85(R) HB 8 - Engrossed version



	By: Capriglione, Elkins, Parker, Dale, Dean,	H.B. No. 8
	et al.


	A BILL TO BE ENTITLED
	AN ACT
	relating to cybersecurity for state agency information resources.
	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
	SECTION 1. This Act may be cited as the Texas Cybersecurity
	Act.
	SECTION 2. Section 325.011, Government Code, is amended to
	read as follows:
	Sec. 325.011. CRITERIA FOR REVIEW. The commission and its
	staff shall consider the following criteria in determining whether
	a public need exists for the continuation of a state agency or its
	advisory committees or for the performance of the functions of the
	agency or its advisory committees:
	(1) the efficiency and effectiveness with which the
	agency or the advisory committee operates;
	(2)(A) an identification of the mission, goals, and
	objectives intended for the agency or advisory committee and of the
	problem or need that the agency or advisory committee was intended
	to address; and
	(B) the extent to which the mission, goals, and
	objectives have been achieved and the problem or need has been
	addressed;
	(3)(A) an identification of any activities of the
	agency in addition to those granted by statute and of the authority
	for those activities; and
	(B) the extent to which those activities are
	needed;
	(4) an assessment of authority of the agency relating
	to fees, inspections, enforcement, and penalties;
	(5) whether less restrictive or alternative methods of
	performing any function that the agency performs could adequately
	protect or provide service to the public;
	(6) the extent to which the jurisdiction of the agency
	and the programs administered by the agency overlap or duplicate
	those of other agencies, the extent to which the agency coordinates
	with those agencies, and the extent to which the programs
	administered by the agency can be consolidated with the programs of
	other state agencies;
	(7) the promptness and effectiveness with which the
	agency addresses complaints concerning entities or other persons
	affected by the agency, including an assessment of the agency's
	administrative hearings process;
	(8) an assessment of the agency's rulemaking process
	and the extent to which the agency has encouraged participation by
	the public in making its rules and decisions and the extent to which
	the public participation has resulted in rules that benefit the
	public;
	(9) the extent to which the agency has complied with:
	(A) federal and state laws and applicable rules
	regarding equality of employment opportunity and the rights and
	privacy of individuals; and
	(B) state law and applicable rules of any state
	agency regarding purchasing guidelines and programs for
	historically underutilized businesses;
	(10) the extent to which the agency issues and
	enforces rules relating to potential conflicts of interest of its
	employees;
	(11) the extent to which the agency complies with
	Chapters 551 and 552 and follows records management practices that
	enable the agency to respond efficiently to requests for public
	information;
	(12) the effect of federal intervention or loss of
	federal funds if the agency is abolished; [~~and~~]
	(13) the extent to which the purpose and effectiveness
	of reporting requirements imposed on the agency justifies the
	continuation of the requirement; and
	(14) an assessment of the agency's cybersecurity
	practices using information available from the Department of
	Information Resources or any other appropriate state agency.
	SECTION 3. Subchapter B, Chapter 421, Government Code, is
	amended by adding Section 421.027 to read as follows:
	Sec. 421.027. CYBER INCIDENT STUDY AND RESPONSE PLAN. (a)
	In this section:
	(1) "Cyber incident" means an event occurring on or
	conducted through a computer network that actually or imminently
	jeopardizes the integrity, confidentiality, or availability of
	computers, information or communications systems or networks,
	physical or virtual infrastructure controlled by computers or
	information systems, or information on the computers or systems.
	The term includes a vulnerability in implementation or in an
	information system, system security procedure, or internal control
	that could be exploited by a threat source.
	(2) "Significant cyber incident" means a cyber
	incident, or a group of related cyber incidents, likely to result in
	demonstrable harm to state security interests, foreign relations,
	or the economy of this state or to the public confidence, civil
	liberties, or public health and safety of the residents of this
	state.
	(b) The council, in cooperation with the Department of
	Information Resources, shall:
	(1) conduct a study regarding cyber incidents and
	significant cyber incidents affecting state agencies and critical
	infrastructure that is owned, operated, or controlled by agencies;
	and
	(2) develop a comprehensive state response plan to
	provide a format for each state agency to develop an
	agency-specific response plan and to implement the plan into the
	agency's information security plan required under Section 2054.133
	to be implemented by the agency in the event of a cyber incident or
	significant cyber incident affecting the agency or critical
	infrastructure that is owned, operated, or controlled by the
	agency.
	(c) Not later than September 1, 2018, the council shall
	deliver the response plan and a report on the findings of the study
	to:
	(1) the public safety director of the Department of
	Public Safety;
	(2) the governor;
	(3) the lieutenant governor;
	(4) the speaker of the house of representatives;
	(5) the chair of the committee of the senate having
	primary jurisdiction over homeland security matters; and
	(6) the chair of the committee of the house of
	representatives having primary jurisdiction over homeland security
	matters.
	(d) The response plan required by Subsection (b) and the
	report required by Subsection (c) are not public information for
	purposes of Chapter 552.
	(e) This section expires December 1, 2018.
	SECTION 4. Section 551.089, Government Code, is amended to
	read as follows:
	Sec. 551.089. DELIBERATION REGARDING SECURITY DEVICES OR
	SECURITY AUDITS; CLOSED MEETING [~~DEPARTMENT OF INFORMATION~~
	~~RESOURCES~~]. This chapter does not require a governmental body [~~the~~
	~~governing board of the Department of Information Resources~~] to
	conduct an open meeting to deliberate:
	(1) security assessments or deployments relating to
	information resources technology;
	(2) network security information as described by
	Section 2059.055(b); or
	(3) the deployment, or specific occasions for
	implementation, of security personnel, critical infrastructure, or
	security devices.
	SECTION 5. Section 552.139, Government Code, is amended by
	adding Subsection (d) to read as follows:
	(d) When posting a contract on an Internet website as
	required by Section 2261.253, a state agency shall redact
	information made confidential by this section or excepted from
	public disclosure by this section. Redaction under this subsection
	does not except information from the requirements of Section
	552.021.
	SECTION 6. The heading to Section 656.047, Government Code,
	is amended to read as follows:
	Sec. 656.047. PAYMENT OF PROGRAM AND CERTIFICATION
	EXAMINATION EXPENSES.
	SECTION 7. Section 656.047, Government Code, is amended by
	adding Subsection (a-1) to read as follows:
	(a-1) A state agency may spend public funds as appropriate
	to reimburse a state agency employee or administrator who serves in
	an information technology, cybersecurity, or other cyber-related
	position for fees associated with industry-recognized
	certification examinations.
	SECTION 8. Subchapter C, Chapter 2054, Government Code, is
	amended by adding Section 2054.0594 to read as follows:
	Sec. 2054.0594. INFORMATION SHARING AND ANALYSIS CENTER.
	(a) The department shall establish an information sharing and
	analysis center to provide a forum for state agencies to share
	information regarding cybersecurity threats, best practices, and
	remediation strategies.
	(b) The department shall appoint persons from appropriate
	state agencies to serve as representatives to the information
	sharing and analysis center.
	(c) The department, using existing resources, shall provide
	administrative support to the information sharing and analysis
	center.
	SECTION 9. Section 2054.076, Government Code, is amended by
	adding Subsection (b-1) to read as follows:
	(b-1) The department shall provide mandatory guidelines to
	state agencies regarding the continuing education requirements for
	cybersecurity training and the industry-recognized certifications
	that must be completed by all information resources employees of
	the agencies. The department shall consult with the Information
	Technology Council for Higher Education on applying the guidelines
	to institutions of higher education.
	SECTION 10. Sections 2054.077(b) and (e), Government Code,
	are amended to read as follows:
	(b) The information resources manager of a state agency
	shall [~~may~~] prepare or have prepared a report, including an
	executive summary of the findings of the report, assessing the
	extent to which a computer, a computer program, a computer network,
	a computer system, a printer, an interface to a computer system,
	including mobile and peripheral devices, computer software, or data
	processing of the agency or of a contractor of the agency is
	vulnerable to unauthorized access or harm, including the extent to
	which the agency's or contractor's electronically stored
	information is vulnerable to alteration, damage, erasure, or
	inappropriate use.
	(e) Separate from the executive summary described by
	Subsection (b), a state agency [~~whose information resources manager~~
	~~has prepared or has had prepared a vulnerability report~~] shall
	prepare a summary of the agency's vulnerability report that does
	not contain any information the release of which might compromise
	the security of the state agency's or state agency contractor's
	computers, computer programs, computer networks, computer systems,
	printers, interfaces to computer systems, including mobile and
	peripheral devices, computer software, data processing, or
	electronically stored information. The summary is available to
	the public on request.
	SECTION 11. Section 2054.1125(b), Government Code, is
	amended to read as follows:
	(b) A state agency that owns, licenses, or maintains
	computerized data that includes sensitive personal information,
	confidential information, or information the disclosure of which is
	regulated by law shall, in the event of a breach or suspected breach
	of system security or an unauthorized exposure of that information:
	(1) comply[~~, in the event of a breach of system~~
	~~security,~~] with the notification requirements of Section 521.053,
	Business & Commerce Code, to the same extent as a person who
	conducts business in this state; and
	(2) not later than 48 hours after the discovery of the
	breach, suspected breach, or unauthorized exposure, notify:
	(A) the department, including the chief
	information security officer and the state cybersecurity
	coordinator; or
	(B) if the breach, suspected breach, or
	unauthorized exposure involves election data, the secretary of
	state.
	SECTION 12. Section 2054.133, Government Code, is amended
	by adding Subsections (b-1), (b-2), (b-3), and (b-4) to read as
	follows:
	(b-1) The executive head and chief information security
	officer of each state agency shall annually review and approve in
	writing the agency's information security plan and strategies for
	addressing the agency's information resources systems that are at
	highest risk for security breaches. The plan at a minimum must
	include solutions that isolate and segment sensitive information
	and maintain architecturally sound and secured separation among
	networks. If a state agency does not have a chief information
	security officer, the highest ranking information security
	employee for the agency shall review and approve the plan and
	strategies. The executive head retains full responsibility for the
	agency's information security and any risks to that security.
	(b-2) Before submitting to the Legislative Budget Board a
	legislative appropriation request for a state fiscal biennium, a
	state agency must file with the board the written approval required
	under Subsection (b-1) for each year of the current state fiscal
	biennium.
	(b-3) Each state agency shall include in the agency's
	information security plan the actions the agency is taking to
	incorporate into the plan the core functions of "identify, protect,
	detect, respond, and recover" as recommended in the "Framework for
	Improving Critical Infrastructure Cybersecurity" of the United
	States Department of Commerce National Institute of Standards and
	Technology. The agency shall, at a minimum, identify any
	information the agency requires individuals to provide to the
	agency or the agency retains that is not necessary for the agency's
	operations. The agency may incorporate the core functions over a
	period of years.
	(b-4) A state agency's information security plan must
	include appropriate privacy and security standards that, at a
	minimum, require a vendor who offers cloud computing services or
	other software, applications, online services, or information
	technology solutions to any state agency to contractually warrant
	that data provided by the state to the vendor will be maintained in
	compliance with all applicable state and federal laws and rules.
	SECTION 13. Section 2054.512, Government Code, is amended
	to read as follows:
	Sec. 2054.512. CYBERSECURITY [~~PRIVATE INDUSTRY-GOVERNMENT~~]
	COUNCIL. (a) The state cybersecurity coordinator shall [~~may~~]
	establish and lead a cybersecurity council that includes public and
	private sector leaders and cybersecurity practitioners to
	collaborate on matters of cybersecurity concerning this state.
	(b) The cybersecurity council must include:
	(1) one member appointed by the governor;
	(2) one member of the senate appointed by the
	lieutenant governor;
	(3) one member of the house of representatives
	appointed by the speaker of the house of representatives; and
	(4) additional members appointed by the state
	cybersecurity coordinator, including representatives of
	institutions of higher education and private sector leaders.
	(c) In appointing representatives from institutions of
	higher education to the cybersecurity council, the state
	cybersecurity coordinator shall consider appointing members of the
	Information Technology Council for Higher Education.
	(d) The cybersecurity council shall provide recommendations
	to the legislature on any legislation necessary to implement
	cybersecurity best practices and remediation strategies for this
	state.
	SECTION 14. Subchapter N-1, Chapter 2054, Government Code,
	is amended by adding Sections 2054.515, 2054.516, 2054.517,
	2054.518, and 2054.519 to read as follows:
	Sec. 2054.515. INDEPENDENT RISK ASSESSMENT. (a) At least
	once every five years, in accordance with department rules, each
	state agency shall:
	(1) contract with an independent third party selected
	from a list provided by the department to conduct an independent
	risk assessment of the agency's exposure to security risks in the
	agency's information resources systems and to conduct tests to
	practice securing systems and notifying all affected parties in the
	event of a data breach; and
	(2) submit the results of the independent risk
	assessment to the department.
	(b) The department annually shall compile the results of the
	independent risk assessments conducted in the preceding year and
	prepare:
	(1) a public report on the general security issues
	covered by the assessments that does not contain any information
	the release of which may compromise any state agency's information
	resources system; and
	(2) a confidential report on specific risks and
	vulnerabilities that is exempt from disclosure under Chapter 552.
	(c) The department annually shall submit to the legislature
	a comprehensive report on the results of the independent risk
	assessments conducted under Subsection (a) during the preceding
	year that includes the report prepared under Subsection (b)(1) and
	that identifies systematic or pervasive security risk
	vulnerabilities across state agencies and recommendations for
	addressing the vulnerabilities but does not contain any information
	the release of which may compromise any state agency's information
	resources system.
	Sec. 2054.516. DATA SECURITY PLAN FOR ONLINE AND MOBILE
	APPLICATIONS. (a) Each state agency, other than an institution of
	higher education subject to Section 2054.517, implementing an
	Internet website or mobile application that processes any
	personally identifiable or confidential information must:
	(1) submit a data security plan to the department
	during development and as early as feasible in the testing of the
	website or application and submit any modification to the plan made
	during development; and
	(2) before deploying the website or application:
	(A) subject the website or application to a
	vulnerability and penetration test conducted by an independent
	third party; and
	(B) address any high priority vulnerability
	identified under Paragraph (A).
	(b) The data security plan required under Subsection (a)(1)
	must include:
	(1) data flow diagrams to show the location of
	information in use, in transit, and not in use;
	(2) data storage locations;
	(3) data interaction with online or mobile devices;
	(4) security of data transfer;
	(5) security measures for the online or mobile
	application;
	(6) a description of any action taken by the agency to
	remediate any vulnerability identified by an independent third
	party under Subsection (a)(2); and
	(7) appropriate privacy and security standards that,
	at a minimum, require a vendor who offers cloud computing services
	or other software, applications, online services, or information
	technology solutions to any state agency to demonstrate that data
	provided by the state to the vendor will be maintained in compliance
	with all applicable state and federal laws and rules.
	(c) Unless a state agency has previously submitted a
	comprehensive security plan approved by the department and has
	sufficient personnel and technology to review plans internally, the
	department shall review each data security plan submitted under
	Subsection (a) and make any recommendations for changes to the plan
	to the state agency as soon as practicable after the department
	reviews the plan.
	(d) A data security plan submitted under Subsection (a) and
	any recommendation for changes made under Subsection (c) are not
	public information for purposes of Chapter 552.
	Sec. 2054.517. DATA SECURITY PROCEDURES FOR ONLINE AND
	MOBILE APPLICATIONS OF INSTITUTIONS OF HIGHER EDUCATION. (a) Each
	institution of higher education, as defined by Section 61.003,
	Education Code, shall adopt and implement a policy for Internet
	website and mobile application security procedures that complies
	with this section.
	(b) Before deploying an Internet website or mobile
	application that processes confidential information for an
	institution of higher education, the developer of the website or
	application for the institution must submit to the institution's
	information security officer the information required under
	policies adopted by the institution to protect the privacy of
	individuals by preserving the confidentiality of information
	processed by the website or application. At a minimum, the
	institution's policies must require the developer to submit
	information describing:
	(1) the architecture of the website or application;
	(2) the authentication mechanism for the website or
	application; and
	(3) the administrator level access to data included in
	the website or application.
	(c) Before deploying an Internet website or mobile
	application described by Subsection (b), an institution of higher
	education must subject the website or application to a
	vulnerability and penetration test conducted internally or by an
	independent third party.
	(d) Each institution of higher education shall submit to the
	department the policies adopted as required by Subsection (b). The
	department shall review the policies and make recommendations for
	appropriate changes.
	Sec. 2054.518. VENDOR RESPONSIBILITY FOR CYBERSECURITY. A
	vendor that contracts with this state to provide information
	resources technology for a state agency at a cost to the agency of
	$1 million or more is responsible for addressing known
	cybersecurity risks associated with the technology and is
	responsible for any cost associated with addressing the identified
	cybersecurity risks. For a major information resources project,
	the vendor shall provide to state agency contracting personnel:
	(1) written acknowledgment of any known cybersecurity
	risks associated with the technology identified in the
	vulnerability and penetration test conducted under Section
	2054.516 or Section 2054.517;
	(2) proof that any individual servicing the contract
	holds the appropriate industry-recognized certifications as
	identified by the National Initiative for Cybersecurity Education;
	(3) a strategy for mitigating any technology or
	personnel-related cybersecurity risk identified in the
	vulnerability and penetration test conducted under Section
	2054.516 or Section 2054.517; and
	(4) an initial summary of any costs associated with
	addressing or remediating the identified technology or
	personnel-related cybersecurity risks as identified in
	collaboration with this state following a risk assessment.
	Sec. 2054.519. CYBERSECURITY RISKS AND INCIDENTS. (a) The
	department shall develop a plan to address cybersecurity risks and
	incidents in this state. The department may enter into an agreement
	with a national organization, including the National Cybersecurity
	Preparedness Consortium, to support the department's efforts in
	implementing the components of the plan for which the department
	lacks resources to address internally. The agreement may include
	provisions for:
	(1) providing fee reimbursement for appropriate
	industry-recognized certification examinations for and training to
	state and local officials and first responders preparing for and
	responding to cybersecurity risks and incidents;
	(2) developing and maintaining a cybersecurity risks
	and incidents curriculum using existing programs and models for
	training state and local officials and first responders;
	(3) delivering to state agency personnel with access
	to state agency networks routine training related to appropriately
	protecting and maintaining information technology systems and
	devices, implementing cybersecurity best practices, and mitigating
	cybersecurity risks and vulnerabilities;
	(4) providing technical assistance services to
	support preparedness for and response to cybersecurity risks and
	incidents;
	(5) conducting cybersecurity training and simulation
	exercises for state agencies, political subdivisions, and private
	entities to encourage coordination in defending against and
	responding to cybersecurity risks and incidents;
	(6) assisting state agencies and political
	subdivisions in developing cybersecurity information-sharing
	programs to disseminate information related to cybersecurity risks
	and incidents; and
	(7) incorporating cybersecurity risk and incident
	prevention and response methods into existing state and local
	emergency plans, including continuity of operation plans and
	incident response plans.
	(b) In implementing the provisions of the agreement
	prescribed by Subsection (a), the department shall seek to prevent
	unnecessary duplication of existing programs or efforts of the
	department or another state agency.
	(c) In selecting an organization under Subsection (a), the
	department shall consider the organization's previous experience
	in conducting cybersecurity training and exercises for state
	agencies and political subdivisions.
	(d) The department shall consult with institutions of
	higher education in this state when appropriate based on an
	institution's expertise in addressing specific cybersecurity risks
	and incidents.
	SECTION 15. Section 2054.575(a), Government Code, is
	amended to read as follows:
	(a) A state agency shall, with available funds, identify
	information security issues and develop a plan to prioritize the
	remediation and mitigation of those issues. The agency shall
	include in the plan:
	(1) procedures for reducing the agency's level of
	exposure with regard to information that alone or in conjunction
	with other information identifies an individual maintained on a
	legacy system of the agency;
	(2) the best value approach for modernizing,
	replacing, renewing, or disposing of a legacy system that maintains
	information critical to the agency's responsibilities;
	(3) analysis of the percentage of state agency
	personnel in information technology, cybersecurity, or other
	cyber-related positions who currently hold the appropriate
	industry-recognized certifications as identified by the National
	Initiative for Cybersecurity Education;
	(4) the level of preparedness of state agency cyber
	personnel and potential personnel who do not hold the appropriate
	industry-recognized certifications to successfully complete the
	industry-recognized certification examinations; and
	(5) a strategy for mitigating any workforce-related
	discrepancy in information technology, cybersecurity, or other
	cyber-related positions with the appropriate training and
	industry-recognized certifications.
	SECTION 16. Section 2059.055(b), Government Code, is
	amended to read as follows:
	(b) Network security information is confidential under this
	section if the information is:
	(1) related to passwords, personal identification
	numbers, access codes, encryption, or other components of the
	security system of a governmental entity [~~state agency~~];
	(2) collected, assembled, or maintained by or for a
	governmental entity to prevent, detect, or investigate criminal
	activity; or
	(3) related to an assessment, made by or for a
	governmental entity or maintained by a governmental entity, of the
	vulnerability of a network to criminal activity.
	SECTION 17. Subtitle B, Title 10, Government Code, is
	amended by adding Chapter 2061 to read as follows:
	CHAPTER 2061. INDIVIDUAL-IDENTIFYING INFORMATION
	Sec. 2061.001. DEFINITIONS. In this chapter:
	(1) "Cybersecurity risk" means a material threat of
	attack, damage, or unauthorized access to the networks, computers,
	software, or data storage of a state agency.
	(2) "State agency" means a department, commission,
	board, office, council, authority, or other agency in the
	executive, legislative, or judicial branch of state government,
	including a university system or institution of higher education,
	as defined by Section 61.003, Education Code, that is created by the
	constitution or a statute of this state.
	Sec. 2061.002. DESTRUCTION AUTHORIZED. (a) A state agency
	shall destroy or arrange for the destruction of information that
	presents a cybersecurity risk and alone or in conjunction with
	other information identifies an individual in connection with the
	agency's networks, computers, software, or data storage if the
	agency is otherwise prohibited by law from retaining the
	information for a period of years.
	(b) A state agency shall destroy or arrange for the
	destruction of information described by Subsection (a) in
	accordance with standards for destruction of data prescribed in the
	National Security Program Operating Manual, 1995 edition.
	(c) This section does not apply to a record involving
	criminal activity or a criminal investigation retained for law
	enforcement purposes.
	(d) A state agency may not destroy or arrange for the
	destruction of any election data before the third anniversary of
	the date the election to which the data pertains is held.
	(e) A state agency may not under any circumstance sell:
	(1) a person's precise geographic location
	information;
	(2) a person's Internet browsing history;
	(3) a person's application usage history; or
	(4) the functional equivalent of the information
	described in Subdivisions (1)-(3).
	(f) Not later than September 1, 2019, each state agency
	shall develop the systems and policies necessary to comply with
	this section. This subsection expires September 1, 2020.
	SECTION 18. Section 2157.007, Government Code, is amended
	by adding Subsection (e) to read as follows:
	(e) The department shall periodically review guidelines on
	state agency information that may be stored by a cloud computing or
	other storage service and the cloud computing or other storage
	services available to state agencies for that storage to ensure
	that an agency purchasing a major information resources project
	under Section 2054.118 selects the most affordable, secure, and
	efficient cloud computing or other storage service available to the
	agency. The guidelines must include appropriate privacy and
	security standards that, at a minimum, require a vendor who offers
	cloud computing or other storage services or other software,
	applications, online services, or information technology solutions
	to any state agency to demonstrate that data provided by the state
	to the vendor will be maintained in compliance with all applicable
	state and federal laws and rules.
	SECTION 19. Chapter 276, Election Code, is amended by
	adding Section 276.011 to read as follows:
	Sec. 276.011. ELECTION CYBER ATTACK STUDY. (a) Not later
	than December 1, 2018, the secretary of state shall:
	(1) conduct a study regarding cyber attacks on
	election infrastructure;
	(2) prepare a public summary report on the study's
	findings that does not contain any information the release of which
	may compromise any election;
	(3) prepare a confidential report on specific findings
	and vulnerabilities that is exempt from disclosure under Chapter
	552, Government Code; and
	(4) submit a copy of the report required under
	Subdivision (2) and a general compilation of the report required
	under Subdivision (3) that does not contain any information the
	release of which may compromise any election to the standing
	committees of the legislature with jurisdiction over election
	procedures.
	(b) The study must include:
	(1) an investigation of vulnerabilities and risks for
	a cyber attack against a county's voting system machines or the list
	of registered voters;
	(2) information on any attempted cyber attack on a
	county's voting system machines or the list of registered voters;
	and
	(3) recommendations for protecting a county's voting
	system machines and list of registered voters from a cyber attack.
	(c) The secretary of state, using existing resources, may
	contract with a qualified vendor to conduct the study required by
	this section.
	(d) This section expires January 1, 2019.
	SECTION 20. (a) The lieutenant governor shall establish a
	Senate Select Committee on Cybersecurity and the speaker of the
	house of representatives shall establish a House Select Committee
	on Cybersecurity to, jointly or separately, study:
	(1) cybersecurity in this state;
	(2) the information security plans of each state
	agency; and
	(3) the risks and vulnerabilities of state agency
	cybersecurity.
	(b) Not later than November 30, 2017:
	(1) the lieutenant governor shall appoint five
	senators to the Senate Select Committee on Cybersecurity, one of
	whom shall be designated as chair; and
	(2) the speaker of the house of representatives shall
	appoint five state representatives to the House Select Committee on
	Cybersecurity, one of whom shall be designated as chair.
	(c) The committees established under this section shall
	convene separately at the call of the chair of the respective
	committees, or jointly at the call of both chairs. In joint
	meetings, the chairs of each committee shall act as joint chairs.
	(d) Following consideration of the issues listed in
	Subsection (a) of this section, the committees established under
	this section shall jointly adopt recommendations on state
	cybersecurity and report in writing to the legislature any findings
	and adopted recommendations not later than January 13, 2019.
	(e) This section expires September 1, 2019.
	SECTION 21. (a) In this section, "state agency" means a
	board, commission, office, department, council, authority, or
	other agency in the executive or judicial branch of state
	government that is created by the constitution or a statute of this
	state. The term does not include a university system or institution
	of higher education as those terms are defined by Section 61.003,
	Education Code.
	(b) The Department of Information Resources and the Texas
	State Library and Archives Commission shall conduct a study on
	state agency digital data storage and records management practices
	and the associated costs to this state.
	(c) The study required under this section must examine:
	(1) the current digital data storage practices of
	state agencies in this state;
	(2) the costs associated with those digital data
	storage practices;
	(3) the digital records management and data
	classification policies of state agencies and whether the state
	agencies are consistently complying with the established policies;
	(4) whether the state agencies are storing digital
	data that exceeds established retention requirements and the cost
	of that unnecessary storage;
	(5) the adequacy of storage systems used by state
	agencies to securely maintain confidential digital records;
	(6) possible solutions and improvements recommended
	by the state agencies for reducing state costs and increasing
	security for digital data storage and records management; and
	(7) the security level and possible benefits of and
	the cost savings from using cloud computing services for agency
	data storage, data classification, and records management.
	(d) Each state agency shall participate in the study
	required by this section and provide appropriate assistance and
	information to the Department of Information Resources and the
	Texas State Library and Archives Commission.
	(e) Not later than December 1, 2018, the Department of
	Information Resources and the Texas State Library and Archives
	Commission shall issue a report on the study required under this
	section and recommendations for reducing state costs and for
	improving efficiency in digital data storage and records management
	to the lieutenant governor, the speaker of the house of
	representatives, and the appropriate standing committees of the
	house of representatives and the senate.
	(f) This section expires September 1, 2019.
	SECTION 22. The changes in law made by this Act do not apply
	to the Electric Reliability Council of Texas.
	SECTION 23. This Act takes effect September 1, 2017.