A BILL TO BE ENTITLED

AN ACT

relating to cybersecurity for state agency information resources.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. This Act may be cited as the Texas Cybersecurity Act.

SECTION 2. Section 551.089, Government Code, is amended to read as follows:

Sec. 551.089. DELIBERATION REGARDING SECURITY DEVICES OR SECURITY AUDITS; CLOSED MEETING [DEPARTMENT OF INFORMATION RESOURCES]. This chapter does not require a governmental body [the governing board of the Department of Information Resources] to conduct an open meeting to deliberate:

(1) security assessments or deployments relating to information resources technology;

(2) network security information as described by Section 2059.055(b); or

(3) the deployment, or specific occasions for implementation, of security personnel, critical infrastructure, or security devices.

SECTION 3. Section 552.139, Government Code, is amended by adding Subsection (d) to read as follows:

(d) When posting a contract on an Internet website as required by Section 2261.253, a state agency shall redact information made confidential by this section or excepted from public disclosure by this section. Redaction under this subsection does not except information from the requirements of Section 552.021.

SECTION 4. Subchapter C, Chapter 2054, Government Code, is amended by adding Section 2054.0594 to read as follows:

Sec. 2054.0594. INFORMATION SHARING AND ANALYSIS CENTER. (a) The department shall establish an information sharing and analysis center to provide a forum for state agencies to share information regarding cybersecurity threats, best practices, and remediation strategies.

(b) The department shall appoint persons from appropriate state agencies to serve as representatives to the information sharing and analysis center.

(c) The department, using funds other than funds appropriated to the department in a general appropriations act, shall provide administrative support to the information sharing and analysis center.

SECTION 5. Sections 2054.077(b) and (e), Government Code, are amended to read as follows:

(b) The information resources manager of a state agency may prepare or have prepared a report, including an executive summary of the findings of the report, assessing the extent to which a computer, a computer program, a computer network, a computer system, a printer, an interface to a computer system, including mobile and peripheral devices, computer software, or data processing of the agency or of a contractor of the agency is vulnerable to unauthorized access or harm, including the extent to which the agency's or contractor's electronically stored information is vulnerable to alteration, damage, erasure, or inappropriate use.

(e) Separate from the executive summary described by Subsection (b), a state agency [whose information resources manager has prepared or has had prepared a vulnerability report] shall prepare a summary of the agency's vulnerability report that does not contain any information the release of which might compromise the security of the state agency's or state agency contractor's computers, computer programs, computer networks, computer systems, printers, interfaces to computer systems, including mobile and peripheral devices, computer software, data processing, or electronically stored information. The summary is available to the public on request.

SECTION 6. Section 2054.1125(b), Government Code, is amended to read as follows:

(b) A state agency that owns, licenses, or maintains computerized data that includes sensitive personal information, confidential information, or information the disclosure of which is regulated by law shall, in the event of a breach or suspected breach of system security or an unauthorized exposure of that information:

(1) comply[, in the event of a breach of system security,] with the notification requirements of Section 521.053, Business & Commerce Code, to the same extent as a person who conducts business in this state; and

(2) not later than 48 hours after the discovery of the breach, suspected breach, or unauthorized exposure, notify:

(A) the department, including the chief information security officer and the state cybersecurity coordinator; or

(B) if the breach, suspected breach, or unauthorized exposure involves election data, the secretary of state.

SECTION 7. Section 2054.133, Government Code, is amended by adding Subsections (b-1), (b-2), and (b-3) to read as follows:

(b-1) The executive head and information security officer of each state agency shall annually review and approve in writing the agency's information security plan and strategies for addressing the agency's information resources systems that are at highest risk for security breaches. The plan at a minimum must include solutions that isolate and segment sensitive information and maintain architecturally sound and secured separation among networks. If a state agency does not have an information security officer, the highest ranking information security employee for the agency shall review and approve the plan and strategies. The executive head retains full responsibility for the agency's information security and any risks to that security.

(b-2) Each state agency shall include in the agency's information security plan the actions the agency is taking to incorporate into the plan the core functions of "identify, protect, detect, respond, and recover" as recommended in the "Framework for Improving Critical Infrastructure Cybersecurity" of the United States Department of Commerce National Institute of Standards and Technology. The agency shall, at a minimum, identify any information the agency requires individuals to provide to the agency or the agency retains that is not necessary for the agency's operations. The agency may incorporate the core functions over a period of years.

(b-3) A state agency's information security plan must include appropriate privacy and security standards that, at a minimum, require a vendor who offers cloud computing services or other software, applications, online services, or information technology solutions to any state agency to contractually warrant that data provided by the state to the vendor will be maintained in compliance with all applicable state and federal laws and rules as specified in the applicable scope of work, request for proposal, or other document requirements.

SECTION 8. Section 2054.512, Government Code, is amended to read as follows:

Sec. 2054.512. CYBERSECURITY [PRIVATE INDUSTRY-GOVERNMENT] COUNCIL. (a) The state cybersecurity coordinator shall [may] establish and lead a cybersecurity council that includes public and private sector leaders and cybersecurity practitioners to collaborate on matters of cybersecurity concerning this state.

(b) The cybersecurity council must include:

(1) one member who is an employee of the office of the governor;

(2) one member of the senate appointed by the lieutenant governor;

(3) one member of the house of representatives appointed by the speaker of the house of representatives; and

(4) additional members appointed by the state cybersecurity coordinator, including representatives of institutions of higher education and private sector leaders.

(c) In appointing representatives from institutions of higher education to the cybersecurity council, the state cybersecurity coordinator shall consider appointing members of the Information Technology Council for Higher Education.

(d) The cybersecurity council shall provide recommendations to the legislature on any legislation necessary to implement cybersecurity best practices and remediation strategies for this state.

SECTION 9. Subchapter N-1, Chapter 2054, Government Code, is amended by adding Section 2054.515 to read as follows:

Sec. 2054.515. AGENCY INFORMATION SECURITY ASSESSMENT AND REPORT. (a) At least once every two years, each state agency shall conduct an information security assessment of the agency's information resources systems, network systems, digital data storage systems, digital data security measures, and information resources vulnerabilities.

(b) Not later than December 1 of the year in which a state agency conducts the assessment under Subsection (a), the agency shall report the results of the assessment to the department, the governor, the lieutenant governor, and the speaker of the house of representatives.

(c) The department by rule may establish the requirements for the information security assessment and report required by this section.

SECTION 10. Section 2054.575(a), Government Code, is amended to read as follows:

(a) A state agency shall, with available funds, identify information security issues and develop a plan to prioritize the remediation and mitigation of those issues. The agency shall include in the plan:

(1) procedures for reducing the agency's level of exposure with regard to information that alone or in conjunction with other information identifies an individual maintained on a legacy system of the agency;

(2) the best value approach for modernizing, replacing, renewing, or disposing of a legacy system that maintains information critical to the agency's responsibilities;

(3) an analysis of the percentage of state agency personnel in information technology, cybersecurity, or other cyber-related positions who currently hold the appropriate industry-recognized certifications as identified by the National Initiative for Cybersecurity Education;

(4) the level of preparedness of state agency cyber personnel and potential personnel who do not hold the appropriate industry-recognized certifications to successfully complete the industry-recognized certification examinations; and

(5) a strategy for mitigating any workforce-related discrepancy in information technology, cybersecurity, or other cyber-related positions with the appropriate training and industry-recognized certifications.

SECTION 11. Section 2059.055(b), Government Code, is amended to read as follows:

(b) Network security information is confidential under this section if the information is:

(1) related to passwords, personal identification numbers, access codes, encryption, or other components of the security system of a governmental entity [state agency];

(2) collected, assembled, or maintained by or for a governmental entity to prevent, detect, or investigate criminal activity; or

(3) related to an assessment, made by or for a governmental entity or maintained by a governmental entity, of the vulnerability of a network to criminal activity.

SECTION 12. Subtitle B, Title 10, Government Code, is amended by adding Chapter 2061 to read as follows:

CHAPTER 2061. INDIVIDUAL-IDENTIFYING INFORMATION

Sec. 2061.001. DEFINITIONS. In this chapter:

(1) "Cybersecurity risk" means a material threat of attack, damage, or unauthorized access to the networks, computers, software, or data storage of a state agency.

(2) "State agency" means a department, commission, board, office, council, authority, or other agency in the executive, legislative, or judicial branch of state government, including a university system or institution of higher education, as defined by Section 61.003, Education Code, that is created by the constitution or a statute of this state.

Sec. 2061.002. DESTRUCTION AUTHORIZED. (a) A state agency shall destroy or arrange for the destruction of information that presents a cybersecurity risk and alone or in conjunction with other information identifies an individual in connection with the agency's networks, computers, software, or data storage if the agency is otherwise prohibited by law from retaining the information for a period of years.

(b) This section does not apply to a record involving criminal activity or a criminal investigation retained for law enforcement purposes.

(c) A state agency may not destroy or arrange for the destruction of any election data before the third anniversary of the date the election to which the data pertains is held.

(d) A state agency may not under any circumstance sell:

(1) a person's Internet browsing history;

(2) a person's application usage history; or

(3) the functional equivalent of the information described in Subdivisions (1) and (2).

SECTION 13. Chapter 276, Election Code, is amended by adding Section 276.011 to read as follows:

Sec. 276.011. ELECTION CYBER ATTACK STUDY. (a) Not later than December 1, 2018, the secretary of state shall:

(1) conduct a study regarding cyber attacks on election infrastructure;

(2) prepare a public summary report on the study's findings that does not contain any information the release of which may compromise any election;

(3) prepare a confidential report on specific findings and vulnerabilities that is exempt from disclosure under Chapter 552, Government Code; and

(4) submit to the standing committees of the legislature with jurisdiction over election procedures a copy of the report required under Subdivision (2) and a general compilation of the report required under Subdivision (3) that does not contain any information the release of which may compromise any election.

(b) The study must include:

(1) an investigation of vulnerabilities and risks for a cyber attack against a county's voting system machines or the list of registered voters;

(2) information on any attempted cyber attack on a county's voting system machines or the list of registered voters; and

(3) recommendations for protecting a county's voting system machines and list of registered voters from a cyber attack.

(c) The secretary of state, using existing resources, may contract with a qualified vendor to conduct the study required by this section.

(d) This section expires January 1, 2019.

SECTION 14. (a) The lieutenant governor shall establish a Senate Select Committee on Cybersecurity and the speaker of the house of representatives shall establish a House Select Committee on Cybersecurity to, jointly or separately, study:

(1) cybersecurity in this state;

(2) the information security plans of each state agency; and

(3) the risks and vulnerabilities of state agency cybersecurity.

(b) Not later than November 30, 2017:

(1) the lieutenant governor shall appoint five senators to the Senate Select Committee on Cybersecurity, one of whom shall be designated as chair; and

(2) the speaker of the house of representatives shall appoint five state representatives to the House Select Committee on Cybersecurity, one of whom shall be designated as chair.

(c) The committees established under this section shall convene separately at the call of the chair of the respective committees, or jointly at the call of both chairs. In joint meetings, the chairs of each committee shall act as joint chairs.

(d) Following consideration of the issues listed in Subsection (a) of this section, the committees established under this section shall jointly adopt recommendations on state cybersecurity and report in writing to the legislature any findings and adopted recommendations not later than January 13, 2019.

(e) This section expires September 1, 2019.

SECTION 15. (a) In this section, "state agency" means a board, commission, office, department, council, authority, or other agency in the executive or judicial branch of state government that is created by the constitution or a statute of this state. The term does not include a university system or institution of higher education as those terms are defined by Section 61.003, Education Code.

(b) The Department of Information Resources, in consultation with the Texas State Library and Archives Commission, shall conduct a study on state agency digital data storage and records management practices and the associated costs to this state.

(c) The study required under this section must examine:

(1) the current digital data storage practices of state agencies in this state;

(2) the costs associated with those digital data storage practices;

(3) the digital records management and data classification policies of state agencies and whether the state agencies are consistently complying with the established policies;

(4) whether the state agencies are storing digital data that exceeds established retention requirements and the cost of that unnecessary storage;

(5) the adequacy of storage systems used by state agencies to securely maintain confidential digital records;

(6) possible solutions and improvements recommended by the state agencies for reducing state costs and increasing security for digital data storage and records management; and

(7) the security level and possible benefits of and the cost savings from using cloud computing services for agency data storage, data classification, and records management.

(d) Each state agency shall participate in the study required by this section and provide appropriate assistance and information to the Department of Information Resources and the Texas State Library and Archives Commission.

(e) Not later than December 1, 2018, the Department of Information Resources shall issue a report on the study required under this section and recommendations for reducing state costs and for improving efficiency in digital data storage and records management to the lieutenant governor, the speaker of the house of representatives, and the appropriate standing committees of the house of representatives and the senate.

(f) This section expires September 1, 2019.

SECTION 16. The changes in law made by this Act do not apply to the Electric Reliability Council of Texas.

SECTION 17. This Act takes effect September 1, 2017.

* * * * *