Management; Texas Tech University Museum; Texas State
11721167 University System, System Administration; Sam Houston Memorial
11731168 Museum; Panhandle-Plains Historical Museum; Cotton Research
11741169 Committee of Texas; Texas Water Resources Institute; Texas A&M
11751170 Veterinary Medical Diagnostic Laboratory; and any other unit,
11761171 division, institution, or agency which shall be so designated by
11771172 statute or which may be established to operate as a component part
11781173 of any public senior college or university, or which may be so
11791174 classified as provided in this chapter.
11801175 SECTION 22. Section 65.02(a), Education Code, is amended to
11811176 read as follows:
11821177 (a) The University of Texas System is composed of the
11831178 following institutions and entities:
11841179 (1) The University of Texas at Arlington;
11851180 (2) The University of Texas at Austin;
11861181 (3) The University of Texas at Dallas;
11871182 (4) The University of Texas at El Paso;
11881183 (5) The University of Texas Permian Basin;
11891184 (6) The University of Texas at San Antonio;
11901185 (7) The University of Texas Southwestern Medical
11911186 Center;
11921187 (8) The University of Texas Medical Branch at
11931188 Galveston;
11941189 (9) The University of Texas Health Science Center at
11951190 Houston;
11961191 (10) The University of Texas Health Science Center at
11971192 San Antonio;
11981193 (11) The University of Texas M. D. Anderson Cancer
11991194 Center;
12001195 (12) Stephen F. Austin State University, a member of
12011196 The University of Texas System;
12021197 (13) The University of Texas at Tyler; [and]
12031198 (14) The University of Texas Rio Grande Valley; and
12041199 (15) the Texas Cyber Command (Chapter 2063, Government
12051200 Code).
12061201 SECTION 23. Sections 772.012(b) and (c), Government Code,
12071202 are amended to read as follows:
12081203 (b) To apply for a grant under this chapter, a local
12091204 government must submit with the grant application a written
12101205 certification of the local government's compliance with the
12111206 cybersecurity training required by Section 2063.103 [2054.5191].
12121207 (c) On a determination by the criminal justice division
12131208 established under Section 772.006 that a local government awarded a
12141209 grant under this chapter has not complied with the cybersecurity
12151210 training required by Section 2063.103 [2054.5191], the local
12161211 government shall pay to this state an amount equal to the amount of
12171212 the grant award. A local government that is the subject of a
12181213 determination described by this subsection is ineligible for
12191214 another grant under this chapter until the second anniversary of
12201215 the date the local government is determined ineligible.
12211216 SECTION 24. Section 2054.0701(c), Government Code, is
12221217 amended to read as follows:
12231218 (c) A program offered under this section must:
12241219 (1) be approved by the Texas Higher Education
12251220 Coordinating Board in accordance with Section 61.0512, Education
12261221 Code;
12271222 (2) develop the knowledge and skills necessary for an
12281223 entry-level information technology position in a state agency; and
12291224 (3) include a one-year apprenticeship with:
12301225 (A) the department;
12311226 (B) another relevant state agency;
12321227 (C) an organization working on a major
12331228 information resources project; or
12341229 (D) a regional [network] security operations
12351230 center established under Section 2063.602 [2059.202].
12361231 SECTION 25. Section 2056.002(b), Government Code, is
12371232 amended to read as follows:
12381233 (b) The Legislative Budget Board and the governor's office
12391234 shall determine the elements required to be included in each
12401235 agency's strategic plan. Unless modified by the Legislative Budget
12411236 Board and the governor's office, and except as provided by
12421237 Subsection (c), a plan must include:
12431238 (1) a statement of the mission and goals of the state
12441239 agency;
12451240 (2) a description of the indicators developed under
12461241 this chapter and used to measure the output and outcome of the
12471242 agency;
12481243 (3) identification of the groups of people served by
12491244 the agency, including those having service priorities, or other
12501245 service measures established by law, and estimates of changes in
12511246 those groups expected during the term of the plan;
12521247 (4) an analysis of the use of the agency's resources to
12531248 meet the agency's needs, including future needs, and an estimate of
12541249 additional resources that may be necessary to meet future needs;
12551250 (5) an analysis of expected changes in the services
12561251 provided by the agency because of changes in state or federal law;
12571252 (6) a description of the means and strategies for
12581253 meeting the agency's needs, including future needs, and achieving
12591254 the goals established under Section 2056.006 for each area of state
12601255 government for which the agency provides services;
12611256 (7) a description of the capital improvement needs of
12621257 the agency during the term of the plan and a statement, if
12631258 appropriate, of the priority of those needs;
12641259 (8) identification of each geographic region of this
12651260 state, including the Texas-Louisiana border region and the
12661261 Texas-Mexico border region, served by the agency, and if
12671262 appropriate the agency's means and strategies for serving each
12681263 region;
12691264 (9) a description of the training of the agency's
12701265 contract managers under Section 656.052;
12711266 (10) an analysis of the agency's expected expenditures
12721267 that relate to federally owned or operated military installations
12731268 or facilities, or communities where a federally owned or operated
12741269 military installation or facility is located;
12751270 (11) an analysis of the strategic use of information
12761271 resources as provided by the instructions prepared under Section
12771272 2054.095;
12781273 (12) a written certification of the agency's
12791274 compliance with the cybersecurity training required under Sections
12801275 2063.103 [2054.5191] and 2063.104 [2054.5192]; and
12811276 (13) other information that may be required.
1282- SECTION 26. Section 2054.5181, Government Code, is
1283- repealed.
1284- SECTION 27. (a) In this section, "department" means the
1277+ SECTION 26. (a) In this section, "department" means the
12851278 Department of Information Resources.
12861279 (b) On the effective date of this Act, the Texas Cyber
12871280 Command, organized as provided by Section 2063.002, Government
12881281 Code, as added by this Act, is created with the powers and duties
12891282 assigned by Chapter 2063, Government Code, as added by this Act.
12901283 (b-1) As soon as practicable on or after the effective date
12911284 of this Act, the governor shall appoint the chief of the Texas Cyber
12921285 Command, as described by Section 2063.0025, Government Code, as
12931286 added by this Act.
12941287 (c) Notwithstanding Subsection (b) of this section, the
12951288 department shall continue to perform duties and exercise powers
12961289 under Chapter 2054, Government Code, as that law existed
12971290 immediately before the effective date of this Act, until the date
12981291 provided by the memorandum of understanding entered into under
12991292 Subsection (e) of this section.
13001293 (d) Not later than December 31, 2026:
13011294 (1) all functions and activities performed by the
13021295 department that relate to cybersecurity under Chapter 2063,
13031296 Government Code, as added by this Act, are transferred to the Texas
13041297 Cyber Command;
13051298 (2) all employees of the department who primarily
13061299 perform duties related to cybersecurity, including employees who
13071300 provide administrative support for those services, under Chapter
13081301 2063, Government Code, as added by this Act, become employees of the
13091302 Texas Cyber Command, but continue to work in the same physical
13101303 location unless moved in accordance with the memorandum of
13111304 understanding entered into under Subsection (e) of this section;
13121305 (3) a rule or form adopted by the department that
13131306 relates to cybersecurity under Chapter 2063, Government Code, as
13141307 added by this Act, is a rule or form of the Texas Cyber Command and
13151308 remains in effect until changed by the command;
13161309 (4) a reference in law to the department that relates
13171310 to cybersecurity under Chapter 2063, Government Code, as added by
13181311 this Act, means the Texas Cyber Command;
13191312 (5) a contract negotiation for a contract specified as
13201313 provided by Subdivision (7) of this subsection in the memorandum of
13211314 understanding entered into under Subsection (e) of this section or
13221315 other proceeding involving the department that is related to
13231316 cybersecurity under Chapter 2063, Government Code, as added by this
13241317 Act, is transferred without change in status to the Texas Cyber
13251318 Command, and the Texas Cyber Command assumes, without a change in
13261319 status, the position of the department in a negotiation or
13271320 proceeding relating to cybersecurity to which the department is a
13281321 party;
13291322 (6) all money, leases, rights, and obligations of the
13301323 department related to cybersecurity under Chapter 2063, Government
13311324 Code, as added by this Act, are transferred to the Texas Cyber
13321325 Command;
13331326 (7) contracts specified as necessary to accomplish the
13341327 goals and duties of the Texas Cyber Command, as established by
13351328 Chapter 2063, Government Code, as added by this Act, in the
13361329 memorandum of understanding entered into under Subsection (e) of
13371330 this section are transferred to the Texas Cyber Command;
13381331 (8) all property, including records, in the custody of
13391332 the department related to cybersecurity under Chapter 2063,
13401333 Government Code, as added by this Act, becomes property of the Texas
13411334 Cyber Command, but stays in the same physical location unless moved
13421335 in accordance with the specific steps and methods created under
13431336 Subsection (e) of this section; and
13441337 (9) all funds appropriated by the legislature to the
13451338 department for purposes related to cybersecurity, including funds
13461339 for providing administrative support, under Chapter 2063,
13471340 Government Code, as added by this Act, are transferred to the Texas
13481341 Cyber Command.
13491342 (e) Not later than January 1, 2026, the department, in
13501343 collaboration with the chief of the Texas Cyber Command, and the
13511344 board of regents of The University of Texas System shall enter into
13521345 a memorandum of understanding relating to the transfer of powers
13531346 and duties from the department to the Texas Cyber Command as
13541347 provided by this Act. The memorandum must include:
13551348 (1) a timetable and specific steps and methods for the
13561349 transfer of all powers, duties, obligations, rights, contracts,
13571350 leases, records, real or personal property, and unspent and
13581351 unobligated appropriations and other funds relating to the
13591352 administration of the powers and duties as provided by this Act;
13601353 (2) measures to ensure against any unnecessary
13611354 disruption to cybersecurity operations during the transfer
13621355 process; and
13631356 (3) a provision that the terms of any memorandum of
13641357 understanding entered into related to the transfer remain in effect
13651358 until the transfer is completed.
1366- SECTION 28. This Act takes effect September 1, 2025.
1359+ SECTION 27. This Act takes effect September 1, 2025.