87R5826 YDB-F
 
  By: Shaheen H.B. No. 4071
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to the requirements for the purchase of endpoint devices
  by a state agency.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Subchapter N-1, Chapter 2054, Government Code,
  is amended by adding Section 2054.5193 to read as follows:
         Sec. 2054.5193.  ENDPOINT DEVICE CYBERSECURITY. (a) In
  this section, "endpoint device" has the meaning assigned by Section
  2157.201.
         (b)  The department may compile a list of endpoint devices
  that are approved for purchase by a state agency. An approved
  endpoint device must meet the:
               (1)  guidelines and best practices for computer
  security issued by the National Institute of Standards and
  Technology of the United States Department of Commerce;
               (2)  cybersecurity framework established by the
  National Institute of Standards and Technology of the United States
  Department of Commerce; and
               (3)  supply chain risk management guidelines developed
  by the United States Department of Homeland Security.
         (c)  The department shall update any list of approved
  endpoint devices the department issues under Subsection (b) not
  later than the first anniversary of the date of an amendment to a
  security standard described by Subsection (b).
         (d)  The department may adopt rules to implement this
  section.
         SECTION 2.  Chapter 2157, Government Code, is amended by
  adding Subchapter E to read as follows:
  SUBCHAPTER E. ENDPOINT SECURITY DEVICE
         Sec. 2157.201.  DEFINITIONS. In this subchapter:
               (1)  "Endpoint device" means personal computing goods
  and multi-functional devices.
               (2)  "Multi-functional device" includes computer
  imaging devices that perform at least two of the following
  functions:
                     (A)  printing;
                     (B)  copying;
                     (C)  scanning; or
                     (D)  faxing.
               (3)  "Personal computing goods" includes desktop
  computers, laptop computers, all-in-one computers, tablet
  computers, thin client computers, and computer monitors.
               (4)  "State agency" means a board, commission,
  department, office, or other agency in the executive, legislative,
  or judicial branch of state government that is created by the
  constitution or a statute of this state.
         Sec. 2157.202.  ENDPOINT DEVICE STANDARDS. (a) A state
  agency may purchase or lease an endpoint device only if the device
  meets the:
               (1)  guidelines and best practices for computer
  security issued by the National Institute of Standards and
  Technology of the United States Department of Commerce;
               (2)  cybersecurity framework established by the
  National Institute of Standards and Technology of the United States
  Department of Commerce; and
               (3)  supply chain risk management guidelines developed
  by the United States Department of Homeland Security.
         (b)  An endpoint device included on a list of approved
  endpoint security devices compiled under Section 2054.5193
  satisfies the requirements of Subsection (a).
         SECTION 3.  This Act takes effect immediately if it receives
  a vote of two-thirds of all the members elected to each house, as
  provided by Section 39, Article III, Texas Constitution.  If this
  Act does not receive the vote necessary for immediate effect, this
  Act takes effect September 1, 2021.