| |
| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to cybersecurity for state agency information resources. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. This Act may be cited as the Texas Cybersecurity |
|
|
Act. |
|
|
SECTION 2. Section 325.011, Government Code, is amended to |
|
|
read as follows: |
|
|
Sec. 325.011. CRITERIA FOR REVIEW. The commission and its |
|
|
staff shall consider the following criteria in determining whether |
|
|
a public need exists for the continuation of a state agency or its |
|
|
advisory committees or for the performance of the functions of the |
|
|
agency or its advisory committees: |
|
|
(1) the efficiency and effectiveness with which the |
|
|
agency or the advisory committee operates; |
|
|
(2)(A) an identification of the mission, goals, and |
|
|
objectives intended for the agency or advisory committee and of the |
|
|
problem or need that the agency or advisory committee was intended |
|
|
to address; and |
|
|
(B) the extent to which the mission, goals, and |
|
|
objectives have been achieved and the problem or need has been |
|
|
addressed; |
|
|
(3)(A) an identification of any activities of the |
|
|
agency in addition to those granted by statute and of the authority |
|
|
for those activities; and |
|
|
(B) the extent to which those activities are |
|
|
needed; |
|
|
(4) an assessment of authority of the agency relating |
|
|
to fees, inspections, enforcement, and penalties; |
|
|
(5) whether less restrictive or alternative methods of |
|
|
performing any function that the agency performs could adequately |
|
|
protect or provide service to the public; |
|
|
(6) the extent to which the jurisdiction of the agency |
|
|
and the programs administered by the agency overlap or duplicate |
|
|
those of other agencies, the extent to which the agency coordinates |
|
|
with those agencies, and the extent to which the programs |
|
|
administered by the agency can be consolidated with the programs of |
|
|
other state agencies; |
|
|
(7) the promptness and effectiveness with which the |
|
|
agency addresses complaints concerning entities or other persons |
|
|
affected by the agency, including an assessment of the agency's |
|
|
administrative hearings process; |
|
|
(8) an assessment of the agency's rulemaking process |
|
|
and the extent to which the agency has encouraged participation by |
|
|
the public in making its rules and decisions and the extent to which |
|
|
the public participation has resulted in rules that benefit the |
|
|
public; |
|
|
(9) the extent to which the agency has complied with: |
|
|
(A) federal and state laws and applicable rules |
|
|
regarding equality of employment opportunity and the rights and |
|
|
privacy of individuals; and |
|
|
(B) state law and applicable rules of any state |
|
|
agency regarding purchasing guidelines and programs for |
|
|
historically underutilized businesses; |
|
|
(10) the extent to which the agency issues and |
|
|
enforces rules relating to potential conflicts of interest of its |
|
|
employees; |
|
|
(11) the extent to which the agency complies with |
|
|
Chapters 551 and 552 and follows records management practices that |
|
|
enable the agency to respond efficiently to requests for public |
|
|
information; |
|
|
(12) the effect of federal intervention or loss of |
|
|
federal funds if the agency is abolished; [and] |
|
|
(13) the extent to which the purpose and effectiveness |
|
|
of reporting requirements imposed on the agency justifies the |
|
|
continuation of the requirement; and |
|
|
(14) an assessment of the agency's cybersecurity |
|
|
practices. |
|
|
SECTION 3. Subchapter A, Chapter 411, Government Code, is |
|
|
amended by adding Section 411.00431 to read as follows: |
|
|
Sec. 411.00431. CYBERSECURITY RISKS AND INCIDENTS. (a) |
|
|
The department may enter into an agreement with a national |
|
|
organization, including the National Cybersecurity Preparedness |
|
|
Consortium, to support the department's efforts in addressing |
|
|
cybersecurity risks and incidents in this state. The agreement may |
|
|
include provisions for: |
|
|
(1) providing training to state and local officials |
|
|
and first responders preparing for and responding to cybersecurity |
|
|
risks and incidents; |
|
|
(2) developing and maintaining a cybersecurity risks |
|
|
and incidents curriculum using existing programs and models for |
|
|
training state and local officials and first responders; |
|
|
(3) providing technical assistance services to |
|
|
support preparedness for and response to cybersecurity risks and |
|
|
incidents; |
|
|
(4) conducting cybersecurity training and simulation |
|
|
exercises for state agencies, political subdivisions, and private |
|
|
entities to encourage coordination in defending against and |
|
|
responding to cybersecurity risks and incidents; |
|
|
(5) assisting state agencies and political |
|
|
subdivisions in developing cybersecurity information-sharing |
|
|
programs to disseminate information related to cybersecurity risks |
|
|
and incidents; and |
|
|
(6) incorporating cybersecurity risk and incident |
|
|
prevention and response methods into existing state and local |
|
|
emergency plans, including continuity of operation plans and |
|
|
incident response plans. |
|
|
(b) In implementing the provisions of the agreement |
|
|
prescribed by Subsection (a), the department shall seek to prevent |
|
|
unnecessary duplication of existing programs or efforts of the |
|
|
department or another state agency. |
|
|
(c) In selecting an organization under Subsection (a), the |
|
|
department shall consider the organization's previous experience |
|
|
in conducting cybersecurity training and exercises for state |
|
|
agencies and political subdivisions. |
|
|
(d) The department shall consult with institutions of |
|
|
higher education in this state when appropriate based on an |
|
|
institution's expertise in addressing specific cybersecurity risks |
|
|
and incidents. |
|
|
SECTION 4. Subchapter B, Chapter 421, Government Code, is |
|
|
amended by adding Section 421.027 to read as follows: |
|
|
Sec. 421.027. CYBER ATTACK STUDY AND RESPONSE PLAN. (a) In |
|
|
this section, "cyber attack" means an attempt to damage, disrupt, |
|
|
or gain unauthorized access to a computer, computer network, or |
|
|
computer system. |
|
|
(b) The council shall: |
|
|
(1) conduct a study regarding cyber attacks on state |
|
|
agencies and on critical infrastructure that is owned, operated, or |
|
|
controlled by agencies; and |
|
|
(2) develop a state response plan to be implemented by |
|
|
an agency in the event of a cyber attack on the agency or on critical |
|
|
infrastructure that is owned, operated, or controlled by the |
|
|
agency. |
|
|
(c) Not later than September 1, 2018, the council shall |
|
|
deliver the response plan and a report on the findings of the study |
|
|
to: |
|
|
(1) the public safety director of the Department of |
|
|
Public Safety; |
|
|
(2) the governor; |
|
|
(3) the lieutenant governor; |
|
|
(4) the speaker of the house of representatives; |
|
|
(5) the chair of the committee of the senate having |
|
|
primary jurisdiction over homeland security matters; and |
|
|
(6) the chair of the committee of the house of |
|
|
representatives having primary jurisdiction over homeland security |
|
|
matters. |
|
|
(d) The response plan required by Subsection (b) and the |
|
|
report required by Subsection (c) are not public information for |
|
|
purposes of Chapter 552. |
|
|
(e) This section expires December 1, 2018. |
|
|
SECTION 5. Subchapter C, Chapter 2054, Government Code, is |
|
|
amended by adding Section 2054.0593 to read as follows: |
|
|
Sec. 2054.0593. CYBERSECURITY TASK FORCE. (a) The |
|
|
department shall establish and lead a cybersecurity task force to |
|
|
engage members of the task force in policy discussions and educate |
|
|
state agencies on cybersecurity issues. The department shall |
|
|
determine the composition of the task force, which may include |
|
|
representatives of state agencies and other interested parties. |
|
|
(b) The task force shall: |
|
|
(1) consolidate and synthesize existing cybersecurity |
|
|
resources and best practices to assist state agencies in |
|
|
understanding and implementing cybersecurity measures that are |
|
|
most beneficial to this state; |
|
|
(2) develop reliable, clear, and concise guidelines on |
|
|
cyber threat detection and prevention, including best practices and |
|
|
remediation strategies for state agencies; |
|
|
(3) develop state agency guidelines for easily |
|
|
replicated cybersecurity initiatives; |
|
|
(4) provide opportunities for state agency technology |
|
|
leaders and members of the legislature to participate in programs |
|
|
and webinars on critical cybersecurity policy issues; and |
|
|
(5) provide recommendations to the legislature on any |
|
|
needed legislation to implement cybersecurity best practices and |
|
|
remediation strategies for state agencies. |
|
|
(c) The task force is abolished September 1, 2019, unless |
|
|
the department extends the task force until September 1, 2021. |
|
|
(d) This section expires September 1, 2021. |
|
|
SECTION 6. Section 2054.076, Government Code, is amended by |
|
|
adding Subsection (b-1) to read as follows: |
|
|
(b-1) The department shall provide mandatory guidelines to |
|
|
state agencies regarding the continuing education requirements for |
|
|
cybersecurity training and certification that must be completed by |
|
|
all information resources employees of the agencies. |
|
|
SECTION 7. Section 2054.1125(b), Government Code, is |
|
|
amended to read as follows: |
|
|
(b) A state agency that owns, licenses, or maintains |
|
|
computerized data that includes sensitive personal information, |
|
|
confidential information, or information the disclosure of which is |
|
|
regulated by law shall, in the event of a breach or suspected breach |
|
|
of system security or an unauthorized exposure of that information: |
|
|
(1) comply[, in the event of a breach of system
|
|
|
security,] with the notification requirements of Section 521.053, |
|
|
Business & Commerce Code, to the same extent as a person who |
|
|
conducts business in this state; and |
|
|
(2) notify the department, including the chief |
|
|
information security officer and the state cybersecurity |
|
|
coordinator, not later than 48 hours after the discovery of the |
|
|
breach, suspected breach, or unauthorized exposure. |
|
|
SECTION 8. Section 2054.133, Government Code, is amended by |
|
|
adding Subsections (b-1), (b-2), and (b-3) to read as follows: |
|
|
(b-1) The executive head and chief information security |
|
|
officer of each state agency shall annually review and approve in |
|
|
writing the agency's information security plan and strategies for |
|
|
addressing the agency's information resources systems that are at |
|
|
highest risk for security breaches. |
|
|
(b-2) Before submitting to the Legislative Budget Board a |
|
|
legislative appropriation request for a state fiscal biennium, a |
|
|
state agency must file with the board the written approval required |
|
|
under Subsection (b-1) for each year of the current state fiscal |
|
|
biennium. |
|
|
(b-3) Each state agency shall include in the agency's |
|
|
information security plan the actions the agency is taking to |
|
|
incorporate into the plan the core functions of "identify, protect, |
|
|
detect, respond, and recover" as recommended in the "Framework for |
|
|
Improving Critical Infrastructure Cybersecurity" of the United |
|
|
States Department of Commerce National Institute of Standards and |
|
|
Technology. The agency shall, at a minimum, identify any |
|
|
information the agency requires individuals to provide to the |
|
|
agency or the agency retains that is not necessary for the agency's |
|
|
operations. The agency may incorporate the core functions over a |
|
|
period of years. |
|
|
SECTION 9. Subchapter N-1, Chapter 2054, Government Code, |
|
|
is amended by adding Sections 2054.515, 2054.516, and 2054.517 to |
|
|
read as follows: |
|
|
Sec. 2054.515. INDEPENDENT RISK ASSESSMENT. (a) At least |
|
|
once every five years, in accordance with department rules, each |
|
|
state agency shall: |
|
|
(1) contract with an independent third party selected |
|
|
from a list provided by the department to conduct an independent |
|
|
risk assessment of the agency's exposure to security risks in the |
|
|
agency's information resources systems; and |
|
|
(2) submit the results of the independent risk |
|
|
assessment to the department. |
|
|
(b) The department shall submit to the legislature a |
|
|
comprehensive report on the results of the independent risk |
|
|
assessments conducted under Subsection (a) that identifies |
|
|
systematic or pervasive security risk vulnerabilities across state |
|
|
agencies and recommendations for addressing the vulnerabilities. |
|
|
Sec. 2054.516. DATA SECURITY PLAN FOR ONLINE AND MOBILE |
|
|
APPLICATIONS. (a) Each state agency implementing an Internet |
|
|
website or mobile application that processes any personally |
|
|
identifiable or confidential information must: |
|
|
(1) submit a data security plan to the department |
|
|
before beta testing the website or application; and |
|
|
(2) before deploying the website or application: |
|
|
(A) subject the website or application to a |
|
|
vulnerability and penetration test conducted by an independent |
|
|
third party; and |
|
|
(B) address any vulnerability identified under |
|
|
Paragraph (A). |
|
|
(b) The data security plan required under Subsection (a)(1) |
|
|
must include: |
|
|
(1) data flow diagrams to show the location of |
|
|
information in use, in transit, and not in use; |
|
|
(2) data storage locations; |
|
|
(3) data interaction with online or mobile devices; |
|
|
(4) security of data transfer; |
|
|
(5) security measures for the online or mobile |
|
|
application; and |
|
|
(6) a description of any action taken by the agency to |
|
|
remediate any vulnerability identified by an independent third |
|
|
party under Subsection (a)(2). |
|
|
(c) The department shall review each data security plan |
|
|
submitted under Subsection (a) and make any recommendations for |
|
|
changes to the plan to the state agency as soon as practicable after |
|
|
the department reviews the plan. |
|
|
Sec. 2054.517. VENDOR RESPONSIBILITY FOR CYBERSECURITY. A |
|
|
vendor that contracts with the state to provide information |
|
|
resources technology for a state agency is responsible for |
|
|
addressing known cybersecurity risks associated with the |
|
|
technology and any costs associated with addressing the identified |
|
|
cybersecurity risks. |
|
|
SECTION 10. Section 2054.575(a), Government Code, is |
|
|
amended to read as follows: |
|
|
(a) A state agency shall, with available funds, identify |
|
|
information security issues and develop a plan to prioritize the |
|
|
remediation and mitigation of those issues. The agency shall |
|
|
include in the plan: |
|
|
(1) procedures for reducing the agency's level of |
|
|
exposure with regard to information that alone or in conjunction |
|
|
with other information identifies an individual maintained on a |
|
|
legacy system of the agency; and |
|
|
(2) the most cost-effective approach for modernizing, |
|
|
replacing, renewing, or disposing of a legacy system that maintains |
|
|
information critical to the agency's responsibilities. |
|
|
SECTION 11. Subtitle B, Title 10, Government Code, is |
|
|
amended by adding Chapter 2061 to read as follows: |
|
|
CHAPTER 2061. INDIVIDUAL-IDENTIFYING INFORMATION |
|
|
Sec. 2061.001. DEFINITION. In this chapter, "state agency" |
|
|
means a department, commission, board, office, council, authority, |
|
|
or other agency in the executive, legislative, or judicial branch |
|
|
of state government, including a university system or institution |
|
|
of higher education, as defined by Section 61.003, Education Code, |
|
|
that is created by the constitution or a statute of this state. |
|
|
Sec. 2061.002. DESTRUCTION AUTHORIZED. (a) A state agency |
|
|
shall destroy or arrange for the destruction of information that |
|
|
alone or in conjunction with other information identifies an |
|
|
individual if the agency is not required to retain the information |
|
|
under other law. |
|
|
(b) A state agency shall destroy or arrange for the |
|
|
destruction of information described by Subsection (a) by: |
|
|
(1) shredding; |
|
|
(2) erasing; or |
|
|
(3) otherwise modifying the sensitive information in |
|
|
the records to make the information unreadable or indecipherable |
|
|
through any means. |
|
|
SECTION 12. Section 2157.007, Government Code, is amended |
|
|
by adding Subsection (e) to read as follows: |
|
|
(e) The department shall periodically review guidelines on |
|
|
state agency information that may be stored by a cloud computing |
|
|
service and the cloud computing systems available to state agencies |
|
|
for that storage to ensure that an agency purchasing a major |
|
|
information resources project under Section 2054.118 selects the |
|
|
most affordable, secure, and efficient cloud computing service |
|
|
available to the agency. |
|
|
SECTION 13. Chapter 276, Election Code, is amended by |
|
|
adding Section 276.011 to read as follows: |
|
|
Sec. 276.011. ELECTION CYBER ATTACK STUDY. (a) Not later |
|
|
than December 1, 2018, the Texas Rangers shall conduct a study |
|
|
regarding cyber attacks on election infrastructure and shall report |
|
|
its findings to the standing committees of the legislature with |
|
|
jurisdiction over election procedures. The study shall include: |
|
|
(1) an investigation of vulnerabilities and risks for |
|
|
a cyber attack against a county's voting system machines or the list |
|
|
of registered voters; |
|
|
(2) information on any attempted cyber attack on a |
|
|
county's voting system machines or the list of registered voters; |
|
|
and |
|
|
(3) recommendations for protecting a county's voting |
|
|
system machines and list of registered voters from a cyber attack. |
|
|
(b) This section expires January 1, 2019. |
|
|
SECTION 14. (a) The lieutenant governor shall establish a |
|
|
Senate Select Committee on Cybersecurity and the speaker of the |
|
|
house of representatives shall establish a House Select Committee |
|
|
on Cybersecurity to, jointly or separately, study: |
|
|
(1) cybersecurity in this state; |
|
|
(2) the information security plans of each state |
|
|
agency; and |
|
|
(3) the risks and vulnerabilities of state agency |
|
|
cybersecurity. |
|
|
(b) Not later than November 30, 2017: |
|
|
(1) the lieutenant governor shall appoint five |
|
|
senators to the Senate Select Committee on Cybersecurity, one of |
|
|
whom shall be designated as chair; and |
|
|
(2) the speaker of the house of representatives shall |
|
|
appoint five state representatives to the House Select Committee on |
|
|
Cybersecurity, one of whom shall be designated as chair. |
|
|
(c) The committees established under this section shall |
|
|
convene separately at the call of the chair of the respective |
|
|
committees, or jointly at the call of both chairs. In joint |
|
|
meetings, the chairs of each committee shall act as joint chairs. |
|
|
(d) Following consideration of the issues listed in |
|
|
Subsection (a) of this section, the committees established under |
|
|
this section shall jointly adopt recommendations on state |
|
|
cybersecurity and report in writing to the legislature any findings |
|
|
and adopted recommendations not later than January 13, 2019. |
|
|
(e) This section expires September 1, 2019. |
|
|
SECTION 15. (a) In this section, "state agency" means a |
|
|
board, commission, office, department, council, authority, or |
|
|
other agency in the executive or judicial branch of state |
|
|
government that is created by the constitution or a statute of this |
|
|
state. The term does not include a university system or institution |
|
|
of higher education as those terms are defined by Section 61.003, |
|
|
Education Code. |
|
|
(b) The Department of Information Resources and the Texas |
|
|
State Library and Archives Commission shall conduct a study on |
|
|
state agency digital data storage and records management practices |
|
|
and the associated costs to this state. |
|
|
(c) The study required under this section must examine: |
|
|
(1) the current digital data storage practices of |
|
|
state agencies in this state; |
|
|
(2) the costs associated with those digital data |
|
|
storage practices; |
|
|
(3) the digital records management and data |
|
|
classification policies of state agencies and whether the state |
|
|
agencies are consistently complying with the established policies; |
|
|
(4) whether the state agencies are storing digital |
|
|
data that exceeds established retention requirements and the cost |
|
|
of that unnecessary storage; |
|
|
(5) the adequacy of storage systems used by state |
|
|
agencies to securely maintain confidential digital records; and |
|
|
(6) possible solutions and improvements recommended |
|
|
by the state agencies for reducing state costs and increasing |
|
|
security for digital data storage and records management. |
|
|
(d) Each state agency shall participate in the study |
|
|
required by this section and provide appropriate assistance and |
|
|
information to the Department of Information Resources and the |
|
|
Texas State Library and Archives Commission. |
|
|
(e) Not later than December 1, 2018, the Department of |
|
|
Information Resources and the Texas State Library and Archives |
|
|
Commission shall issue a report on the study required under this |
|
|
section and recommendations for reducing state costs and for |
|
|
improving efficiency in digital data storage and records management |
|
|
to the lieutenant governor, the speaker of the house of |
|
|
representatives, and the appropriate standing committees of the |
|
|
house of representatives and the senate. |
|
|
(f) This section expires September 1, 2019. |
|
|
SECTION 16. The changes in law made by this Act do not apply |
|
|
to the Electric Reliability Council of Texas. |
|
|
SECTION 17. This Act takes effect September 1, 2017. |