|
|
A BILL TO BE ENTITLED
|
|
AN ACT
|
|
relating to security procedures for digital applications that pose |
|
a network security risk to state agencies. |
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
SECTION 1. Chapter 2054, Government Code, is amended by |
|
adding Subchapter S to read as follows: |
|
SUBCHAPTER S. DIGITAL APPLICATION SECURITY PROCEDURES |
|
Sec. 2054.621. DEFINITIONS. In this subchapter: |
|
(1) "Digital application" means an Internet website or |
|
application that is open to the public, allows a user to create an |
|
account, and enables a user to communicate with other users by |
|
posting information, comments, messages, images, or video. The |
|
term does not include: |
|
(A) an Internet service provider, as defined by |
|
Section 324.055, Business & Commerce Code; |
|
(B) e-mail; or |
|
(C) an online service, application, or Internet |
|
website: |
|
(i) that consists primarily of news, |
|
sports, entertainment, or other content preselected by the provider |
|
that is not user generated; and |
|
(ii) for which any chat, comment, or |
|
interactive functionality is incidental to, directly related to, or |
|
dependent on provision of the content described by Subparagraph |
|
(i). |
|
(2) "Network security" has the meaning assigned by |
|
Section 2059.001. |
|
(3) "User" means a person who posts, uploads, |
|
transmits, shares, or otherwise publishes or receives content |
|
through a digital application. |
|
Sec. 2054.622. DIGITAL APPLICATION SECURITY RISK LIST. The |
|
department shall: |
|
(1) compile, maintain, and annually update a list of |
|
digital applications that create a network security risk to state |
|
agencies; |
|
(2) limit or prohibit the placement and use of digital |
|
applications on the list under Subdivision (1) on: |
|
(A) state-owned cell phones, computers, and |
|
other communication devices; and |
|
(B) personal communication devices of state |
|
agency employees that are used in the agency's office or other |
|
workplace; and |
|
(3) post the list under Subdivision (1) on a publicly |
|
accessible web page on the department's Internet website. |
|
Sec. 2054.623. DIGITAL APPLICATION SECURITY MODEL POLICY |
|
FOR STATE AGENCIES. The department shall develop, maintain, and |
|
periodically update a model policy for state agencies to use under |
|
Section 2054.624 in limiting or prohibiting the placement and use |
|
on communication devices of the digital applications included on |
|
the list compiled under Section 2054.622. |
|
Sec. 2054.624. STATE AGENCY DIGITAL APPLICATION SECURITY |
|
POLICY. (a) Each state agency shall develop, implement, and |
|
periodically update a policy limiting or prohibiting the placement |
|
and use of digital applications included on the list compiled under |
|
Section 2054.622 on: |
|
(1) state-owned cell phones, computers, and other |
|
communication devices; and |
|
(2) personal communication devices of state agency |
|
employees that are used in the agency's office or other workplace. |
|
(b) Each state agency shall submit to the department a copy |
|
of the policy required under Subsection (a) and updates to the |
|
policy. |
|
(c) The department: |
|
(1) may offer recommendations for improvements to |
|
submitted policies; |
|
(2) shall retain each copy and update submitted under |
|
Subsection (b); and |
|
(3) shall notify each member of the legislature and |
|
the governor when a state agency submits a policy or update. |
|
Sec. 2054.625. DISCLOSURE EXEMPTION. The model policy and |
|
state agency policies developed under this subchapter are exempt |
|
from disclosure under Chapter 552. |
|
Sec. 2054.626. RULEMAKING AUTHORITY. The department may |
|
adopt rules to implement this subchapter. |
|
SECTION 2. (a) As soon as practicable after the effective |
|
date of this Act, but not later than January 1, 2024, the Department |
|
of Information Resources shall develop the digital application |
|
security risk list and model policy as required by Subchapter S, |
|
Chapter 2054, Government Code, as added by this Act. |
|
(b) A state agency is not required to comply with Section |
|
2054.624, Government Code, as added by this Act, until May 1, 2024. |
|
SECTION 3. This Act takes effect September 1, 2023. |