| 1 | 1 | | 89R14618 LRM-D |
|---|
| 2 | 2 | | By: Parker, et al. S.B. No. 2404 |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | |
|---|
| 6 | 6 | | |
|---|
| 7 | 7 | | A BILL TO BE ENTITLED |
|---|
| 8 | 8 | | AN ACT |
|---|
| 9 | 9 | | relating to the continuation and functions of the Department of |
|---|
| 10 | 10 | | Information Resources, including the composition of the governing |
|---|
| 11 | 11 | | body of the department. |
|---|
| 12 | 12 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 13 | 13 | | SECTION 1. Subchapter C, Chapter 656, Government Code, is |
|---|
| 14 | 14 | | amended by adding Sections 656.0505 and 656.0506 to read as |
|---|
| 15 | 15 | | follows: |
|---|
| 16 | 16 | | Sec. 656.0505. VOLUNTARY CERTIFICATION COURSE ON |
|---|
| 17 | 17 | | PROCUREMENT OF INFORMATION RESOURCES TECHNOLOGIES. (a) In this |
|---|
| 18 | 18 | | section: |
|---|
| 19 | 19 | | (1) "Department" means the Department of Information |
|---|
| 20 | 20 | | Resources. |
|---|
| 21 | 21 | | (2) "Information resources technologies" has the |
|---|
| 22 | 22 | | meaning assigned by Section 2054.003. |
|---|
| 23 | 23 | | (b) In coordination with the comptroller, the department |
|---|
| 24 | 24 | | shall develop and implement a certification course on the |
|---|
| 25 | 25 | | procurement of information resources technologies and make the |
|---|
| 26 | 26 | | course available to a person who: |
|---|
| 27 | 27 | | (1) holds a purchasing certification issued under |
|---|
| 28 | 28 | | Section 656.051; |
|---|
| 29 | 29 | | (2) holds a contract management certification issued |
|---|
| 30 | 30 | | under Section 656.052; or |
|---|
| 31 | 31 | | (3) holds both certifications described by |
|---|
| 32 | 32 | | Subdivisions (1) and (2). |
|---|
| 33 | 33 | | (c) The department shall provide the course at least |
|---|
| 34 | 34 | | quarterly and must provide the course in person. |
|---|
| 35 | 35 | | (d) The department shall certify a state agency employee who |
|---|
| 36 | 36 | | successfully completes the course. |
|---|
| 37 | 37 | | (e) Successful completion of the course may be credited |
|---|
| 38 | 38 | | toward any continuing education requirements for maintaining a |
|---|
| 39 | 39 | | certification under Section 656.051 or 656.052, or both. |
|---|
| 40 | 40 | | Sec. 656.0506. TRAINING ON PURCHASES OF INFORMATION |
|---|
| 41 | 41 | | RESOURCES TECHNOLOGIES FOR CERTAIN STATE AGENCY OFFICERS AND |
|---|
| 42 | 42 | | EMPLOYEES. (a) In this section: |
|---|
| 43 | 43 | | (1) "Department" means the Department of Information |
|---|
| 44 | 44 | | Resources. |
|---|
| 45 | 45 | | (2) "Information resources technologies" has the |
|---|
| 46 | 46 | | meaning assigned by Section 2054.003. |
|---|
| 47 | 47 | | (b) The department shall develop and provide annual |
|---|
| 48 | 48 | | training for persons who serve in upper management positions at |
|---|
| 49 | 49 | | state agencies, including elected or appointed state officers and |
|---|
| 50 | 50 | | executive heads of state agencies on best practices and |
|---|
| 51 | 51 | | methodologies for purchasing information resources technologies. |
|---|
| 52 | 52 | | (c) The department shall include in the training provided |
|---|
| 53 | 53 | | under Subsection (b) information the department covers in the |
|---|
| 54 | 54 | | certification programs established by Sections 656.051 and 656.052 |
|---|
| 55 | 55 | | that is related to the purchase of information resources |
|---|
| 56 | 56 | | technologies. The department may include additional topics in the |
|---|
| 57 | 57 | | training. |
|---|
| 58 | 58 | | (d) The department may not require a person described by |
|---|
| 59 | 59 | | Subsection (b) to participate in the training. |
|---|
| 60 | 60 | | SECTION 2. Section 2054.003(13), Government Code, is |
|---|
| 61 | 61 | | amended to read as follows: |
|---|
| 62 | 62 | | (13) "State agency" means, except as otherwise |
|---|
| 63 | 63 | | provided by this chapter, a department, commission, board, office, |
|---|
| 64 | 64 | | council, authority, or other agency in the executive or judicial |
|---|
| 65 | 65 | | branch of state government that is created by the constitution or a |
|---|
| 66 | 66 | | statute of this state, including a university system or institution |
|---|
| 67 | 67 | | of higher education as defined by Section 61.003, Education Code. |
|---|
| 68 | 68 | | SECTION 3. Section 2054.005, Government Code, is amended to |
|---|
| 69 | 69 | | read as follows: |
|---|
| 70 | 70 | | Sec. 2054.005. SUNSET PROVISION. [(a)] The Department of |
|---|
| 71 | 71 | | Information Resources is subject to Chapter 325 (Texas Sunset Act). |
|---|
| 72 | 72 | | Unless continued in existence as provided by that chapter, the |
|---|
| 73 | 73 | | department is abolished [and this chapter expires] September 1, |
|---|
| 74 | 74 | | 2037 [2025]. |
|---|
| 75 | 75 | | SECTION 4. Section 2054.021, Government Code, is amended by |
|---|
| 76 | 76 | | amending Subsections (a), (c), (f), (g), and (h) and adding |
|---|
| 77 | 77 | | Subsections (a-1), (c-1), (c-2), and (i) to read as follows: |
|---|
| 78 | 78 | | (a) For purposes of this section, "state agency" has the |
|---|
| 79 | 79 | | meaning assigned by Section 2054.003 but does not include a |
|---|
| 80 | 80 | | department, commission, board, office, council, authority, or |
|---|
| 81 | 81 | | other agency in the judicial branch of state government. |
|---|
| 82 | 82 | | (a-1) The department is governed by a board composed of 11 |
|---|
| 83 | 83 | | members as follows: |
|---|
| 84 | 84 | | (1) seven voting members appointed by the governor |
|---|
| 85 | 85 | | with the advice and consent of the senate; and |
|---|
| 86 | 86 | | (2) four nonvoting members as provided by Subsection |
|---|
| 87 | 87 | | (c). [One member must be employed by an institution of higher |
|---|
| 88 | 88 | | education as defined by Section 61.003, Education Code.] |
|---|
| 89 | 89 | | (c) The governor shall appoint the four nonvoting members of |
|---|
| 90 | 90 | | the board as follows: |
|---|
| 91 | 91 | | (1) one member who is an employee of an institution of |
|---|
| 92 | 92 | | higher education, as defined by Section 61.003, Education Code; |
|---|
| 93 | 93 | | (2) two members who are employees of state agencies |
|---|
| 94 | 94 | | that are on the list provided under Subsection (c-1); and |
|---|
| 95 | 95 | | (3) one member who is an employee of a state agency |
|---|
| 96 | 96 | | with fewer than 500 full-time employees. |
|---|
| 97 | 97 | | (c-1) Not later than December 1 of each even-numbered year, |
|---|
| 98 | 98 | | the department shall provide the governor a list of the 10 state |
|---|
| 99 | 99 | | agencies that spent the most money on products and services of the |
|---|
| 100 | 100 | | department during the previous state fiscal year. |
|---|
| 101 | 101 | | (c-2) A nonvoting member of the board serves for a two-year |
|---|
| 102 | 102 | | term that expires February 1 of each odd-numbered year. [Two groups |
|---|
| 103 | 103 | | each composed of three ex officio members serve on the board on a |
|---|
| 104 | 104 | | rotating basis. The ex officio members serve as nonvoting members |
|---|
| 105 | 105 | | of the board. Only one group serves at a time. The first group is |
|---|
| 106 | 106 | | composed of the commissioner of insurance, the executive |
|---|
| 107 | 107 | | commissioner of the Health and Human Services Commission, and the |
|---|
| 108 | 108 | | executive director of the Texas Department of Transportation. |
|---|
| 109 | 109 | | Members of the first group serve for two-year terms that begin |
|---|
| 110 | 110 | | February 1 of every other odd-numbered year and that expire on |
|---|
| 111 | 111 | | February 1 of the next odd-numbered year. The second group is |
|---|
| 112 | 112 | | composed of the commissioner of education, the executive director |
|---|
| 113 | 113 | | of the Texas Department of Criminal Justice, and the executive |
|---|
| 114 | 114 | | director of the Parks and Wildlife Department. Members of the |
|---|
| 115 | 115 | | second group serve for two-year terms that begin February 1 of the |
|---|
| 116 | 116 | | odd-numbered years in which the terms of members of the first group |
|---|
| 117 | 117 | | expire and that expire on February 1 of the next odd-numbered year.] |
|---|
| 118 | 118 | | (f) A [To be eligible to take office or serve as a voting or |
|---|
| 119 | 119 | | nonvoting member of the board, a] person who is appointed to and |
|---|
| 120 | 120 | | qualifies for office as a member of the board may not vote, |
|---|
| 121 | 121 | | deliberate, or be counted as a member in attendance at a meeting of |
|---|
| 122 | 122 | | the board until the person: |
|---|
| 123 | 123 | | (1) completes [appointed to or scheduled to serve as |
|---|
| 124 | 124 | | an ex officio member of the board must complete at least one course |
|---|
| 125 | 125 | | of] a training program that complies with Subsection (g); and |
|---|
| 126 | 126 | | (2) signs and submits to the executive director a |
|---|
| 127 | 127 | | statement acknowledging that the member completed the training |
|---|
| 128 | 128 | | program and the training required under Section 656.053 [this |
|---|
| 129 | 129 | | section]. [A voting or nonvoting board member must complete a |
|---|
| 130 | 130 | | training program that complies with Subsection (g) not later than |
|---|
| 131 | 131 | | the 180th day after the date on which the person takes office or |
|---|
| 132 | 132 | | begins serving as a member of the board.] |
|---|
| 133 | 133 | | (g) The training program must provide the person with |
|---|
| 134 | 134 | | information [to the person] regarding: |
|---|
| 135 | 135 | | (1) the law governing department operations [this |
|---|
| 136 | 136 | | chapter] and the board to which the person is appointed to serve; |
|---|
| 137 | 137 | | (2) the programs, functions, rules, and budget of |
|---|
| 138 | 138 | | [operated by] the department; |
|---|
| 139 | 139 | | (3) the scope of and limitations on the rulemaking |
|---|
| 140 | 140 | | authority of the department [the role and functions of the |
|---|
| 141 | 141 | | department]; |
|---|
| 142 | 142 | | (4) the results of the most recent formal audit of the |
|---|
| 143 | 143 | | department [rules of the department, with an emphasis on the rules |
|---|
| 144 | 144 | | that relate to disciplinary and investigatory authority]; |
|---|
| 145 | 145 | | (5) the requirements of: |
|---|
| 146 | 146 | | (A) laws relating to open meetings, public |
|---|
| 147 | 147 | | information, administrative procedure, and disclosing conflicts of |
|---|
| 148 | 148 | | interest; and |
|---|
| 149 | 149 | | (B) other laws applicable to members of a state |
|---|
| 150 | 150 | | policy-making body in performing their duties [current budget for |
|---|
| 151 | 151 | | the department]; |
|---|
| 152 | 152 | | (6) [the results of the most recent formal audit of the |
|---|
| 153 | 153 | | department; |
|---|
| 154 | 154 | | [(7) the requirements of the: |
|---|
| 155 | 155 | | [(A) open meetings law, Chapter 551; |
|---|
| 156 | 156 | | [(B) open records law, Chapter 552; and |
|---|
| 157 | 157 | | [(C) administrative procedure law, Chapter 2001; |
|---|
| 158 | 158 | | [(8) the requirements of the conflict of interest laws |
|---|
| 159 | 159 | | and other laws relating to public officials; |
|---|
| 160 | 160 | | [(9)] any applicable ethics policies adopted by the |
|---|
| 161 | 161 | | department or the Texas Ethics Commission; and |
|---|
| 162 | 162 | | (7) [(10)] contract management training. |
|---|
| 163 | 163 | | (h) A person appointed to the board is entitled to |
|---|
| 164 | 164 | | reimbursement, as provided by the General Appropriations Act, for |
|---|
| 165 | 165 | | travel expenses incurred in attending the training program, |
|---|
| 166 | 166 | | regardless of whether the attendance at the program occurs before |
|---|
| 167 | 167 | | or after the person qualifies for office [as provided by the General |
|---|
| 168 | 168 | | Appropriations Act and as if the person were a member of the board]. |
|---|
| 169 | 169 | | (i) The executive director shall create a training manual |
|---|
| 170 | 170 | | that includes the information required by Subsection (g). The |
|---|
| 171 | 171 | | executive director shall distribute a copy of the training manual |
|---|
| 172 | 172 | | annually to each member of the board. Each member of the board |
|---|
| 173 | 173 | | shall sign and submit to the executive director a statement |
|---|
| 174 | 174 | | acknowledging that the member received and has reviewed the |
|---|
| 175 | 175 | | training manual. |
|---|
| 176 | 176 | | SECTION 5. Section 2054.024(c), Government Code, is amended |
|---|
| 177 | 177 | | to read as follows: |
|---|
| 178 | 178 | | (c) If the final result of an action brought in a court of |
|---|
| 179 | 179 | | competent jurisdiction is that a board [an ex officio or other] |
|---|
| 180 | 180 | | member [of the board] may not serve on the board under the Texas |
|---|
| 181 | 181 | | Constitution, the [appropriate individual shall promptly submit a |
|---|
| 182 | 182 | | list to the] governor shall appoint [for the appointment of] a |
|---|
| 183 | 183 | | replacement who may serve. |
|---|
| 184 | 184 | | SECTION 6. The heading to Section 2054.033, Government |
|---|
| 185 | 185 | | Code, is amended to read as follows: |
|---|
| 186 | 186 | | Sec. 2054.033. ESTABLISHMENT OF ADVISORY COMMITTEES; |
|---|
| 187 | 187 | | ADMINISTRATION AND REQUIREMENTS. |
|---|
| 188 | 188 | | SECTION 7. Section 2054.033, Government Code, is amended by |
|---|
| 189 | 189 | | amending Subsection (a) and adding Subsections (e), (f), and (g) to |
|---|
| 190 | 190 | | read as follows: |
|---|
| 191 | 191 | | (a) The board and the executive director, if authorized by |
|---|
| 192 | 192 | | the board, by rule may establish [appoint] advisory committees as |
|---|
| 193 | 193 | | the department considers necessary to provide expertise to the |
|---|
| 194 | 194 | | department. |
|---|
| 195 | 195 | | (e) With respect to an advisory committee whose |
|---|
| 196 | 196 | | jurisdiction covers a service provided by the department to state |
|---|
| 197 | 197 | | agencies, in appointing members to the advisory committee the board |
|---|
| 198 | 198 | | shall: |
|---|
| 199 | 199 | | (1) to the extent practicable, ensure that the |
|---|
| 200 | 200 | | advisory committee is composed of a cross-section of the |
|---|
| 201 | 201 | | department's customers who use the service; and |
|---|
| 202 | 202 | | (2) appoint, in addition to the member required by |
|---|
| 203 | 203 | | Subsection (d), at least one member who is an employee of a state |
|---|
| 204 | 204 | | agency with 500 or fewer full-time employees. |
|---|
| 205 | 205 | | (f) The board shall adopt rules to govern each advisory |
|---|
| 206 | 206 | | committee of the department. The rules must include: |
|---|
| 207 | 207 | | (1) the purpose, role, goals, composition, and |
|---|
| 208 | 208 | | duration of the advisory committee; |
|---|
| 209 | 209 | | (2) as to the advisory committee members: |
|---|
| 210 | 210 | | (A) the appointment procedures, terms, and |
|---|
| 211 | 211 | | quorum requirements; |
|---|
| 212 | 212 | | (B) conflict-of-interest policies; and |
|---|
| 213 | 213 | | (C) as advisable, member qualifications or |
|---|
| 214 | 214 | | training requirements; |
|---|
| 215 | 215 | | (3) as appropriate, a method the department must use |
|---|
| 216 | 216 | | to receive public input on issues considered by the advisory |
|---|
| 217 | 217 | | committee; and |
|---|
| 218 | 218 | | (4) as appropriate, a method for sharing findings and |
|---|
| 219 | 219 | | information of the advisory committee with the public and the |
|---|
| 220 | 220 | | board. |
|---|
| 221 | 221 | | (g) Except as otherwise provided by this chapter, an |
|---|
| 222 | 222 | | advisory committee of the department is subject to Chapter 2110. |
|---|
| 223 | 223 | | SECTION 8. Subchapter B, Chapter 2054, Government Code, is |
|---|
| 224 | 224 | | amended by adding Sections 2054.0333, 2054.0335, and 2054.0337 to |
|---|
| 225 | 225 | | read as follows: |
|---|
| 226 | 226 | | Sec. 2054.0333. ADVISORY COMMITTEES ON DEPARTMENT |
|---|
| 227 | 227 | | FUNCTIONS REQUIRED. The board by rule shall establish advisory |
|---|
| 228 | 228 | | committees under Section 2054.033 that advise the board on |
|---|
| 229 | 229 | | governing the department and cover in subject matter the |
|---|
| 230 | 230 | | department's primary functions, including at least one advisory |
|---|
| 231 | 231 | | committee for each of the following subjects: |
|---|
| 232 | 232 | | (1) procurement under Subchapter B, Chapter 2157; |
|---|
| 233 | 233 | | (2) the development and implementation of information |
|---|
| 234 | 234 | | security programs; and |
|---|
| 235 | 235 | | (3) the preparation of the state strategic plan |
|---|
| 236 | 236 | | required by Section 2054.091. |
|---|
| 237 | 237 | | Sec. 2054.0335. STATEWIDE INFORMATION SECURITY ADVISORY |
|---|
| 238 | 238 | | COMMITTEE. (a) The board by rule shall establish an advisory |
|---|
| 239 | 239 | | committee under Section 2054.033 to make recommendations to the |
|---|
| 240 | 240 | | department on improving the effectiveness of the department's and |
|---|
| 241 | 241 | | this state's information security operations. |
|---|
| 242 | 242 | | (b) The advisory committee must include members who are |
|---|
| 243 | 243 | | information security professionals employed by state agencies and |
|---|
| 244 | 244 | | local governments. |
|---|
| 245 | 245 | | (c) The presiding officer of the advisory committee is the |
|---|
| 246 | 246 | | chief information security officer under Section 2054.510. |
|---|
| 247 | 247 | | Sec. 2054.0337. CUSTOMER ADVISORY COMMITTEE. (a) The |
|---|
| 248 | 248 | | board by rule shall establish an advisory committee under Section |
|---|
| 249 | 249 | | 2054.033 to report to and advise the board on improving the |
|---|
| 250 | 250 | | effectiveness and efficiency of services provided by the department |
|---|
| 251 | 251 | | to customers. |
|---|
| 252 | 252 | | (b) The board shall appoint advisory committee members who |
|---|
| 253 | 253 | | are employees of state agencies that: |
|---|
| 254 | 254 | | (1) use the department's services; and |
|---|
| 255 | 255 | | (2) have 500 or fewer full-time employees, including |
|---|
| 256 | 256 | | at least three members who are employees of state agencies that have |
|---|
| 257 | 257 | | 150 or fewer full-time employees. |
|---|
| 258 | 258 | | SECTION 9. Section 2054.035(b), Government Code, is amended |
|---|
| 259 | 259 | | to read as follows: |
|---|
| 260 | 260 | | (b) The department shall prepare information of public |
|---|
| 261 | 261 | | interest describing the functions of the department [and the |
|---|
| 262 | 262 | | procedures by which complaints are filed with and resolved by the |
|---|
| 263 | 263 | | department]. The department shall make the information available |
|---|
| 264 | 264 | | to the public and appropriate state agencies. |
|---|
| 265 | 265 | | SECTION 10. Section 2054.036, Government Code, is amended |
|---|
| 266 | 266 | | to read as follows: |
|---|
| 267 | 267 | | Sec. 2054.036. COMPLAINTS. (a) The department shall |
|---|
| 268 | 268 | | maintain a system to promptly and efficiently act on complaints |
|---|
| 269 | 269 | | filed with the department. The department shall maintain |
|---|
| 270 | 270 | | information about parties to the complaint, the subject matter of |
|---|
| 271 | 271 | | the complaint, and a summary of the results of the review or |
|---|
| 272 | 272 | | investigation of the complaint, and its disposition. [keep a file |
|---|
| 273 | 273 | | about each written complaint filed with the department that the |
|---|
| 274 | 274 | | department has authority to resolve. The department shall provide |
|---|
| 275 | 275 | | to the person filing the complaint and the persons or entities |
|---|
| 276 | 276 | | complained about the department's policies and procedures |
|---|
| 277 | 277 | | pertaining to complaint investigation and resolution. The |
|---|
| 278 | 278 | | department, at least quarterly and until final disposition of the |
|---|
| 279 | 279 | | complaint, shall notify the person filing the complaint and the |
|---|
| 280 | 280 | | persons or entities complained about of the status of the complaint |
|---|
| 281 | 281 | | unless the notice would jeopardize an undercover investigation.] |
|---|
| 282 | 282 | | (b) The department shall make information available |
|---|
| 283 | 283 | | describing its procedures for complaint investigation and |
|---|
| 284 | 284 | | resolution [keep information about each complaint filed with the |
|---|
| 285 | 285 | | department]. [The information shall include: |
|---|
| 286 | 286 | | [(1) the date the complaint is received; |
|---|
| 287 | 287 | | [(2) the name of the complainant; |
|---|
| 288 | 288 | | [(3) the subject matter of the complaint; |
|---|
| 289 | 289 | | [(4) a record of all persons contacted in relation to |
|---|
| 290 | 290 | | the complaint; |
|---|
| 291 | 291 | | [(5) a summary of the results of the review or |
|---|
| 292 | 292 | | investigation of the complaint; and |
|---|
| 293 | 293 | | [(6) for complaints for which the department took no |
|---|
| 294 | 294 | | action, an explanation of the reason the complaint was closed |
|---|
| 295 | 295 | | without action.] |
|---|
| 296 | 296 | | (c) The department shall periodically notify the complaint |
|---|
| 297 | 297 | | parties of the status of the complaint until final disposition |
|---|
| 298 | 298 | | unless the notice would jeopardize an ongoing investigation. |
|---|
| 299 | 299 | | SECTION 11. Sections 2054.055(b) and (b-2), Government |
|---|
| 300 | 300 | | Code, are amended to read as follows: |
|---|
| 301 | 301 | | (b) The report must: |
|---|
| 302 | 302 | | (1) assess the progress made toward meeting the goals |
|---|
| 303 | 303 | | and objectives of the state strategic plan for information |
|---|
| 304 | 304 | | resources management; |
|---|
| 305 | 305 | | (2) describe major accomplishments of the state or a |
|---|
| 306 | 306 | | specific state agency in information resources management; |
|---|
| 307 | 307 | | (3) describe major problems in information resources |
|---|
| 308 | 308 | | management confronting the state or a specific state agency; |
|---|
| 309 | 309 | | (4) provide a summary of the total expenditures for |
|---|
| 310 | 310 | | information resources and information resources technologies by |
|---|
| 311 | 311 | | the state; |
|---|
| 312 | 312 | | (5) make recommendations for improving the |
|---|
| 313 | 313 | | effectiveness and cost-efficiency of the state's use of information |
|---|
| 314 | 314 | | resources; |
|---|
| 315 | 315 | | (6) describe the status, progress, benefits, and |
|---|
| 316 | 316 | | efficiency gains of the state electronic Internet portal project, |
|---|
| 317 | 317 | | including any significant issues regarding contract performance; |
|---|
| 318 | 318 | | (7) provide a financial summary of the state |
|---|
| 319 | 319 | | electronic Internet portal project, including project costs and |
|---|
| 320 | 320 | | revenues; |
|---|
| 321 | 321 | | (8) [provide a summary of the amount and use of |
|---|
| 322 | 322 | | Internet-based training conducted by each state agency and |
|---|
| 323 | 323 | | institution of higher education; |
|---|
| 324 | 324 | | [(9)] provide a summary of agency and statewide |
|---|
| 325 | 325 | | results in providing access to electronic and information resources |
|---|
| 326 | 326 | | to individuals with disabilities as required by Subchapter M; |
|---|
| 327 | 327 | | (9) [(10)] assess the progress made toward |
|---|
| 328 | 328 | | accomplishing the goals of the plan for a state telecommunications |
|---|
| 329 | 329 | | network and developing a system of telecommunications services as |
|---|
| 330 | 330 | | provided by Subchapter H; and |
|---|
| 331 | 331 | | (10) [(11)] identify proposed major information |
|---|
| 332 | 332 | | resources projects for the next state fiscal biennium, including |
|---|
| 333 | 333 | | project costs through stages of the project and across state fiscal |
|---|
| 334 | 334 | | years from project initiation to implementation. |
|---|
| 335 | 335 | | (b-2) The information required under Subsection (b)(10) |
|---|
| 336 | 336 | | [(b)(11)] must include: |
|---|
| 337 | 337 | | (1) final total cost of ownership budget data for the |
|---|
| 338 | 338 | | entire life cycle of the major information resources project, |
|---|
| 339 | 339 | | including capital and operational costs that itemize staffing |
|---|
| 340 | 340 | | costs, contracted services, hardware purchased or leased, software |
|---|
| 341 | 341 | | purchased or leased, travel, and training; |
|---|
| 342 | 342 | | (2) the original project schedule and the final actual |
|---|
| 343 | 343 | | project schedule; |
|---|
| 344 | 344 | | (3) data on the progress toward meeting the original |
|---|
| 345 | 345 | | goals and performance measures of the project, specifically those |
|---|
| 346 | 346 | | related to operating budget savings; |
|---|
| 347 | 347 | | (4) lessons learned on the project, performance |
|---|
| 348 | 348 | | evaluations of any vendors used in the project, and reasons for |
|---|
| 349 | 349 | | project delays or cost increases; and |
|---|
| 350 | 350 | | (5) the benefits, cost avoidance, and cost savings |
|---|
| 351 | 351 | | generated by major technology resources projects. |
|---|
| 352 | 352 | | SECTION 12. Subchapter C, Chapter 2054, Government Code, is |
|---|
| 353 | 353 | | amended by adding Section 2054.057 to read as follows: |
|---|
| 354 | 354 | | Sec. 2054.057. PROCUREMENT SERVICES PILOT PROGRAM. (a) In |
|---|
| 355 | 355 | | this section: |
|---|
| 356 | 356 | | (1) "Participating state agency" means a state agency |
|---|
| 357 | 357 | | that the department has approved to participate in the pilot |
|---|
| 358 | 358 | | program. |
|---|
| 359 | 359 | | (2) "Pilot program" means the procurement services |
|---|
| 360 | 360 | | pilot program established under this section. |
|---|
| 361 | 361 | | (3) "State agency" means a board, commission, office, |
|---|
| 362 | 362 | | department, or other agency in the executive, judicial, or |
|---|
| 363 | 363 | | legislative branch of state government. The term does not include |
|---|
| 364 | 364 | | an institution of higher education, as defined by Section 61.003, |
|---|
| 365 | 365 | | Education Code. |
|---|
| 366 | 366 | | (b) The department shall establish a pilot program under |
|---|
| 367 | 367 | | which the department provides assistance in the procurement of |
|---|
| 368 | 368 | | information resources technologies on request by a participating |
|---|
| 369 | 369 | | state agency. |
|---|
| 370 | 370 | | (c) A state agency may participate in the pilot program only |
|---|
| 371 | 371 | | if the department approves of the participation in writing. |
|---|
| 372 | 372 | | (d) The department may limit the: |
|---|
| 373 | 373 | | (1) number of participating state agencies in the |
|---|
| 374 | 374 | | pilot program; and |
|---|
| 375 | 375 | | (2) types of information resources technologies for |
|---|
| 376 | 376 | | which procurement assistance is provided under the pilot program. |
|---|
| 377 | 377 | | (e) Services under the pilot program may include assistance |
|---|
| 378 | 378 | | with: |
|---|
| 379 | 379 | | (1) procurement planning; |
|---|
| 380 | 380 | | (2) developing a cost estimate for an information |
|---|
| 381 | 381 | | resources technologies project; and |
|---|
| 382 | 382 | | (3) drafting and developing a solicitation. |
|---|
| 383 | 383 | | (f) With respect to any procurement assistance provided by |
|---|
| 384 | 384 | | the department under the pilot program, the department: |
|---|
| 385 | 385 | | (1) may not control the procurement for which the |
|---|
| 386 | 386 | | assistance is provided or the management of any resulting contract; |
|---|
| 387 | 387 | | and |
|---|
| 388 | 388 | | (2) is not civilly liable for damages resulting from |
|---|
| 389 | 389 | | the provision of procurement assistance unless the damages result |
|---|
| 390 | 390 | | from intentional conduct or gross negligence. |
|---|
| 391 | 391 | | (g) Not later than December 1, 2028, the department shall |
|---|
| 392 | 392 | | submit a report to the legislature that includes a summary of the |
|---|
| 393 | 393 | | pilot program's activities and a recommendation of whether to |
|---|
| 394 | 394 | | continue or expand the program. |
|---|
| 395 | 395 | | (h) This section expires January 1, 2029. |
|---|
| 396 | 396 | | SECTION 13. Section 2054.075(b), Government Code, is |
|---|
| 397 | 397 | | amended to read as follows: |
|---|
| 398 | 398 | | (b) Each state agency information resources manager is part |
|---|
| 399 | 399 | | of the agency's executive management and reports directly to the |
|---|
| 400 | 400 | | executive head or deputy executive head of the agency. Each state |
|---|
| 401 | 401 | | agency shall report to the department the extent and results of its |
|---|
| 402 | 402 | | compliance with this subsection and include with the report an |
|---|
| 403 | 403 | | organizational chart showing the structure of the personnel in the |
|---|
| 404 | 404 | | agency's executive management. [The department shall report the |
|---|
| 405 | 405 | | extent and results of state agencies' compliance with this |
|---|
| 406 | 406 | | subsection to the legislature.] |
|---|
| 407 | 407 | | SECTION 14. Section 2054.097, Government Code, is amended |
|---|
| 408 | 408 | | by adding Subsections (c), (d), and (e) to read as follows: |
|---|
| 409 | 409 | | (c) Once every two years, the department shall conduct a |
|---|
| 410 | 410 | | limited evaluation of the information resources deployment review |
|---|
| 411 | 411 | | of at least five state agencies to verify the accuracy of those |
|---|
| 412 | 412 | | reviews. The department may limit the evaluation to review |
|---|
| 413 | 413 | | responses on subjects that represent the highest risks or greatest |
|---|
| 414 | 414 | | opportunities for improvement regarding the state agency's |
|---|
| 415 | 415 | | software, hardware, compliance, and cybersecurity. |
|---|
| 416 | 416 | | (d) The department is not required to conduct site visits as |
|---|
| 417 | 417 | | part of the limited evaluation required by Subsection (c). |
|---|
| 418 | 418 | | (e) The department shall use information received from the |
|---|
| 419 | 419 | | limited evaluation required by Subsection (c) to: |
|---|
| 420 | 420 | | (1) update trainings for and outreach to information |
|---|
| 421 | 421 | | resources managers on accurately completing the information |
|---|
| 422 | 422 | | resources deployment review; and |
|---|
| 423 | 423 | | (2) recommend information resources technology |
|---|
| 424 | 424 | | solutions to state agencies as needed. |
|---|
| 425 | 425 | | SECTION 15. Section 2054.2606(c), Government Code, is |
|---|
| 426 | 426 | | amended to read as follows: |
|---|
| 427 | 427 | | (c) A licensing entity that establishes a profile system |
|---|
| 428 | 428 | | under this section shall determine the information to be included |
|---|
| 429 | 429 | | in the system and the manner for collecting and reporting the |
|---|
| 430 | 430 | | information. At a minimum, the entity shall include the following |
|---|
| 431 | 431 | | information in the profile system: |
|---|
| 432 | 432 | | (1) the name of the license holder and the address and |
|---|
| 433 | 433 | | telephone number of the license holder's primary practice location; |
|---|
| 434 | 434 | | (2) whether the license holder's patient, client, |
|---|
| 435 | 435 | | user, customer, or consumer service areas, as applicable, are |
|---|
| 436 | 436 | | accessible to [disabled] persons with disabilities, as defined by |
|---|
| 437 | 437 | | federal law; |
|---|
| 438 | 438 | | (3) the type of language translating services, |
|---|
| 439 | 439 | | including translating services for a person who is deaf or hard |
|---|
| 440 | 440 | | [with impairment] of hearing, that the license holder provides for |
|---|
| 441 | 441 | | patients, clients, users, customers, or consumers, as applicable; |
|---|
| 442 | 442 | | (4) if applicable, insurance information, including |
|---|
| 443 | 443 | | whether the license holder participates in the state child health |
|---|
| 444 | 444 | | plan under Chapter 62, Health and Safety Code, or the Medicaid |
|---|
| 445 | 445 | | program; |
|---|
| 446 | 446 | | (5) the education and training received by the license |
|---|
| 447 | 447 | | holder, as required by the licensing entity; |
|---|
| 448 | 448 | | (6) any specialty certification held by the license |
|---|
| 449 | 449 | | holder; |
|---|
| 450 | 450 | | (7) the number of years the person has practiced as a |
|---|
| 451 | 451 | | license holder; and |
|---|
| 452 | 452 | | (8) if applicable, any hospital affiliation of the |
|---|
| 453 | 453 | | license holder. |
|---|
| 454 | 454 | | SECTION 16. Section 2054.456(a), Government Code, is |
|---|
| 455 | 455 | | amended to read as follows: |
|---|
| 456 | 456 | | (a) Each state agency shall, in developing, procuring, |
|---|
| 457 | 457 | | maintaining, or using electronic and information resources, ensure |
|---|
| 458 | 458 | | that state employees with disabilities have access to and the use of |
|---|
| 459 | 459 | | those resources comparable to the access and use available to state |
|---|
| 460 | 460 | | employees without disabilities, unless compliance with this |
|---|
| 461 | 461 | | section imposes a significant difficulty or expense on the agency |
|---|
| 462 | 462 | | under Section 2054.460. Subject to Section 2054.460, the agency |
|---|
| 463 | 463 | | shall take reasonable steps to ensure that an [a disabled] employee |
|---|
| 464 | 464 | | with a disability has reasonable access to perform the employee's |
|---|
| 465 | 465 | | duties. |
|---|
| 466 | 466 | | SECTION 17. The heading to Section 2054.515, Government |
|---|
| 467 | 467 | | Code, is amended to read as follows: |
|---|
| 468 | 468 | | Sec. 2054.515. AGENCY DATA GOVERNANCE [INFORMATION |
|---|
| 469 | 469 | | SECURITY] ASSESSMENT AND REPORT. |
|---|
| 470 | 470 | | SECTION 18. Section 2054.515, Government Code, is amended |
|---|
| 471 | 471 | | by amending Subsections (a), (c), and (d) and adding Subsection |
|---|
| 472 | 472 | | (a-1) to read as follows: |
|---|
| 473 | 473 | | (a) At least once every two years, each state agency shall |
|---|
| 474 | 474 | | conduct an [information security] assessment of the agency's[: |
|---|
| 475 | 475 | | [(1) information resources systems, network systems, |
|---|
| 476 | 476 | | digital data storage systems, digital data security measures, and |
|---|
| 477 | 477 | | information resources vulnerabilities; and |
|---|
| 478 | 478 | | [(2)] data governance program with participation from |
|---|
| 479 | 479 | | the agency's data management officer, if applicable, and in |
|---|
| 480 | 480 | | accordance with requirements established by department rule. |
|---|
| 481 | 481 | | (a-1) Not later than June 1 of each even-numbered year, each |
|---|
| 482 | 482 | | state agency shall report the results of the assessment conducted |
|---|
| 483 | 483 | | under Subsection (a) to: |
|---|
| 484 | 484 | | (1) the department; and |
|---|
| 485 | 485 | | (2) on request, the governor, the lieutenant governor, |
|---|
| 486 | 486 | | and the speaker of the house of representatives. |
|---|
| 487 | 487 | | (c) The department by rule shall establish the requirements |
|---|
| 488 | 488 | | for the [information security] assessment and report required by |
|---|
| 489 | 489 | | this section. |
|---|
| 490 | 490 | | (d) The report and all documentation related to the |
|---|
| 491 | 491 | | [information security] assessment and report are confidential and |
|---|
| 492 | 492 | | not subject to disclosure under Chapter 552. The state agency or |
|---|
| 493 | 493 | | department may redact or withhold the information as confidential |
|---|
| 494 | 494 | | under Chapter 552 without requesting a decision from the attorney |
|---|
| 495 | 495 | | general under Subchapter G, Chapter 552. |
|---|
| 496 | 496 | | SECTION 19. Sections 2054.5191(a), (a-1), and (a-2), |
|---|
| 497 | 497 | | Government Code, are amended to read as follows: |
|---|
| 498 | 498 | | (a) At least once each year, each employee of a [Each] state |
|---|
| 499 | 499 | | agency [shall identify state employees who use a computer to |
|---|
| 500 | 500 | | complete at least 25 percent of the employee's required duties. At |
|---|
| 501 | 501 | | least once each year, an employee identified by the state agency] |
|---|
| 502 | 502 | | and each elected or appointed officer of the agency shall complete a |
|---|
| 503 | 503 | | cybersecurity training program certified under Section 2054.519. |
|---|
| 504 | 504 | | (a-1) At least once each year, each employee and each |
|---|
| 505 | 505 | | elected or appointed official of a local government shall[: |
|---|
| 506 | 506 | | [(1) identify local government employees and elected |
|---|
| 507 | 507 | | and appointed officials who have access to a local government |
|---|
| 508 | 508 | | computer system or database and use a computer to perform at least |
|---|
| 509 | 509 | | 25 percent of the employee's or official's required duties; and |
|---|
| 510 | 510 | | [(2) require the employees and officials identified |
|---|
| 511 | 511 | | under Subdivision (1) to] complete a cybersecurity training program |
|---|
| 512 | 512 | | certified under Section 2054.519. |
|---|
| 513 | 513 | | (a-2) The governing body of a local government or the |
|---|
| 514 | 514 | | governing body's designee may deny access to the local government's |
|---|
| 515 | 515 | | computer system or database to an employee or official of the local |
|---|
| 516 | 516 | | government [an individual described by Subsection (a-1)(1)] who the |
|---|
| 517 | 517 | | governing body or the governing body's designee determines is |
|---|
| 518 | 518 | | noncompliant with the requirements of Subsection (a-1) [(a-1)(2)]. |
|---|
| 519 | 519 | | SECTION 20. Subchapter N-1, Chapter 2054, Government Code, |
|---|
| 520 | 520 | | is amended by adding Section 2054.5195 to read as follows: |
|---|
| 521 | 521 | | Sec. 2054.5195. INFORMATION SECURITY ASSESSMENT AND |
|---|
| 522 | 522 | | PENETRATION TEST REQUIRED. (a) This section does not apply to a |
|---|
| 523 | 523 | | university system or institution of higher education as defined by |
|---|
| 524 | 524 | | Section 61.003, Education Code. |
|---|
| 525 | 525 | | (b) At least once every two years, the department shall |
|---|
| 526 | 526 | | require each state agency to complete an information security |
|---|
| 527 | 527 | | assessment and a penetration test to be performed by the department |
|---|
| 528 | 528 | | or, at the department's discretion, a vendor selected by the |
|---|
| 529 | 529 | | department. |
|---|
| 530 | 530 | | (c) The department shall establish rules as necessary to |
|---|
| 531 | 531 | | implement this section, including rules for the procurement of a |
|---|
| 532 | 532 | | vendor under Subsection (b). |
|---|
| 533 | 533 | | SECTION 21. The following provisions of the Government Code |
|---|
| 534 | 534 | | are repealed: |
|---|
| 535 | 535 | | (1) Section 2054.021(d); |
|---|
| 536 | 536 | | (2) Section 2054.023(c); |
|---|
| 537 | 537 | | (3) Section 2054.0331; |
|---|
| 538 | 538 | | (4) Section 2054.091(d); |
|---|
| 539 | 539 | | (5) Section 2054.0925(c); |
|---|
| 540 | 540 | | (6) Section 2054.515(b), as amended by Chapter 567 |
|---|
| 541 | 541 | | (S.B. 475), Acts of the 87th Legislature, Regular Session, 2021; |
|---|
| 542 | 542 | | and |
|---|
| 543 | 543 | | (7) Section 2054.515(b), as amended by Chapter 856 |
|---|
| 544 | 544 | | (S.B. 800), Acts of the 87th Legislature, Regular Session, 2021. |
|---|
| 545 | 545 | | SECTION 22. (a) In this section, "institution of higher |
|---|
| 546 | 546 | | education" has the meaning assigned by Section 61.003, Education |
|---|
| 547 | 547 | | Code. |
|---|
| 548 | 548 | | (b) As soon as possible after the effective date of this |
|---|
| 549 | 549 | | Act, as the terms of members of the governing board of the |
|---|
| 550 | 550 | | Department of Information Resources expire or as vacancies occur, |
|---|
| 551 | 551 | | the governor shall appoint members to the board so that the board is |
|---|
| 552 | 552 | | composed in accordance with Section 2054.021, Government Code, as |
|---|
| 553 | 553 | | amended by this Act, except that the term of the member of the board |
|---|
| 554 | 554 | | serving on the board immediately before the effective date of this |
|---|
| 555 | 555 | | Act who holds the position of the member who is employed by an |
|---|
| 556 | 556 | | institution of higher education expires on that date. A member of |
|---|
| 557 | 557 | | the governing board whose term expires under this subsection is |
|---|
| 558 | 558 | | eligible for reappointment under Subsection (c) of this section. |
|---|
| 559 | 559 | | (c) Not later than December 1, 2025, the governor shall |
|---|
| 560 | 560 | | appoint the following members to the governing board of the |
|---|
| 561 | 561 | | Department of Information Resources in accordance with Section |
|---|
| 562 | 562 | | 2054.021, Government Code, as amended by this Act: |
|---|
| 563 | 563 | | (1) one voting member to serve a term that expires |
|---|
| 564 | 564 | | February 1, 2031; and |
|---|
| 565 | 565 | | (2) one nonvoting member to the position of the member |
|---|
| 566 | 566 | | who is employed by an institution of higher education to serve a |
|---|
| 567 | 567 | | term that expires February 1, 2027. |
|---|
| 568 | 568 | | SECTION 23. (a) Except as provided by Subsection (b) of |
|---|
| 569 | 569 | | this section, Section 2054.021(f), Government Code, as amended by |
|---|
| 570 | 570 | | this Act, applies to a member of the governing board of the |
|---|
| 571 | 571 | | Department of Information Resources appointed before, on, or after |
|---|
| 572 | 572 | | the effective date of this Act. |
|---|
| 573 | 573 | | (b) A member of the governing board of the Department of |
|---|
| 574 | 574 | | Information Resources who, before the effective date of this Act, |
|---|
| 575 | 575 | | completed the training program required by Section 2054.021(f), |
|---|
| 576 | 576 | | Government Code, and described in Section 2054.021(g), Government |
|---|
| 577 | 577 | | Code, as that law existed before the effective date of this Act, is |
|---|
| 578 | 578 | | only required to complete additional training on the subjects added |
|---|
| 579 | 579 | | by this Act to the training program described by Section |
|---|
| 580 | 580 | | 2054.021(g), Government Code. A member described by this |
|---|
| 581 | 581 | | subsection may not vote, deliberate, or be counted as a member in |
|---|
| 582 | 582 | | attendance at a meeting of the board held on or after December 1, |
|---|
| 583 | 583 | | 2025, until the member completes the additional training. |
|---|
| 584 | 584 | | SECTION 24. This Act takes effect September 1, 2025. |
|---|